Analysis Overview
SHA256
562b315233cb000ad89b12ac77530bd90cabe1def5772c6523920f1dac1652a0
Threat Level: Known bad
The file 2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
Detects Reflective DLL injection artifacts
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 21:35
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 21:35
Reported
2024-06-09 21:38
Platform
win7-20240419-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RQmmvEH.exe | N/A |
| N/A | N/A | C:\Windows\System\pIMnxdz.exe | N/A |
| N/A | N/A | C:\Windows\System\JrUblFY.exe | N/A |
| N/A | N/A | C:\Windows\System\okZETgH.exe | N/A |
| N/A | N/A | C:\Windows\System\nOicpOD.exe | N/A |
| N/A | N/A | C:\Windows\System\MkRJwXK.exe | N/A |
| N/A | N/A | C:\Windows\System\lVPYlcm.exe | N/A |
| N/A | N/A | C:\Windows\System\PMrexzj.exe | N/A |
| N/A | N/A | C:\Windows\System\ruYIdbj.exe | N/A |
| N/A | N/A | C:\Windows\System\JLWsAjW.exe | N/A |
| N/A | N/A | C:\Windows\System\yqFsaNw.exe | N/A |
| N/A | N/A | C:\Windows\System\qDkBOVF.exe | N/A |
| N/A | N/A | C:\Windows\System\lpNfSLt.exe | N/A |
| N/A | N/A | C:\Windows\System\sWMJJeu.exe | N/A |
| N/A | N/A | C:\Windows\System\ExphGhO.exe | N/A |
| N/A | N/A | C:\Windows\System\uaSPkIg.exe | N/A |
| N/A | N/A | C:\Windows\System\UriPApj.exe | N/A |
| N/A | N/A | C:\Windows\System\JSAsJni.exe | N/A |
| N/A | N/A | C:\Windows\System\xhxRreR.exe | N/A |
| N/A | N/A | C:\Windows\System\FQhzerE.exe | N/A |
| N/A | N/A | C:\Windows\System\qJYxZcg.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RQmmvEH.exe
C:\Windows\System\RQmmvEH.exe
C:\Windows\System\pIMnxdz.exe
C:\Windows\System\pIMnxdz.exe
C:\Windows\System\JrUblFY.exe
C:\Windows\System\JrUblFY.exe
C:\Windows\System\okZETgH.exe
C:\Windows\System\okZETgH.exe
C:\Windows\System\nOicpOD.exe
C:\Windows\System\nOicpOD.exe
C:\Windows\System\MkRJwXK.exe
C:\Windows\System\MkRJwXK.exe
C:\Windows\System\lVPYlcm.exe
C:\Windows\System\lVPYlcm.exe
C:\Windows\System\PMrexzj.exe
C:\Windows\System\PMrexzj.exe
C:\Windows\System\ruYIdbj.exe
C:\Windows\System\ruYIdbj.exe
C:\Windows\System\JLWsAjW.exe
C:\Windows\System\JLWsAjW.exe
C:\Windows\System\yqFsaNw.exe
C:\Windows\System\yqFsaNw.exe
C:\Windows\System\qDkBOVF.exe
C:\Windows\System\qDkBOVF.exe
C:\Windows\System\lpNfSLt.exe
C:\Windows\System\lpNfSLt.exe
C:\Windows\System\sWMJJeu.exe
C:\Windows\System\sWMJJeu.exe
C:\Windows\System\ExphGhO.exe
C:\Windows\System\ExphGhO.exe
C:\Windows\System\uaSPkIg.exe
C:\Windows\System\uaSPkIg.exe
C:\Windows\System\UriPApj.exe
C:\Windows\System\UriPApj.exe
C:\Windows\System\JSAsJni.exe
C:\Windows\System\JSAsJni.exe
C:\Windows\System\xhxRreR.exe
C:\Windows\System\xhxRreR.exe
C:\Windows\System\FQhzerE.exe
C:\Windows\System\FQhzerE.exe
C:\Windows\System\qJYxZcg.exe
C:\Windows\System\qJYxZcg.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2424-0-0x00000000002F0000-0x0000000000300000-memory.dmp
C:\Windows\system\RQmmvEH.exe
| MD5 | 58bee7f456ffbeeda8982460c71343dc |
| SHA1 | 6b91160e6b6c986b81b0fe01287d7743e879df00 |
| SHA256 | 1d52a9f77478bbdbab4872aba89b4a9faa65f692b8c37d1874694ed4caefa5e0 |
| SHA512 | 983ce59866ebbc3161fe97400828851177a5add3ad9678503f5ecbba5ed9c23be67bb03f2f73c87b9af15039f77ca15ca562269c9cf2e28135e9b5af14a9f2fd |
memory/2424-2-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2120-9-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2424-8-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\pIMnxdz.exe
| MD5 | 01998f7902bde6336a750fc13b3f6a3c |
| SHA1 | ac85d259855c8d030b7aeb8487c8b70a864d0b53 |
