Analysis Overview
SHA256
1ebfdfdfe32e52c06e2bcde945cd4519e889f34020ef500ac4d2e330b8db6122
Threat Level: Known bad
The file 2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
xmrig
Cobaltstrike
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:30
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:30
Reported
2024-06-01 15:33
Platform
win7-20231129-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FSGkGrA.exe | N/A |
| N/A | N/A | C:\Windows\System\xeApPcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\FxtgDVY.exe | N/A |
| N/A | N/A | C:\Windows\System\OTKpAAE.exe | N/A |
| N/A | N/A | C:\Windows\System\aEmxsmv.exe | N/A |
| N/A | N/A | C:\Windows\System\iTIaKLV.exe | N/A |
| N/A | N/A | C:\Windows\System\jneWkpe.exe | N/A |
| N/A | N/A | C:\Windows\System\twluoDU.exe | N/A |
| N/A | N/A | C:\Windows\System\dECXvrv.exe | N/A |
| N/A | N/A | C:\Windows\System\bCoCdXn.exe | N/A |
| N/A | N/A | C:\Windows\System\PqClPnq.exe | N/A |
| N/A | N/A | C:\Windows\System\zvoQIHh.exe | N/A |
| N/A | N/A | C:\Windows\System\CAsVuSI.exe | N/A |
| N/A | N/A | C:\Windows\System\tUVGtTB.exe | N/A |
| N/A | N/A | C:\Windows\System\eRRyiIi.exe | N/A |
| N/A | N/A | C:\Windows\System\kYyLnSl.exe | N/A |
| N/A | N/A | C:\Windows\System\rMwEXGF.exe | N/A |
| N/A | N/A | C:\Windows\System\oXTfCVA.exe | N/A |
| N/A | N/A | C:\Windows\System\hBNbVwm.exe | N/A |
| N/A | N/A | C:\Windows\System\owCRDdd.exe | N/A |
| N/A | N/A | C:\Windows\System\BJNijAE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\FSGkGrA.exe
C:\Windows\System\FSGkGrA.exe
C:\Windows\System\xeApPcJ.exe
C:\Windows\System\xeApPcJ.exe
C:\Windows\System\FxtgDVY.exe
C:\Windows\System\FxtgDVY.exe
C:\Windows\System\OTKpAAE.exe
C:\Windows\System\OTKpAAE.exe
C:\Windows\System\aEmxsmv.exe
C:\Windows\System\aEmxsmv.exe
C:\Windows\System\iTIaKLV.exe
C:\Windows\System\iTIaKLV.exe
C:\Windows\System\jneWkpe.exe
C:\Windows\System\jneWkpe.exe
C:\Windows\System\twluoDU.exe
C:\Windows\System\twluoDU.exe
C:\Windows\System\dECXvrv.exe
C:\Windows\System\dECXvrv.exe
C:\Windows\System\bCoCdXn.exe
C:\Windows\System\bCoCdXn.exe
C:\Windows\System\PqClPnq.exe
C:\Windows\System\PqClPnq.exe
C:\Windows\System\zvoQIHh.exe
C:\Windows\System\zvoQIHh.exe
C:\Windows\System\CAsVuSI.exe
C:\Windows\System\CAsVuSI.exe
C:\Windows\System\tUVGtTB.exe
C:\Windows\System\tUVGtTB.exe
C:\Windows\System\eRRyiIi.exe
C:\Windows\System\eRRyiIi.exe
C:\Windows\System\kYyLnSl.exe
C:\Windows\System\kYyLnSl.exe
C:\Windows\System\rMwEXGF.exe
C:\Windows\System\rMwEXGF.exe
C:\Windows\System\oXTfCVA.exe
C:\Windows\System\oXTfCVA.exe
