Analysis Overview
SHA256
54e9cab63cca9089fb3741a1bca5273f7f40541ae5c0b370c8727f21bae68a07
Threat Level: Known bad
The file 2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike family
xmrig
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:25
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:25
Reported
2024-06-01 15:28
Platform
win7-20231129-en
Max time kernel
137s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xKeexmm.exe | N/A |
| N/A | N/A | C:\Windows\System\vhhLODB.exe | N/A |
| N/A | N/A | C:\Windows\System\pzBWMbu.exe | N/A |
| N/A | N/A | C:\Windows\System\jNIlIkJ.exe | N/A |
| N/A | N/A | C:\Windows\System\hMOfZzY.exe | N/A |
| N/A | N/A | C:\Windows\System\xuZumZc.exe | N/A |
| N/A | N/A | C:\Windows\System\aVZZluE.exe | N/A |
| N/A | N/A | C:\Windows\System\ypAdOhx.exe | N/A |
| N/A | N/A | C:\Windows\System\PaGLpZg.exe | N/A |
| N/A | N/A | C:\Windows\System\mkUoOiH.exe | N/A |
| N/A | N/A | C:\Windows\System\wYqRmrb.exe | N/A |
| N/A | N/A | C:\Windows\System\aqzjrpF.exe | N/A |
| N/A | N/A | C:\Windows\System\dHLVonx.exe | N/A |
| N/A | N/A | C:\Windows\System\AbhgGcn.exe | N/A |
| N/A | N/A | C:\Windows\System\FuLHNAC.exe | N/A |
| N/A | N/A | C:\Windows\System\LhuaVgq.exe | N/A |
| N/A | N/A | C:\Windows\System\QbIhKtZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YMLgTEd.exe | N/A |
| N/A | N/A | C:\Windows\System\OhPGeBR.exe | N/A |
| N/A | N/A | C:\Windows\System\KUctjaT.exe | N/A |
| N/A | N/A | C:\Windows\System\SYnlnJs.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\xKeexmm.exe | C:\Windows\System\xKeexmm.exe |
| C:\Windows\System\vhhLODB.exe | C:\Windows\System\vhhLODB.exe |
| C:\Windows\System\pzBWMbu.exe | C:\Windows\System\pzBWMbu.exe |
| C:\Windows\System\jNIlIkJ.exe | C:\Windows\System\jNIlIkJ.exe |
| C:\Windows\System\hMOfZzY.exe | C:\Windows\System\hMOfZzY.exe |
| C:\Windows\System\xuZumZc.exe | C:\Windows\System\xuZumZc.exe |
| C:\Windows\System\aVZZluE.exe | C:\Windows\System\aVZZluE.exe |
| C:\Windows\System\ypAdOhx.exe | C:\Windows\System\ypAdOhx.exe |
| C:\Windows\System\PaGLpZg.exe | C:\Windows\System\PaGLpZg.exe |
| C:\Windows\System\mkUoOiH.exe | C:\Windows\System\mkUoOiH.exe |
| C:\Windows\System\wYqRmrb.exe | C:\Windows\System\wYqRmrb.exe |
| C:\Windows\System\aqzjrpF.exe | C:\Windows\System\aqzjrpF.exe |
| C:\Windows\System\dHLVonx.exe | C:\Windows\System\dHLVonx.exe |
| C:\Windows\System\AbhgGcn.exe | C:\Windows\System\AbhgGcn.exe |
| C:\Windows\System\LhuaVgq.exe | C:\Windows\System\LhuaVgq.exe |
| C:\Windows\System\FuLHNAC.exe | C:\Windows\System\FuLHNAC.exe |