| SHA256 | dd6d23a53cc787a763ead22c6d90eb2d33528fd95cad6162ebf5b4f4434fedad |
| SHA512 | 36e593312e0353a99786419dcdea022f0f136d0d53c82a5b1960032ead9e1269da400efd319032b2984055032fa96768a379cf77abf71379a839ef2b72568862 |
C:\Windows\system\JrUblFY.exe
| MD5 | 2d047013b110a83cc5fba7ec2492a297 |
| SHA1 | bed34552fa4af879898801afe9af1485736244c3 |
| SHA256 | 1d66790cc7bb0bf44a2b4609096e965a133789fe18fa1bc6e55e62375ad41720 |
| SHA512 | 7eb3dedc4fa59fa92c342d61958753e6408eab446590bda82a1c3863fbc719a3f184fec88ad0b64006c61e8f55f9285e42090396a836d93b27b9037f8a5b692a |
memory/2676-37-0x000000013F5C0000-0x000000013F914000-memory.dmp
C:\Windows\system\lVPYlcm.exe
| MD5 | 09c50a7e07fb879a316855bf20059dde |
| SHA1 | bbfdb94c8374b0b45acf6edf9977440e641d4565 |
| SHA256 | 51e00124aa8045a3c96cc4b40f4bc582e676f839839511ec7fe7998f4d679216 |
| SHA512 | 95fb4e10a0bf655f8d9e978a054d615f75beca02a4a503770bd20a3d582743677c9c5a41cf40db2dd6d3301d5c889b74832fbdd290708b4427992cf713320a77 |
C:\Windows\system\JLWsAjW.exe
| MD5 | c3e9844347ff9fb02a228f786c652052 |
| SHA1 | c1d611eb7bd525cf2f53e2bc366ce122abff829c |
| SHA256 | 148c52178b2dd62edf1fcfffe53481708bb5d7305fbdd6164dd50ac6a3fad4f3 |
| SHA512 | f464bcc8f1399d45e1f7c33ed087ed95d92aaea1e803c53d8109457d5f5bb244bac248466853bfdf55336d360e458bdd555d79f178edc5d5ca241fb8693b27df |
C:\Windows\system\yqFsaNw.exe
| MD5 | f6f7c6f5f93527bc44bf21c470ea3af9 |
| SHA1 | 6776524e0fdfea068b74add1c2f05669d77cbcba |
| SHA256 | cbb3fa9a1af7b339ba298c0765ff038c3defbb75b5b46b71f75c1579609ecde4 |
| SHA512 | 48979290397fd50937b979833d1630670e27071829eb35bb6821f467505e7863f65b7b5fe6d69e13a03c0cac8dca38b8542c9285b9f9a96c4235c077388ca28b |
C:\Windows\system\uaSPkIg.exe
| MD5 | 0e5c8654c33b72c55fe99719ce65a053 |
| SHA1 | da4872aa258a7e557c31d8f01ddf0cdcc1ac0139 |
| SHA256 | a7414af554ea2c8c04baa24904d12dafdb0377997ea42ed29a60c42c348124c5 |
| SHA512 | 48e4d3702bcbea6772b136b2684d0644cea1f8dbca520797470c804f8a83b12d99d13ea6951fcacff6dfc6d485fbfa8bcf518c8ac802588b2ddeded532fdcfeb |
\Windows\system\qJYxZcg.exe
| MD5 | c83a72fd32d1ea03c4c25e0b40a06534 |
| SHA1 | de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1 |
| SHA256 | c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359 |
| SHA512 | 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c |
C:\Windows\system\qJYxZcg.exe
| MD5 | 805d6db0177034f4ef9f06d0e8f3970c |
| SHA1 | 67585ab26db8a0f7514bdddbe659a432c3af93ed |
| SHA256 | 89cb7ee366d7d52c8fbcb3a32cf095fd97d18d76331743469587b2f7ab169ca8 |
| SHA512 | c53966c4bd83d34a25a166391ac16ddf867ef50ef1bc67c351a4be7ba9cec60c60197219abaa391aa6a74c9615188bf95180c476bbf86e5e4e60b8523ed7049f |
C:\Windows\system\FQhzerE.exe
| MD5 | 2845745df0db5a020d828a78d8ae1661 |
| SHA1 | 83761c2c52986df0099588c7e94de11c734e87ab |
| SHA256 | 22054713cbd39eeb7b3c42ed914bc51a7c9ac7ffabefdfc6338a82875d027f7c |
| SHA512 | 6ea499553899485323bdca098445221063797efbbdd10a4e65b60273807e4e9a6da5f97c183334f1402f19ddfaef66b2150db8f17e1d851d88ab9697a9c2b8ad |
memory/2524-102-0x000000013F170000-0x000000013F4C4000-memory.dmp
C:\Windows\system\xhxRreR.exe
| MD5 | 5358a4b13063c2520e17c51f96bfa1ac |
| SHA1 | 3047ca801e2e286bc4b4527dc3ff6b307ee48d17 |
| SHA256 | 4b577413d2954ff1827ef1546213de820c85902a49dd2cfa7981ae608438098f |
| SHA512 | b682cd0a63cdfea59f099bd3eb10ee8c5155c236ec32112f0b9473c83ab89021444804bbd74602f570e7171db86ace3ed6d1b8ddb2d954cd961eb91038a09927 |
