Analysis Overview
SHA256
0e91816f751514c1baefb68f7ec4e3725a05b11401783ef906ea48561c00c343
Threat Level: Known bad
The file 2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Xmrig family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:54
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:54
Reported
2024-05-22 20:57
Platform
win7-20231129-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DllqyYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ChDqjQS.exe | N/A |
| N/A | N/A | C:\Windows\System\pNBBNxC.exe | N/A |
| N/A | N/A | C:\Windows\System\HfYHrvL.exe | N/A |
| N/A | N/A | C:\Windows\System\nGVaQNq.exe | N/A |
| N/A | N/A | C:\Windows\System\FwOuhNO.exe | N/A |
| N/A | N/A | C:\Windows\System\RGvvKto.exe | N/A |
| N/A | N/A | C:\Windows\System\pxAnStU.exe | N/A |
| N/A | N/A | C:\Windows\System\gLgKYlF.exe | N/A |
| N/A | N/A | C:\Windows\System\TtzMnyk.exe | N/A |
| N/A | N/A | C:\Windows\System\HenOThx.exe | N/A |
| N/A | N/A | C:\Windows\System\uyYWBCz.exe | N/A |
| N/A | N/A | C:\Windows\System\hNJiGEr.exe | N/A |
| N/A | N/A | C:\Windows\System\pQuiNyA.exe | N/A |
| N/A | N/A | C:\Windows\System\sTfvfsS.exe | N/A |
| N/A | N/A | C:\Windows\System\lLOsSeo.exe | N/A |
| N/A | N/A | C:\Windows\System\ftIKnpE.exe | N/A |
| N/A | N/A | C:\Windows\System\gmirPeK.exe | N/A |
| N/A | N/A | C:\Windows\System\JSnEzBM.exe | N/A |
| N/A | N/A | C:\Windows\System\VfqGyoU.exe | N/A |
| N/A | N/A | C:\Windows\System\DIiTYmr.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\DllqyYJ.exe
C:\Windows\System\DllqyYJ.exe
C:\Windows\System\pNBBNxC.exe
C:\Windows\System\pNBBNxC.exe
C:\Windows\System\ChDqjQS.exe
C:\Windows\System\ChDqjQS.exe
C:\Windows\System\HfYHrvL.exe
C:\Windows\System\HfYHrvL.exe
C:\Windows\System\nGVaQNq.exe
C:\Windows\System\nGVaQNq.exe
C:\Windows\System\FwOuhNO.exe
C:\Windows\System\FwOuhNO.exe
C:\Windows\System\RGvvKto.exe
C:\Windows\System\RGvvKto.exe
C:\Windows\System\pxAnStU.exe
C:\Windows\System\pxAnStU.exe
C:\Windows\System\gLgKYlF.exe
C:\Windows\System\gLgKYlF.exe
C:\Windows\System\TtzMnyk.exe
C:\Windows\System\TtzMnyk.exe
C:\Windows\System\HenOThx.exe
C:\Windows\System\HenOThx.exe
C:\Windows\System\uyYWBCz.exe
C:\Windows\System\uyYWBCz.exe
C:\Windows\System\hNJiGEr.exe
C:\Windows\System\hNJiGEr.exe
C:\Windows\System\pQuiNyA.exe
C:\Windows\System\pQuiNyA.exe
C:\Windows\System\sTfvfsS.exe
C:\Windows\System\sTfvfsS.exe
C:\Windows\System\lLOsSeo.exe
C:\Windows\System\lLOsSeo.exe
C:\Windows\System\ftIKnpE.exe
C:\Windows\System\ftIKnpE.exe
C:\Windows\System\gmirPeK.exe
C:\Windows\System\gmirPeK.exe
C:\Windows\System\VfqGyoU.exe
C:\Windows\System\VfqGyoU.exe
C:\Windows\System\JSnEzBM.exe
C:\Windows\System\JSnEzBM.exe
C:\Windows\System\DIiTYmr.exe
C:\Windows\System\DIiTYmr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2884-0-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2884-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\DllqyYJ.exe
| MD5 | 6363371abce02c077615732582b8356c |
| SHA1 | a3ccdb92a7737fef064f9a625ff7785a4ea16881 |
| SHA256 | 5d092e72ee76c2ad95455e7729f3c40be998b894f5a931cc7407ba9378c2993f |