| C:\Windows\System\YMLgTEd.exe | C:\Windows\System\YMLgTEd.exe |
| C:\Windows\System\QbIhKtZ.exe | C:\Windows\System\QbIhKtZ.exe |
| C:\Windows\System\OhPGeBR.exe | C:\Windows\System\OhPGeBR.exe |
| C:\Windows\System\KUctjaT.exe | C:\Windows\System\KUctjaT.exe |
| C:\Windows\System\SYnlnJs.exe | C:\Windows\System\SYnlnJs.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:25
Reported
2024-06-01 15:28
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
155s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HHvctGI.exe | N/A |
| N/A | N/A | C:\Windows\System\wiNTVwU.exe | N/A |
| N/A | N/A | C:\Windows\System\ianTLGL.exe | N/A |
| N/A | N/A | C:\Windows\System\RVtYTPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\exFIlnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EeNKkWN.exe | N/A |
| N/A | N/A | C:\Windows\System\DMQWFHY.exe | N/A |
| N/A | N/A | C:\Windows\System\CSIZFDR.exe | N/A |
| N/A | N/A | C:\Windows\System\NXpMije.exe | N/A |
| N/A | N/A | C:\Windows\System\dMMVpup.exe | N/A |
| N/A | N/A | C:\Windows\System\LYjXHUM.exe | N/A |
| N/A | N/A | C:\Windows\System\aJmzrgN.exe | N/A |
| N/A | N/A | C:\Windows\System\pgQEEDP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzGUYJm.exe | N/A |
| N/A | N/A | C:\Windows\System\AJsLOQe.exe | N/A |
| N/A | N/A | C:\Windows\System\hVVTzuC.exe | N/A |
| N/A | N/A | C:\Windows\System\OWkppYa.exe | N/A |
| N/A | N/A | C:\Windows\System\PYoorIy.exe | N/A |
| N/A | N/A | C:\Windows\System\dVPsKFY.exe | N/A |
| N/A | N/A | C:\Windows\System\vhZfZPa.exe | N/A |
| N/A | N/A | C:\Windows\System\ANKuCqy.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_04d2da24e8c9f791b5a30e537100c1fe_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\HHvctGI.exe | C:\Windows\System\HHvctGI.exe |
| C:\Windows\System\wiNTVwU.exe | C:\Windows\System\wiNTVwU.exe |
| C:\Windows\System\ianTLGL.exe | C:\Windows\System\ianTLGL.exe |
| C:\Windows\System\RVtYTPZ.exe | C:\Windows\System\RVtYTPZ.exe |
| C:\Windows\System\exFIlnQ.exe | C:\Windows\System\exFIlnQ.exe |
| C:\Windows\System\EeNKkWN.exe | C:\Windows\System\EeNKkWN.exe |
| C:\Windows\System\DMQWFHY.exe | C:\Windows\System\DMQWFHY.exe |
| C:\Windows\System\CSIZFDR.exe | C:\Windows\System\CSIZFDR.exe |
| C:\Windows\System\NXpMije.exe | C:\Windows\System\NXpMije.exe |
| C:\Windows\System\dMMVpup.exe | C:\Windows\System\dMMVpup.exe |
| C:\Windows\System\LYjXHUM.exe | C:\Windows\System\LYjXHUM.exe |
| C:\Windows\System\aJmzrgN.exe | C:\Windows\System\aJmzrgN.exe |
| C:\Windows\System\pgQEEDP.exe | C:\Windows\System\pgQEEDP.exe |
| C:\Windows\System\ZzGUYJm.exe | C:\Windows\System\ZzGUYJm.exe |