memory/2596-127-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2424-131-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/1252-130-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2424-129-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/3008-128-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2424-126-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2536-125-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2424-124-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2796-123-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2692-122-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2424-121-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2748-120-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2424-119-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2800-118-0x000000013F3B0000-0x000000013F704000-memory.dmp
\Windows\system\xhxRreR.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\system\JSAsJni.exe
| MD5 | 17ae3cbfca04f683a7aac5e17e165342 |
| SHA1 | ea0e8f815106b7a2c7373a1c3929102ae9b25cab |
| SHA256 | 9f430796dda29d4039b85e36d711e1e9d5ca6ba0e948286ae51ab57be809fac9 |
| SHA512 | 207c9e5c2122aee47dc389cdff03b5272174516c4a7e1a44d55f7f1b32055f90171afa99b4d66830d17d54f6dfa245e322b01c9714aa13684169e9cbc078ed0c |
C:\Windows\system\UriPApj.exe
| MD5 | 6fc1d2a6aa4e5fec1598640195150caa |
| SHA1 | 163971d08fea512c74e8dc6194438875b3a4e2dd |
| SHA256 | c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b |
| SHA512 | 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4 |
\Windows\system\UriPApj.exe
| MD5 | 859d94456bb3da553ce8b1a48ed5270c |
| SHA1 | 147a5c8674e46a7def81e3132c1064e5b94bb48d |
| SHA256 | 628ca57463e5aad8ef829809b5b8ac058b4ef16d57ba8fcfd96838bbb018af8b |
| SHA512 | f1df12a7169cf442068dcabeac80288cdc24d71631e29b3d8fb5711c8593b406a752d6cdb0ced43357528d74c5eecc1d2da4a7e6dcdf69f9c1e81ea7faf6873d |
C:\Windows\system\ExphGhO.exe
| MD5 | f991a15ca3ac60a167fa1a9c6e8de38e |
| SHA1 | d439e0cc0a94122db1c5ba149582caa0a0697f4e |
| SHA256 | fdcb1f7457c984d8eef6a2f17ef1df7dd4ef7d397e6731a8084f8d30609845b0 |
| SHA512 | 60fcf22b0d122b18e20c538ceebbe59509ae233af3dc78fe804a99f603d9127125a3ac2c9c4dd7a255838e233096e5136ed0a6735069ac83f2b28c2721c5d50f |
memory/2424-132-0x000000013F370000-0x000000013F6C4000-memory.dmp
C:\Windows\system\sWMJJeu.exe
| MD5 | ceb9098f5230061fcf932a8cbe87d317 |
| SHA1 | a2d1a3e81d5292da4aaf67e666eb73bba353f7cd |
| SHA256 | d6817381308bd4ffe6cf3c0f7f6f7144a23f45ccbc833a0c62492f88dfb36323 |
| SHA512 | 2dce8b9b2ed335da48d228caf439f5162ea1293a703453d6dc707864eaa0dab131c5b97227940de0debcb88dac45dec260320060be9dedb69bb74f43150e0df0 |
C:\Windows\system\lpNfSLt.exe
| MD5 | 7aaed59e81883ccc6a1f51d7ceba8aea |
| SHA1 | ad439da9e172d66fb363ee3ccdeb784403802da7 |
| SHA256 | 60993be56448ec872285aca4f955766be9ffb9322286c54762c862c7bff99a4a |
| SHA512 | a8213af11deee16995da3c584834892588465d8fcd7ba16d1dd81cde7e4051b7f82cc58b51f91d4f9df8d00b1ae51dd7c77c17c0b2f9917f25c200091d3e704c |
C:\Windows\system\qDkBOVF.exe
| MD5 | 5e0326ab63e44bcbb413da2eb1cede5f |
| SHA1 | 189fc080f0b195fe3e9004389d0fc400311918cb |
| SHA256 | 3d25a6341e2d099eb068708d7eb6acc6b0832d304052e4873badfd0d1582a464 |
| SHA512 | be356826d1d74f4f544c85dd17d55fa419abe001f7f7474edbbfa296ae778841bb4fe87e9763a3a12b65052a65ba656876bc6084ed122a441bfe91fd86b49880 |
\Windows\system\JLWsAjW.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
C:\Windows\system\ruYIdbj.exe
| MD5 | 2e820f8af7aa3bf225d37608a0a87341 |
| SHA1 | b813ceb09756bee341a57c9525bd3abdbe863ab8 |
| SHA256 | de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa |
| SHA512 | 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4 |