C:\Windows\System\hBNbVwm.exe
C:\Windows\System\hBNbVwm.exe
C:\Windows\System\owCRDdd.exe
C:\Windows\System\owCRDdd.exe
C:\Windows\System\BJNijAE.exe
C:\Windows\System\BJNijAE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2024-0-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2024-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\FSGkGrA.exe
| MD5 | ac6ca4b9e1c13653b28c7fc1c0424088 |
| SHA1 | 14ecbdce17e96f57bcba69974e834a19aeb35c21 |
| SHA256 | f1bd3b5227186370d70c7f16cf0c1f12ab56467aedebb5f6babfeb0bbe3b1971 |
| SHA512 | 5d2a3caf6e6b7e31ae0bf5ac618c55ba8534c1026d8780cb628934b77ff31c5724ca1cc0ab99f7fd0b519c66d403e8a0e9cb0efc2ada3142ef0380cb36e6beac |
C:\Windows\system\xeApPcJ.exe
| MD5 | 764ff28d103d1363ec934727f328a623 |
| SHA1 | 2a4c532ba6c1fa869382833ba53f0777c0e0cb06 |
| SHA256 | 2d98c2be04c56d2b2dd0328692d3f92078ce7043e460ab0171c1270e2570d854 |
| SHA512 | 7e80f04ba8adb5e5a898d63b2db59f72e8d55402e8fcc3e2c01ef85da84f1c099a7121bdcab6812ab56bb00f095bc7c1ec89437e40f93ba4c39225e40676dbed |
C:\Windows\system\FxtgDVY.exe
| MD5 | dbf56609069e51e05ef54ed1a1021ccf |
| SHA1 | 1f61d7c09ddb2c21997ce51928fc69b2be3c41fa |
| SHA256 | cf7efd6745476e801d367be7134f44798d3efe4db029b492de5cdc1e29d23059 |
| SHA512 | 0d746834712eb4a9b136c5ea4548fa982c129838a5e2f156e674019a9c00e74ba789d8f7bfc16026a7d87c0c74a9f4dacf10131672769781e4df6046bf35d73a |
memory/1616-18-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2024-27-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2024-28-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\aEmxsmv.exe
| MD5 | 8c19afb81a6db00285a59a900fc0aa1a |
| SHA1 | 88ec879d349c70c1817e657baf502635fa875c99 |
| SHA256 | 01efd5b209f9c98e8c019e85acbe954b977b9d362790da50b68e9b56f5f8d3b6 |
| SHA512 | 6e89ae6fabf95a8859caa3936612fa91e0a502c9046ece82a865d35baf6c55f738cf0df72e479ccca17347e476992f547385ea308e1af6fdb43a394fd81f3357 |
memory/2684-35-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\iTIaKLV.exe
| MD5 | 4b41a81b3d9206fe0caffc882e63e406 |
| SHA1 | ce9b1809ef6d74feb3a4ee76e9bb394561dc9e0d |
| SHA256 | 954c09006ba2008e6d9836c1d92c3fac0f5efc71940684684e750ac95070d0de |
| SHA512 | 385234e60e96c88b2989aed457e81a10518bc0249fe0fa4c00bd8198d508cf6b5d69a4ff7a89b487add49da1c235ea776ac5ac5a9971279ea10ff0585a41c966 |
memory/2024-40-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2624-41-0x000000013F720000-0x000000013FA74000-memory.dmp
C:\Windows\system\twluoDU.exe
| MD5 | 18cb15f8eb3f634c07ca6c5f15940c65 |
| SHA1 | ac4a5a3b0526c18b82d8241ab4815c9a0d243446 |
| SHA256 | 4984a34bf9cf7676fc3f7a890dcf5f288ab6b06c868e560d93fea98c19fcf0b2 |
