Analysis Overview
SHA256
a68bfbb56f837cf1ff160268161fd52d1d76c07380038da8ac16ba70de1f86e7
Threat Level: Known bad
The file 2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-10 07:25
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 07:24
Reported
2024-06-10 07:27
Platform
win7-20240508-en
Max time kernel
136s
Max time network
145s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wBdHWcd.exe | N/A |
| N/A | N/A | C:\Windows\System\pzlMwnd.exe | N/A |
| N/A | N/A | C:\Windows\System\qNtGZgH.exe | N/A |
| N/A | N/A | C:\Windows\System\XgsxlOY.exe | N/A |
| N/A | N/A | C:\Windows\System\QXCoGGU.exe | N/A |
| N/A | N/A | C:\Windows\System\QpSmZeA.exe | N/A |
| N/A | N/A | C:\Windows\System\IiCXkDB.exe | N/A |
| N/A | N/A | C:\Windows\System\DLSDDPu.exe | N/A |
| N/A | N/A | C:\Windows\System\XlvKLzj.exe | N/A |
| N/A | N/A | C:\Windows\System\WHhOIZx.exe | N/A |
| N/A | N/A | C:\Windows\System\bFhNQex.exe | N/A |
| N/A | N/A | C:\Windows\System\rrtKoEk.exe | N/A |
| N/A | N/A | C:\Windows\System\zxEgolI.exe | N/A |
| N/A | N/A | C:\Windows\System\zxuUdZk.exe | N/A |
| N/A | N/A | C:\Windows\System\EIlQuwa.exe | N/A |
| N/A | N/A | C:\Windows\System\bOJMHNH.exe | N/A |
| N/A | N/A | C:\Windows\System\GzAjCzs.exe | N/A |
| N/A | N/A | C:\Windows\System\BBrLAHZ.exe | N/A |
| N/A | N/A | C:\Windows\System\XUdFcVM.exe | N/A |
| N/A | N/A | C:\Windows\System\uEqXaYn.exe | N/A |
| N/A | N/A | C:\Windows\System\uQjsPLW.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\wBdHWcd.exe
C:\Windows\System\wBdHWcd.exe
C:\Windows\System\pzlMwnd.exe
C:\Windows\System\pzlMwnd.exe
C:\Windows\System\qNtGZgH.exe
C:\Windows\System\qNtGZgH.exe
C:\Windows\System\XgsxlOY.exe
C:\Windows\System\XgsxlOY.exe
C:\Windows\System\QXCoGGU.exe
C:\Windows\System\QXCoGGU.exe
C:\Windows\System\QpSmZeA.exe
C:\Windows\System\QpSmZeA.exe
C:\Windows\System\IiCXkDB.exe
C:\Windows\System\IiCXkDB.exe
C:\Windows\System\DLSDDPu.exe
C:\Windows\System\DLSDDPu.exe
C:\Windows\System\XlvKLzj.exe
C:\Windows\System\XlvKLzj.exe
C:\Windows\System\WHhOIZx.exe
C:\Windows\System\WHhOIZx.exe
C:\Windows\System\bFhNQex.exe
C:\Windows\System\bFhNQex.exe
C:\Windows\System\rrtKoEk.exe
C:\Windows\System\rrtKoEk.exe
C:\Windows\System\zxEgolI.exe
C:\Windows\System\zxEgolI.exe
C:\Windows\System\zxuUdZk.exe
C:\Windows\System\zxuUdZk.exe
C:\Windows\System\EIlQuwa.exe
C:\Windows\System\EIlQuwa.exe
C:\Windows\System\bOJMHNH.exe
C:\Windows\System\bOJMHNH.exe
C:\Windows\System\GzAjCzs.exe
C:\Windows\System\GzAjCzs.exe
C:\Windows\System\BBrLAHZ.exe
C:\Windows\System\BBrLAHZ.exe
C:\Windows\System\XUdFcVM.exe
C:\Windows\System\XUdFcVM.exe
C:\Windows\System\uEqXaYn.exe
C:\Windows\System\uEqXaYn.exe
C:\Windows\System\uQjsPLW.exe
C:\Windows\System\uQjsPLW.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 07:24
Reported
2024-06-10 07:27
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tQJcDKl.exe | N/A |
| N/A | N/A | C:\Windows\System\VQrMuEo.exe | N/A |
| N/A | N/A | C:\Windows\System\PWSbQWE.exe | N/A |
| N/A | N/A | C:\Windows\System\pgGmQmm.exe | N/A |
| N/A | N/A | C:\Windows\System\AoFtlYZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OfnyLFo.exe | N/A |
| N/A | N/A | C:\Windows\System\yFFnsNs.exe | N/A |
| N/A | N/A | C:\Windows\System\lDhHGFY.exe | N/A |
| N/A | N/A | C:\Windows\System\VAvvfhh.exe | N/A |
| N/A | N/A | C:\Windows\System\KgPGzVU.exe | N/A |
| N/A | N/A | C:\Windows\System\wtAoVrD.exe | N/A |
| N/A | N/A | C:\Windows\System\rRxUAWu.exe | N/A |
| N/A | N/A | C:\Windows\System\tooVMgW.exe | N/A |
| N/A | N/A | C:\Windows\System\fkoqXuN.exe | N/A |
| N/A | N/A | C:\Windows\System\FkBSrhy.exe | N/A |
| N/A | N/A | C:\Windows\System\SqUIseM.exe | N/A |
| N/A | N/A | C:\Windows\System\qymAgeF.exe | N/A |
| N/A | N/A | C:\Windows\System\EFMDsiT.exe | N/A |
| N/A | N/A | C:\Windows\System\eudteDv.exe | N/A |
| N/A | N/A | C:\Windows\System\eUItebq.exe | N/A |
| N/A | N/A | C:\Windows\System\qWbVHAx.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe"
Dropped executables launched from C:\Windows\System (the command line of each is the bare path):
C:\Windows\System\tQJcDKl.exe
C:\Windows\System\VQrMuEo.exe
C:\Windows\System\PWSbQWE.exe
C:\Windows\System\pgGmQmm.exe
C:\Windows\System\AoFtlYZ.exe
C:\Windows\System\OfnyLFo.exe
C:\Windows\System\yFFnsNs.exe
C:\Windows\System\lDhHGFY.exe
C:\Windows\System\VAvvfhh.exe
C:\Windows\System\KgPGzVU.exe
C:\Windows\System\wtAoVrD.exe
C:\Windows\System\rRxUAWu.exe
C:\Windows\System\tooVMgW.exe
C:\Windows\System\fkoqXuN.exe
C:\Windows\System\FkBSrhy.exe
C:\Windows\System\SqUIseM.exe
C:\Windows\System\qymAgeF.exe
C:\Windows\System\EFMDsiT.exe
C:\Windows\System\eudteDv.exe
C:\Windows\System\eUItebq.exe
C:\Windows\System\qWbVHAx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
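Detection logic for the three behaviours the AdjustPrivilegeToken, Processes and Network sections record, as an added example written for this page (not the sandbox's own code and not anything from the sample). The telemetry below is constructed from the paths, privilege and endpoints listed in the report; the event field names, the attribution of the dropped executables to the sample as parent, and the lock-pages allowlist are assumptions of this example. Three points worth encoding: C:\Windows\System (not System32) is the legacy directory and rarely hosts real executables, so seven-letter random names there stand out; SeLockMemoryPrivilege grants the right to lock pages in memory (large pages), which XMRig requests for its RandomX dataset and which few applications other than database engines need; and six TCP connections to one non-web port (3.120.209.58:8080) inside a short detonation is the repetition a beacon check keys on.

```python
"""Behavioural detections over constructed telemetry modelled on the report.
Added example, not the sandbox's own code. Event field names, the parent
process and the lock-pages allowlist are assumptions of this example."""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a"
          r"_cobalt-strike_cobaltstrike.exe")
# The 21 dropped executables named in the Processes section.
DROPPED_NAMES = ("tQJcDKl VQrMuEo PWSbQWE pgGmQmm AoFtlYZ OfnyLFo yFFnsNs lDhHGFY VAvvfhh "
                 "KgPGzVU wtAoVrD rRxUAWu tooVMgW fkoqXuN FkBSrhy SqUIseM qymAgeF EFMDsiT "
                 "eudteDv eUItebq qWbVHAx").split()

# Constructed events (a real feed would be Sysmon 1/10/3 or EDR telemetry).
EVENTS = [{"type": "process", "image": r"C:\Windows\System32\svchost.exe"}]  # benign control
EVENTS += [{"type": "process", "image": "C:\\Windows\\System\\" + n + ".exe", "parent": SAMPLE}
           for n in DROPPED_NAMES]
EVENTS += [{"type": "privilege", "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"}] * 2
EVENTS += [{"type": "network", "image": SAMPLE, "proto": "tcp", "dst": "3.120.209.58:8080"}] * 6
EVENTS += [{"type": "network", "image": SAMPLE, "proto": "tcp", "dst": "52.111.227.11:443"},
           {"type": "network", "image": SAMPLE, "proto": "udp", "dst": "8.8.8.8:53"}]

LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"          # not System32: rarely hosts real EXEs
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.I)   # seven letters, as in the report
# SeLockMemoryPrivilege enables large pages; XMRig asks for it for RandomX huge pages.
# Assumed site allowlist of images that legitimately lock pages (e.g. a database engine).
LOCK_PAGES_ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}


def is_random_exe_in_legacy_system_dir(image: str) -> bool:
    """True for C:\\Windows\\System\\<7 letters>.exe; System32 paths do not match."""
    low = image.lower()
    if not low.startswith(LEGACY_SYSTEM_DIR):
        return False
    name = low[len(LEGACY_SYSTEM_DIR):]
    return "\\" not in name and RANDOM_NAME.match(name) is not None


def unexpected_lock_memory(event: dict) -> bool:
    """SeLockMemoryPrivilege enabled by an image outside the allowlist."""
    return (event.get("privilege") == "SeLockMemoryPrivilege"
            and event["image"].lower() not in LOCK_PAGES_ALLOWLIST)


def repeated_tcp_destinations(events, min_hits: int = 3) -> dict:
    """Count TCP connects per destination; repeated hits to one endpoint hint at beaconing."""
    hits = Counter(e["dst"] for e in events if e["type"] == "network" and e["proto"] == "tcp")
    return {dst: n for dst, n in hits.items() if n >= min_hits}


def run_detections(events) -> dict:
    dropped = sorted({e["image"] for e in events
                      if e["type"] == "process" and is_random_exe_in_legacy_system_dir(e["image"])})
    lockers = sorted({e["image"] for e in events
                      if e["type"] == "privilege" and unexpected_lock_memory(e)})
    return {
        "random_exe_in_legacy_system_dir": dropped,
        "unexpected_SeLockMemoryPrivilege": lockers,
        "repeated_tcp_destinations": repeated_tcp_destinations(events),
    }


if __name__ == "__main__":
    for name, hit in run_detections(EVENTS).items():
        print(name, "->", len(hit) if isinstance(hit, list) else hit)
```

On the constructed feed the first rule fires on all 21 dropped executables and on none of the System32 control, the second names only the sample, and the third reports the 3.120.209.58:8080 endpoint with six hits while the single 52.111.227.11:443 connection and the DNS traffic stay below threshold. The in-addr.arpa queries in the table are reverse lookups and are not used as a signal here; in a sandbox they are as likely to come from the platform as from the sample.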
Files
memory/2372-0-0x00007FF6CE0B0000-0x00007FF6CE404000-memory.dmp
memory/2372-1-0x0000018963CB0000-0x0000018963CC0000-memory.dmp
C:\Windows\System\tQJcDKl.exe
| MD5 | 6dec87fc0f7ba22f00ee917fb459a843 |
| SHA1 | 470ba7dfae5901193e04945a8a9fce46b6769e1f |
| SHA256 | 55608a4a13f6e28fde2ef3cf777c852b1626a2b65bc8e0bce326100eaa1f9e08 |
| SHA512 | b7c159e2620c31496d57ded7863aeef6b193e521634fc449a017647eb68c4c3a5e4e2294cb2376768c4a6f216ae58c49ff11d52b155bbd9c21f2ec510ca36243 |
memory/2876-8-0x00007FF7D5BB0000-0x00007FF7D5F04000-memory.dmp
C:\Windows\System\VQrMuEo.exe
| MD5 | 72deaebd05fe40a0b9ee77ab49d78702 |
| SHA1 | 4cfe0c2834b6e019d7df84b7768a0e3d4c9ca564 |
| SHA256 | 9dd20e95ba4cf47b56f34c604017a84a0d57a4e45c26b0d3d9bcbe153effa632 |
| SHA512 | c1a8145272080482d2b0ce56dd974a00d69cda6b983f4061ea4ca58598a380606a6f0822eb22e50042164a306bd335d187d2d8373294b47665ea4ada92da1f0b |
C:\Windows\System\PWSbQWE.exe
| MD5 | c75c58f18329bd20290f2bbc4eb95168 |
| SHA1 | db74c19607fd8bac361360400ff19531cd61f9ff |
| SHA256 | 9fbb02546ab52d202830af9b0a7ffc3b33f340d063bcd4b3662e22c36a47ec2a |
| SHA512 | e271e6e2b54438024152ea95c85504c5ae28af3336e7584952371303691d2811ec1ef7c1d5f42e79fea9500bfef7fb4b024ae2c110ec9d8fefc7fca3a571ff04 |
memory/4372-14-0x00007FF71FF30000-0x00007FF720284000-memory.dmp
C:\Windows\System\pgGmQmm.exe
| MD5 | f9eea8336434c64cd7c0fd8f8ef71472 |
| SHA1 | c83461c4bf765b7a8ef67e50d6092bd481fa62f5 |
| SHA256 | d8834478fb70510eb29f837f8f26c761aeb3ccd6029264969f05c89c08f027a3 |
| SHA512 | e9fae94bc37b5cb3e1c639f2d9572041fd89a7922bdda76428f6868a084ecb1a88c4674621cdd3edfe2e477c5d1bf47274a9d49a470f14d7ea766607dc1aa86d |
memory/2864-20-0x00007FF682D10000-0x00007FF683064000-memory.dmp
C:\Windows\System\AoFtlYZ.exe
| MD5 | 4339387cf5720915090a8ed2c322961e |
| SHA1 | 454c6bad05a1a03c7202b25a5d4c15ec663495cf |
| SHA256 | 893c139698c5013d27be650ca5cabbe5844a8eb6e75c7ccd3a3a0aa19e0b63bc |
| SHA512 | 54bddccbb7a8653931f5b1df0128c139239406df47464da9a93262b2ead2071e41d39ac181794f6794fec42773afbfb0c5b789d1647803a28974dea9365c03ef |
memory/3028-32-0x00007FF751C00000-0x00007FF751F54000-memory.dmp
C:\Windows\System\OfnyLFo.exe
| MD5 | 8f9bb384ac6628e1b361bd98d36b185f |
| SHA1 | e7837937c7627b04f7f467bba513b98d2edef5c5 |
| SHA256 | 3eefa84b70fcd84cca65d53e7d8393e11d74a9ac392a778b1993f9fb81735edf |
| SHA512 | b26e1932152601e6d93e16fc9a1ad7ec64f483c145682d5250de27624d7fe52349fec407771d386f05d9a0f700387b981069cb2639dd5229a9fc7a3ced4b90b9 |
C:\Windows\System\yFFnsNs.exe
| MD5 | 5419a73b8d52816495af1cb578c03a54 |
| SHA1 | 0ed6a1e6686b7f8d8d61feed5a63346eeaedb447 |
| SHA256 | 7bbff49756e434989884819e71a66d277b417b0c128bb8e4272a1ceb8157bd3b |
| SHA512 | ebb9f3c48a7a7e56fd038a90d179f45743d4005129ad03c24d5079062d8bdedfe33adbab89202a4f345736c04577aa44c6808c9e07cbfc759f664c09aa10f3d9 |
memory/2468-42-0x00007FF665D90000-0x00007FF6660E4000-memory.dmp
C:\Windows\System\lDhHGFY.exe
| MD5 | ca6de229e075a06c9bdd8eef51fd16d7 |
| SHA1 | bd8cd35046cd18c980772d4743683cc466afbd55 |
| SHA256 | c9da7c26b702d5a70d79938afb1782330e85a67d634f0ef9ae06b4c5a4b615e5 |
| SHA512 | c58f7c09e078e929a65169dc181ea94026afbb15a41d23fcd4f1634f882a3d24da53f0dc116af6c9b95376f58ec9266ac79a0c3a46b2441f4bf8be551d9e6197 |
C:\Windows\System\VAvvfhh.exe
| MD5 | 317155fbd032854645205cd0e460691e |
| SHA1 | 3fbd0ceee65c3ff19031d1c5ee3da3c4e91d5849 |
| SHA256 | 19c34d8b908a189958876b54a40f35262d0ca85340ffbb2028c9ffe93c7cdf2d |
| SHA512 | 2f58cb2a5f7a7ad75eac44d8efaade4ca581469e91fc6659e622bbc3a9f03f4a96e96d7f2abc5d58a0eae69fdb44a0fd23957ebe99629fd36682f55c0b805b32 |
memory/768-52-0x00007FF6DD930000-0x00007FF6DDC84000-memory.dmp
memory/1236-36-0x00007FF634010000-0x00007FF634364000-memory.dmp
memory/4856-26-0x00007FF7684E0000-0x00007FF768834000-memory.dmp
memory/5016-56-0x00007FF7964A0000-0x00007FF7967F4000-memory.dmp
memory/2372-62-0x00007FF6CE0B0000-0x00007FF6CE404000-memory.dmp
memory/3464-63-0x00007FF63D760000-0x00007FF63DAB4000-memory.dmp
C:\Windows\System\wtAoVrD.exe
| MD5 | 1b746d3274658525892c315ca99853c1 |
| SHA1 | 4fb0c56acc918e9e9b8378b763291096c006b381 |
| SHA256 | dc0f0ac79829af0f0fc20d8642502614379b39b60f4c2ae19d2d23dd66df399b |
| SHA512 | 071489c057d371b17e589cc1120327be3dafcd187cb379622cf13661b59971cf7db8453287b154ad414ddd58217e76abe5f02b26859b9f91f2a1b05be2aa49d4 |
memory/2876-71-0x00007FF7D5BB0000-0x00007FF7D5F04000-memory.dmp
C:\Windows\System\rRxUAWu.exe
| MD5 | 629567db3ce4ff6965f69a35d859dba2 |
| SHA1 | e09333f190fd6f1bdb707a56cb94e67df14d37fe |
| SHA256 | 3e1586cada73be4cf17ac52817d650a0ba567cf4e2706ed993bc2b050a4c4ef2 |
| SHA512 | f9b8624238e958b354cf83685e65c457e14814bc170336babf82511055b49e313b59d4b61ddbf07b9f37827e15c30befb0047a5e08d656c85d34ffa6995f69cf |
memory/3140-72-0x00007FF603600000-0x00007FF603954000-memory.dmp
C:\Windows\System\KgPGzVU.exe
| MD5 | 5d66efe224bd7a022dd572954e190afc |
| SHA1 | ff239bffcb015d92acf645574521f14839706da2 |
| SHA256 | be53ae9f1afb9f92829642ef6f0e8992fabcc67f3ae4d7f6a92acfb079a40f01 |
| SHA512 | cb6606f42a716ecf5d642e5f65a6970e2f7f908595fc25f969a8ca7dc250ed74ecb451518155ab81711acf54d9dff7302774834f6d7142ea66d140bbf70f8256 |
memory/4240-81-0x00007FF6BBBE0000-0x00007FF6BBF34000-memory.dmp
memory/232-91-0x00007FF7D9EB0000-0x00007FF7DA204000-memory.dmp
memory/4856-89-0x00007FF7684E0000-0x00007FF768834000-memory.dmp
C:\Windows\System\SqUIseM.exe
| MD5 | 2455f8c4e3d9e594d8b4a1159c00f0c4 |
| SHA1 | 72f4ce9d06c9be2a25f61036b801e3f703839e46 |
| SHA256 | 7b5f985cbb1dc2b74b2b79068e7d0ddb307d93b63e66490c5078c07b777edd30 |
| SHA512 | 691e7ef357437312fcf9acc6ab4bfef98c186fe40edb0072258bf6213715a2c80e12385ba953566e9601409b7bf7be1de3d1e1a048a9214c0657109383e8388f |
memory/4220-113-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp
memory/1236-112-0x00007FF634010000-0x00007FF634364000-memory.dmp
memory/1824-121-0x00007FF72BED0000-0x00007FF72C224000-memory.dmp
C:\Windows\System\eUItebq.exe
| MD5 | e3d49cf7d281892fc5be8bc68c529bcc |
| SHA1 | 952bbf1b9a4a181f9a654b0b096d36d998fdb189 |
| SHA256 | f59bf67ca90f56699b85f06898c19d156c476a2b62d990d3232e2b54960ae54a |
| SHA512 | bf17bf76edcb6c5b00430718ee4f097344c96256f38fbc7bcdec363af6bdf51cee08215d4e272a44fcd8b8daaf2fbb9b6eb2b43dff9e208a010d82f6362fcde8 |
memory/4360-128-0x00007FF69D5C0000-0x00007FF69D914000-memory.dmp
memory/4552-127-0x00007FF7A8330000-0x00007FF7A8684000-memory.dmp
C:\Windows\System\eudteDv.exe
| MD5 | a2c317df42c7ee904cc6a987b1e10b83 |
| SHA1 | 32aa0b66c123c67e7ec97a90a8fabd83dab86b87 |
| SHA256 | f97bbd990e7b7a865c0e0e626b6a2307acc5517875f05a75eefa5ce297b5c265 |
| SHA512 | 5b7937fcb20219d2b9170bbe906c16f4d235ac8a5b797234012c0e04740ec2aa5766af474a4f0d24cc0dd1751c9db65449162aa66c9881c59bcd650dee9f66c2 |
memory/2468-122-0x00007FF665D90000-0x00007FF6660E4000-memory.dmp
memory/4460-118-0x00007FF61CED0000-0x00007FF61D224000-memory.dmp
C:\Windows\System\EFMDsiT.exe
| MD5 | ec5693e5103596e8d4b8d9eac7be0186 |
| SHA1 | 409832003d8f08b1d3d05187935678921e964f7c |
| SHA256 | 72f7796cf333573e399eacec1bf43f84987dddd7c5c32043a57f306d4eee8ba6 |
| SHA512 | 00269caa6184f3ae4eb9fad087126d9e6c3724cfedb26f0573f055f5ce09f1f9e869eac4d1a2c7049448473d459b8374532d74cac3123ef6c3d09669d6134abc |
C:\Windows\System\qymAgeF.exe
| MD5 | 211bb4221f2642f1146b92aa05a0ceac |
| SHA1 | 57c04dbf92fc81207fea0ce725638eefa98d1446 |
| SHA256 | 5c2c7895ad7b3fbe07b4f596bbd079cf82135affcdfb2ce319ad947a854cac51 |
| SHA512 | 03b86a7c2b2ea57614b3019c20a4c20e430a01bae2503f22f9e29fc16820fa2442c713c4170311125c71e20abe6f6a8888f6637171614dcd42cdc56c34644f13 |
memory/224-99-0x00007FF763AB0000-0x00007FF763E04000-memory.dmp
C:\Windows\System\FkBSrhy.exe
| MD5 | 8d788d0fa2290fe1936afe3d7a505eb2 |
| SHA1 | 36aab12a72a487db85d7bf51b23ac9a8ae17f375 |
| SHA256 | bc51180d4df38567be77130542b5fe46dc7e9c269a211d4f5e36475a8921b54a |
| SHA512 | bd1862f8e84b956e518b7db29416c7fc68edefc7fb9f90c7588e6d809a3aba069282f847ccc3a0a1591cb123d4cf5ad26a58ad5b2ecb6af98dde61c169ee9f96 |
C:\Windows\System\fkoqXuN.exe
| MD5 | 0eccae85ae5c58b6ae1d8899cd5085e5 |
| SHA1 | bafb4da52155a18a2421c39b343cfa8bb49c5925 |
| SHA256 | 4fbe103c8bfed161295e43ed6e3546d5bbe5242e99fa23c231b4944eee38760e |
| SHA512 | f6822d426bdba20ee7ed52a30ca883ce1c6e0d499dc78227f37661040688f3c822e7b6fff90880a55af8050735c2712a451642262d256d96e9fee9604df5c08b |
memory/444-83-0x00007FF74DAF0000-0x00007FF74DE44000-memory.dmp
memory/2864-82-0x00007FF682D10000-0x00007FF683064000-memory.dmp
C:\Windows\System\tooVMgW.exe
| MD5 | d6176ff7934dbbde3f63962e9bea8463 |
| SHA1 | 420a4895b85f7d7b947124876aa2382d0039df84 |
| SHA256 | cec8344986243b0e0f95abeaab37682bbc7e89e27d72e5aa5013e28b9271a548 |
| SHA512 | e67d9381dc0470a315bf41ae7bc7d38e120eb96de97d5ccc6af84707819f08a2f4e2ae51e9a98d2e4c1a42f0b8044ab7fd84d06522aef537f6f74853f554d9a1 |
C:\Windows\System\qWbVHAx.exe
| MD5 | 317f31fd2644ea8fd80064c321965edd |
| SHA1 | 495304caf59fd8a1afde5dfce1a148a62c135760 |
| SHA256 | 29b1582c437ed66d8875c039e5aaa285c8de77ebe459e9962f86939bda234e8e |
| SHA512 | acd686560f67c1dd05f3bb63aba253ad57053b2745566cd65a0f63bf096001f7f354f4731eafe20d1438a77e50beff3d7abef56eb8d5c5b826be78870685d148 |
memory/4808-133-0x00007FF6B03F0000-0x00007FF6B0744000-memory.dmp
memory/4240-134-0x00007FF6BBBE0000-0x00007FF6BBF34000-memory.dmp
memory/444-135-0x00007FF74DAF0000-0x00007FF74DE44000-memory.dmp
memory/232-136-0x00007FF7D9EB0000-0x00007FF7DA204000-memory.dmp
memory/224-137-0x00007FF763AB0000-0x00007FF763E04000-memory.dmp
memory/4552-138-0x00007FF7A8330000-0x00007FF7A8684000-memory.dmp
memory/2876-139-0x00007FF7D5BB0000-0x00007FF7D5F04000-memory.dmp
memory/4372-140-0x00007FF71FF30000-0x00007FF720284000-memory.dmp
memory/2864-141-0x00007FF682D10000-0x00007FF683064000-memory.dmp
memory/4856-142-0x00007FF7684E0000-0x00007FF768834000-memory.dmp
memory/3028-143-0x00007FF751C00000-0x00007FF751F54000-memory.dmp
memory/1236-144-0x00007FF634010000-0x00007FF634364000-memory.dmp
memory/2468-145-0x00007FF665D90000-0x00007FF6660E4000-memory.dmp
memory/768-146-0x00007FF6DD930000-0x00007FF6DDC84000-memory.dmp
memory/5016-147-0x00007FF7964A0000-0x00007FF7967F4000-memory.dmp
memory/3464-148-0x00007FF63D760000-0x00007FF63DAB4000-memory.dmp
memory/3140-149-0x00007FF603600000-0x00007FF603954000-memory.dmp
memory/4240-150-0x00007FF6BBBE0000-0x00007FF6BBF34000-memory.dmp
memory/444-151-0x00007FF74DAF0000-0x00007FF74DE44000-memory.dmp
memory/224-152-0x00007FF763AB0000-0x00007FF763E04000-memory.dmp
memory/232-154-0x00007FF7D9EB0000-0x00007FF7DA204000-memory.dmp
memory/4460-155-0x00007FF61CED0000-0x00007FF61D224000-memory.dmp
memory/1824-156-0x00007FF72BED0000-0x00007FF72C224000-memory.dmp
memory/4360-158-0x00007FF69D5C0000-0x00007FF69D914000-memory.dmp
memory/4552-157-0x00007FF7A8330000-0x00007FF7A8684000-memory.dmp
memory/4220-153-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp
memory/4808-159-0x00007FF6B03F0000-0x00007FF6B0744000-memory.dmp
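A parser for the Files section above, as an added example written for this page (not the sandbox's own code). It turns the dropped-file hash tables into an IOC set with length validation and works out the size of every memory region from the dump names, which is where the useful observation sits: each dropped executable maps an image of exactly 0x354000 bytes while the files themselves carry different hashes. The input is a constructed excerpt copied verbatim from the report (two files, six regions); reading the first number of a dump name as the PID, and the helper names, are assumptions of this example.

```python
"""Parse dump names and hash tables from the Files section into sizes and IOCs.
Added example, not the sandbox's own code; the excerpt is copied from the report
and the helper names are this example's own."""
import re
from collections import Counter

# Constructed excerpt: two dropped files and six memory regions, verbatim from the report.
REPORT_EXCERPT = r"""
memory/2372-0-0x00007FF6CE0B0000-0x00007FF6CE404000-memory.dmp
memory/2372-1-0x0000018963CB0000-0x0000018963CC0000-memory.dmp
C:\Windows\System\tQJcDKl.exe
| MD5 | 6dec87fc0f7ba22f00ee917fb459a843 |
| SHA1 | 470ba7dfae5901193e04945a8a9fce46b6769e1f |
| SHA256 | 55608a4a13f6e28fde2ef3cf777c852b1626a2b65bc8e0bce326100eaa1f9e08 |
| SHA512 | b7c159e2620c31496d57ded7863aeef6b193e521634fc449a017647eb68c4c3a5e4e2294cb2376768c4a6f216ae58c49ff11d52b155bbd9c21f2ec510ca36243 |
memory/2876-8-0x00007FF7D5BB0000-0x00007FF7D5F04000-memory.dmp
C:\Windows\System\VQrMuEo.exe
| MD5 | 72deaebd05fe40a0b9ee77ab49d78702 |
| SHA1 | 4cfe0c2834b6e019d7df84b7768a0e3d4c9ca564 |
| SHA256 | 9dd20e95ba4cf47b56f34c604017a84a0d57a4e45c26b0d3d9bcbe153effa632 |
| SHA512 | c1a8145272080482d2b0ce56dd974a00d69cda6b983f4061ea4ca58598a380606a6f0822eb22e50042164a306bd335d187d2d8373294b47665ea4ada92da1f0b |
memory/4372-14-0x00007FF71FF30000-0x00007FF720284000-memory.dmp
memory/2864-20-0x00007FF682D10000-0x00007FF683064000-memory.dmp
memory/3028-32-0x00007FF751C00000-0x00007FF751F54000-memory.dmp
"""

# Dump name layout assumed here: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per algorithm


def parse_report(text):
    """Return (regions, files): region dicts with sizes, and {path: {alg: hexdigest}}."""
    regions, files, current = [], {}, None
    for line in text.strip().splitlines():
        m = REGION.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "idx": int(m[2]), "start": start, "size": end - start})
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            files[current][m[1]] = m[2].lower()
            continue
        if line.lower().endswith(".exe"):        # a path line opens a new file entry
            current = line
            files[current] = {}
    return regions, files


def region_size_histogram(regions) -> Counter:
    """How many regions of each size were dumped (image mappings cluster on one size)."""
    return Counter(r["size"] for r in regions)


def hash_rows_valid(files) -> bool:
    """Every recorded digest has the hex length its algorithm requires."""
    return all(len(h) == HASH_LEN[alg] for entry in files.values() for alg, h in entry.items())


def distinct_hashes(files, alg: str = "SHA256") -> int:
    return len({entry[alg] for entry in files.values() if alg in entry})


if __name__ == "__main__":
    regions, files = parse_report(REPORT_EXCERPT)
    for size, n in sorted(region_size_histogram(regions).items()):
        print(f"{n} region(s) of 0x{size:X} bytes")
    print(f"{len(files)} files, {distinct_hashes(files)} distinct SHA256, valid={hash_rows_valid(files)}")
```

On the excerpt the histogram shows five regions of 0x354000 bytes (the executable image of the sample and of each dropped copy) and one of 0x10000 (a heap block of PID 2372), while the two files have distinct MD5/SHA1/SHA256/SHA512 values. Hash-based blocking therefore needs every digest from the section, whereas the constant image size and the C:\Windows\System path generalise across the drops.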