Analysis Overview
SHA256
5a3d8265796fc5444a98d86f1d0ad3db9d5e4ad0e9b0f1d222e72d0ef0ac2878
Threat Level: Known bad
The file 2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 17:05
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 17:05
Reported
2024-06-01 17:07
Platform
win7-20240221-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eXJOhaG.exe | N/A |
| N/A | N/A | C:\Windows\System\wZbsihz.exe | N/A |
| N/A | N/A | C:\Windows\System\ucsVsXo.exe | N/A |
| N/A | N/A | C:\Windows\System\rAbXgtA.exe | N/A |
| N/A | N/A | C:\Windows\System\BkLBHVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PTbGLws.exe | N/A |
| N/A | N/A | C:\Windows\System\VGbKeXb.exe | N/A |
| N/A | N/A | C:\Windows\System\zMUYFTo.exe | N/A |
| N/A | N/A | C:\Windows\System\SDJrldb.exe | N/A |
| N/A | N/A | C:\Windows\System\SgvGkAw.exe | N/A |
| N/A | N/A | C:\Windows\System\mFdPKRW.exe | N/A |
| N/A | N/A | C:\Windows\System\bDhsjKz.exe | N/A |
| N/A | N/A | C:\Windows\System\DVpUQNI.exe | N/A |
| N/A | N/A | C:\Windows\System\olankER.exe | N/A |
| N/A | N/A | C:\Windows\System\iZUNdQl.exe | N/A |
| N/A | N/A | C:\Windows\System\JONyWpW.exe | N/A |
| N/A | N/A | C:\Windows\System\uztvnQH.exe | N/A |
| N/A | N/A | C:\Windows\System\QkYeBlM.exe | N/A |
| N/A | N/A | C:\Windows\System\UTXIUWv.exe | N/A |
| N/A | N/A | C:\Windows\System\KIgzcRg.exe | N/A |
| N/A | N/A | C:\Windows\System\pkHReYH.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\eXJOhaG.exe | C:\Windows\System\eXJOhaG.exe |
| C:\Windows\System\wZbsihz.exe | C:\Windows\System\wZbsihz.exe |
| C:\Windows\System\ucsVsXo.exe | C:\Windows\System\ucsVsXo.exe |
| C:\Windows\System\rAbXgtA.exe | C:\Windows\System\rAbXgtA.exe |
| C:\Windows\System\BkLBHVZ.exe | C:\Windows\System\BkLBHVZ.exe |
| C:\Windows\System\PTbGLws.exe | C:\Windows\System\PTbGLws.exe |
| C:\Windows\System\VGbKeXb.exe | C:\Windows\System\VGbKeXb.exe |
| C:\Windows\System\zMUYFTo.exe | C:\Windows\System\zMUYFTo.exe |
| C:\Windows\System\SDJrldb.exe | C:\Windows\System\SDJrldb.exe |
| C:\Windows\System\SgvGkAw.exe | C:\Windows\System\SgvGkAw.exe |
| C:\Windows\System\mFdPKRW.exe | C:\Windows\System\mFdPKRW.exe |
| C:\Windows\System\bDhsjKz.exe | C:\Windows\System\bDhsjKz.exe |
| C:\Windows\System\DVpUQNI.exe | C:\Windows\System\DVpUQNI.exe |
| C:\Windows\System\olankER.exe | C:\Windows\System\olankER.exe |
| C:\Windows\System\iZUNdQl.exe | C:\Windows\System\iZUNdQl.exe |
| C:\Windows\System\JONyWpW.exe | C:\Windows\System\JONyWpW.exe |
| C:\Windows\System\uztvnQH.exe | C:\Windows\System\uztvnQH.exe |
| C:\Windows\System\QkYeBlM.exe | C:\Windows\System\QkYeBlM.exe |
| C:\Windows\System\UTXIUWv.exe | C:\Windows\System\UTXIUWv.exe |
| C:\Windows\System\KIgzcRg.exe | C:\Windows\System\KIgzcRg.exe |