| SHA512 | 0a6e25a6391e91083522b75014c8e63f102449ba787c3af51a6699043af1f9a46f91119efbf3110697b8f4dfc2bbe8d0c79458f207d1ba716f7fa8b7aa259e97 |
memory/2764-53-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2584-47-0x000000013F940000-0x000000013FC94000-memory.dmp
C:\Windows\system\dECXvrv.exe
| MD5 | b90a5d9415445dd52d50cb76bf83f8cf |
| SHA1 | 53032327567eed342e41f9084d564f4038161321 |
| SHA256 | 95b3f2bf64633f0f1afb90662d454643cc4d61753cf93b8cac619db92f19846d |
| SHA512 | b24efb5c1c2163cbebf35d86ad97de3123b8a54ce9c537245699bdfc8c1a08957b25666af1b3ad9f583234c73789e028fd2c5bb86d60d68897efd6cb0d9d64a8 |
C:\Windows\system\oXTfCVA.exe
| MD5 | 116bd8c5a2ae6f759daf10ff9dff34ad |
| SHA1 | ce3e7812db7dab954759a1878d7d751f8e225c18 |
| SHA256 | a425521612952a364a138e3abda9172025fcd0c2effe33d3c76c3e36fc77b230 |
| SHA512 | d16f825718c090573d2e6ea62afa83830908f348ecfa5ee62261f087011db4044332146236698b65be0c0f3fd8418473caa545c547820c8492a328d4f4d6a3a4 |
\Windows\system\BJNijAE.exe
| MD5 | d94d6ae6658df08a65be65de7ab7b4fe |
| SHA1 | d14693d3ee4beeecb58cde01a4a9755d0de49c4a |
| SHA256 | b512acc63868dbc3415cfa6b9780c764f0cb1cfd01c49a419cdcae20841d5fd8 |
| SHA512 | 18bff39bf023996c407840fc982170ae3f8569a2ab6cfd4b11437d5a9c83186d5a904bfc9af3b38b17db5766de7a42ab2c8d2ef6e7ef0b2eaadd367ba1322f51 |
C:\Windows\system\hBNbVwm.exe
| MD5 | e4a3018e41dccedc53098cd97a306512 |
| SHA1 | 3b06719eafdbcdc33cec188f6982fc9dbe541879 |
| SHA256 | 3065930eab623ef664d4a16a83bae83fac4ef4c1f475016dcd9991e51f278c31 |
| SHA512 | dd224bb69b1b83e0fa013fa124ec5fe399359c64287b38c7408c214c8cbb3c6ac1e8906aa110aeb8a25b24028d9fe4e15195764f8666f3c4f50e1b4c9068af72 |
C:\Windows\system\owCRDdd.exe
| MD5 | cb1db901d692d84f4c1ba71963e5f293 |
| SHA1 | 46076016d90b10e5f7f7859e38742bc91e33297b |
| SHA256 | 9704c2fd16bdd58a0e64b7b1684e05c0948de553fa3b307d7bb0b880bf4cafd4 |
| SHA512 | e0af8fee6dc513c8478f62ad54bcea5989e27ee5dcf1d7260a4d1db511119c6d779fb89c110e9450559d61d324f776a1606454d31e83328c70a86ed0aabcc4ec |
C:\Windows\system\rMwEXGF.exe
| MD5 | 3a54a844af1d4310cdd2df803d6d12c0 |
| SHA1 | b5a6a826bfa5661604a2bddad900833257da271b |
| SHA256 | da0b908c6d0ca33a6809160886eb42335458d8ab60d630cc2c0c1aa47e459d69 |
| SHA512 | 6f04af7fb38e9fa5fe83bdd58f487e96a60dda88746f4f05c9121ed2481228d5ac702593e1a9d48300e36bd326a255c035f7cd908064c99943ac5abeb0ddb5b3 |
C:\Windows\system\kYyLnSl.exe
| MD5 | 74c4aa2c879fc927c8e83e438f12f22d |
| SHA1 | 6fd301211ada8ef2df02398f79447e52aab07c06 |
| SHA256 | bcf5a7c2f692207ec96cf5916b9663e971c034765304b26fe559b7fa51e161d7 |