| C:\Windows\System\AJsLOQe.exe | C:\Windows\System\AJsLOQe.exe |
| C:\Windows\System\hVVTzuC.exe | C:\Windows\System\hVVTzuC.exe |
| C:\Windows\System\OWkppYa.exe | C:\Windows\System\OWkppYa.exe |
| C:\Windows\System\PYoorIy.exe | C:\Windows\System\PYoorIy.exe |
| C:\Windows\System\dVPsKFY.exe | C:\Windows\System\dVPsKFY.exe |
| C:\Windows\System\vhZfZPa.exe | C:\Windows\System\vhZfZPa.exe |
| C:\Windows\System\ANKuCqy.exe | C:\Windows\System\ANKuCqy.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Windows\System\HHvctGI.exe
| MD5 | 81165f2eb67fd2a080adcb3db6be0bed |
| SHA1 | ac1ea7950860a5c881116cbff54be78cfd058276 |
| SHA256 | 8c1607dfc86a7a591a79d07942d6fdb670cd92cdbb7434d8d9f59b96bdfe4e54 |
| SHA512 | 96f3421c9441fe691b9766e5a0d26870fb9d5b174ac1c879c4fe890f6fdd0644795aa710dd259a12e6ad26f1e8bf82338e3b2de55168737216ae11867e35213a |
C:\Windows\System\wiNTVwU.exe
| MD5 | 0f25c013ae702eff40a7a0d4fb064826 |
| SHA1 | 8e49be93e2faa2cc88d9032842d6fe8dbc3d0558 |
| SHA256 | 373e973eb29318e7aa546ffdbc2b6c78449f53f5bb6f487ccd86da7c1ac9d59c |
| SHA512 | b7d8ee911762e7d926904d4492085f399b1d6a1b24f879545babe2c1a519936768573a13fcf3ea1fa22711ce06bdc932397214399ca70155dc5a23429526177a |
C:\Windows\System\ianTLGL.exe
| MD5 | 6e45effb9aa255535ae25b05c3677d44 |
| SHA1 | 60ad42bb74a044ba5627e681d98ecc75ca13c620 |
| SHA256 | 584d82f0a7f34322c380749edca7a11b398c05e164abbbacf9706f6b838d064e |
| SHA512 | 5fa86ec6172eb694274d929fa5e15520c8e49016d48bedca4fa41e89b4b34e610a237db1015a0fd26a16f76df9b78873bb74e20561d3468d98c32692ff77ae2d |
C:\Windows\System\RVtYTPZ.exe
| MD5 | 84d97d18fb6416ef544b61fe681c2f09 |
| SHA1 | 21d01c33fc50a29a27dd3bcee31dbb1f1cd24170 |
| SHA256 | 4f2bd2d0727ead67fccbffeb3eb11df9b3588e0f2db8a6dd37c3c74130731a1d |
| SHA512 | 9bfdbef25dff6b26a96ba4a4304d824230ec0893df512aaee3329b3134342e5c0357db738bdcee10961e4afdd3afd96f7713458d21f8525f946753f63ccd6f5d |
C:\Windows\System\exFIlnQ.exe
| MD5 | 4e12cf467fd52b02af6a82d52a462418 |
| SHA1 | 7c1a910f00db32a4bac7b8d2a16356505cb17b24 |
| SHA256 | 9791635c60417469637de0ba28ab3c643a45e2e133c88498690782c5c3e98269 |
| SHA512 | bc8495df5ceb78318e7e37c4e1ff135f7e2f001a1ae8615859037d43d19e5728fa4db00f35d576d3dd180772baa58dc7a95cf35eced00e4b974ee5d84e750a6b |
C:\Windows\System\EeNKkWN.exe
| MD5 | 4189ec57a2a3de7ae8a63e2d623c1967 |
| SHA1 | cd04aa5882d26e991c2b47e926c087a71f650981 |
| SHA256 | bc5cbb75088c9f4e025b65e778b9e5e19fed702818049fc25e0ef49779da7f56 |
| SHA512 | f2a2555fefeab44df9606bdcdcef1d1255fd99018def99736c597506aa894018237f09bb0d85f50c259551a641431c3b10cc896c62a41f51189a2561de37d0b9 |