| SHA512 | e001062f35ed6800b8c468908487e3ca20414b7da97ee100731672b6a351c644556e35da2857a11087c22f6baa09bc54a10d24425f4696c32c1feadbc9cf493c |
\Windows\system\ChDqjQS.exe
| MD5 | 41e261fe1ce7a5e541c6358c955b2928 |
| SHA1 | 55683fba00273f7fa032f825c867b7093ee13fe7 |
| SHA256 | 371c86773c02e9b6fecc0db20f756b5e12f19e98f7d9da11cb73cffc85394a85 |
| SHA512 | 6b0f300dd881edf1ba55c0c1729806290d3cddef522f40ab6e12d6c736d1e2e17ca5a5daa2741e87fafe0d3651295bf7b5c1e3ca7315bbe8e5204319dff85f7a |
C:\Windows\system\HfYHrvL.exe
| MD5 | 31d9934efaf8779a5149294989c49e82 |
| SHA1 | dadd960d342c7371ac3e751aa5fbaf4adcaf8e37 |
| SHA256 | 4ee655c9cfeab489d98d25f92f8d54515f5721f65c3b42865c740f3139741015 |
| SHA512 | 272b5ba73ec6972a230e6c4e3c4768915789ec4b91e3eb8c9761350e1e9ae7a02c5b73f10f1b250d08da1c92fa7a1a51f14406d6219126fc1cd1164e2889e0ec |
C:\Windows\system\pNBBNxC.exe
| MD5 | 3548da63e6ac187f28f25e63563f35cb |
| SHA1 | 387c8a8b95ed45019177aa9bcda484df7c6ce9a3 |
| SHA256 | 9665ba16920338461efab488ec5a7003ec25d867ecf1be137c54ae7ca8f32d3f |
| SHA512 | e4cd899e41bbbfbbeed4481d79f464f1a2d03ef56fe2ff3de938b8b3729363c7af16137d3b936e0e01cfbcbc02f9bbbfa6e1b2096425c7732be39679205ff3b4 |
memory/2824-29-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2152-28-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/3032-25-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2884-21-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2884-19-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2884-17-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2988-12-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/2884-35-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\nGVaQNq.exe
| MD5 | 616fa5ddd0e31457274db54388beb1b7 |
| SHA1 | 39b89528f5fe6599ed126769c5b0974a3a76a400 |
| SHA256 | b12b41f8cfcabf835ea5223c38ee45c6838a82c145276b6fde04ccb15cc3bbab |
| SHA512 | 28aa1648ad03713058bca5669a5d013d0e5737e0a28c7e6e05b82e28270c001ec49df32ba76a949bc521e8cf9caa253200f5e6a638a80744538be9f8c85e3ba7 |
memory/2716-36-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\FwOuhNO.exe
| MD5 | e3c59b1e4d798a0f54dc39587d7d63bd |
| SHA1 | 97e85f9198ac0ccf5c47bba1348564b732442e8d |
| SHA256 | 37b24f714ac804d52e2c98c82ee7040d90a4b7af4119806142037de89d6b546f |
| SHA512 | 17876eb22968e99799aac9d85a8218f4e04fba298844b259f9fb762be79f8f89c8330b3e38ae3fbe5f805ae21ce70bb36723ef382f56adab8c5389e64082a63b |
memory/2884-46-0x000000013FD70000-0x00000001400C1000-memory.dmp
C:\Windows\system\pxAnStU.exe
| MD5 | 853a18533dd2808578a86d2b986eb30f |
| SHA1 | 355e5dc5f206c5e2d0a8a9ed7a9aef849b638cb5 |
| SHA256 | 3a2d96914868a7e3a9d55901cdd1b1743f8c5332ed4586ee08b03ab0f8f30c15 |
| SHA512 | 8768bdc1a2b7b93bbede5da50ae5f596541bbfd471eccb3f08026f677c853f1a2d7738dca1717a51940f7dbf3f6102ab7f403e43fcf41e95bc7918a774ffdadf |
memory/2508-56-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2832-57-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2884-55-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2884-51-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