| SHA512 | f52ddcb725722e37b25c9935dc47bad45e78e6910fd5ca69f38d50aa3f19cc361f99602459e98f56a133d77f0524b1e6b1a14fee2dd649f645b2f4147f9d8e38 |
memory/2024-110-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\eRRyiIi.exe
| MD5 | 6ec4e86b52d9eb04fecabf0f6e0eb7f1 |
| SHA1 | 8c20109a008a4aa79f09166ddd85d8dbf64214ea |
| SHA256 | a66cf2eb35d7d1c0d67d3928f8d0c06874b90416bcd9b2062e016a4bc5fa1c00 |
| SHA512 | c23d870a56f0f6951311bf2f4010a72cbf2214fddc9a0cf8701a89369b126ecf0ee73f91918ca7da4f5d0139b6c638740cccb7e5de200003982a71b50a249dc9 |
memory/2684-102-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\tUVGtTB.exe
| MD5 | 3d86ff33e4322cba356b62b7fcb7d833 |
| SHA1 | 9e72744b23ff4241394639e450923dd09747bf36 |
| SHA256 | 37e1cd46e6c0e482970654b8494b11a714374ced43f74d6f7b9112ba84e4149b |
| SHA512 | 1396115d76eb4aabed12e0ef46caac4ab881f363cdc8fad6243ec2605c96f62300141d0722f2fadf5537a4cdf34a673d59a28cb692cfdeafd3946ca28491e39a |
memory/1768-95-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2024-94-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\CAsVuSI.exe
| MD5 | a4afbf65d336357ce1cd8e821bb545cd |
| SHA1 | 0fcfe1961636c02e84e4738e4aa2cad8e90cd5e5 |
| SHA256 | 688f99cdf8aedb9661619f405fac26a095b8db10d26b8919ca76cea0837ef07a |
| SHA512 | 2edfddac76203b5e90eaaf992e0f706fa1d7016909273f145984b936403a829604ec146e45b76fcb7f678ebb00e259b6ecdef764370fa5a39c4a4841360ff2bf |
C:\Windows\system\PqClPnq.exe
| MD5 | 262ad90a9e40962f12ca126d7d3a000f |
| SHA1 | ec86f8f4cc159fc4f69592a47021c9d9bc9f87d8 |
| SHA256 | fd80fc3b1ce91b193c73f52d0cc20df3b31d9ecc8ef79d15e2911db6b5e41421 |
| SHA512 | 7c3688569bf8e678d7ed2719066d956c6767f1c9445ec71de5d4d307dd4d3f2c786f5dfb781f7e89efa45964ff53c94c38d55c70a5bf5edd96505031e37a4b43 |
C:\Windows\system\zvoQIHh.exe
| MD5 | 42e07e4a04a27f851dd047c8bbf2bcb0 |
| SHA1 | 93157423695caa09566d27b6be7475ffacf58787 |
| SHA256 | 27edb89ba20bfe6ecd6c4d4c2ae581798ef6fa590eeb14f9912f003ae7b8c07f |
| SHA512 | ed6b5ec50550c4f2ead81f999e71cda3f69e0f9ad158589a63964d82d2a7582ad5c7e901d776ddc06dcaefb070cc5cad4e5e9afe460f9b01c8e6d22517e85f56 |
C:\Windows\system\bCoCdXn.exe
| MD5 | f9fc273f2497db9668a38197cc8ed594 |
| SHA1 | 938f70a55649f1197a45907891d0eb764227cde7 |
| SHA256 | 1b38f8101545cec1c28a262f730c1088527f2160e4eb195ab972573d9991582e |
| SHA512 | cd0b1951608c06e3965f37872c92181715ac12144799f70da6c0efeccb9f268d8b79c42c955d933388044e5d3c72ae63decdf56999b6ced3e7bd947e92b5a74c |
memory/2024-57-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2024-52-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2024-46-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\jneWkpe.exe