\Windows\system\ruYIdbj.exe
| MD5 | 030d80ee86dcb0299658f76269396f1f |
| SHA1 | c321123581ea66ffedcef821911ccc978f0b8797 |
| SHA256 | 97f8bc146e8dd61b74b62b1e6490d08b853578e355a16d99b1fca31c723f0d50 |
| SHA512 | da40c12c7593c0bf257bcee5bf83b42451980ebdb2bbecea1acaa04b1b303d1d74e08c7954ccdc495c8f29345f676109d84a708d9b918dd992e02259ad6dd517 |
C:\Windows\system\PMrexzj.exe
| MD5 | 12895d7ff9e186b402c0cbc8144fdd93 |
| SHA1 | b39018a3d94749e8999f102b422f482f843c02d8 |
| SHA256 | 8a7c014d158b2b58d0db468cdf4893e0da92b9ecbdd2421ceedd9484d15288c5 |
| SHA512 | 26cc5532c96a513d6dc620feabdc9a24207a689399faf4b2b64db2d62a1333320107b37f549bc8879e8602bc90608d598adb65ce4bcda502b8a0c2ad275ce57e |
\Windows\system\lVPYlcm.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\system\MkRJwXK.exe
| MD5 | 4b28a8de4ae6ebe88cfeb5419bc29e27 |
| SHA1 | 92c64b3d3923e7a6fc8537baaf44b185e5d8df1a |
| SHA256 | 02703b8d9827b0fdc3fb3647b09547bbfd5779d371a6b8ac60acab8abc808067 |
| SHA512 | b57812c594b441a92cd14e5a0197ad77d174486d3faabe6c99e3a491c9a60ca02f0e63e09198b98cb6ead70bc88ddb7adf77d3e74157fc00d401f64014bc4c83 |
memory/2424-36-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2424-35-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2424-33-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\nOicpOD.exe
| MD5 | aaf63299f5519f8596c1a6529aa0b906 |
| SHA1 | 53ec52cd06843079cbfdbc0cea000dc6eea86297 |
| SHA256 | f6c5c1093b686d618f67b914fc67f8675e2d0d7850b0c6cb2e9f7311bace0a05 |
| SHA512 | ded042c1f37f039c528b177e7c0ed5a86fbf8eab61703c8816d89c553d2a9f6f65657c40dee639d25447d95d3c662da5dadc3b7cca1ef1c1403c8434e43d289b |
memory/2716-31-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2344-30-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2808-25-0x000000013F3C0000-0x000000013F714000-memory.dmp
C:\Windows\system\okZETgH.exe
| MD5 | 187c732d89175fa52717d51b47481f7a |
| SHA1 | 8dbb3a4b317c1199a8490318fdc674b8e36470f5 |
| SHA256 | e066963b8f92e27d0b6334d7ac07bd065289bcb08036d1c4d7651f38ab008696 |
| SHA512 | 504a17775e68d9e75b111c2968f83bff8e5e0e04bec95b1439069841c8ecf3d65bb0202bd233f0e2f96abaa4d817eea2c23d0159be48aaf389debd4f254aa338 |
memory/2424-18-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2800-133-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2424-134-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2120-135-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2808-136-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2344-137-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2716-138-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2676-139-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2524-140-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2748-141-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2536-148-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2796-147-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2692-146-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2596-145-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/3008-144-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1252-143-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2800-142-0x000000013F3B0000-0x000000013F704000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 21:35
Reported
2024-06-09 21:38
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RQmmvEH.exe | N/A |
| N/A | N/A | C:\Windows\System\pIMnxdz.exe | N/A |
| N/A | N/A | C:\Windows\System\JrUblFY.exe | N/A |
| N/A | N/A | C:\Windows\System\okZETgH.exe | N/A |
