Analysis Overview
SHA256
a7625ebd01d317d216eba5b87eb178ee2e94c08a1594cc40be5a0fb5597f2e83
Threat Level: Known bad
The file 2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:52
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:52
Reported
2024-05-30 00:55
Platform
win7-20240221-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TPKfjhI.exe | N/A |
| N/A | N/A | C:\Windows\System\Oqkuxnp.exe | N/A |
| N/A | N/A | C:\Windows\System\kgWnGYX.exe | N/A |
| N/A | N/A | C:\Windows\System\KUEJvSd.exe | N/A |
| N/A | N/A | C:\Windows\System\HrQlkgf.exe | N/A |
| N/A | N/A | C:\Windows\System\SAMFYhF.exe | N/A |
| N/A | N/A | C:\Windows\System\eIgIeqr.exe | N/A |
| N/A | N/A | C:\Windows\System\XmaUpGE.exe | N/A |
| N/A | N/A | C:\Windows\System\SCjNjKE.exe | N/A |
| N/A | N/A | C:\Windows\System\nrdjtVv.exe | N/A |
| N/A | N/A | C:\Windows\System\lvFMeZb.exe | N/A |
| N/A | N/A | C:\Windows\System\CDtWcXU.exe | N/A |
| N/A | N/A | C:\Windows\System\FwCZxnW.exe | N/A |
| N/A | N/A | C:\Windows\System\YmElaBj.exe | N/A |
| N/A | N/A | C:\Windows\System\yDhrhiz.exe | N/A |
| N/A | N/A | C:\Windows\System\mYFtgUU.exe | N/A |
| N/A | N/A | C:\Windows\System\XRFbbOo.exe | N/A |
| N/A | N/A | C:\Windows\System\JrwAXZK.exe | N/A |
| N/A | N/A | C:\Windows\System\abgqlfr.exe | N/A |
| N/A | N/A | C:\Windows\System\kvwKOPp.exe | N/A |
| N/A | N/A | C:\Windows\System\LXvtWBy.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TPKfjhI.exe
C:\Windows\System\TPKfjhI.exe
C:\Windows\System\Oqkuxnp.exe
C:\Windows\System\Oqkuxnp.exe
C:\Windows\System\kgWnGYX.exe
C:\Windows\System\kgWnGYX.exe
C:\Windows\System\HrQlkgf.exe
C:\Windows\System\HrQlkgf.exe
C:\Windows\System\KUEJvSd.exe
C:\Windows\System\KUEJvSd.exe
C:\Windows\System\SAMFYhF.exe
C:\Windows\System\SAMFYhF.exe
C:\Windows\System\eIgIeqr.exe
C:\Windows\System\eIgIeqr.exe
C:\Windows\System\XmaUpGE.exe
C:\Windows\System\XmaUpGE.exe
C:\Windows\System\SCjNjKE.exe
C:\Windows\System\SCjNjKE.exe
C:\Windows\System\nrdjtVv.exe
C:\Windows\System\nrdjtVv.exe
C:\Windows\System\lvFMeZb.exe
C:\Windows\System\lvFMeZb.exe
C:\Windows\System\CDtWcXU.exe
C:\Windows\System\CDtWcXU.exe
C:\Windows\System\FwCZxnW.exe
C:\Windows\System\FwCZxnW.exe
C:\Windows\System\YmElaBj.exe
C:\Windows\System\YmElaBj.exe
C:\Windows\System\yDhrhiz.exe
C:\Windows\System\yDhrhiz.exe
C:\Windows\System\mYFtgUU.exe
C:\Windows\System\mYFtgUU.exe
C:\Windows\System\XRFbbOo.exe
C:\Windows\System\XRFbbOo.exe
C:\Windows\System\JrwAXZK.exe
C:\Windows\System\JrwAXZK.exe
C:\Windows\System\abgqlfr.exe
C:\Windows\System\abgqlfr.exe
C:\Windows\System\kvwKOPp.exe
C:\Windows\System\kvwKOPp.exe
C:\Windows\System\LXvtWBy.exe
C:\Windows\System\LXvtWBy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2952-0-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2952-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\TPKfjhI.exe