| MD5 | c65afaa96e6052f12ea0cd07d65c5676 |
| SHA1 | 7fe03f8c6111d0fdfd664aa55c4c0d2dbdcf3906 |
| SHA256 | 579e63806f1fe177803e98894497ae3e49c0374fdfc3de628dcfaeb0b747fd37 |
| SHA512 | a750d452a84ebe557f76f9ec5659ede10e1cc2c175f9986b0359be1be5831945b67b71eb117deb0b446e6305eb87dc9dacf00d9ca3b15860d291516d2f781077 |
memory/2024-33-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2024-32-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2416-26-0x000000013FA70000-0x000000013FDC4000-memory.dmp
C:\Windows\system\OTKpAAE.exe
| MD5 | 7a73b4ad076c01e38b6c8604690a3efb |
| SHA1 | 1450ff3c501091400293b5bad50512a6a7245d46 |
| SHA256 | a47f62ac57c65f842b6117ff22c518e3230408b930207d9179ac6d3b2d875a8a |
| SHA512 | 28568481e973bcece9bd7fb0a315ba9048156d312d342d9dee2315e5894a5a7686c0dccf2610c608f39c2084007057ec41fdbc921837e95937f7f697314c4190 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:30
Reported
2024-06-01 15:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FSGkGrA.exe | N/A |
| N/A | N/A | C:\Windows\System\xeApPcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\FxtgDVY.exe | N/A |
| N/A | N/A | C:\Windows\System\OTKpAAE.exe | N/A |
| N/A | N/A | C:\Windows\System\aEmxsmv.exe | N/A |
| N/A | N/A | C:\Windows\System\iTIaKLV.exe | N/A |
| N/A | N/A | C:\Windows\System\jneWkpe.exe | N/A |
| N/A | N/A | C:\Windows\System\twluoDU.exe | N/A |
| N/A | N/A | C:\Windows\System\dECXvrv.exe | N/A |
| N/A | N/A | C:\Windows\System\bCoCdXn.exe | N/A |
| N/A | N/A | C:\Windows\System\PqClPnq.exe | N/A |
| N/A | N/A | C:\Windows\System\zvoQIHh.exe | N/A |
| N/A | N/A | C:\Windows\System\CAsVuSI.exe | N/A |
| N/A | N/A | C:\Windows\System\tUVGtTB.exe | N/A |
| N/A | N/A | C:\Windows\System\eRRyiIi.exe | N/A |
| N/A | N/A | C:\Windows\System\kYyLnSl.exe | N/A |
| N/A | N/A | C:\Windows\System\rMwEXGF.exe | N/A |
| N/A | N/A | C:\Windows\System\oXTfCVA.exe | N/A |
| N/A | N/A | C:\Windows\System\hBNbVwm.exe | N/A |
| N/A | N/A | C:\Windows\System\owCRDdd.exe | N/A |
| N/A | N/A | C:\Windows\System\BJNijAE.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2382cc5628d0bdb63996e08230096c42_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\FSGkGrA.exe
C:\Windows\System\xeApPcJ.exe
C:\Windows\System\FxtgDVY.exe
C:\Windows\System\OTKpAAE.exe
C:\Windows\System\aEmxsmv.exe
C:\Windows\System\iTIaKLV.exe
C:\Windows\System\jneWkpe.exe
C:\Windows\System\twluoDU.exe
C:\Windows\System\dECXvrv.exe
C:\Windows\System\bCoCdXn.exe
C:\Windows\System\PqClPnq.exe
C:\Windows\System\zvoQIHh.exe
C:\Windows\System\CAsVuSI.exe
C:\Windows\System\tUVGtTB.exe
C:\Windows\System\eRRyiIi.exe