| N/A | N/A | C:\Windows\System\nOicpOD.exe | N/A |
| N/A | N/A | C:\Windows\System\MkRJwXK.exe | N/A |
| N/A | N/A | C:\Windows\System\lVPYlcm.exe | N/A |
| N/A | N/A | C:\Windows\System\PMrexzj.exe | N/A |
| N/A | N/A | C:\Windows\System\ruYIdbj.exe | N/A |
| N/A | N/A | C:\Windows\System\JLWsAjW.exe | N/A |
| N/A | N/A | C:\Windows\System\yqFsaNw.exe | N/A |
| N/A | N/A | C:\Windows\System\qDkBOVF.exe | N/A |
| N/A | N/A | C:\Windows\System\lpNfSLt.exe | N/A |
| N/A | N/A | C:\Windows\System\sWMJJeu.exe | N/A |
| N/A | N/A | C:\Windows\System\ExphGhO.exe | N/A |
| N/A | N/A | C:\Windows\System\uaSPkIg.exe | N/A |
| N/A | N/A | C:\Windows\System\UriPApj.exe | N/A |
| N/A | N/A | C:\Windows\System\JSAsJni.exe | N/A |
| N/A | N/A | C:\Windows\System\xhxRreR.exe | N/A |
| N/A | N/A | C:\Windows\System\FQhzerE.exe | N/A |
| N/A | N/A | C:\Windows\System\qJYxZcg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a796dfa7be0b3a9a6cfde8828a3f0fee_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RQmmvEH.exe
C:\Windows\System\RQmmvEH.exe
C:\Windows\System\pIMnxdz.exe
C:\Windows\System\pIMnxdz.exe
C:\Windows\System\JrUblFY.exe
C:\Windows\System\JrUblFY.exe
C:\Windows\System\okZETgH.exe
C:\Windows\System\okZETgH.exe
C:\Windows\System\nOicpOD.exe
C:\Windows\System\nOicpOD.exe
C:\Windows\System\MkRJwXK.exe
C:\Windows\System\MkRJwXK.exe
C:\Windows\System\lVPYlcm.exe
C:\Windows\System\lVPYlcm.exe
C:\Windows\System\PMrexzj.exe
C:\Windows\System\PMrexzj.exe
C:\Windows\System\ruYIdbj.exe
C:\Windows\System\ruYIdbj.exe
C:\Windows\System\JLWsAjW.exe
C:\Windows\System\JLWsAjW.exe
C:\Windows\System\yqFsaNw.exe
C:\Windows\System\yqFsaNw.exe
C:\Windows\System\qDkBOVF.exe
C:\Windows\System\qDkBOVF.exe
C:\Windows\System\lpNfSLt.exe
C:\Windows\System\lpNfSLt.exe
C:\Windows\System\sWMJJeu.exe
C:\Windows\System\sWMJJeu.exe
C:\Windows\System\ExphGhO.exe
C:\Windows\System\ExphGhO.exe
C:\Windows\System\uaSPkIg.exe
C:\Windows\System\uaSPkIg.exe
C:\Windows\System\UriPApj.exe
C:\Windows\System\UriPApj.exe
C:\Windows\System\JSAsJni.exe
C:\Windows\System\JSAsJni.exe
C:\Windows\System\xhxRreR.exe
C:\Windows\System\xhxRreR.exe
C:\Windows\System\FQhzerE.exe
C:\Windows\System\FQhzerE.exe
C:\Windows\System\qJYxZcg.exe
C:\Windows\System\qJYxZcg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4000-0-0x00007FF7464F0000-0x00007FF746844000-memory.dmp
memory/4000-1-0x000001EB0B220000-0x000001EB0B230000-memory.dmp
C:\Windows\System\RQmmvEH.exe
| MD5 | 58bee7f456ffbeeda8982460c71343dc |
| SHA1 | 6b91160e6b6c986b81b0fe01287d7743e879df00 |
| SHA256 | 1d52a9f77478bbdbab4872aba89b4a9faa65f692b8c37d1874694ed4caefa5e0 |
| SHA512 | 983ce59866ebbc3161fe97400828851177a5add3ad9678503f5ecbba5ed9c23be67bb03f2f73c87b9af15039f77ca15ca562269c9cf2e28135e9b5af14a9f2fd |
C:\Windows\System\pIMnxdz.exe
| MD5 | 01998f7902bde6336a750fc13b3f6a3c |
| SHA1 | ac85d259855c8d030b7aeb8487c8b70a864d0b53 |
| SHA256 | dd6d23a53cc787a763ead22c6d90eb2d33528fd95cad6162ebf5b4f4434fedad |
| SHA512 | 36e593312e0353a99786419dcdea022f0f136d0d53c82a5b1960032ead9e1269da400efd319032b2984055032fa96768a379cf77abf71379a839ef2b72568862 |
memory/4024-7-0x00007FF79F700000-0x00007FF79FA54000-memory.dmp
C:\Windows\System\okZETgH.exe
| MD5 | 187c732d89175fa52717d51b47481f7a |
| SHA1 | 8dbb3a4b317c1199a8490318fdc674b8e36470f5 |
| SHA256 | e066963b8f92e27d0b6334d7ac07bd065289bcb08036d1c4d7651f38ab008696 |
| SHA512 | 504a17775e68d9e75b111c2968f83bff8e5e0e04bec95b1439069841c8ecf3d65bb0202bd233f0e2f96abaa4d817eea2c23d0159be48aaf389debd4f254aa338 |
memory/4768-21-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp
C:\Windows\System\JrUblFY.exe
| MD5 | 2d047013b110a83cc5fba7ec2492a297 |
| SHA1 | bed34552fa4af879898801afe9af1485736244c3 |
| SHA256 | 1d66790cc7bb0bf44a2b4609096e965a133789fe18fa1bc6e55e62375ad41720 |
| SHA512 | 7eb3dedc4fa59fa92c342d61958753e6408eab446590bda82a1c3863fbc719a3f184fec88ad0b64006c61e8f55f9285e42090396a836d93b27b9037f8a5b692a |
memory/2380-15-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp
C:\Windows\System\nOicpOD.exe
| MD5 | aaf63299f5519f8596c1a6529aa0b906 |
| SHA1 | 53ec52cd06843079cbfdbc0cea000dc6eea86297 |
| SHA256 | f6c5c1093b686d618f67b914fc67f8675e2d0d7850b0c6cb2e9f7311bace0a05 |
| SHA512 | ded042c1f37f039c528b177e7c0ed5a86fbf8eab61703c8816d89c553d2a9f6f65657c40dee639d25447d95d3c662da5dadc3b7cca1ef1c1403c8434e43d289b |
memory/3556-31-0x00007FF665DC0000-0x00007FF666114000-memory.dmp
memory/3128-38-0x00007FF62A460000-0x00007FF62A7B4000-memory.dmp
C:\Windows\System\PMrexzj.exe
| MD5 | 12895d7ff9e186b402c0cbc8144fdd93 |
| SHA1 | b39018a3d94749e8999f102b422f482f843c02d8 |
| SHA256 | 8a7c014d158b2b58d0db468cdf4893e0da92b9ecbdd2421ceedd9484d15288c5 |
| SHA512 | 26cc5532c96a513d6dc620feabdc9a24207a689399faf4b2b64db2d62a1333320107b37f549bc8879e8602bc90608d598adb65ce4bcda502b8a0c2ad275ce57e |
C:\Windows\System\JLWsAjW.exe
| MD5 | c3e9844347ff9fb02a228f786c652052 |
| SHA1 | c1d611eb7bd525cf2f53e2bc366ce122abff829c |
| SHA256 | 148c52178b2dd62edf1fcfffe53481708bb5d7305fbdd6164dd50ac6a3fad4f3 |
| SHA512 | f464bcc8f1399d45e1f7c33ed087ed95d92aaea1e803c53d8109457d5f5bb244bac248466853bfdf55336d360e458bdd555d79f178edc5d5ca241fb8693b27df |
memory/1080-52-0x00007FF711000000-0x00007FF711354000-memory.dmp
memory/4344-63-0x00007FF6FCB50000-0x00007FF6FCEA4000-memory.dmp
memory/2016-73-0x00007FF6C9260000-0x00007FF6C95B4000-memory.dmp
C:\Windows\System\JLWsAjW.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
memory/2140-89-0x00007FF7BCD80000-0x00007FF7BD0D4000-memory.dmp
memory/2380-95-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp
memory/4024-94-0x00007FF79F700000-0x00007FF79FA54000-memory.dmp
memory/3548-93-0x00007FF600FA0000-0x00007FF6012F4000-memory.dmp
C:\Windows\System\ExphGhO.exe
| MD5 | f991a15ca3ac60a167fa1a9c6e8de38e |
| SHA1 | d439e0cc0a94122db1c5ba149582caa0a0697f4e |
| SHA256 | fdcb1f7457c984d8eef6a2f17ef1df7dd4ef7d397e6731a8084f8d30609845b0 |
| SHA512 | 60fcf22b0d122b18e20c538ceebbe59509ae233af3dc78fe804a99f603d9127125a3ac2c9c4dd7a255838e233096e5136ed0a6735069ac83f2b28c2721c5d50f |
memory/1140-90-0x00007FF6A38A0000-0x00007FF6A3BF4000-memory.dmp
memory/4000-88-0x00007FF7464F0000-0x00007FF746844000-memory.dmp
C:\Windows\System\ExphGhO.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
C:\Windows\System\lpNfSLt.exe
| MD5 | 2f6c78680b2f75c8ce8f41a76f87884b |
| SHA1 | 12618eb206165ab41654bc3bd25b692c41161644 |
| SHA256 | d2cb9271753c86ffffe38e679b1bdb13c205d813c16264cd9aaf0aee321793e1 |
| SHA512 | 4ac821363b698dfb1ecacfa80cfce7b6c22aadc031ddb51d85d40c84978ae5362aba1e85ef771ec094bc3414bf35c72fed0ffb84a3c9e2f530d1dd09a23ea809 |
C:\Windows\System\sWMJJeu.exe
| MD5 | ceb9098f5230061fcf932a8cbe87d317 |
| SHA1 | a2d1a3e81d5292da4aaf67e666eb73bba353f7cd |
| SHA256 | d6817381308bd4ffe6cf3c0f7f6f7144a23f45ccbc833a0c62492f88dfb36323 |
| SHA512 | 2dce8b9b2ed335da48d228caf439f5162ea1293a703453d6dc707864eaa0dab131c5b97227940de0debcb88dac45dec260320060be9dedb69bb74f43150e0df0 |
C:\Windows\System\qDkBOVF.exe
| MD5 | 5e0326ab63e44bcbb413da2eb1cede5f |
| SHA1 | 189fc080f0b195fe3e9004389d0fc400311918cb |