\Windows\system\gLgKYlF.exe
| MD5 | 76d93929c3042b14294397f9a359906a |
| SHA1 | 6961d44014cd10c516710fa0ee60995dfbaee995 |
| SHA256 | a2f144285a04d898b250b5df87dc171edca08608b8c3cfcffafedc5c94082f9c |
| SHA512 | db19a4819c5c8d6ed9bd36e9af6dbab3e171520e4e9c5456896d9247dcfbbe14a6d87e00ed63e10704796e431a9a4e59247c3e216d413c2a0368905660803a88 |
memory/2728-64-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2988-62-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/2884-61-0x000000013F770000-0x000000013FAC1000-memory.dmp
C:\Windows\system\RGvvKto.exe
| MD5 | ce271ead2563b6b125aa60e93820ece0 |
| SHA1 | 6d502e8780d6f8ae373adcbef138a49ff524506f |
| SHA256 | 0748e4ed2003fd9201eaf1a62d9d4e1b8cbc6295d86f8118292405d6d3b5328f |
| SHA512 | 11415a1dca3342262312f7007a48fbc1f3df3156f3af672e91f89152a7ec747f2089dd1e9c8aadc18cd641b88af14d726517bb7eba3fbc66f1f0c499bf7f35e9 |
C:\Windows\system\TtzMnyk.exe
| MD5 | 88f7942eb74b249ee020c99a28b1aecc |
| SHA1 | 26e53b2c5a9069e40be7e14329cebc8374b3926d |
| SHA256 | 3d0ce4c10cc850a31e4e8c4863bfe779287a261ff2feb0fc3aff957744bd2811 |
| SHA512 | 90841e42c0c786ec891d5e8b4915239dddd404d26c21307f6029b7529b0883df9689430b9fd560a47f68937b675296e4197f5270fc8e9418f7f5af6ba4cd9027 |
memory/2152-70-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2884-71-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2532-72-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2620-49-0x000000013FD70000-0x00000001400C1000-memory.dmp
\Windows\system\uyYWBCz.exe
| MD5 | 3386a19c5c41c1c2770dbbad9cb379b0 |
| SHA1 | 434489cc5e6247b237ac47fdec9b7ce19447b27c |
| SHA256 | 981b29be38d2e5b3b69b5e7e5d3e98d7e4fba6a03b703aadf309159735b2534a |
| SHA512 | f49deb2a22be7e15739eb8ec3caeeafe5708df1c1bcd5a5b6de512d8868497dd9f6b843238148d2e914a69219246530b4078d4986a8bd2d15fd8c60c88bc1303 |
memory/2884-86-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2164-78-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2884-77-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2344-87-0x000000013F0E0000-0x000000013F431000-memory.dmp
C:\Windows\system\HenOThx.exe
| MD5 | 13765ad1b655f1d07d122697cf5d08bf |
| SHA1 | 5674a37c6423984016b13daecfb99c024571b287 |
| SHA256 | 91dd4e11a08da8e9d13f6c601e78f36c92d844049b6de230364fd43a3b15d2f5 |
| SHA512 | 794fce627cd4f5388403c6ce43b810bff44f6437afb5b56b6fb2704defab0fe4fdb2a8978d9b71dbd61d7c680836c211bc65739d08451a0dafb91f1d6309ef3b |
\Windows\system\hNJiGEr.exe
| MD5 | 8a6d8defd8a98132ebb2b1e564f01ded |
| SHA1 | 758c4cab6e8cdb359fb81729eaad5878a9547052 |
| SHA256 | 29c376f8826f089ebd3350556e336555067bb4d30a62371006122676df638bb9 |
| SHA512 | 527e41967aded49cf76ded3b0918f2e63ff234e31d042dd179eb95845685c5e9b13034ad84e3776ad8f9b8e8d19ede4e1cb0a4fe9b741887f853c19cdc94617a |
memory/2448-93-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2884-92-0x00000000022D0000-0x0000000002621000-memory.dmp
C:\Windows\system\pQuiNyA.exe
| MD5 | 3855c1b7b36edd988b6dbd3a992a5f4e |
| SHA1 | e6d841c2cc25fb6f4b9d16745fdb4adc71bc2197 |
| SHA256 | 300b3c39f32d0fcfb18b475584e7f1561bfa98f93b3f23d199e2e0a5a8e81929 |