C:\Windows\System\kYyLnSl.exe
C:\Windows\System\rMwEXGF.exe
C:\Windows\System\oXTfCVA.exe
C:\Windows\System\hBNbVwm.exe
C:\Windows\System\owCRDdd.exe
C:\Windows\System\BJNijAE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/3820-0-0x00007FF6E88B0000-0x00007FF6E8C04000-memory.dmp
memory/3820-1-0x000002B3A0C60000-0x000002B3A0C70000-memory.dmp
C:\Windows\System\FSGkGrA.exe
| MD5 | ac6ca4b9e1c13653b28c7fc1c0424088 |
| SHA1 | 14ecbdce17e96f57bcba69974e834a19aeb35c21 |
| SHA256 | f1bd3b5227186370d70c7f16cf0c1f12ab56467aedebb5f6babfeb0bbe3b1971 |
| SHA512 | 5d2a3caf6e6b7e31ae0bf5ac618c55ba8534c1026d8780cb628934b77ff31c5724ca1cc0ab99f7fd0b519c66d403e8a0e9cb0efc2ada3142ef0380cb36e6beac |
C:\Windows\System\xeApPcJ.exe
| MD5 | 764ff28d103d1363ec934727f328a623 |
| SHA1 | 2a4c532ba6c1fa869382833ba53f0777c0e0cb06 |
| SHA256 | 2d98c2be04c56d2b2dd0328692d3f92078ce7043e460ab0171c1270e2570d854 |
| SHA512 | 7e80f04ba8adb5e5a898d63b2db59f72e8d55402e8fcc3e2c01ef85da84f1c099a7121bdcab6812ab56bb00f095bc7c1ec89437e40f93ba4c39225e40676dbed |
memory/3124-8-0x00007FF79A800000-0x00007FF79AB54000-memory.dmp
C:\Windows\System\FxtgDVY.exe
| MD5 | dbf56609069e51e05ef54ed1a1021ccf |
| SHA1 | 1f61d7c09ddb2c21997ce51928fc69b2be3c41fa |
| SHA256 | cf7efd6745476e801d367be7134f44798d3efe4db029b492de5cdc1e29d23059 |
| SHA512 | 0d746834712eb4a9b136c5ea4548fa982c129838a5e2f156e674019a9c00e74ba789d8f7bfc16026a7d87c0c74a9f4dacf10131672769781e4df6046bf35d73a |
memory/1540-14-0x00007FF7C2730000-0x00007FF7C2A84000-memory.dmp
memory/3200-22-0x00007FF746950000-0x00007FF746CA4000-memory.dmp
C:\Windows\System\OTKpAAE.exe
| MD5 | 7a73b4ad076c01e38b6c8604690a3efb |
| SHA1 | 1450ff3c501091400293b5bad50512a6a7245d46 |
| SHA256 | a47f62ac57c65f842b6117ff22c518e3230408b930207d9179ac6d3b2d875a8a |
| SHA512 | 28568481e973bcece9bd7fb0a315ba9048156d312d342d9dee2315e5894a5a7686c0dccf2610c608f39c2084007057ec41fdbc921837e95937f7f697314c4190 |
C:\Windows\System\aEmxsmv.exe
| MD5 | 8c19afb81a6db00285a59a900fc0aa1a |
| SHA1 | 88ec879d349c70c1817e657baf502635fa875c99 |
| SHA256 | 01efd5b209f9c98e8c019e85acbe954b977b9d362790da50b68e9b56f5f8d3b6 |
| SHA512 | 6e89ae6fabf95a8859caa3936612fa91e0a502c9046ece82a865d35baf6c55f738cf0df72e479ccca17347e476992f547385ea308e1af6fdb43a394fd81f3357 |
C:\Windows\System\iTIaKLV.exe
| MD5 | 4b41a81b3d9206fe0caffc882e63e406 |
| SHA1 | ce9b1809ef6d74feb3a4ee76e9bb394561dc9e0d |
| SHA256 | 954c09006ba2008e6d9836c1d92c3fac0f5efc71940684684e750ac95070d0de |
| SHA512 | 385234e60e96c88b2989aed457e81a10518bc0249fe0fa4c00bd8198d508cf6b5d69a4ff7a89b487add49da1c235ea776ac5ac5a9971279ea10ff0585a41c966 |