| SHA256 | 3d25a6341e2d099eb068708d7eb6acc6b0832d304052e4873badfd0d1582a464 |
| SHA512 | be356826d1d74f4f544c85dd17d55fa419abe001f7f7474edbbfa296ae778841bb4fe87e9763a3a12b65052a65ba656876bc6084ed122a441bfe91fd86b49880 |
memory/3392-80-0x00007FF757AB0000-0x00007FF757E04000-memory.dmp
memory/3876-79-0x00007FF795F40000-0x00007FF796294000-memory.dmp
C:\Windows\System\sWMJJeu.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
C:\Windows\System\ruYIdbj.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
C:\Windows\System\lpNfSLt.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
C:\Windows\System\yqFsaNw.exe
| MD5 | f6f7c6f5f93527bc44bf21c470ea3af9 |
| SHA1 | 6776524e0fdfea068b74add1c2f05669d77cbcba |
| SHA256 | cbb3fa9a1af7b339ba298c0765ff038c3defbb75b5b46b71f75c1579609ecde4 |
| SHA512 | 48979290397fd50937b979833d1630670e27071829eb35bb6821f467505e7863f65b7b5fe6d69e13a03c0cac8dca38b8542c9285b9f9a96c4235c077388ca28b |
C:\Windows\System\PMrexzj.exe
| MD5 | 90be846177ebce09b1bfa8b40630684a |
| SHA1 | 43a2c66ff47d9e295f18f8c18fe76b69e8850154 |
| SHA256 | 2237948f07e37d90442b50a92836356588f3ae1e31ae0d8dac227315cf2c7f65 |
| SHA512 | f4ff566c9eaa4a50bcad3cfa87bbb92d072dc2249f94ae304b8cb104e61cee98dba9f3ef0ceebfe48bef05c9c2df36d9188d043c7aa83ca58742993e634b68a6 |
C:\Windows\System\lVPYlcm.exe
| MD5 | 09c50a7e07fb879a316855bf20059dde |
| SHA1 | bbfdb94c8374b0b45acf6edf9977440e641d4565 |
| SHA256 | 51e00124aa8045a3c96cc4b40f4bc582e676f839839511ec7fe7998f4d679216 |
| SHA512 | 95fb4e10a0bf655f8d9e978a054d615f75beca02a4a503770bd20a3d582743677c9c5a41cf40db2dd6d3301d5c889b74832fbdd290708b4427992cf713320a77 |
memory/1964-47-0x00007FF6672B0000-0x00007FF667604000-memory.dmp
C:\Windows\System\MkRJwXK.exe
| MD5 | 4b28a8de4ae6ebe88cfeb5419bc29e27 |
| SHA1 | 92c64b3d3923e7a6fc8537baaf44b185e5d8df1a |
| SHA256 | 02703b8d9827b0fdc3fb3647b09547bbfd5779d371a6b8ac60acab8abc808067 |
| SHA512 | b57812c594b441a92cd14e5a0197ad77d174486d3faabe6c99e3a491c9a60ca02f0e63e09198b98cb6ead70bc88ddb7adf77d3e74157fc00d401f64014bc4c83 |
memory/1892-27-0x00007FF6C6FF0000-0x00007FF6C7344000-memory.dmp
C:\Windows\System\JSAsJni.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
C:\Windows\System\xhxRreR.exe
| MD5 | 5358a4b13063c2520e17c51f96bfa1ac |
| SHA1 | 3047ca801e2e286bc4b4527dc3ff6b307ee48d17 |
| SHA256 | 4b577413d2954ff1827ef1546213de820c85902a49dd2cfa7981ae608438098f |
| SHA512 | b682cd0a63cdfea59f099bd3eb10ee8c5155c236ec32112f0b9473c83ab89021444804bbd74602f570e7171db86ace3ed6d1b8ddb2d954cd961eb91038a09927 |
C:\Windows\System\FQhzerE.exe
| MD5 | 2845745df0db5a020d828a78d8ae1661 |
| SHA1 | 83761c2c52986df0099588c7e94de11c734e87ab |
| SHA256 | 22054713cbd39eeb7b3c42ed914bc51a7c9ac7ffabefdfc6338a82875d027f7c |
| SHA512 | 6ea499553899485323bdca098445221063797efbbdd10a4e65b60273807e4e9a6da5f97c183334f1402f19ddfaef66b2150db8f17e1d851d88ab9697a9c2b8ad |
C:\Windows\System\JSAsJni.exe
| MD5 | 17ae3cbfca04f683a7aac5e17e165342 |
| SHA1 | ea0e8f815106b7a2c7373a1c3929102ae9b25cab |
| SHA256 | 9f430796dda29d4039b85e36d711e1e9d5ca6ba0e948286ae51ab57be809fac9 |
| SHA512 | 207c9e5c2122aee47dc389cdff03b5272174516c4a7e1a44d55f7f1b32055f90171afa99b4d66830d17d54f6dfa245e322b01c9714aa13684169e9cbc078ed0c |
memory/1508-115-0x00007FF7C43C0000-0x00007FF7C4714000-memory.dmp
C:\Windows\System\UriPApj.exe
| MD5 | 859d94456bb3da553ce8b1a48ed5270c |
| SHA1 | 147a5c8674e46a7def81e3132c1064e5b94bb48d |
| SHA256 | 628ca57463e5aad8ef829809b5b8ac058b4ef16d57ba8fcfd96838bbb018af8b |
| SHA512 | f1df12a7169cf442068dcabeac80288cdc24d71631e29b3d8fb5711c8593b406a752d6cdb0ced43357528d74c5eecc1d2da4a7e6dcdf69f9c1e81ea7faf6873d |
