Analysis Overview
SHA256
c7f9817a07be5bf309084f6cd2704c5564e1f927ea87afbf741298e4af4a1d84
Threat Level: Known bad
The file 2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 00:33
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 00:33
Reported
2024-06-01 00:36
Platform
win7-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MxMnMkd.exe | N/A |
| N/A | N/A | C:\Windows\System\hQGCgWK.exe | N/A |
| N/A | N/A | C:\Windows\System\RJdUaAr.exe | N/A |
| N/A | N/A | C:\Windows\System\ELEumah.exe | N/A |
| N/A | N/A | C:\Windows\System\PeRMTfR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZrXDeda.exe | N/A |
| N/A | N/A | C:\Windows\System\bBbeTMe.exe | N/A |
| N/A | N/A | C:\Windows\System\OBMGifP.exe | N/A |
| N/A | N/A | C:\Windows\System\YQMiycg.exe | N/A |
| N/A | N/A | C:\Windows\System\gRqaLDl.exe | N/A |
| N/A | N/A | C:\Windows\System\aMGpopW.exe | N/A |
| N/A | N/A | C:\Windows\System\falZAkK.exe | N/A |
| N/A | N/A | C:\Windows\System\uKlQOeS.exe | N/A |
| N/A | N/A | C:\Windows\System\tklzRsk.exe | N/A |
| N/A | N/A | C:\Windows\System\bsUXYey.exe | N/A |
| N/A | N/A | C:\Windows\System\IeSKwia.exe | N/A |
| N/A | N/A | C:\Windows\System\nQzPIqA.exe | N/A |
| N/A | N/A | C:\Windows\System\rhDYGuW.exe | N/A |
| N/A | N/A | C:\Windows\System\wGymNer.exe | N/A |
| N/A | N/A | C:\Windows\System\ttRxALo.exe | N/A |
| N/A | N/A | C:\Windows\System\JCdFTUu.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MxMnMkd.exe
C:\Windows\System\MxMnMkd.exe
C:\Windows\System\hQGCgWK.exe
C:\Windows\System\hQGCgWK.exe
C:\Windows\System\ELEumah.exe
C:\Windows\System\ELEumah.exe
C:\Windows\System\RJdUaAr.exe
C:\Windows\System\RJdUaAr.exe
C:\Windows\System\PeRMTfR.exe
C:\Windows\System\PeRMTfR.exe
C:\Windows\System\ZrXDeda.exe
C:\Windows\System\ZrXDeda.exe
C:\Windows\System\OBMGifP.exe
C:\Windows\System\OBMGifP.exe
C:\Windows\System\bBbeTMe.exe
C:\Windows\System\bBbeTMe.exe
C:\Windows\System\YQMiycg.exe
C:\Windows\System\YQMiycg.exe
C:\Windows\System\gRqaLDl.exe
C:\Windows\System\gRqaLDl.exe
C:\Windows\System\aMGpopW.exe
C:\Windows\System\aMGpopW.exe
C:\Windows\System\falZAkK.exe
C:\Windows\System\falZAkK.exe
C:\Windows\System\uKlQOeS.exe
C:\Windows\System\uKlQOeS.exe
C:\Windows\System\tklzRsk.exe
C:\Windows\System\tklzRsk.exe
C:\Windows\System\bsUXYey.exe
C:\Windows\System\bsUXYey.exe
C:\Windows\System\IeSKwia.exe
C:\Windows\System\IeSKwia.exe
C:\Windows\System\nQzPIqA.exe
C:\Windows\System\nQzPIqA.exe
C:\Windows\System\rhDYGuW.exe
C:\Windows\System\rhDYGuW.exe
C:\Windows\System\wGymNer.exe
C:\Windows\System\wGymNer.exe
C:\Windows\System\ttRxALo.exe
C:\Windows\System\ttRxALo.exe
C:\Windows\System\JCdFTUu.exe
C:\Windows\System\JCdFTUu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2280-0-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2280-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\MxMnMkd.exe
| MD5 | e51c1f7602cd4f8138284d8ce27ece40 |
| SHA1 | f3a8c50eefa634e5dfdaa39a5cfd985f4ae02e77 |
| SHA256 | aeb6886cde43946b4252e0d03b106f2b07e8505a7e919e9951c0d90df91af95b |
| SHA512 | b56bfc97bc923401b1f35731c3819f9930a3a99a4b3638bd2f58e72fa63220cdebeb9e12b8a33cc854346e88e6034485811009a4d52e0b0f4c68e4b0c8c7803e |
memory/2280-6-0x0000000002230000-0x0000000002584000-memory.dmp
\Windows\system\hQGCgWK.exe
| MD5 | 80cc0586d42dee5c150d84d6be9e2e15 |
| SHA1 | bb193abf320449000ff0c8aacbb85db4586c707f |
| SHA256 | 62e823eba6c803242bb21082b0d298bc7bbbb24a524400bbed5ae5215062facc |
| SHA512 | 8ce490ebdb0faf9b3a7705d9aee7b8a0be3a79be332b1375c4493cb99faa0a26a7d42d0ba7782cae396adcaad739b5be4cabec15ec82d4db9fd0f9522962d4f6 |
memory/1712-14-0x000000013F4C0000-0x000000013F814000-memory.dmp
\Windows\system\ELEumah.exe
| MD5 | 44f76c6f86cfb0ac855a2733fa098a7f |
| SHA1 | 33c17a2a791582272bbd673333ff05636173c1bf |
| SHA256 | 4c243f98c7bd75808ad3710f7720a8971ff0e9e4508f64eb7cef1982cd5584bd |
| SHA512 | 1bec2fd0b763e93a5cf1cd266dc62a9b67a7fcd0110fa1d7d80c5ac35434e33ab777d2947f8185e3612c6dd65d6f77292c37e5f1abc33d5d38f2a64670422f68 |
memory/2280-23-0x000000013FB70000-0x000000013FEC4000-memory.dmp
\Windows\system\RJdUaAr.exe
| MD5 | 193d1819287cb2df8f86b5a88b3ac258 |
| SHA1 | 226508f0af65a7ea9b652d5dfed9ee6a8351631d |
| SHA256 | 711e439f966860ca56163ed84ea50a76a834ed90ab4e5bb5fa2fa8b33bf43c83 |
| SHA512 | 38d37ed5b2a69354b8393aaea76689841b8ee39725f1450ede873ff7b0e544dce3fb628518780f89e0365b2dd2a8884ffdee2c4b88e62d59b5c8f4b67822f35a |
memory/2280-15-0x0000000002230000-0x0000000002584000-memory.dmp
memory/3020-19-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2648-35-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2684-34-0x000000013FB70000-0x000000013FEC4000-memory.dmp
C:\Windows\system\PeRMTfR.exe
| MD5 | e9e53ae8877635d8e1041ed7a3e1d334 |
| SHA1 | 6c8ffd7f2f6c492efe19893206be4f530301d2c1 |
| SHA256 | 454b8322ef07e14e57f6311795117d1e685baac76a42156b169285a3904e38a6 |
| SHA512 | a94ba96b24e777f5e19b8accdf4abc31d89f927b38eac4f6e639bd2369f5d3cf0550e10f8a65fc20a7eb20110cd09f7c10e846c3da108b2dda8244e4a45c43ba |
memory/2712-31-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2280-29-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2280-26-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2280-41-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2768-42-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\ZrXDeda.exe
| MD5 | 47a43b001f305ec13f90627fa0ae0f90 |
| SHA1 | f7373e3e2c3b7fa488eca9893b5baf840416f951 |
| SHA256 | b2220ab0db2ca5c8f0a2beab049aeff2b15f8385dce51a111bc9f3d0fff03910 |
| SHA512 | 06183ce0dcb183ea22905d845b4efc23a70605f121c97701cc92e0252144b89513fd95d06c08112c5291b43c76cc688ce5bc97b31d4e609e731b593ee371d977 |
\Windows\system\OBMGifP.exe
| MD5 | 97bed9808781c87c0126f7f556fbfc22 |
| SHA1 | bb7ec2d86e70a67877a3df434b9bf72215fb45c3 |
| SHA256 | c2b40434192ab38b8c17afbb4b7d7e8c55035c2a2ce0bb7bd7ed56f8de54a588 |
| SHA512 | c651d964264e148f141b21d661c7dc75689874e786e493faabca41ffbc00b9441db5bfce53b3def323e70f8a7284d67b456caa29a7eb54f457d7c8ebf40dce46 |
C:\Windows\system\bBbeTMe.exe
| MD5 | 490af6a6583b8f863b5f60abeba39f7f |
| SHA1 | 58222ae5563945f3ea795b9564b7a1ad6a9e686c |
| SHA256 | f37be5d4ae9d8275e0b902d16f0c581e55208b9ed2af070d6766c9547ff09389 |
| SHA512 | 9dc24aca0fdc70eb4b8108b7fa9b8c3f8da5f2c7d659e8e32f0a72327a798bd915bbf71b5fe8f6ef4371ddeb08e4d3b015e073d3b5990860a9ecc656d8e40606 |
memory/2280-53-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2280-60-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2604-59-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/1712-56-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2504-55-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2280-48-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\YQMiycg.exe
| MD5 | 102c970e52e5e276b235cb8f31c07987 |
| SHA1 | b1911d932c3afb90e8b40f7234b33fbf445eeae2 |
| SHA256 | c78d90b54143077e5554ab01248f4747eb1f8c09a1b0dcf7f264e1b774d39062 |
| SHA512 | c3ed0bff7040f60b98d3a679e8e1539de71569ce5bbe54e5139f041a2a1d4f21a5f70a70b21b64c61cc070617f313f0034c599cd90c7bca800ac6033b69f4418 |
C:\Windows\system\gRqaLDl.exe
| MD5 | 6cbe5398ca6e8fe48150c86f72969d4a |
| SHA1 | 6fa99b3085cee8b86ec42ad57002a7a82b9656bc |
| SHA256 | c87c91b23f9f28d7fc0e28353ba5605cdd35b1976422d1de791a9e02690caa81 |
| SHA512 | 8a71deb44f4e0e52b1b6766405adcfc2c0f7db61c4bde24177cb48b510d6b7aa25a90ac752113346ecf7ce8ead004a9706283b789070b955424519607093e3db |
memory/1504-75-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2280-74-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2544-68-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2280-66-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2712-65-0x000000013F0C0000-0x000000013F414000-memory.dmp
C:\Windows\system\aMGpopW.exe
| MD5 | 36800d103bd490197653af58a1f1df6c |
| SHA1 | bbd280f54b7bb5595344c16dd626b20395fd2c7c |
| SHA256 | 3395bb15aacccbb9e08b5350dba9ebc34f2dd113c782c5d6d9c126126e7ee0dc |
| SHA512 | d8d04717d87e92417c5a7fd6b449c62d26f93086b2ce85713342f9b657ee009ce7fc8e3b1a2c6fe9c5c59e7a6bdcda9a58e3194eac3d6597e76bcec9332454c2 |
memory/2768-87-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2592-89-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1212-96-0x000000013FD90000-0x00000001400E4000-memory.dmp
C:\Windows\system\rhDYGuW.exe
| MD5 | 8b931546ea21a11db1291b5b91c1a714 |
| SHA1 | e5d3147cdf711971ebfeb370f0f8898f1a43d73b |
| SHA256 | b5501cad731980f1be60211697df43e1d6a671b731afae1c12dbdbd59f44cc74 |
| SHA512 | db2b97a71c2b454f3deef7c0bdb2c04586199e1874b961ac1e1ca20c63fca0fde5d96f22f3ada2e36be8738e8e98acb95b69456011ca4d23683951b9b222c64c |
C:\Windows\system\wGymNer.exe
| MD5 | c9765e2899d0ab19a5faeec7f1d2fe6f |
| SHA1 | 2833bb547d13846152f780b2a29b71aeeb43a348 |
| SHA256 | a09c1980237d93c46e2292f0cd67569eb08cd085c0a7d324a2dd52f397e5faa5 |
| SHA512 | 2ae66b9096b8b2b6e6f8379cb099bc9f49c83e02bb678f377f84d9fe40dfa119479d95495c7e70560bf794304e383c882198c4c06e1cdc23cb4127d686e00e75 |
C:\Windows\system\ttRxALo.exe
| MD5 | 26643ff96735857bdbb799790102fc6a |
| SHA1 | b0bb85c37d5a3be50393045eacbd5bea5ff5054d |
| SHA256 | 3d5acf340648e67c7d8997ff93d0c5171d746142798bf6eefbe104a784fba43f |
| SHA512 | e18682ff7e2c8bb30fd46decf3048eee0197a4d93f5b14793d8846b6823c5c2e58df90a652ce1954836fb81a9ad7a70b5beff9f74e3311bf39a84df53d4eb49c |
\Windows\system\JCdFTUu.exe
| MD5 | bace3866ec155abed5077ad4f79c5002 |
| SHA1 | 119da7dae18e6858d6ae38bc252eb5520434cc02 |
| SHA256 | efe3114007136142ad9fea90fa796392001a9eb7c058d785a4ac912919fa11d5 |
| SHA512 | 380aca86370fbb01820cd682bc1f4c45c2f281799a780ef24e37bffea917a7be56224402d4b04705b66f80d785e445fc81248fc76168e1311a20e1ece553adc8 |
C:\Windows\system\nQzPIqA.exe
| MD5 | 67cfd0eab4f669aaad85a64fbb970c51 |
| SHA1 | 7f460392fd2477957426ebef714cede4c1116a7d |
| SHA256 | 511b03e6690c210e17ea258d6921ae78bed4f0b798159e853b902fd85cee62c7 |
| SHA512 | c6e7e0335615b8d169092535453906233343a3d0660aab8f5b91afeef4e93d113262c25bffb7f179fb881d1a450ea11dbc36b81a82d699b4d96c34d1ead3f35a |
memory/2280-109-0x0000000002230000-0x0000000002584000-memory.dmp
C:\Windows\system\bsUXYey.exe
| MD5 | 3677208bdf51189d7221e7ef48e33bbe |
| SHA1 | 4669a560c53de92e23256584fec6e32d9648c585 |
| SHA256 | a0c9ace358166fb697724fd636fe640a2958f43b485c9366a10acf9b88dd62da |
| SHA512 | b2abcdd4c752bc86e5c61be4a43d0be0487e99e22fd1261f40568ad0663b2197d225ac6aa2d116967cd3ee629808839ebf7c96cc1738cef421cbe1fb0dc3ac79 |
C:\Windows\system\IeSKwia.exe
| MD5 | 59695fcda41cccec8f234442fd88aa4d |
| SHA1 | 03b280e55dca39ad3fe90a0ac78572846c1ba951 |
| SHA256 | 8c44c8390ab1a905e593c841ebe1278ff71a2f3e5c678b5efde9980f281cac17 |
| SHA512 | 0af1dfc8021f96ae57544bab333c07c095126cf3c076950c079634cdd39f023597646fc8b95d49e2d815f1062a804deb5276cf6fd3e7a0dc901f3e0a2ad8ca06 |
memory/1896-102-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2280-101-0x000000013F730000-0x000000013FA84000-memory.dmp
C:\Windows\system\tklzRsk.exe
| MD5 | 77dea11faade6994d388a245215969f8 |
| SHA1 | 2eda401266b705589f1763c42f1b5c71469b25c4 |
| SHA256 | b6a51b5afd495e14c133677728a7da5a27b7c583ded8963ce1354b2ce6b3237e |
| SHA512 | 921770e760f4ebea6a1f5f166c1f0d99abf39e042607ec47fa3a63d3b2121f62a0414d3de384299b0b449b1efb0232ed68ee1e13d0d602e0523c9a562c05c933 |
C:\Windows\system\uKlQOeS.exe
| MD5 | f00b056b1c8005a5698468c907b86da1 |
| SHA1 | 23715e4f8d351356a3607d5bf890854a45fa77f3 |
| SHA256 | 95941287055834986072ec863898b0e17797cf9f81e413b431b784f4d97c360e |
| SHA512 | 910cd2f9ddeb1d9e5896804c3ba1720a59c534ff28f75fd2c072b706a5f89e6b1e1cbcf41cc719a4651cc29c872e9fcb66ecaef883b1a69871732d9731fa832f |
memory/2552-81-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2280-80-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2280-88-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2648-86-0x000000013F200000-0x000000013F554000-memory.dmp
C:\Windows\system\falZAkK.exe
| MD5 | 8f4ad9c64522a94bd4d7637657ddf53b |
| SHA1 | 4af1e5f5ccdc2a9a692aecddf5b3575f21460973 |
| SHA256 | ead5aa7d4d7c9cfbb8ba672a37924328d8a22ee2bd024f6ee3c026b1c059304e |
| SHA512 | 5e412c3cb54898dd7772151865bfe08cc805930383d4decef76a5a9df1f02747537ec1c389d0203bdda89fcebfc6e4536aaea3ecb6f7c9f5e9dfb4af4c839b56 |
memory/2280-140-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2544-141-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2280-142-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2552-143-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2280-144-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2592-145-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2280-146-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/1212-147-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/1896-148-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2280-149-0x0000000002230000-0x0000000002584000-memory.dmp
memory/1712-150-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/3020-151-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2684-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2712-153-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2648-154-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2768-155-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2504-156-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2604-157-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2544-158-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1504-159-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2552-160-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2592-161-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1212-163-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/1896-162-0x000000013F730000-0x000000013FA84000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 00:33
Reported
2024-06-01 00:36
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MxMnMkd.exe | N/A |
| N/A | N/A | C:\Windows\System\hQGCgWK.exe | N/A |
| N/A | N/A | C:\Windows\System\ELEumah.exe | N/A |
| N/A | N/A | C:\Windows\System\RJdUaAr.exe | N/A |
| N/A | N/A | C:\Windows\System\PeRMTfR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZrXDeda.exe | N/A |
| N/A | N/A | C:\Windows\System\OBMGifP.exe | N/A |
| N/A | N/A | C:\Windows\System\bBbeTMe.exe | N/A |
| N/A | N/A | C:\Windows\System\YQMiycg.exe | N/A |
| N/A | N/A | C:\Windows\System\gRqaLDl.exe | N/A |
| N/A | N/A | C:\Windows\System\aMGpopW.exe | N/A |
| N/A | N/A | C:\Windows\System\falZAkK.exe | N/A |
| N/A | N/A | C:\Windows\System\uKlQOeS.exe | N/A |
| N/A | N/A | C:\Windows\System\tklzRsk.exe | N/A |
| N/A | N/A | C:\Windows\System\bsUXYey.exe | N/A |
| N/A | N/A | C:\Windows\System\IeSKwia.exe | N/A |
| N/A | N/A | C:\Windows\System\nQzPIqA.exe | N/A |
| N/A | N/A | C:\Windows\System\rhDYGuW.exe | N/A |
| N/A | N/A | C:\Windows\System\wGymNer.exe | N/A |
| N/A | N/A | C:\Windows\System\ttRxALo.exe | N/A |
| N/A | N/A | C:\Windows\System\JCdFTUu.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MxMnMkd.exe
C:\Windows\System\MxMnMkd.exe
C:\Windows\System\hQGCgWK.exe
C:\Windows\System\hQGCgWK.exe
C:\Windows\System\ELEumah.exe
C:\Windows\System\ELEumah.exe
C:\Windows\System\RJdUaAr.exe
C:\Windows\System\RJdUaAr.exe
C:\Windows\System\PeRMTfR.exe
C:\Windows\System\PeRMTfR.exe
C:\Windows\System\ZrXDeda.exe
C:\Windows\System\ZrXDeda.exe
C:\Windows\System\OBMGifP.exe
C:\Windows\System\OBMGifP.exe
C:\Windows\System\bBbeTMe.exe
C:\Windows\System\bBbeTMe.exe
C:\Windows\System\YQMiycg.exe
C:\Windows\System\YQMiycg.exe
C:\Windows\System\gRqaLDl.exe
C:\Windows\System\gRqaLDl.exe
C:\Windows\System\aMGpopW.exe
C:\Windows\System\aMGpopW.exe
C:\Windows\System\falZAkK.exe
C:\Windows\System\falZAkK.exe
C:\Windows\System\uKlQOeS.exe
C:\Windows\System\uKlQOeS.exe
C:\Windows\System\tklzRsk.exe
C:\Windows\System\tklzRsk.exe
C:\Windows\System\bsUXYey.exe
C:\Windows\System\bsUXYey.exe
C:\Windows\System\IeSKwia.exe
C:\Windows\System\IeSKwia.exe
C:\Windows\System\nQzPIqA.exe
C:\Windows\System\nQzPIqA.exe
C:\Windows\System\rhDYGuW.exe
C:\Windows\System\rhDYGuW.exe
C:\Windows\System\wGymNer.exe
C:\Windows\System\wGymNer.exe
C:\Windows\System\ttRxALo.exe
C:\Windows\System\ttRxALo.exe
C:\Windows\System\JCdFTUu.exe
C:\Windows\System\JCdFTUu.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2720-0-0x00007FF626550000-0x00007FF6268A4000-memory.dmp
memory/2720-1-0x000001EADF530000-0x000001EADF540000-memory.dmp
C:\Windows\System\MxMnMkd.exe
| MD5 | e51c1f7602cd4f8138284d8ce27ece40 |
| SHA1 | f3a8c50eefa634e5dfdaa39a5cfd985f4ae02e77 |
| SHA256 | aeb6886cde43946b4252e0d03b106f2b07e8505a7e919e9951c0d90df91af95b |
| SHA512 | b56bfc97bc923401b1f35731c3819f9930a3a99a4b3638bd2f58e72fa63220cdebeb9e12b8a33cc854346e88e6034485811009a4d52e0b0f4c68e4b0c8c7803e |
memory/3048-7-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp
C:\Windows\System\hQGCgWK.exe
| MD5 | 80cc0586d42dee5c150d84d6be9e2e15 |
| SHA1 | bb193abf320449000ff0c8aacbb85db4586c707f |
| SHA256 | 62e823eba6c803242bb21082b0d298bc7bbbb24a524400bbed5ae5215062facc |
| SHA512 | 8ce490ebdb0faf9b3a7705d9aee7b8a0be3a79be332b1375c4493cb99faa0a26a7d42d0ba7782cae396adcaad739b5be4cabec15ec82d4db9fd0f9522962d4f6 |
memory/3480-14-0x00007FF639A90000-0x00007FF639DE4000-memory.dmp
C:\Windows\System\ELEumah.exe
| MD5 | 44f76c6f86cfb0ac855a2733fa098a7f |
| SHA1 | 33c17a2a791582272bbd673333ff05636173c1bf |
| SHA256 | 4c243f98c7bd75808ad3710f7720a8971ff0e9e4508f64eb7cef1982cd5584bd |
| SHA512 | 1bec2fd0b763e93a5cf1cd266dc62a9b67a7fcd0110fa1d7d80c5ac35434e33ab777d2947f8185e3612c6dd65d6f77292c37e5f1abc33d5d38f2a64670422f68 |
C:\Windows\System\RJdUaAr.exe
| MD5 | 193d1819287cb2df8f86b5a88b3ac258 |
| SHA1 | 226508f0af65a7ea9b652d5dfed9ee6a8351631d |
| SHA256 | 711e439f966860ca56163ed84ea50a76a834ed90ab4e5bb5fa2fa8b33bf43c83 |
| SHA512 | 38d37ed5b2a69354b8393aaea76689841b8ee39725f1450ede873ff7b0e544dce3fb628518780f89e0365b2dd2a8884ffdee2c4b88e62d59b5c8f4b67822f35a |
memory/1040-24-0x00007FF7FCCD0000-0x00007FF7FD024000-memory.dmp
memory/2592-22-0x00007FF63CE30000-0x00007FF63D184000-memory.dmp
C:\Windows\System\PeRMTfR.exe
| MD5 | e9e53ae8877635d8e1041ed7a3e1d334 |
| SHA1 | 6c8ffd7f2f6c492efe19893206be4f530301d2c1 |
| SHA256 | 454b8322ef07e14e57f6311795117d1e685baac76a42156b169285a3904e38a6 |
| SHA512 | a94ba96b24e777f5e19b8accdf4abc31d89f927b38eac4f6e639bd2369f5d3cf0550e10f8a65fc20a7eb20110cd09f7c10e846c3da108b2dda8244e4a45c43ba |
C:\Windows\System\ZrXDeda.exe
| MD5 | 47a43b001f305ec13f90627fa0ae0f90 |
| SHA1 | f7373e3e2c3b7fa488eca9893b5baf840416f951 |
| SHA256 | b2220ab0db2ca5c8f0a2beab049aeff2b15f8385dce51a111bc9f3d0fff03910 |
| SHA512 | 06183ce0dcb183ea22905d845b4efc23a70605f121c97701cc92e0252144b89513fd95d06c08112c5291b43c76cc688ce5bc97b31d4e609e731b593ee371d977 |
C:\Windows\System\OBMGifP.exe
| MD5 | 97bed9808781c87c0126f7f556fbfc22 |
| SHA1 | bb7ec2d86e70a67877a3df434b9bf72215fb45c3 |
| SHA256 | c2b40434192ab38b8c17afbb4b7d7e8c55035c2a2ce0bb7bd7ed56f8de54a588 |
| SHA512 | c651d964264e148f141b21d661c7dc75689874e786e493faabca41ffbc00b9441db5bfce53b3def323e70f8a7284d67b456caa29a7eb54f457d7c8ebf40dce46 |
memory/1460-47-0x00007FF6946F0000-0x00007FF694A44000-memory.dmp
C:\Windows\System\gRqaLDl.exe
| MD5 | 6cbe5398ca6e8fe48150c86f72969d4a |
| SHA1 | 6fa99b3085cee8b86ec42ad57002a7a82b9656bc |
| SHA256 | c87c91b23f9f28d7fc0e28353ba5605cdd35b1976422d1de791a9e02690caa81 |
| SHA512 | 8a71deb44f4e0e52b1b6766405adcfc2c0f7db61c4bde24177cb48b510d6b7aa25a90ac752113346ecf7ce8ead004a9706283b789070b955424519607093e3db |
C:\Windows\System\aMGpopW.exe
| MD5 | 36800d103bd490197653af58a1f1df6c |
| SHA1 | bbd280f54b7bb5595344c16dd626b20395fd2c7c |
| SHA256 | 3395bb15aacccbb9e08b5350dba9ebc34f2dd113c782c5d6d9c126126e7ee0dc |
| SHA512 | d8d04717d87e92417c5a7fd6b449c62d26f93086b2ce85713342f9b657ee009ce7fc8e3b1a2c6fe9c5c59e7a6bdcda9a58e3194eac3d6597e76bcec9332454c2 |
C:\Windows\System\uKlQOeS.exe
| MD5 | f00b056b1c8005a5698468c907b86da1 |
| SHA1 | 23715e4f8d351356a3607d5bf890854a45fa77f3 |
| SHA256 | 95941287055834986072ec863898b0e17797cf9f81e413b431b784f4d97c360e |
| SHA512 | 910cd2f9ddeb1d9e5896804c3ba1720a59c534ff28f75fd2c072b706a5f89e6b1e1cbcf41cc719a4651cc29c872e9fcb66ecaef883b1a69871732d9731fa832f |
memory/5064-75-0x00007FF7345F0000-0x00007FF734944000-memory.dmp
C:\Windows\System\IeSKwia.exe
| MD5 | 59695fcda41cccec8f234442fd88aa4d |
| SHA1 | 03b280e55dca39ad3fe90a0ac78572846c1ba951 |
| SHA256 | 8c44c8390ab1a905e593c841ebe1278ff71a2f3e5c678b5efde9980f281cac17 |
| SHA512 | 0af1dfc8021f96ae57544bab333c07c095126cf3c076950c079634cdd39f023597646fc8b95d49e2d815f1062a804deb5276cf6fd3e7a0dc901f3e0a2ad8ca06 |
C:\Windows\System\wGymNer.exe
| MD5 | c9765e2899d0ab19a5faeec7f1d2fe6f |
| SHA1 | 2833bb547d13846152f780b2a29b71aeeb43a348 |
| SHA256 | a09c1980237d93c46e2292f0cd67569eb08cd085c0a7d324a2dd52f397e5faa5 |
| SHA512 | 2ae66b9096b8b2b6e6f8379cb099bc9f49c83e02bb678f377f84d9fe40dfa119479d95495c7e70560bf794304e383c882198c4c06e1cdc23cb4127d686e00e75 |
C:\Windows\System\JCdFTUu.exe
| MD5 | bace3866ec155abed5077ad4f79c5002 |
| SHA1 | 119da7dae18e6858d6ae38bc252eb5520434cc02 |
| SHA256 | efe3114007136142ad9fea90fa796392001a9eb7c058d785a4ac912919fa11d5 |
| SHA512 | 380aca86370fbb01820cd682bc1f4c45c2f281799a780ef24e37bffea917a7be56224402d4b04705b66f80d785e445fc81248fc76168e1311a20e1ece553adc8 |
C:\Windows\System\ttRxALo.exe
| MD5 | 26643ff96735857bdbb799790102fc6a |
| SHA1 | b0bb85c37d5a3be50393045eacbd5bea5ff5054d |
| SHA256 | 3d5acf340648e67c7d8997ff93d0c5171d746142798bf6eefbe104a784fba43f |
| SHA512 | e18682ff7e2c8bb30fd46decf3048eee0197a4d93f5b14793d8846b6823c5c2e58df90a652ce1954836fb81a9ad7a70b5beff9f74e3311bf39a84df53d4eb49c |
C:\Windows\System\rhDYGuW.exe
| MD5 | 8b931546ea21a11db1291b5b91c1a714 |
| SHA1 | e5d3147cdf711971ebfeb370f0f8898f1a43d73b |
| SHA256 | b5501cad731980f1be60211697df43e1d6a671b731afae1c12dbdbd59f44cc74 |
| SHA512 | db2b97a71c2b454f3deef7c0bdb2c04586199e1874b961ac1e1ca20c63fca0fde5d96f22f3ada2e36be8738e8e98acb95b69456011ca4d23683951b9b222c64c |
C:\Windows\System\nQzPIqA.exe
| MD5 | 67cfd0eab4f669aaad85a64fbb970c51 |
| SHA1 | 7f460392fd2477957426ebef714cede4c1116a7d |
| SHA256 | 511b03e6690c210e17ea258d6921ae78bed4f0b798159e853b902fd85cee62c7 |
| SHA512 | c6e7e0335615b8d169092535453906233343a3d0660aab8f5b91afeef4e93d113262c25bffb7f179fb881d1a450ea11dbc36b81a82d699b4d96c34d1ead3f35a |
C:\Windows\System\bsUXYey.exe
| MD5 | 3677208bdf51189d7221e7ef48e33bbe |
| SHA1 | 4669a560c53de92e23256584fec6e32d9648c585 |
| SHA256 | a0c9ace358166fb697724fd636fe640a2958f43b485c9366a10acf9b88dd62da |
| SHA512 | b2abcdd4c752bc86e5c61be4a43d0be0487e99e22fd1261f40568ad0663b2197d225ac6aa2d116967cd3ee629808839ebf7c96cc1738cef421cbe1fb0dc3ac79 |
C:\Windows\System\tklzRsk.exe
| MD5 | 77dea11faade6994d388a245215969f8 |
| SHA1 | 2eda401266b705589f1763c42f1b5c71469b25c4 |
| SHA256 | b6a51b5afd495e14c133677728a7da5a27b7c583ded8963ce1354b2ce6b3237e |
| SHA512 | 921770e760f4ebea6a1f5f166c1f0d99abf39e042607ec47fa3a63d3b2121f62a0414d3de384299b0b449b1efb0232ed68ee1e13d0d602e0523c9a562c05c933 |
memory/4048-80-0x00007FF701910000-0x00007FF701C64000-memory.dmp
memory/1696-79-0x00007FF722340000-0x00007FF722694000-memory.dmp
memory/5108-78-0x00007FF651A90000-0x00007FF651DE4000-memory.dmp
C:\Windows\System\falZAkK.exe
| MD5 | 8f4ad9c64522a94bd4d7637657ddf53b |
| SHA1 | 4af1e5f5ccdc2a9a692aecddf5b3575f21460973 |
| SHA256 | ead5aa7d4d7c9cfbb8ba672a37924328d8a22ee2bd024f6ee3c026b1c059304e |
| SHA512 | 5e412c3cb54898dd7772151865bfe08cc805930383d4decef76a5a9df1f02747537ec1c389d0203bdda89fcebfc6e4536aaea3ecb6f7c9f5e9dfb4af4c839b56 |
memory/4468-72-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp
C:\Windows\System\YQMiycg.exe
| MD5 | 102c970e52e5e276b235cb8f31c07987 |
| SHA1 | b1911d932c3afb90e8b40f7234b33fbf445eeae2 |
| SHA256 | c78d90b54143077e5554ab01248f4747eb1f8c09a1b0dcf7f264e1b774d39062 |
| SHA512 | c3ed0bff7040f60b98d3a679e8e1539de71569ce5bbe54e5139f041a2a1d4f21a5f70a70b21b64c61cc070617f313f0034c599cd90c7bca800ac6033b69f4418 |
C:\Windows\System\bBbeTMe.exe
| MD5 | 490af6a6583b8f863b5f60abeba39f7f |
| SHA1 | 58222ae5563945f3ea795b9564b7a1ad6a9e686c |
| SHA256 | f37be5d4ae9d8275e0b902d16f0c581e55208b9ed2af070d6766c9547ff09389 |
| SHA512 | 9dc24aca0fdc70eb4b8108b7fa9b8c3f8da5f2c7d659e8e32f0a72327a798bd915bbf71b5fe8f6ef4371ddeb08e4d3b015e073d3b5990860a9ecc656d8e40606 |
memory/828-48-0x00007FF725E90000-0x00007FF7261E4000-memory.dmp
memory/3052-43-0x00007FF6E3380000-0x00007FF6E36D4000-memory.dmp
memory/3268-31-0x00007FF610040000-0x00007FF610394000-memory.dmp
memory/4748-120-0x00007FF6A4F50000-0x00007FF6A52A4000-memory.dmp
memory/3472-122-0x00007FF7E5760000-0x00007FF7E5AB4000-memory.dmp
memory/4928-121-0x00007FF6C3350000-0x00007FF6C36A4000-memory.dmp
memory/5036-124-0x00007FF669EE0000-0x00007FF66A234000-memory.dmp
memory/2212-125-0x00007FF6FC660000-0x00007FF6FC9B4000-memory.dmp
memory/3544-123-0x00007FF622900000-0x00007FF622C54000-memory.dmp
memory/4888-126-0x00007FF7A3EE0000-0x00007FF7A4234000-memory.dmp
memory/4076-127-0x00007FF73A0D0000-0x00007FF73A424000-memory.dmp
memory/2720-128-0x00007FF626550000-0x00007FF6268A4000-memory.dmp
memory/3048-129-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp
memory/3480-130-0x00007FF639A90000-0x00007FF639DE4000-memory.dmp
memory/1040-131-0x00007FF7FCCD0000-0x00007FF7FD024000-memory.dmp
memory/3268-132-0x00007FF610040000-0x00007FF610394000-memory.dmp
memory/828-133-0x00007FF725E90000-0x00007FF7261E4000-memory.dmp
memory/3048-134-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp
memory/3480-135-0x00007FF639A90000-0x00007FF639DE4000-memory.dmp
memory/2592-136-0x00007FF63CE30000-0x00007FF63D184000-memory.dmp
memory/1040-137-0x00007FF7FCCD0000-0x00007FF7FD024000-memory.dmp
memory/3052-138-0x00007FF6E3380000-0x00007FF6E36D4000-memory.dmp
memory/3268-139-0x00007FF610040000-0x00007FF610394000-memory.dmp
memory/1460-140-0x00007FF6946F0000-0x00007FF694A44000-memory.dmp
memory/828-141-0x00007FF725E90000-0x00007FF7261E4000-memory.dmp
memory/4468-142-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp
memory/5064-143-0x00007FF7345F0000-0x00007FF734944000-memory.dmp
memory/5108-144-0x00007FF651A90000-0x00007FF651DE4000-memory.dmp
memory/1696-145-0x00007FF722340000-0x00007FF722694000-memory.dmp
memory/4048-146-0x00007FF701910000-0x00007FF701C64000-memory.dmp
memory/4748-147-0x00007FF6A4F50000-0x00007FF6A52A4000-memory.dmp
memory/4928-148-0x00007FF6C3350000-0x00007FF6C36A4000-memory.dmp
memory/3472-149-0x00007FF7E5760000-0x00007FF7E5AB4000-memory.dmp
memory/3544-150-0x00007FF622900000-0x00007FF622C54000-memory.dmp
memory/5036-151-0x00007FF669EE0000-0x00007FF66A234000-memory.dmp
memory/2212-152-0x00007FF6FC660000-0x00007FF6FC9B4000-memory.dmp
memory/4076-153-0x00007FF73A0D0000-0x00007FF73A424000-memory.dmp
memory/4888-154-0x00007FF7A3EE0000-0x00007FF7A4234000-memory.dmp
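The Processes, Network and Files sections above are easiest to consume with a small parser, and three facts in them are worth checking mechanically: every dropped file is a seven-letter name under C:\Windows\System, a legacy directory that current software does not normally populate with executables; every 0x00007FF... region dumped across the 22 PIDs has the same size, 0x354000 bytes, while every dropped file has a distinct MD5/SHA1/SHA256/SHA512; and the repeated TCP connections to 3.120.209.58:8080 are the only traffic that is not a reverse-lookup query to 8.8.8.8. The script below is an added example, not part of the report or of any sandbox vendor's tooling. REPORT is a constructed excerpt of this page's own lines, shortened to a few entries; one network row keeps the column-shifted form the report uses for TCP rows (protocol in the Domain column) so the parser is shown tolerating it.

```python
"""Pull IOCs and consistency checks out of the sandbox report sections above."""
import re
from collections import Counter

# Constructed excerpt of this page's Processes, Network and Files sections.
REPORT = r"""
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MxMnMkd.exe
C:\Windows\System\MxMnMkd.exe
C:\Windows\System\hQGCgWK.exe
C:\Windows\System\hQGCgWK.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2720-0-0x00007FF626550000-0x00007FF6268A4000-memory.dmp
memory/2720-1-0x000001EADF530000-0x000001EADF540000-memory.dmp
C:\Windows\System\MxMnMkd.exe
| MD5 | e51c1f7602cd4f8138284d8ce27ece40 |
| SHA256 | aeb6886cde43946b4252e0d03b106f2b07e8505a7e919e9951c0d90df91af95b |
memory/3048-7-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp
C:\Windows\System\hQGCgWK.exe
| MD5 | 80cc0586d42dee5c150d84d6be9e2e15 |
| SHA256 | 62e823eba6c803242bb21082b0d298bc7bbbb24a524400bbed5ae5215062facc |
memory/3480-14-0x00007FF639A90000-0x00007FF639DE4000-memory.dmp
"""

DROP_DIR = "c:\\windows\\system\\"
MEMORY_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
DEST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")   # naming pattern seen on this page


def parse_report(text):
    """Return dropped paths, network rows, per-file hashes and dumped memory regions."""
    section, current_file = None, None
    dropped, network, hashes, regions = [], [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Processes", "Network", "Files"):
            section = line
            continue
        if section == "Processes":
            path = line.strip('"')          # command lines repeat the path, quoted
            if path.lower().startswith(DROP_DIR) and path not in dropped:
                dropped.append(path)
        elif section == "Network" and line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|") if c.strip()]
            if cells[0] == "Country":
                continue
            # Locate protocol and destination by content, so a shifted column still parses.
            proto = next((c for c in cells if c in ("tcp", "udp")), None)
            dest = next((c for c in cells if DEST_RE.match(c)), None)
            rest = [c for c in cells[1:] if c not in (proto, dest)]
            network.append((dest, rest[0] if rest else "", proto))
        elif section == "Files":
            m = MEMORY_RE.match(line)
            if m:
                regions.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            elif line.startswith("|"):
                h = HASH_RE.match(line)
                if h and current_file:
                    hashes.setdefault(current_file, {})[h.group(1)] = h.group(2)
            else:
                current_file = line          # a file path introduces its hash table
    return {"dropped": dropped, "network": network, "hashes": hashes, "regions": regions}


def random_named_drops(dropped):
    """Dropped files whose name is seven letters and nothing else."""
    return [p for p in dropped if RANDOM_NAME_RE.match(p.rsplit("\\", 1)[-1])]


def direct_connections(network):
    """Destinations reached without a name: resolver rows carry a domain, these do not."""
    return sorted({dest for dest, domain, _ in network if dest and not domain})


def region_size_histogram(regions):
    """Size of each dumped region; one size repeated across PIDs points at one image."""
    return Counter(end - start for _, start, end in regions)


def all_hashes_distinct(hashes, algo="SHA256"):
    values = [h[algo] for h in hashes.values() if algo in h]
    return len(values) == len(set(values))


if __name__ == "__main__":
    r = parse_report(REPORT)
    print("dropped:", random_named_drops(r["dropped"]))
    print("direct:", direct_connections(r["network"]))
    print("region sizes:", {hex(k): v for k, v in region_size_histogram(r["regions"]).items()})
    print("sha256 all distinct:", all_hashes_distinct(r["hashes"]))
```

Feeding the full page text in place of REPORT gives 21 dropped paths, a single direct destination, a 22-count bucket at 0x354000 next to the one 0x10000 region, and distinct hashes throughout; the hash list is what goes into a blocklist, while the identical image size across differently-hashed files is the clue that the dropper writes a re-packaged copy of one payload under each name.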