C:\Windows\System\jneWkpe.exe
| MD5 | c65afaa96e6052f12ea0cd07d65c5676 |
| SHA1 | 7fe03f8c6111d0fdfd664aa55c4c0d2dbdcf3906 |
| SHA256 | 579e63806f1fe177803e98894497ae3e49c0374fdfc3de628dcfaeb0b747fd37 |
| SHA512 | a750d452a84ebe557f76f9ec5659ede10e1cc2c175f9986b0359be1be5831945b67b71eb117deb0b446e6305eb87dc9dacf00d9ca3b15860d291516d2f781077 |
C:\Windows\System\dECXvrv.exe
| MD5 | b90a5d9415445dd52d50cb76bf83f8cf |
| SHA1 | 53032327567eed342e41f9084d564f4038161321 |
| SHA256 | 95b3f2bf64633f0f1afb90662d454643cc4d61753cf93b8cac619db92f19846d |
| SHA512 | b24efb5c1c2163cbebf35d86ad97de3123b8a54ce9c537245699bdfc8c1a08957b25666af1b3ad9f583234c73789e028fd2c5bb86d60d68897efd6cb0d9d64a8 |
C:\Windows\System\hBNbVwm.exe
| MD5 | e4a3018e41dccedc53098cd97a306512 |
| SHA1 | 3b06719eafdbcdc33cec188f6982fc9dbe541879 |
| SHA256 | 3065930eab623ef664d4a16a83bae83fac4ef4c1f475016dcd9991e51f278c31 |
| SHA512 | dd224bb69b1b83e0fa013fa124ec5fe399359c64287b38c7408c214c8cbb3c6ac1e8906aa110aeb8a25b24028d9fe4e15195764f8666f3c4f50e1b4c9068af72 |
C:\Windows\System\BJNijAE.exe
| MD5 | d94d6ae6658df08a65be65de7ab7b4fe |
| SHA1 | d14693d3ee4beeecb58cde01a4a9755d0de49c4a |
| SHA256 | b512acc63868dbc3415cfa6b9780c764f0cb1cfd01c49a419cdcae20841d5fd8 |
| SHA512 | 18bff39bf023996c407840fc982170ae3f8569a2ab6cfd4b11437d5a9c83186d5a904bfc9af3b38b17db5766de7a42ab2c8d2ef6e7ef0b2eaadd367ba1322f51 |
C:\Windows\System\owCRDdd.exe
| MD5 | cb1db901d692d84f4c1ba71963e5f293 |
| SHA1 | 46076016d90b10e5f7f7859e38742bc91e33297b |
| SHA256 | 9704c2fd16bdd58a0e64b7b1684e05c0948de553fa3b307d7bb0b880bf4cafd4 |
| SHA512 | e0af8fee6dc513c8478f62ad54bcea5989e27ee5dcf1d7260a4d1db511119c6d779fb89c110e9450559d61d324f776a1606454d31e83328c70a86ed0aabcc4ec |
C:\Windows\System\oXTfCVA.exe
| MD5 | 116bd8c5a2ae6f759daf10ff9dff34ad |
| SHA1 | ce3e7812db7dab954759a1878d7d751f8e225c18 |
| SHA256 | a425521612952a364a138e3abda9172025fcd0c2effe33d3c76c3e36fc77b230 |
| SHA512 | d16f825718c090573d2e6ea62afa83830908f348ecfa5ee62261f087011db4044332146236698b65be0c0f3fd8418473caa545c547820c8492a328d4f4d6a3a4 |
C:\Windows\System\rMwEXGF.exe
| MD5 | 3a54a844af1d4310cdd2df803d6d12c0 |
| SHA1 | b5a6a826bfa5661604a2bddad900833257da271b |
| SHA256 | da0b908c6d0ca33a6809160886eb42335458d8ab60d630cc2c0c1aa47e459d69 |
| SHA512 | 6f04af7fb38e9fa5fe83bdd58f487e96a60dda88746f4f05c9121ed2481228d5ac702593e1a9d48300e36bd326a255c035f7cd908064c99943ac5abeb0ddb5b3 |
C:\Windows\System\kYyLnSl.exe
| MD5 | 74c4aa2c879fc927c8e83e438f12f22d |
| SHA1 | 6fd301211ada8ef2df02398f79447e52aab07c06 |
| SHA256 | bcf5a7c2f692207ec96cf5916b9663e971c034765304b26fe559b7fa51e161d7 |