memory/1964-129-0x00007FF6672B0000-0x00007FF667604000-memory.dmp
memory/3252-132-0x00007FF638810000-0x00007FF638B64000-memory.dmp
C:\Windows\System\qJYxZcg.exe
| MD5 | df43099f8ecf7fc7231104cc7906f346 |
| SHA1 | 3e71eb14c6e419a455fbd4a3234cbfb9f69fb428 |
| SHA256 | 2fee27d95d784896594fd4c402904f15f7b6e8d0448726197f29a8303072c9e7 |
| SHA512 | 0780e96102ed70b27cdcc7843ce59b45e8d687f99de38cd1f2d8f08d1be12d524f20b3d4f78294edd2ce2d1dc761badaaa437128842e8b787cbe7919b203b90d |
memory/3728-125-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp
memory/512-128-0x00007FF6B7C40000-0x00007FF6B7F94000-memory.dmp
C:\Windows\System\qJYxZcg.exe
| MD5 | 805d6db0177034f4ef9f06d0e8f3970c |
| SHA1 | 67585ab26db8a0f7514bdddbe659a432c3af93ed |
| SHA256 | 89cb7ee366d7d52c8fbcb3a32cf095fd97d18d76331743469587b2f7ab169ca8 |
| SHA512 | c53966c4bd83d34a25a166391ac16ddf867ef50ef1bc67c351a4be7ba9cec60c60197219abaa391aa6a74c9615188bf95180c476bbf86e5e4e60b8523ed7049f |
memory/2600-108-0x00007FF7584E0000-0x00007FF758834000-memory.dmp
memory/4768-105-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp
C:\Windows\System\uaSPkIg.exe
| MD5 | 0e5c8654c33b72c55fe99719ce65a053 |
| SHA1 | da4872aa258a7e557c31d8f01ddf0cdcc1ac0139 |
| SHA256 | a7414af554ea2c8c04baa24904d12dafdb0377997ea42ed29a60c42c348124c5 |
| SHA512 | 48e4d3702bcbea6772b136b2684d0644cea1f8dbca520797470c804f8a83b12d99d13ea6951fcacff6dfc6d485fbfa8bcf518c8ac802588b2ddeded532fdcfeb |
memory/2816-101-0x00007FF6A54F0000-0x00007FF6A5844000-memory.dmp
memory/4344-134-0x00007FF6FCB50000-0x00007FF6FCEA4000-memory.dmp
memory/1080-133-0x00007FF711000000-0x00007FF711354000-memory.dmp
memory/2016-135-0x00007FF6C9260000-0x00007FF6C95B4000-memory.dmp
memory/3392-136-0x00007FF757AB0000-0x00007FF757E04000-memory.dmp
memory/3548-137-0x00007FF600FA0000-0x00007FF6012F4000-memory.dmp
memory/2816-138-0x00007FF6A54F0000-0x00007FF6A5844000-memory.dmp
memory/2600-139-0x00007FF7584E0000-0x00007FF758834000-memory.dmp
memory/1508-140-0x00007FF7C43C0000-0x00007FF7C4714000-memory.dmp
memory/3252-141-0x00007FF638810000-0x00007FF638B64000-memory.dmp
memory/4024-142-0x00007FF79F700000-0x00007FF79FA54000-memory.dmp
memory/1892-145-0x00007FF6C6FF0000-0x00007FF6C7344000-memory.dmp
memory/2380-144-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp
memory/4768-143-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp
memory/3556-146-0x00007FF665DC0000-0x00007FF666114000-memory.dmp
memory/3128-147-0x00007FF62A460000-0x00007FF62A7B4000-memory.dmp
memory/1080-149-0x00007FF711000000-0x00007FF711354000-memory.dmp
memory/1964-148-0x00007FF6672B0000-0x00007FF667604000-memory.dmp
memory/2016-151-0x00007FF6C9260000-0x00007FF6C95B4000-memory.dmp
memory/4344-152-0x00007FF6FCB50000-0x00007FF6FCEA4000-memory.dmp
memory/3392-155-0x00007FF757AB0000-0x00007FF757E04000-memory.dmp
memory/3548-156-0x00007FF600FA0000-0x00007FF6012F4000-memory.dmp
memory/2140-154-0x00007FF7BCD80000-0x00007FF7BD0D4000-memory.dmp
memory/1140-153-0x00007FF6A38A0000-0x00007FF6A3BF4000-memory.dmp
memory/3876-150-0x00007FF795F40000-0x00007FF796294000-memory.dmp
memory/2816-157-0x00007FF6A54F0000-0x00007FF6A5844000-memory.dmp
memory/2600-158-0x00007FF7584E0000-0x00007FF758834000-memory.dmp
memory/512-161-0x00007FF6B7C40000-0x00007FF6B7F94000-memory.dmp
memory/3728-160-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp
memory/1508-159-0x00007FF7C43C0000-0x00007FF7C4714000-memory.dmp
memory/3252-162-0x00007FF638810000-0x00007FF638B64000-memory.dmp