| MD5 | f36b3302b81d2152648e702ad9325ecc |
| SHA1 | 174e88dabb03b6b3207d1c7778f058ab8312635e |
| SHA256 | 04d67d77efb16f1f639e4c344559a6f1500ea573e00ba92007363097ac5b8948 |
| SHA512 | 15e7b100cac4ae5be600993018f9b967bf5b26282e2ee294028cf546f1a926c44e0383a31d5ae3b48acf8ee062965dca936895e9c6f9e5ff68150e66cf24d0ff |
C:\Windows\system\TPKfjhI.exe
| MD5 | a927e766ce0dd88b8afa022d7aaab378 |
| SHA1 | 422287f8a834644e1848d54f2bf2947cb4d9c611 |
| SHA256 | 81e0932dbf7d0f4e5ae2a26abdde6c855e4888a48395a5365d915a2c028faba5 |
| SHA512 | 1a5afcf433c3816618fd8297bfb37e0bc1b4e3be23e1e6dc3013e5c60bbdb78a00fe2f7e08abcbf58f9eebc2f68922438d301e367329a99bc5093689ed541864 |
memory/2952-8-0x000000013FFC0000-0x0000000140311000-memory.dmp
C:\Windows\system\Oqkuxnp.exe
| MD5 | 7754132381e07a385a002dbbeb9dee0c |
| SHA1 | 9955b7072502b3d89101be3a732d5a85945f3ea8 |
| SHA256 | 88f6c1eda4756a51b9ddd77ca22f9c5d9a7bb654762436621691287a245d3d3e |
| SHA512 | 29d68f6cc518163fcbf52b6da736e73b235366b1096bfe0074c6435080b8930dd34903f21b6a407b20ea2927c0287be4edb5686b1c5fd269cd0d3466a1c5a1c8 |
C:\Windows\system\kgWnGYX.exe
| MD5 | 91df922314a4caab432bba0c590ca3c0 |
| SHA1 | b91e20ca4d9be7c8e6fd75ac2830eb878c22eb76 |
| SHA256 | 0cf813b51717aab8d4bf85c804cd17451a9e8a3cc11f9cb8db55a7f62fc7b809 |
| SHA512 | 41834d81c15003ab88fdc17f65dd4d58bf778aa7f748c1778b8b4cf1f00ba4e25cbf41434779e3783c6b2862972c82761d5a6dbf80e22770db840e6a09a40184 |
\Windows\system\HrQlkgf.exe
| MD5 | c158417a6b8f8e60f963da0a669fb73d |
| SHA1 | fbee5db6397d3fbb8d1b7b963ba67086c38e538d |
| SHA256 | 92e01e0f98627daa1565c842cdc4bc694df62de483e6abb31a64a3e722593027 |
| SHA512 | 7e1e3c36d96e82def3470c40cdd109dd873395a9477215571324649d5c6ccd61e2fb8acea5f9f56ad4dd4e37b8ca22bbd3b4fe85f02c9a5b920134a2e2db3c76 |
C:\Windows\system\kgWnGYX.exe
| MD5 | 0eeff42903c14c2247189ea7a774d687 |
| SHA1 | 7e0ea0bdfcc151021c75c1108e934342b605846b |
| SHA256 | bb823b109c3fd202f70fc62155af45ef4186e0c757ed0cb8da1df53c92fcdb73 |
| SHA512 | e723d232f83176b67b80263d7ecae4fda24b6fe7dc5a72e0959e68db588a629e4e927b1dc64edfd8095967e592caaf0b239fa916b26e0632b33c5c047e690c49 |
C:\Windows\system\SAMFYhF.exe
| MD5 | 6c2e3b26858a7441169e9035ff1be4a2 |
| SHA1 | 34433bac98b048c39484729ff9203ec06f3933d7 |
| SHA256 | 36ba98fada74e84acdc8e5001c9fb8b1af8fb5e404660f31fd4406b744af3c17 |
| SHA512 | 74818455772b8287af008671749b4cdfc8ef21fc81c889d31e3435ccecc96c7f2001655b743f18b70a94b99c864dfc9fcbb5a9d02f28c2ceba327b59c1a3efb3 |
memory/1300-30-0x000000013F5E0000-0x000000013F931000-memory.dmp
C:\Windows\system\HrQlkgf.exe
| MD5 | 4a2baacbaa621a0245869c1e83a330c0 |
| SHA1 | f407db0e6d9bff0c7cbc3e3257a2820fc68962ee |
| SHA256 | 61fa97c0c980f7e9efd4a22f4af73e9966d4c9b55ddce44e7897df47f6ef9a83 |
| SHA512 | 905b8a5a26e4bb8135396cd7ba7250b86d9db96dc8aca0d2b340ca0b3ebb11f2337e6d7456913513de6838904317ee1a536303487ab018f294fc6c7f20fafd36 |
C:\Windows\system\eIgIeqr.exe