| SHA512 | ee84f8023af4ec74009acea18014c70994d6dd56b7346eb2d8ba2f0e949e141b03bb7c9fae355f5a842975316cde84036c836b3120b4b9247176cc3fd08ba5f7 |
memory/1816-101-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2884-100-0x00000000022D0000-0x0000000002621000-memory.dmp
\Windows\system\sTfvfsS.exe
| MD5 | 468f0b65b0cc09bf35d19e2cf27b1d12 |
| SHA1 | f280b998e7da1d44a4a389d9367669f588be8a86 |
| SHA256 | e863f709826a6c6f1f0777e31770ab1abcc92075996a5f259b7fa78defd34a82 |
| SHA512 | a3bfea4a985163e921bf00f2c8a18134e2945f6b94c4fdce49cca853038609f360d122ec4058e2a1e78b380b89e0f8782f467106246eb41f912581f43b47058f |
memory/2884-106-0x000000013FD00000-0x0000000140051000-memory.dmp
\Windows\system\lLOsSeo.exe
| MD5 | 8583c7ce441937c86a51b9e90525abef |
| SHA1 | 429434632c6fafe44ae24c285e6dd635a7fafe90 |
| SHA256 | 216cdfd7ff323f4e1aad09a458a1aafdc4834277edaed7a3cf8d1008537314ab |
| SHA512 | 1ef38e59504663e885c1051066078f6147d9b3f04b01e1a921913b2832046808cb56bd979f411b8425588dc9b525da687968d2a8ae7f4e68c91ffdadfa06cbc3 |
C:\Windows\system\JSnEzBM.exe
| MD5 | e15b23d176f31a73a3d27847d5aab02e |
| SHA1 | 57a58e74b5eeac0e818f5fcf8d85d6ed5729c747 |
| SHA256 | 95639a75e86b4ec4958a679cd4100d18bf16aed7b91cf552dfbfc8307e6c81de |
| SHA512 | 5f4b46e38b6f1e0871fa7b0eaf7d4283f1e99833c9f05b28184c690f7391f1890d46e84645f00329459524c5d6fb4d6b4b9ced50684d8bdf0b458c22af2322f0 |
C:\Windows\system\VfqGyoU.exe
| MD5 | 3521a592ba5ec78769d46532e5c16c6c |
| SHA1 | f4cdbb832a4522c8070b092a75678b08506fc8e5 |
| SHA256 | 38f9c76a3e75250137239eb150588e2ff9cb409c33996d50cb547c1a7791a736 |
| SHA512 | 1bee8b68c7b50622db03d56b4d77c72c69032be8b927f5923e9abe5ec7c27c176dc7d977dd2c7038212029b89333c63c222f32f61dd394e85f5e3b3895f2e43e |
\Windows\system\DIiTYmr.exe
| MD5 | 3a96331b4c67e309ac9ff89a63f305ab |
| SHA1 | f132281d1cc4a5ff7182b6dbfa39f63ec5c80bf1 |
| SHA256 | 4bf0123e128afd411b0fd00f07350312832af44054295c5a1c7f92ab70a38111 |
| SHA512 | 58492e99fa24e5ad03239b405fef11fc606b6046b649c11a429f1d84118a8286981c30d11225d206f474aa5f558f2569496d638bc6364585b7b2d7b63d7373b2 |
C:\Windows\system\ftIKnpE.exe
| MD5 | 0110335b528f6bde3fbccdafb8cbbde6 |
| SHA1 | 780abd13e2af9468fdf53964cf7ef942fad7f15a |
| SHA256 | ba4515a02976a1037cbc195df33c62a4af2d5664e8b5c89d91ab7ed088a66212 |
| SHA512 | 5867e4d9599b772de3b58e2d27f48cd53864d1ea1a6c1b81416c544ac8c3a3329e52871f5ea36e4c9da370e3359449b036123ca609f4b56f1bb308866b5b661e |
C:\Windows\system\gmirPeK.exe
| MD5 | 4771964c311eaa2c244beb1940826be7 |
| SHA1 | 68f2c86ac53acb1d2bae466053a87020890f4428 |
| SHA256 | a2a4947b5b0a2d834b524cdb21d1573a6e088ec3e22af818c4add6960ff3b05e |
| SHA512 | 4925751f65855a338e694e33ac10aa7fb8cf2c0d532b5795007300b28dc0bd7e449c871547c4cf5d9bc7b08344d4788c3275b85cfc538498b1030a73e6c2235b |