| SHA512 | f52ddcb725722e37b25c9935dc47bad45e78e6910fd5ca69f38d50aa3f19cc361f99602459e98f56a133d77f0524b1e6b1a14fee2dd649f645b2f4147f9d8e38 |
C:\Windows\System\eRRyiIi.exe
| MD5 | 6ec4e86b52d9eb04fecabf0f6e0eb7f1 |
| SHA1 | 8c20109a008a4aa79f09166ddd85d8dbf64214ea |
| SHA256 | a66cf2eb35d7d1c0d67d3928f8d0c06874b90416bcd9b2062e016a4bc5fa1c00 |
| SHA512 | c23d870a56f0f6951311bf2f4010a72cbf2214fddc9a0cf8701a89369b126ecf0ee73f91918ca7da4f5d0139b6c638740cccb7e5de200003982a71b50a249dc9 |
C:\Windows\System\tUVGtTB.exe
| MD5 | 3d86ff33e4322cba356b62b7fcb7d833 |
| SHA1 | 9e72744b23ff4241394639e450923dd09747bf36 |
| SHA256 | 37e1cd46e6c0e482970654b8494b11a714374ced43f74d6f7b9112ba84e4149b |
| SHA512 | 1396115d76eb4aabed12e0ef46caac4ab881f363cdc8fad6243ec2605c96f62300141d0722f2fadf5537a4cdf34a673d59a28cb692cfdeafd3946ca28491e39a |
C:\Windows\System\CAsVuSI.exe
| MD5 | a4afbf65d336357ce1cd8e821bb545cd |
| SHA1 | 0fcfe1961636c02e84e4738e4aa2cad8e90cd5e5 |
| SHA256 | 688f99cdf8aedb9661619f405fac26a095b8db10d26b8919ca76cea0837ef07a |
| SHA512 | 2edfddac76203b5e90eaaf992e0f706fa1d7016909273f145984b936403a829604ec146e45b76fcb7f678ebb00e259b6ecdef764370fa5a39c4a4841360ff2bf |
C:\Windows\System\zvoQIHh.exe
| MD5 | 42e07e4a04a27f851dd047c8bbf2bcb0 |
| SHA1 | 93157423695caa09566d27b6be7475ffacf58787 |
| SHA256 | 27edb89ba20bfe6ecd6c4d4c2ae581798ef6fa590eeb14f9912f003ae7b8c07f |
| SHA512 | ed6b5ec50550c4f2ead81f999e71cda3f69e0f9ad158589a63964d82d2a7582ad5c7e901d776ddc06dcaefb070cc5cad4e5e9afe460f9b01c8e6d22517e85f56 |
C:\Windows\System\PqClPnq.exe
| MD5 | 262ad90a9e40962f12ca126d7d3a000f |
| SHA1 | ec86f8f4cc159fc4f69592a47021c9d9bc9f87d8 |
| SHA256 | fd80fc3b1ce91b193c73f52d0cc20df3b31d9ecc8ef79d15e2911db6b5e41421 |
| SHA512 | 7c3688569bf8e678d7ed2719066d956c6767f1c9445ec71de5d4d307dd4d3f2c786f5dfb781f7e89efa45964ff53c94c38d55c70a5bf5edd96505031e37a4b43 |
C:\Windows\System\bCoCdXn.exe
| MD5 | f9fc273f2497db9668a38197cc8ed594 |
| SHA1 | 938f70a55649f1197a45907891d0eb764227cde7 |
| SHA256 | 1b38f8101545cec1c28a262f730c1088527f2160e4eb195ab972573d9991582e |
| SHA512 | cd0b1951608c06e3965f37872c92181715ac12144799f70da6c0efeccb9f268d8b79c42c955d933388044e5d3c72ae63decdf56999b6ced3e7bd947e92b5a74c |
C:\Windows\System\twluoDU.exe
| MD5 | 18cb15f8eb3f634c07ca6c5f15940c65 |
| SHA1 | ac4a5a3b0526c18b82d8241ab4815c9a0d243446 |
| SHA256 | 4984a34bf9cf7676fc3f7a890dcf5f288ab6b06c868e560d93fea98c19fcf0b2 |
| SHA512 | 0a6e25a6391e91083522b75014c8e63f102449ba787c3af51a6699043af1f9a46f91119efbf3110697b8f4dfc2bbe8d0c79458f207d1ba716f7fa8b7aa259e97 |