| MD5 | 9c7b82e7cf3f776819bf027b168bc3e3 |
| SHA1 | 473f79e7c7966633fe68ecee77b1d4973d6575da |
| SHA256 | 5d7bd1b8a49c2c358905cf6e420c49378244e547fc18a80e1f79f64e93ee7a18 |
| SHA512 | f653e50625c9028e1695c3596e95364c164dd57804812b2d262616d80948f9fadd3df40fd49d331e95950492d86dfba8b914aef77222cf164697d0f820504794 |
memory/2952-49-0x000000013F5E0000-0x000000013F931000-memory.dmp
C:\Windows\system\XmaUpGE.exe
| MD5 | 88fb2332b2960a2b1dae6d0fb26e6df4 |
| SHA1 | 6f4ba29487fa566d094a7974f9bc03d8b01fa9e2 |
| SHA256 | ff21ec406122a242992d655c94b22ecb787639b804891f10fa9c1c01f153e15a |
| SHA512 | 16ca644f750ab98cca3b073e75396757b04a4ed1a8234a5def1e7f02462a5653460329ab58141c427205b80668b183e4a1c718e1db4ffe2b0d33713fc46623df |
memory/2520-57-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
C:\Windows\system\nrdjtVv.exe
| MD5 | 6a5a8059ed60bcf5a89f323cd200a115 |
| SHA1 | ad558fa2a3c479a6365a7dfe9d0a15b8c77970f0 |
| SHA256 | ab5744d8ceceff736fc3725048e62b7f1c9839abd49db2d01c882ca62b27f771 |
| SHA512 | b7382def3b644e02957fa024a3db1f30b10f97ad03cf944d39bf8eabbd02caa9face50b204e9c6a15048daea304e0f7b7a10777a4aeb9f8067778ae386984ac6 |
memory/2912-78-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2932-83-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2420-92-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2952-98-0x000000013F110000-0x000000013F461000-memory.dmp
C:\Windows\system\yDhrhiz.exe
| MD5 | e079a532debf2aa09ed43399f7482a78 |
| SHA1 | d64d769e3852c50693e4939ff3c40188d985ada3 |
| SHA256 | f0e2e71cee385e456cf0a137190ff1c1a4b29ed7cc4b5c514e44a5a394624d11 |
| SHA512 | 8aba5fe4a36db99c5343691e54a7723b5626c7b4bf43886827b3df3f80c7dcb9e6bc850e27458fb5b242f7a701bccc0b53ebc5b21d12d38ba652c2283e9e3d7e |
memory/1300-105-0x000000013F5E0000-0x000000013F931000-memory.dmp
C:\Windows\system\mYFtgUU.exe
| MD5 | 35dc97925499d03367fbc14e4ef4637b |
| SHA1 | d85703eca99f6ae8fb53acf290bc99cd541e029a |
| SHA256 | 0017ee913bf62b45749c29c336f20bc56e7700247933dd049403650aba74e34f |
| SHA512 | 54a772af54e00f8585d89e796133ae1fa191554bfacce30dd56d3da9402f70c0efcffb40d8eb91b3d3e1380ce5251934cf059d6ae51bb8a8be04d1cf8c1ca8a7 |
\Windows\system\kvwKOPp.exe
| MD5 | 45ed70d0b7d4a61dd9ab7ea126749d24 |
| SHA1 | dd6ceff6a82643367652b586600c6977da94167a |
| SHA256 | 0a68780183fda4e42a9adc43162a22b3430f28bf502bc3d28178b95be3406c52 |
| SHA512 | ea44ec071da4dcb9da5b9e6352af0bd3e4626e8ca50b8021dd9dbc8c041c47f08d458d01d8bc5c46479b016f2e60ca92385b67030e5442a4d91124ee92491f20 |
C:\Windows\system\LXvtWBy.exe
| MD5 | dedc487574b40e0af842939fd32fae9e |
| SHA1 | 17c2f600cc70444fa42c7ae6e3b14d7a2220e40f |
| SHA256 | 280999b2d18879c822facc6ca39699b693d1490b093408217f108ef16e5f58c1 |
| SHA512 | b0e32c6de4661de265f558875a5fdca64f1529a0745ddc22795fd7e269a31aed490f3e4a6e36ab2f6347254ec4a005a4d5ab2941df32eebd5514d8c9540b99ea |
C:\Windows\system\kvwKOPp.exe
