Analysis Overview
SHA256
3e556ffaf9e2648325df77d7469c3ef04541e4d21c8c031a352b6cbbfef45fc0
Threat Level: Known bad
The file 2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 18:43
Signatures
Cobalt Strike reflective loader
1 hit; no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 hit; no description, indicator, process or target recorded.
XMRig Miner payload
1 hit; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 hit; no description, indicator, process or target recorded.
Unsigned PE
1 hit; no description, indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 18:43
Reported
2024-06-06 18:46
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
64 hits; no description, indicator, process or target recorded.
XMRig Miner payload
64 hits; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IeWEplK.exe | N/A |
| N/A | N/A | C:\Windows\System\nlBHFCV.exe | N/A |
| N/A | N/A | C:\Windows\System\UpsQWRF.exe | N/A |
| N/A | N/A | C:\Windows\System\bCtwBIm.exe | N/A |
| N/A | N/A | C:\Windows\System\GTpALEi.exe | N/A |
| N/A | N/A | C:\Windows\System\IEMdUSS.exe | N/A |
| N/A | N/A | C:\Windows\System\YSYmBmQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bxOBqeY.exe | N/A |
| N/A | N/A | C:\Windows\System\mHaYSMx.exe | N/A |
| N/A | N/A | C:\Windows\System\HEDjmOD.exe | N/A |
| N/A | N/A | C:\Windows\System\rURooeK.exe | N/A |
| N/A | N/A | C:\Windows\System\jwZMUmc.exe | N/A |
| N/A | N/A | C:\Windows\System\kbGraKR.exe | N/A |
| N/A | N/A | C:\Windows\System\bCrzDQn.exe | N/A |
| N/A | N/A | C:\Windows\System\vqOawKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\AlSBiqT.exe | N/A |
| N/A | N/A | C:\Windows\System\PEuDGPN.exe | N/A |
| N/A | N/A | C:\Windows\System\LdsrTZq.exe | N/A |
| N/A | N/A | C:\Windows\System\drIlBVq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwXfQQH.exe | N/A |
| N/A | N/A | C:\Windows\System\JmuTvez.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\IeWEplK.exe
C:\Windows\System\IeWEplK.exe
C:\Windows\System\nlBHFCV.exe
C:\Windows\System\nlBHFCV.exe
C:\Windows\System\UpsQWRF.exe
C:\Windows\System\UpsQWRF.exe
C:\Windows\System\bCtwBIm.exe
C:\Windows\System\bCtwBIm.exe
C:\Windows\System\GTpALEi.exe
C:\Windows\System\GTpALEi.exe
C:\Windows\System\IEMdUSS.exe
C:\Windows\System\IEMdUSS.exe
C:\Windows\System\YSYmBmQ.exe
C:\Windows\System\YSYmBmQ.exe
C:\Windows\System\bxOBqeY.exe
C:\Windows\System\bxOBqeY.exe
C:\Windows\System\mHaYSMx.exe
C:\Windows\System\mHaYSMx.exe
C:\Windows\System\HEDjmOD.exe
C:\Windows\System\HEDjmOD.exe
C:\Windows\System\rURooeK.exe
C:\Windows\System\rURooeK.exe
C:\Windows\System\jwZMUmc.exe
C:\Windows\System\jwZMUmc.exe
C:\Windows\System\bCrzDQn.exe
C:\Windows\System\bCrzDQn.exe
C:\Windows\System\kbGraKR.exe
C:\Windows\System\kbGraKR.exe
C:\Windows\System\vqOawKQ.exe
C:\Windows\System\vqOawKQ.exe
C:\Windows\System\AlSBiqT.exe
C:\Windows\System\AlSBiqT.exe
C:\Windows\System\PEuDGPN.exe
C:\Windows\System\PEuDGPN.exe
C:\Windows\System\LdsrTZq.exe
C:\Windows\System\LdsrTZq.exe
C:\Windows\System\drIlBVq.exe
C:\Windows\System\drIlBVq.exe
C:\Windows\System\ZwXfQQH.exe
C:\Windows\System\ZwXfQQH.exe
C:\Windows\System\JmuTvez.exe
C:\Windows\System\JmuTvez.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3020-0-0x000000013F520000-0x000000013F874000-memory.dmp
memory/3020-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\IeWEplK.exe
| MD5 | 480140cdfaab069bd8a87a69a40cc80b |
| SHA1 | 1dc614a9cd644ec8ca8f0c9f9af8094ad390e97e |
| SHA256 | 18262e542e8f49e8076137ee7b9576725aedf8244f7bfd6accb040a929fcc8ed |
| SHA512 | 172818c7d49b9d8bbeae9ec6c7430cdfecf77a1d0dfab2bb70a589f4258a965c3a1723dc013686a71be8a2255a208b358802cf1ab392dfe5c5669d931564d414 |
memory/3020-6-0x00000000024D0000-0x0000000002824000-memory.dmp
\Windows\system\nlBHFCV.exe
| MD5 | 8e859af6a1192856afadb48c18d19026 |
| SHA1 | 42379e42d32a0637879e689e24e95882e8a341eb |
| SHA256 | 8b70a12363341f69213d6c7aad7f1bfdd18a47269dad10320b4e53f87e66633a |
| SHA512 | 9cb9d2cf8a26de8dcf824bf37c46a7e431ccc02d06eae2db5f0a1fc0d4c9e350b6f73c733ca92da1bd6821c61e87cb9eb95730ec4ce9cd66b7a699045667eaf1 |
memory/2180-15-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2160-14-0x000000013F410000-0x000000013F764000-memory.dmp
memory/3020-12-0x00000000024D0000-0x0000000002824000-memory.dmp
\Windows\system\bCtwBIm.exe
| MD5 | 215fc5b6f9a71de33a5ac5c026f3f3f9 |
| SHA1 | 1665bca825584f3620a3cecd06ad356ef857ae1b |
| SHA256 | d8f5dbe5ec641cff26a9e28e8af1cdab71aea645d25628f113d5b6c44ef9f928 |
| SHA512 | 2afd020c5cf42be15827f3e64d8070875fb2005d349a34d40bea92c4dff77f79e2a5d0ed36e03d4107b041d04b14573031fec1b2def7284a1adcbbf3ec094c51 |
memory/2552-27-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2688-34-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2720-41-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/3020-39-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/3020-33-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2608-48-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2468-54-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\HEDjmOD.exe
| MD5 | d86b100fc55bceecc32c3df6298abd39 |
| SHA1 | 6d22e3ebcc17e879d4b881df17403a91afaaa5b6 |
| SHA256 | 04e2da5b58062bd67aa60984a7519280d1ddc700f1ee1a4b1b1f68da3538c647 |
| SHA512 | 1eefa3ef13bde1066d65a90ce1e568e21049b52e90dfe1b6f9c802e74437598cf312b997deace214fa3b780c75d03b102e04eab99104639c9e723fa700f5fe67 |
C:\Windows\system\jwZMUmc.exe
| MD5 | ab41a176964423e9bda73f0c26ad82ac |
| SHA1 | 934df14e2a87152b159c1893ebe082d3961925b1 |
| SHA256 | 00156b0dcacecba1de3e1198e5dc5b4b1d912004057656c8efdc090a6a7abae9 |
| SHA512 | fca3652455388b5e8dd29aa41510535f610a46fe47608dd0391b1748ff34594d4dcf1db3c79f5ad290cf21b2e04582e7aa24713ec2701893c302da11f4cd7e02 |
memory/3020-76-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2752-96-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\drIlBVq.exe
| MD5 | b24cb4ce356c5506b1595f2dbefdc175 |
| SHA1 | 871d227b7483bb453c09b42c4131e50d894e536c |
| SHA256 | 63b6283f6ec7c7c25215f12c4410332046221e8dc0460eca530e7186e2c3abde |
| SHA512 | f1f4bd088b4551c441b735a40b0fda833b9987967b477b9399fda840f65e75c2411ebdb5d4c2ea89017ffa1fce4a492108d908d5f09ffcd74c6217bd97c3c1ff |
\Windows\system\JmuTvez.exe
| MD5 | fee68a8801744917a32702f674ae9580 |
| SHA1 | 743c217d008bd5c0a392e79d2c25c8fb31efd49c |
| SHA256 | 540da21271d2a2124366e98bfd5a2f1050d05004b5e1ae1ba2e93f17e068bd43 |
| SHA512 | c63c61f5f17347bc5f10a4b7b80d0bbbd162d5fda3a618dbae38de22d50080b49cb11a1fa3f4d5bf5e226e0b623f4f1a95d0993475738811b4c6e7c400c5de30 |
C:\Windows\system\ZwXfQQH.exe
| MD5 | a1cd38d59c698897ed42a36a7ad4dba1 |
| SHA1 | 3bf15fd02bd552ebe5b19f39c8e86231fd65c00d |
| SHA256 | e10f13e3b7a8c227af3af6bcc13815f76395e6a5a6b802fd713e85effce44519 |
| SHA512 | e4e1d0e44f42ece0ce7c1a90ac7db50f0b325232cd052d1ca641fa0f84b259a840c3d1c84c160569958730deb8b38c3104d53167d996b4617a5fb5aa093fa2ab |
C:\Windows\system\LdsrTZq.exe
| MD5 | 35ccbd48366ec5a7b80e081b8f0cbebd |
| SHA1 | 88a4e59565d178156584e14cc3d3f18d8d244096 |
| SHA256 | 4aaa55aaac5185fd2fbecaebdd192c857b152ff6bb9bbf0a0b11607ef9605a47 |
| SHA512 | 846089f67ba22224a7f7ad882aab514be478cdcbf2cfd4a4b1eac7f52356f54fa139d2f663b8b147ae81c0a0fd8426927b10be656cd16543f1a456cfca091b77 |
C:\Windows\system\PEuDGPN.exe
| MD5 | 5ed333703af44e343f229514c715187b |
| SHA1 | 6bf97c613c4d5f99a4f1dc62f6c433b4cef7e2b8 |
| SHA256 | b8f745609aa997681ea449bebedc3ca01333bee2d03501a2a3c19aff55296c11 |
| SHA512 | eb064970b33c95d29702f2931a34ca9bc5a7afe9b4382036a56773b597fe4662e4482b615aa19fc16040c988df573bd06c1c2b5b01fdf1c5e4d3735d49c1039f |
memory/2720-137-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/3000-105-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/3020-104-0x000000013FD10000-0x0000000140064000-memory.dmp
C:\Windows\system\vqOawKQ.exe
| MD5 | fb7f4d17fb6ae29eae49dfff25312e41 |
| SHA1 | a408683ac5d3dbb709286dc50487cbd49f5c8320 |
| SHA256 | ec306f55606a7f319d9a3f33e45de4dc32269abd443cfa51aa27b4b3b79796d3 |
| SHA512 | d5870c2ce2bf8da844d04bc8db74ac2086e65cf8261416f2b6f4e1a5bcfd999ea17aef8aef11fa4e328f710dbeb23b5fa4b6e9b02a59abe00eaf2b84c34f0964 |
C:\Windows\system\bCrzDQn.exe
| MD5 | 3ff814fbdec42092980147828759467e |
| SHA1 | c34ab7f18ce33a5b92eec9f45a7386c83509a094 |
| SHA256 | 4f76a55bc6e28ab6d6d0bf09653863709d0ae70eb6dc0a0063ef2e6750dc57d3 |
| SHA512 | ae68df0af57f5d6c5d3333192fb6382b1a842cfcfd057646b7d87a2c1b7b7dd91643bb33e53dfa9a91e88d6dbae116bfb9fde4d45e133b3cc2756f80cd09d271 |
C:\Windows\system\AlSBiqT.exe
| MD5 | 68b08c6b1060136a2999fb5b0d51fa10 |
| SHA1 | 4583dd9e0131b61b0e7c1e4084dcd13d2b579ff5 |
| SHA256 | 3f9b4e3f14f131b9695a9954df86a760aed55959d3852736285c5d982f1e5107 |
| SHA512 | fb4f4644bdb89aeaf13f30693459f5433a33ebce87601c26339b47520321862739538823c491f5c1f50cc2d5fa39b59eaadcf2c6315f478dd0591beedb8763ef |
memory/3020-90-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/1628-89-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2608-139-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/3020-95-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/2552-94-0x000000013F200000-0x000000013F554000-memory.dmp
C:\Windows\system\kbGraKR.exe
| MD5 | 3c0b8cf51b31a6081d01584f27aa88bd |
| SHA1 | ba4410c94c2532bc6f52e6504c4e00ac29dc5823 |
| SHA256 | 8104f2c548a2470026292a364c35d1fbdf7b0099d6b9515925bcabc716d779df |
| SHA512 | a3905c3a822143d8acbf2a5d4a539928a742fb3a43ef6c25197f432eea9ad9160dfd4d06d8e33f97368e3ec9a30317b399f279d012ea4ed79baf0233369fb22e |
memory/3032-77-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2180-75-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2160-74-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2468-140-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2960-83-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/3020-82-0x000000013FE60000-0x00000001401B4000-memory.dmp
C:\Windows\system\rURooeK.exe
| MD5 | 31d6aa1bff22adf05629a276ad3dab68 |
| SHA1 | 6818f6cd8dbb90b7015f41d3339a6b569ad2fb7e |
| SHA256 | b5c0f63fdc06b83ad677ce1af49971b2234feb6c5ef123955d8b90f557a90e52 |
| SHA512 | 5cebebcff93d5d77885520b11deb3b7a1142e471245acefaf0b561f81a0f855d2df58853fdb3c8ac19dbeaace6a3b6537cb1baa7b3af4ab0112fc87f90fea715 |
memory/1016-62-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2476-68-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/3020-61-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\mHaYSMx.exe
| MD5 | b792c54247545eae95d9728fe93ef136 |
| SHA1 | 86fa354d9df30f721948b80f09fc020b33432b1a |
| SHA256 | 7a93e0fc43f04bebab51652341d1c0dcc1341e9aeec6af10aaaf77b7bad2b993 |
| SHA512 | 75d61930a34165ad010ba00716630c14e7683bc0bbcc881f65060d17eb873adbb1313f489da87ef7dcecb55097e859cf15f1a9c05def5b221d0b7399d331ef57 |
memory/1016-141-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/3020-53-0x00000000024D0000-0x0000000002824000-memory.dmp
C:\Windows\system\bxOBqeY.exe
| MD5 | a4e28f8607daabc4b72319d4df9f27f8 |
| SHA1 | 5d51e81a9f28bf348b495ec982574d97aa9a7505 |
| SHA256 | 183d368cec469cb558074c0211a21f8aa94d7afb85850f233d9094697a596b7f |
| SHA512 | 2c2ff0e6a7ac4ab32e697412d2e6903fd0b38361f56faf40132cad498ad2e071b7e31bb41e67482b1b5c0b9ca80f13477f0011771125ace7d7736cbdff940e7b |
memory/3020-47-0x00000000024D0000-0x0000000002824000-memory.dmp
C:\Windows\system\YSYmBmQ.exe
| MD5 | 8b3e62a0dcc7487dd73463d0052fef6d |
| SHA1 | 94a4eb930ec247e9d138c207efc643d6d1911744 |
| SHA256 | 745c0d042252f843b771fff31af57462839273c5aa8b8442915cda9dd6aee048 |
| SHA512 | 3da0c9063650e14d082e9c61eeec06ab4cb9871ae4097a83d9546d34f837182b48f2b9c8b90fd3801fac8ac255680563252594a053ad3ec9b2a617a040d649a5 |
C:\Windows\system\GTpALEi.exe
| MD5 | 3f3acd7a2453331520289d012effa68c |
| SHA1 | bf205ca78b3663c5f19afa406c12c76a15582976 |
| SHA256 | a2f285211fdfe80f1a9ec156177f8edbddc7ec5169f6e5e432180873793cc680 |
| SHA512 | f7c43d6c88cfcb09aceb343a449e3df2748abb2912e808b01ee27ee49aa0715b921528a6d06a49afb61a0a1a11ddd1f568e05258c47ae64fb8c420d4841adf1b |
C:\Windows\system\IEMdUSS.exe
| MD5 | 95aeac685967dd7eea8609a7a0a6b093 |
| SHA1 | 139edd9f25866a7d1b63cda1a84713842d875ded |
| SHA256 | 38b11f1d26ab3c208bb3bcc94575cc33248906c42179f255342803bd0b0c9d9a |
| SHA512 | 2d907dd26d57f6939be4f6483e866b81e1e21e27b32861dc98b98e8f89a1b0cb2313a144812dec7aa6f225f0e56008b4c60e47a8580032d78a1a5c91759941fd |
memory/1628-20-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\UpsQWRF.exe
| MD5 | d710f0a79c724198bae6fa2c9d973cdc |
| SHA1 | 083058e37a13343d121b316ceb22af0ec08581ab |
| SHA256 | 7a2fd99985e89798cbc4d0366a16be3c6ba36f78f4b4633440a7ebd47ffb8504 |
| SHA512 | 383254d581344e20a46eece153f30223996ba6d1572cc7c0b0b709241302f33d4b0004028b809cfc45587de90f4195c065f626e89ea6c1e58b78105b25d41cfa |
memory/3020-26-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/2476-142-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/3020-143-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/3032-144-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/3020-145-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2960-146-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/3020-147-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/2752-148-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/3020-149-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/3000-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2160-151-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2180-152-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1628-153-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2552-154-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2720-155-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2608-156-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2468-157-0x000000013F230000-0x000000013F584000-memory.dmp
memory/1016-158-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2476-159-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/3032-160-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2960-161-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2752-162-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/3000-163-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2688-164-0x000000013FB80000-0x000000013FED4000-memory.dmp
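Worked example, added here and not output of the sandbox: a parser for the Files section in the layout above. It turns the dropped-file hash tables and the memory/PID-seq-start-end-memory.dmp entries into IOC records and emits a YARA rule over the SHA-256 values using YARA's hash module. The excerpt is constructed from lines of the behavioral1 Files section; the assumption that drive-less paths such as \Windows\system\IeWEplK.exe live on C:, the class and function names, and the rule name are this example's own.

```python
"""Added example (not sandbox output): parse a 'Files' section in the layout used on
this page into dropped-file IOCs and memory-dump regions, and emit a YARA rule over
the SHA-256 values. Drive-less paths are assumed to live on C: (our assumption)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt: two dropped files and two memory dumps copied from the
# behavioral1 Files section above (raw string, so backslashes are literal).
REPORT_EXCERPT = r"""
memory/3020-0-0x000000013F520000-0x000000013F874000-memory.dmp
\Windows\system\IeWEplK.exe
| MD5 | 480140cdfaab069bd8a87a69a40cc80b |
| SHA1 | 1dc614a9cd644ec8ca8f0c9f9af8094ad390e97e |
| SHA256 | 18262e542e8f49e8076137ee7b9576725aedf8244f7bfd6accb040a929fcc8ed |
| SHA512 | 172818c7d49b9d8bbeae9ec6c7430cdfecf77a1d0dfab2bb70a589f4258a965c3a1723dc013686a71be8a2255a208b358802cf1ab392dfe5c5669d931564d414 |
memory/3020-6-0x00000000024D0000-0x0000000002824000-memory.dmp
C:\Windows\system\HEDjmOD.exe
| MD5 | d86b100fc55bceecc32c3df6298abd39 |
| SHA1 | 6d22e3ebcc17e879d4b881df17403a91afaaa5b6 |
| SHA256 | 04e2da5b58062bd67aa60984a7519280d1ddc700f1ee1a4b1b1f68da3538c647 |
| SHA512 | 1eefa3ef13bde1066d65a90ce1e568e21049b52e90dfe1b6f9c802e74437598cf312b997deace214fa3b780c75d03b102e04eab99104639c9e723fa700f5fe67 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest


@dataclass(frozen=True)
class MemoryDump:
    pid: int    # process the region was dumped from
    seq: int    # dump sequence number within the run
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str):
    """A 'memory/...' line is a dump; a '| ALGO | hex |' row belongs to the most
    recent file path; any other non-empty line starts a new dropped file."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_DUMP.match(line):
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        if m := HASH_ROW.match(line):
            if current is None:
                raise ValueError(f"hash row with no preceding file path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has the wrong length on {current.path}")
            current.hashes[algo] = digest
            continue
        # Assumption: the report's drive-less paths are on the system drive C:
        path = line if re.match(r"^[A-Za-z]:\\", line) else "C:" + line
        current = DroppedFile(path)
        files.append(current)
    return files, dumps


def dump_size_profile(dumps) -> Counter:
    """Region size -> number of dumps of that size. The same size recurring across
    many PIDs points at the same image being mapped in each process."""
    return Counter(d.size for d in dumps)


def yara_hash_rule(name: str, files) -> str:
    """One 'hash.sha256(0, filesize)' clause per dropped file; YARA's hash module
    is standard, the rule name and meta text are ours."""
    clauses = [f'hash.sha256(0, filesize) == "{f.hashes["SHA256"]}"'
               for f in files if "SHA256" in f.hashes]
    body = " or\n        ".join(clauses)
    return (f'import "hash"\n\nrule {name}\n{{\n    meta:\n'
            f'        description = "dropped files from sandbox report"\n'
            f'    condition:\n        {body}\n}}\n')


if __name__ == "__main__":
    dropped, regions = parse_files_section(REPORT_EXCERPT)
    print(dump_size_profile(regions))
    print(yara_hash_rule("dropped_miner_components", dropped))
```

Run against the full section above, dump_size_profile shows that every dumped region except the two 0x10000 regions (3020-1 and, in behavioral2, 1124-1) is exactly 0x354000 bytes, whatever the PID or base address. That is the region to carve and check against the XMRig and reflective-loader signatures first, since the hash rule only catches the on-disk copies and a repacked build changes every one of those hashes.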
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 18:43
Reported
2024-06-06 18:46
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
64 hits; no description, indicator, process or target recorded.
XMRig Miner payload
64 hits; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IeWEplK.exe | N/A |
| N/A | N/A | C:\Windows\System\nlBHFCV.exe | N/A |
| N/A | N/A | C:\Windows\System\UpsQWRF.exe | N/A |
| N/A | N/A | C:\Windows\System\bCtwBIm.exe | N/A |
| N/A | N/A | C:\Windows\System\GTpALEi.exe | N/A |
| N/A | N/A | C:\Windows\System\IEMdUSS.exe | N/A |
| N/A | N/A | C:\Windows\System\YSYmBmQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bxOBqeY.exe | N/A |
| N/A | N/A | C:\Windows\System\mHaYSMx.exe | N/A |
| N/A | N/A | C:\Windows\System\HEDjmOD.exe | N/A |
| N/A | N/A | C:\Windows\System\rURooeK.exe | N/A |
| N/A | N/A | C:\Windows\System\jwZMUmc.exe | N/A |
| N/A | N/A | C:\Windows\System\bCrzDQn.exe | N/A |
| N/A | N/A | C:\Windows\System\kbGraKR.exe | N/A |
| N/A | N/A | C:\Windows\System\vqOawKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\AlSBiqT.exe | N/A |
| N/A | N/A | C:\Windows\System\PEuDGPN.exe | N/A |
| N/A | N/A | C:\Windows\System\LdsrTZq.exe | N/A |
| N/A | N/A | C:\Windows\System\drIlBVq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwXfQQH.exe | N/A |
| N/A | N/A | C:\Windows\System\JmuTvez.exe | N/A |
UPX packed file
64 hits; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_8b3e0dd2091117471a6b821c575135a4_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\IeWEplK.exe | C:\Windows\System\IeWEplK.exe |
| C:\Windows\System\nlBHFCV.exe | C:\Windows\System\nlBHFCV.exe |
| C:\Windows\System\UpsQWRF.exe | C:\Windows\System\UpsQWRF.exe |
| C:\Windows\System\bCtwBIm.exe | C:\Windows\System\bCtwBIm.exe |
| C:\Windows\System\GTpALEi.exe | C:\Windows\System\GTpALEi.exe |
| C:\Windows\System\IEMdUSS.exe | C:\Windows\System\IEMdUSS.exe |
| C:\Windows\System\YSYmBmQ.exe | C:\Windows\System\YSYmBmQ.exe |
| C:\Windows\System\bxOBqeY.exe | C:\Windows\System\bxOBqeY.exe |
| C:\Windows\System\mHaYSMx.exe | C:\Windows\System\mHaYSMx.exe |
| C:\Windows\System\HEDjmOD.exe | C:\Windows\System\HEDjmOD.exe |
| C:\Windows\System\rURooeK.exe | C:\Windows\System\rURooeK.exe |
| C:\Windows\System\jwZMUmc.exe | C:\Windows\System\jwZMUmc.exe |
| C:\Windows\System\bCrzDQn.exe | C:\Windows\System\bCrzDQn.exe |
| C:\Windows\System\kbGraKR.exe | C:\Windows\System\kbGraKR.exe |
| C:\Windows\System\vqOawKQ.exe | C:\Windows\System\vqOawKQ.exe |
| C:\Windows\System\AlSBiqT.exe | C:\Windows\System\AlSBiqT.exe |
| C:\Windows\System\PEuDGPN.exe | C:\Windows\System\PEuDGPN.exe |
| C:\Windows\System\LdsrTZq.exe | C:\Windows\System\LdsrTZq.exe |
| C:\Windows\System\drIlBVq.exe | C:\Windows\System\drIlBVq.exe |
| C:\Windows\System\ZwXfQQH.exe | C:\Windows\System\ZwXfQQH.exe |
| C:\Windows\System\JmuTvez.exe | C:\Windows\System\JmuTvez.exe |
Network
Files