Analysis Overview
SHA256
726914d628598886304ef351405730241e562ed8585971a69f30e528570d2f98
Threat Level: Known bad
The file 2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 21:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 21:09
Reported
2024-05-29 21:12
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SfaDwso.exe | N/A |
| N/A | N/A | C:\Windows\System\uCZYxud.exe | N/A |
| N/A | N/A | C:\Windows\System\likxodp.exe | N/A |
| N/A | N/A | C:\Windows\System\zAEeNvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UMnDPtM.exe | N/A |
| N/A | N/A | C:\Windows\System\KTpODwa.exe | N/A |
| N/A | N/A | C:\Windows\System\kzGlmhI.exe | N/A |
| N/A | N/A | C:\Windows\System\XphbLfu.exe | N/A |
| N/A | N/A | C:\Windows\System\PsnMUPe.exe | N/A |
| N/A | N/A | C:\Windows\System\LERbveN.exe | N/A |
| N/A | N/A | C:\Windows\System\BuEphUR.exe | N/A |
| N/A | N/A | C:\Windows\System\tGjZpYe.exe | N/A |
| N/A | N/A | C:\Windows\System\qKFKbsv.exe | N/A |
| N/A | N/A | C:\Windows\System\WJDKysA.exe | N/A |
| N/A | N/A | C:\Windows\System\pbIlHSw.exe | N/A |
| N/A | N/A | C:\Windows\System\ldMPqfl.exe | N/A |
| N/A | N/A | C:\Windows\System\KdOBxVg.exe | N/A |
| N/A | N/A | C:\Windows\System\wwviOrR.exe | N/A |
| N/A | N/A | C:\Windows\System\qHNmkXR.exe | N/A |
| N/A | N/A | C:\Windows\System\SvjRilp.exe | N/A |
| N/A | N/A | C:\Windows\System\QohzuvY.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SfaDwso.exe
C:\Windows\System\SfaDwso.exe
C:\Windows\System\uCZYxud.exe
C:\Windows\System\uCZYxud.exe
C:\Windows\System\likxodp.exe
C:\Windows\System\likxodp.exe
C:\Windows\System\zAEeNvZ.exe
C:\Windows\System\zAEeNvZ.exe
C:\Windows\System\UMnDPtM.exe
C:\Windows\System\UMnDPtM.exe
C:\Windows\System\KTpODwa.exe
C:\Windows\System\KTpODwa.exe
C:\Windows\System\kzGlmhI.exe
C:\Windows\System\kzGlmhI.exe
C:\Windows\System\XphbLfu.exe
C:\Windows\System\XphbLfu.exe
C:\Windows\System\PsnMUPe.exe
C:\Windows\System\PsnMUPe.exe
C:\Windows\System\LERbveN.exe
C:\Windows\System\LERbveN.exe
C:\Windows\System\BuEphUR.exe
C:\Windows\System\BuEphUR.exe
C:\Windows\System\tGjZpYe.exe
C:\Windows\System\tGjZpYe.exe
C:\Windows\System\qKFKbsv.exe
C:\Windows\System\qKFKbsv.exe
C:\Windows\System\WJDKysA.exe
C:\Windows\System\WJDKysA.exe
C:\Windows\System\pbIlHSw.exe
C:\Windows\System\pbIlHSw.exe
C:\Windows\System\ldMPqfl.exe
C:\Windows\System\ldMPqfl.exe
C:\Windows\System\KdOBxVg.exe
C:\Windows\System\KdOBxVg.exe
C:\Windows\System\wwviOrR.exe
C:\Windows\System\wwviOrR.exe
C:\Windows\System\qHNmkXR.exe
C:\Windows\System\qHNmkXR.exe
C:\Windows\System\SvjRilp.exe
C:\Windows\System\SvjRilp.exe
C:\Windows\System\QohzuvY.exe
C:\Windows\System\QohzuvY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 163.126.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 21:09
Reported
2024-05-29 21:12
Platform
win7-20240508-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CNOuPWa.exe | N/A |
| N/A | N/A | C:\Windows\System\MjFImqY.exe | N/A |
| N/A | N/A | C:\Windows\System\igoyOUS.exe | N/A |
| N/A | N/A | C:\Windows\System\JtDWUFd.exe | N/A |
| N/A | N/A | C:\Windows\System\rRKcMFX.exe | N/A |
| N/A | N/A | C:\Windows\System\rAsWdkJ.exe | N/A |
| N/A | N/A | C:\Windows\System\nuUciwd.exe | N/A |
| N/A | N/A | C:\Windows\System\apvnSwb.exe | N/A |
| N/A | N/A | C:\Windows\System\NiVgHNl.exe | N/A |
| N/A | N/A | C:\Windows\System\nLqcKJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\mWzleJq.exe | N/A |
| N/A | N/A | C:\Windows\System\BnFdVRx.exe | N/A |
| N/A | N/A | C:\Windows\System\SUNDXIF.exe | N/A |
| N/A | N/A | C:\Windows\System\tSbMTAQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CnoFHNp.exe | N/A |
| N/A | N/A | C:\Windows\System\kzimpTo.exe | N/A |
| N/A | N/A | C:\Windows\System\BOGbRfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\DFVYQvY.exe | N/A |
| N/A | N/A | C:\Windows\System\nKWRkTY.exe | N/A |
| N/A | N/A | C:\Windows\System\FLVaQZc.exe | N/A |
| N/A | N/A | C:\Windows\System\SUuEYAj.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CNOuPWa.exe
C:\Windows\System\CNOuPWa.exe
C:\Windows\System\MjFImqY.exe
C:\Windows\System\MjFImqY.exe
C:\Windows\System\igoyOUS.exe
C:\Windows\System\igoyOUS.exe
C:\Windows\System\JtDWUFd.exe
C:\Windows\System\JtDWUFd.exe
C:\Windows\System\rRKcMFX.exe
C:\Windows\System\rRKcMFX.exe
C:\Windows\System\rAsWdkJ.exe
C:\Windows\System\rAsWdkJ.exe
C:\Windows\System\nuUciwd.exe
C:\Windows\System\nuUciwd.exe
C:\Windows\System\apvnSwb.exe
C:\Windows\System\apvnSwb.exe
C:\Windows\System\NiVgHNl.exe
C:\Windows\System\NiVgHNl.exe
C:\Windows\System\nLqcKJZ.exe
C:\Windows\System\nLqcKJZ.exe
C:\Windows\System\mWzleJq.exe
C:\Windows\System\mWzleJq.exe
C:\Windows\System\BnFdVRx.exe
C:\Windows\System\BnFdVRx.exe
C:\Windows\System\SUNDXIF.exe
C:\Windows\System\SUNDXIF.exe
C:\Windows\System\tSbMTAQ.exe
C:\Windows\System\tSbMTAQ.exe
C:\Windows\System\CnoFHNp.exe
C:\Windows\System\CnoFHNp.exe
C:\Windows\System\kzimpTo.exe
C:\Windows\System\kzimpTo.exe
C:\Windows\System\nKWRkTY.exe
C:\Windows\System\nKWRkTY.exe
C:\Windows\System\BOGbRfZ.exe
C:\Windows\System\BOGbRfZ.exe
C:\Windows\System\FLVaQZc.exe
C:\Windows\System\FLVaQZc.exe
C:\Windows\System\DFVYQvY.exe
C:\Windows\System\DFVYQvY.exe
C:\Windows\System\SUuEYAj.exe
C:\Windows\System\SUuEYAj.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files