| MD5 | 9cc3b8c96655ff70e0bab32927095145 |
| SHA1 | d44bc1271168e8cd48fd0247350522ff19ba10d0 |
| SHA256 | 74c79613da11d512073bb65225893b278d9bbcf417b1b76e01905a61f9de45b8 |
| SHA512 | 3756c7f8b567842b22282115ffeb29b7b5301154331afcc7c93aa3748cf12a4eed1e40a794dc937299e81a9b4917e38dcff4fdc3d6936bb4c744cf7d417c4d15 |
C:\Windows\system\abgqlfr.exe
| MD5 | 1fca5c4c86e3159344efa30af95d388f |
| SHA1 | 5bbb3a754fa1af9c202fc58ddb46db247df44d98 |
| SHA256 | 38401ad31139ce7dcf623e1a64908301b960e16c6bd42ee14491a5f8f70199a5 |
| SHA512 | 3ad928fd77b8823136e5ba09c2b9a9d3b1d5c97ebf8d79eafa8999f4a71faf7746d3d342cbb1c107807506c8d5306ac4dbdd593ba2658294b373450edf8cddf6 |
C:\Windows\system\XRFbbOo.exe
| MD5 | 0c6727dce3173dbb9f04e51991283efd |
| SHA1 | 3c84a503a609aa8ad90c36338d779aa6cad21f95 |
| SHA256 | cc831b6f8dc54e9582675f8a67b8efd8115a422ce04e9f8ac3a38f4510668cc7 |
| SHA512 | 42ff04eb66fba229634d86440056e22c3f745e40bc8fa5e7f45cc7a9d01489cb447af568772a14da2d6b56929d68ba5534c1c885bee653e3ba3444b1cb5be03b |
\Windows\system\mYFtgUU.exe
| MD5 | 35d4b9b40e9b95b4a75dec06c4c6f979 |
| SHA1 | 0b088ae4df4f56a63f25ba22b7e936e89c483dcb |
| SHA256 | a2e35e125d8ab4763501772c6c07ab280e15f436019dc190dfa4cb55de62bc7e |
| SHA512 | 56c93fd59bffe6df5a120e950c179eec9dfb3eaf7c3f2e9804dbd4886aee0b0f3a2ad0227feedbd311243dfffa198f082d84fd5e6761249fd05b31e51ba2784b |
\Windows\system\yDhrhiz.exe
| MD5 | 0af3e36956df6549470e3ff9e1f46248 |
| SHA1 | b7c2a347a49c58d4223a4286a6b289d55c0e1230 |
| SHA256 | de6283192da89a26e9e9d707cb3c816eaa62df7fecf1922d21e6ab2e9c704f7d |
| SHA512 | f6cbf74932b12c03901853f32cf1fb61f6e22feefcce2a97d48de63740fb58427602cef187e780bac418175b1bf620a28c6a169c5c08710f72ed2377d0caebb0 |
memory/2608-99-0x000000013FB50000-0x000000013FEA1000-memory.dmp
C:\Windows\system\YmElaBj.exe
| MD5 | 8903a1e10bf1e21f164087c2b76007c3 |
| SHA1 | f0d81e1e4a4a630af7fc5007efb7fd2c392fe9a9 |
| SHA256 | 74846cee843c6df624fd78a7fb7a5650beecf0ccb9299e25f3d4b665292527b3 |
| SHA512 | 7ff4f487634d8f2169ee482262185e3b5a40aeb958c90d2eda518a0a4c917472bef135a1a36e0eb6771a70466e3f3ba0a485ad4525320c6bd3afc8acee9ed6d4 |
memory/2952-91-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\FwCZxnW.exe
| MD5 | 2c90cc0356f4566b008b342a9d566c17 |
| SHA1 | ebf9e9b28bb53ae069d716b5004df2309be38233 |
| SHA256 | 65b8cc921e5beac8acb4c4978327db0a6410ebad1d4888e3af51dc309ddedc42 |
| SHA512 | 4fc7b7f1cb308d635ae4f13da8749a4c3c49a3b33d7e00a30e678474258cb99d7d9e999972a39ce6a2df658ac2794e34b52570c8027cd8cc67d2e552eb9f0d90 |
memory/2952-82-0x000000013F740000-0x000000013FA91000-memory.dmp
C:\Windows\system\CDtWcXU.exe
| MD5 | c0cad8066bfa2e4be9076791dd91901e |
| SHA1 | 12d4c53998fdfa9a7945677b374b1c4664af3b01 |
| SHA256 | 04868786f99256321a293db359efd29669e2c2ec89e724ab994fa6b2e5a22615 |
| SHA512 | dc282c9b4dd583a9cdc38eb848678d919e55a8038a424b840fdcfae791875e324ece3708fb042c29a03bc7dcd70f171a93ab187af0cac34142278936bd5c981a |