C:\Windows\System\CSIZFDR.exe
| MD5 | 3789955bb5e395e7f01ce239305c0953 |
| SHA1 | e918525317d20c1c6c460e714c252be987e64c17 |
| SHA256 | 7946b21904ff166e9fc03ca88d8881a4a9bbc7ea764a5a4b4a3c0a8ed90c0c6e |
| SHA512 | 5d3086b07f0e2ac42fb96e8f7c03006c201138f27a73b7baa5c9c94c0ac315bf6c4f91ee141279080bfd99b89d841068b215624cde1ff89b49404d1a3f7a0f0d |
C:\Windows\System\NXpMije.exe
| MD5 | 42f82ae8a6b44c17e8edbebc7734036d |
| SHA1 | 13f6cae69a055b7a6f646397a633a1cd0bca63f1 |
| SHA256 | 46c5ebd42a8d03904e03a310df086765697df8bfd36b4dddf08f2eeeada85aa6 |
| SHA512 | 5c2e5bd328a3645e76cc4730d2ee30166b6613c0337e7e6bd9784c564be22cfe63caec932d7ca771f11fd3f0921fc7ea5fab484c5f08aa2c6b40e1ce74168c60 |
C:\Windows\System\aJmzrgN.exe
| MD5 | 9fc0505e5486fd016ee2adc8b0078eef |
| SHA1 | be1891d154ace172fa7a1f915a3d52959017aebf |
| SHA256 | e5ecd35833d67d977111b21cac35d2c16f1d3928c12ca48fe11dc56bbad8c543 |
| SHA512 | 125f9b04a9d3a4551728e2d943a3ab86234c6242c390c44102f0fa353037f7fedd35f26468e7194726bee72de4806ce1b27dcf400ebf5f0ced215bb2239d0264 |
C:\Windows\System\pgQEEDP.exe
| MD5 | d17650fc5733a52cba492c3d44c9acf1 |
| SHA1 | 4e4ec3d7b02354c79e02d487db3d63186f8f39c3 |
| SHA256 | a0b6d0c142105cb1fd570c55e819f2ef6cf9c86ea139319a83f50ea3537403cf |
| SHA512 | aa83493192771d0dec50cc94b744827140a887078f5ff59edcc3a28751ac26fb9e595845793ad4c0d1db93a5da30ea1659e25d1574ef61e5b038791949ba87e5 |
C:\Windows\System\hVVTzuC.exe
| MD5 | b9067320afb6d4d12016643a1b1e7880 |
| SHA1 | dbfe352c7467a9efd88d2a83f51f13d1fa85a22a |
| SHA256 | dfa320340fe1c05805d461b688af4074effcbeeabefa89878f6ba98c3c88fdc5 |
| SHA512 | c26e61d15706dca1b436990b3e97597a751322dfa897fa7b6152794f858d65d414d33ada3b0a171e1b92d8ae8ad38da01eb5614ce8337183a392f1e43c00314a |
C:\Windows\System\PYoorIy.exe
| MD5 | e7a280ea621772e3d478132f0e3fe392 |
| SHA1 | 4b8eccd3eaaa1e67e16a31c157b0477254faa686 |
| SHA256 | dba8d66478f0e089401cb20b9c38a88c67b0b1d315fbdbe81bf39d1f5f722aa9 |
| SHA512 | e934377aa908f4ad1f8db186752fa48c81d4c6be4ecd8db01392bda69995c68264e161ccef416e10b9e77dfb83a4c7d8a767cb42cd195fe4dae2f641f1268ee6 |
C:\Windows\System\vhZfZPa.exe
| MD5 | 36a45a445fe39fb04b5d51368c985d11 |
| SHA1 | 56496387d005813fbb033ab846728d829e2ea65c |
| SHA256 | f29e4d337f4a2859c330807e4cee7f059da15662ef0a21ac2b99e7d69d2dd4da |
| SHA512 | 28da677be9236823bf568e4082ca1a1e4583b3c5490d49a55cdb3e2b6aa06a3ae5bf7dbf7bbdfa748c513851ca9b568d54f5d391df732614a9d195ec04ea4823 |
C:\Windows\System\ANKuCqy.exe
| MD5 | 069cbcffb4bef887b9fb353d175349cd |
| SHA1 | 93607f54ebf735d0baaadb03a90f706d906409ff |
| SHA256 | 3183049873cda13c06ec3ef03c26c3772332d5a612e263efb2d8fbff0dfc4426 |