| C:\Windows\System\pkHReYH.exe | C:\Windows\System\pkHReYH.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 17:05
Reported
2024-06-01 17:07
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bnhjWzN.exe | N/A |
| N/A | N/A | C:\Windows\System\jqhsYGK.exe | N/A |
| N/A | N/A | C:\Windows\System\LlRqbNl.exe | N/A |
| N/A | N/A | C:\Windows\System\RAxELKO.exe | N/A |
| N/A | N/A | C:\Windows\System\kBOGuoe.exe | N/A |
| N/A | N/A | C:\Windows\System\EKwSxXg.exe | N/A |
| N/A | N/A | C:\Windows\System\Ldeimha.exe | N/A |
| N/A | N/A | C:\Windows\System\gFjcIRS.exe | N/A |
| N/A | N/A | C:\Windows\System\PTRUxLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\yGdqbwT.exe | N/A |
| N/A | N/A | C:\Windows\System\QlxrXeb.exe | N/A |
| N/A | N/A | C:\Windows\System\bdlBDcI.exe | N/A |
| N/A | N/A | C:\Windows\System\wNZAwIO.exe | N/A |
| N/A | N/A | C:\Windows\System\TfVJWZu.exe | N/A |
| N/A | N/A | C:\Windows\System\rsjPZBK.exe | N/A |
| N/A | N/A | C:\Windows\System\AqYuPOT.exe | N/A |
| N/A | N/A | C:\Windows\System\dqoMRvc.exe | N/A |
| N/A | N/A | C:\Windows\System\KouetMy.exe | N/A |
| N/A | N/A | C:\Windows\System\jmfvdvd.exe | N/A |
| N/A | N/A | C:\Windows\System\DQyVfVb.exe | N/A |
| N/A | N/A | C:\Windows\System\drHuWVq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_5efe69fb24be2b4ad6aa38d51e64d430_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\bnhjWzN.exe | C:\Windows\System\bnhjWzN.exe |
| C:\Windows\System\jqhsYGK.exe | C:\Windows\System\jqhsYGK.exe |
| C:\Windows\System\LlRqbNl.exe | C:\Windows\System\LlRqbNl.exe |
| C:\Windows\System\RAxELKO.exe | C:\Windows\System\RAxELKO.exe |
| C:\Windows\System\kBOGuoe.exe | C:\Windows\System\kBOGuoe.exe |
| C:\Windows\System\EKwSxXg.exe | C:\Windows\System\EKwSxXg.exe |
| C:\Windows\System\Ldeimha.exe | C:\Windows\System\Ldeimha.exe |
| C:\Windows\System\gFjcIRS.exe | C:\Windows\System\gFjcIRS.exe |
| C:\Windows\System\PTRUxLZ.exe | C:\Windows\System\PTRUxLZ.exe |
| C:\Windows\System\yGdqbwT.exe | C:\Windows\System\yGdqbwT.exe |
| C:\Windows\System\QlxrXeb.exe | C:\Windows\System\QlxrXeb.exe |
| C:\Windows\System\bdlBDcI.exe | C:\Windows\System\bdlBDcI.exe |
| C:\Windows\System\wNZAwIO.exe | C:\Windows\System\wNZAwIO.exe |
| C:\Windows\System\TfVJWZu.exe | C:\Windows\System\TfVJWZu.exe |
| C:\Windows\System\rsjPZBK.exe | C:\Windows\System\rsjPZBK.exe |
| C:\Windows\System\AqYuPOT.exe | C:\Windows\System\AqYuPOT.exe |
| C:\Windows\System\dqoMRvc.exe | C:\Windows\System\dqoMRvc.exe |
| C:\Windows\System\KouetMy.exe | C:\Windows\System\KouetMy.exe |
| C:\Windows\System\jmfvdvd.exe | C:\Windows\System\jmfvdvd.exe |
| C:\Windows\System\DQyVfVb.exe | C:\Windows\System\DQyVfVb.exe |
| C:\Windows\System\drHuWVq.exe | C:\Windows\System\drHuWVq.exe |
Network
Files