\Windows\system\lvFMeZb.exe
| MD5 | 584e10dc2cf96c43d3adc98aa3d1ed73 |
| SHA1 | 58e190f90e69964364e855ef8038da4e73480054 |
| SHA256 | 772b82101e0bd427190380143eeed46370c4f18e67c36539564a38365843734d |
| SHA512 | 30c530bee1b36aaf887310517b6603989b9a28aa583ecee277de0ed5a8e76396fcb47f5302e2d02f3e2e83b20b2e0a7d8a14354ea1b163fa16242c83d634a01c |
memory/2452-72-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2952-71-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2480-64-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2952-63-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2952-56-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
C:\Windows\system\SCjNjKE.exe
| MD5 | 36b836ea8337aef77e243fa159a41fef |
| SHA1 | 07a448a038a038af63be11708bf232543ec3999b |
| SHA256 | 47f8a0c149ff749f89e39eaba027364392567815bc24b02ecad30c5704e03e02 |
| SHA512 | 3c4d52a15e730154eb80ceb30abe9bc12cbe0b2d9c671780124fa7563f9c362785614c400ef1024f2b4ff4948a32f9c8873705b711a4f897973f16751791b592 |
memory/2952-51-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2112-50-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2564-48-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2952-47-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2584-46-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2988-45-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2952-44-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2952-43-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/1160-42-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2952-40-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\KUEJvSd.exe
| MD5 | 8e5fe42f4b98bb66edf3a502dd76cdf0 |
| SHA1 | 1994dbd83dcb816550dd2b3ee26e290acda558d8 |
| SHA256 | 59e58a42a72c67195799b037cbd01127992229e15894c1f864a5a650573ec1ae |
| SHA512 | 3dcf870aa95b77b85a646e7fc1aacb12ff7d9749c6e51b4a1476a8d56d0f8db309b53b07cb2197d0f75914534250e47ddc3911be5a599de815a6f87054678664 |
memory/1684-24-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2520-135-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2952-136-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2480-152-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2952-151-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2932-148-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/600-159-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1664-158-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/792-156-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/1980-155-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/1280-154-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2320-157-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/1960-153-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2952-160-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2952-182-