| SHA512 | 5c9adb9dd659f7f0eec908a07a058ea0961ceeed986068c33552a344196c701405298ff6ecdc2f8c77d99c3e1f9e1ff0f323376d6ad40f99fb217b37f3be0d24 |
C:\Windows\System\dVPsKFY.exe
| MD5 | 49be5940baf32483f9245641bc726e0d |
| SHA1 | 1a7c16e3734f0e83dc0a6e06ae7bc17ce338a91b |
| SHA256 | cdc8c43df902e54dca08f99dee67957bcf2be8c3619bbea67c30d8ec73ea900b |
| SHA512 | 1a527a5cdecb40921e4261205ab57f96403d62f4678b9de817a78450c7ec389a1a5bb23c8423136689f0e2ada4b2b72ad18bb4ba389c57ef37459d85610e4bef |
C:\Windows\System\OWkppYa.exe
| MD5 | d7cd94edaf7c06f026f251f0995873e0 |
| SHA1 | 0f03edf2e8835b8e26a41bfab62a40c8679768f2 |
| SHA256 | 2676cada1a22e7599ae73f8efde9a73e5d62dde889ede31ed23054ade1699cd0 |
| SHA512 | f31ee63d9af91b3ab8620129a20d6a9e66d4023e996a9d4dd197ebddc552c8c3cf749f5578d30eb525e12425d1eba6f50cbf1663d1c7156a54ec0e01d46a1889 |
C:\Windows\System\AJsLOQe.exe
| MD5 | 2ba94577ce432e4c424a9014e4514b8d |
| SHA1 | f6e37af6f9d217ebcda45999cf4cd058f01bf8c6 |
| SHA256 | 02e2cfa0b2fd8eca3b33a7db8c0fe07f1f3ea57895fa7363a99454dd16066c6a |
| SHA512 | be168946ed5adf626cd8a6a567e4bb576e76cd782f06ca74d765766451185de40b7c930c1efa889abce09a187f6f5927d490f5a302f41c354489530d6aa06c49 |
C:\Windows\System\ZzGUYJm.exe
| MD5 | 66146ce6029b7908a2c317693ea3a56f |
| SHA1 | 8282d791c8c33ee89b8ed6b4e7ee5abae9be1770 |
| SHA256 | fa24aaff4ff73e2d6899b227037159330de649cdabbde7890b1f225bc280895c |
| SHA512 | afab34ac38efdce1bb6c78e8194cb1b4fa4f77726095ace51415f35a727014dd1273eee1ea565a24eefa5bf56c21a3232d687dc992568b94d466e79bf8d481b3 |
C:\Windows\System\LYjXHUM.exe
| MD5 | fe836f95b7eb63baf01150f193d90295 |
| SHA1 | ac7f59fe2554b97485849fd3a6e4033bb3d38538 |
| SHA256 | d23d7fe1496aa9f4e33a004727705f8fa1d53cc41133fadafa1968d7cab24e29 |
| SHA512 | 2776fb9a2d7d79f95a3d14c3211d49aa4a3c36676a366728fe4c574c40fa0739237db578d747160b73e904aff426f93f2fd2435cc880ceb35d1d92e5b82db57b |
C:\Windows\System\dMMVpup.exe
| MD5 | b6d06c262fd712c32c90c17162274dd5 |
| SHA1 | d3c889426b30d5c437a79092dafdc180c6da81b9 |
| SHA256 | 85cc8f517abce29c4067960b5edf8758740c0cfd6ca5f686e8709b52f2dca795 |
| SHA512 | ac6de70e3667569ecf4f4c5b06eed7b255c8bea177a13af6674b63e40a46ac49b62b22dca8b535be55de75f094011d137373c49150f711e7a23d3c033e731ca1 |
C:\Windows\System\DMQWFHY.exe
| MD5 | 33d6880c1994f82da4588d9b851130a5 |
| SHA1 | cdecd3fc8a52661d307d28865a84d0d025e354bb |
| SHA256 | 41a8115be333f0044a5feca50765051a4f5773cccb1fe674f8aa8049afdb642c |
| SHA512 | 2f4b6d4a0e5efa79d037f7059a8e30afb55c2f2442f4389949b23aed711c8dc4c1c1aae25b68fa32f236e4732484072cc837529ac43a1dc0b5a581279c637363 |