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/1684-206-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/1160-208-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2988-212-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/1300-214-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2112-211-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2564-216-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2520-219-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2584-220-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2480-222-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2452-224-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2912-226-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2932-228-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2420-230-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2608-232-0x000000013FB50000-0x000000013FEA1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:52
Reported
2024-05-30 00:55
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WreKtzA.exe | N/A |
| N/A | N/A | C:\Windows\System\iZdCzXm.exe | N/A |
| N/A | N/A | C:\Windows\System\TXFSXqb.exe | N/A |
| N/A | N/A | C:\Windows\System\hzCEFHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\avBERzY.exe | N/A |
| N/A | N/A | C:\Windows\System\VRrtmPS.exe | N/A |
| N/A | N/A | C:\Windows\System\gtdlWYt.exe | N/A |
| N/A | N/A | C:\Windows\System\quLYmIZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UmbkPcG.exe | N/A |
| N/A | N/A | C:\Windows\System\zSmzCaY.exe | N/A |
| N/A | N/A | C:\Windows\System\HPllRMW.exe | N/A |
| N/A | N/A | C:\Windows\System\CdpEHxL.exe | N/A |
| N/A | N/A | C:\Windows\System\DETlRtQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ArJPggF.exe | N/A |
| N/A | N/A | C:\Windows\System\xjSpdwb.exe | N/A |
| N/A | N/A | C:\Windows\System\vwmFoDX.exe | N/A |
| N/A | N/A | C:\Windows\System\oaLKwjT.exe | N/A |
| N/A | N/A | C:\Windows\System\HnbIgyQ.exe | N/A |
| N/A | N/A | C:\Windows\System\LIgDkyI.exe | N/A |
| N/A | N/A | C:\Windows\System\AneoCLu.exe | N/A |
| N/A | N/A | C:\Windows\System\XRCQWMP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_66faf3378e562436da963f35d69624e3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WreKtzA.exe
C:\Windows\System\iZdCzXm.exe
C:\Windows\System\TXFSXqb.exe
C:\Windows\System\hzCEFHQ.exe
C:\Windows\System\avBERzY.exe
C:\Windows\System\VRrtmPS.exe
C:\Windows\System\gtdlWYt.exe
C:\Windows\System\quLYmIZ.exe
C:\Windows\System\UmbkPcG.exe
C:\Windows\System\zSmzCaY.exe
C:\Windows\System\HPllRMW.exe
C:\Windows\System\CdpEHxL.exe
C:\Windows\System\DETlRtQ.exe
C:\Windows\System\ArJPggF.exe
C:\Windows\System\xjSpdwb.exe
C:\Windows\System\vwmFoDX.exe
C:\Windows\System\oaLKwjT.exe
C:\Windows\System\HnbIgyQ.exe
C:\Windows\System\LIgDkyI.exe
C:\Windows\System\AneoCLu.exe
C:\Windows\System\XRCQWMP.exe
Network
Files