memory/2884-137-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2728-142-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2164-149-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2448-151-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2884-152-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2532-148-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2684-158-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/1596-160-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/1776-159-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/1780-157-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/940-156-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1972-155-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/936-154-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2884-161-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2884-162-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2884-175-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2884-185-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2988-209-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/3032-211-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2824-215-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2152-214-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2716-224-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2620-226-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2508-229-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2832-230-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2728-232-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2532-234-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2164-236-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2344-238-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/1816-244-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2448-245-0x000000013F960000-0x000000013FCB1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:54
Reported
2024-05-22 20:57
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TvGyXBX.exe | N/A |
| N/A | N/A | C:\Windows\System\XoVJYJz.exe | N/A |
| N/A | N/A | C:\Windows\System\FjzpJRp.exe | N/A |
| N/A | N/A | C:\Windows\System\yuYPseH.exe | N/A |
| N/A | N/A | C:\Windows\System\QBytTJg.exe | N/A |
| N/A | N/A | C:\Windows\System\HThEWdb.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPLlHRX.exe | N/A |
| N/A | N/A | C:\Windows\System\exmaLUn.exe | N/A |
| N/A | N/A | C:\Windows\System\jcGpdnH.exe | N/A |
| N/A | N/A | C:\Windows\System\qmaLZbY.exe | N/A |
| N/A | N/A | C:\Windows\System\WusSWsY.exe | N/A |
| N/A | N/A | C:\Windows\System\lRDKVKY.exe | N/A |
| N/A | N/A | C:\Windows\System\NvupTop.exe | N/A |
| N/A | N/A | C:\Windows\System\SzdfAqk.exe | N/A |
| N/A | N/A | C:\Windows\System\eIzaXxZ.exe | N/A |
| N/A | N/A | C:\Windows\System\eyAVTru.exe | N/A |
| N/A | N/A | C:\Windows\System\KFttJzE.exe | N/A |
| N/A | N/A | C:\Windows\System\icYyMiv.exe | N/A |
| N/A | N/A | C:\Windows\System\GbiRSeS.exe | N/A |
| N/A | N/A | C:\Windows\System\YIApajd.exe | N/A |
| N/A | N/A | C:\Windows\System\AcNOChf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5b6b0168a9149690585949c2dbd9d340_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TvGyXBX.exe
C:\Windows\System\TvGyXBX.exe
C:\Windows\System\XoVJYJz.exe
C:\Windows\System\XoVJYJz.exe
C:\Windows\System\FjzpJRp.exe
C:\Windows\System\FjzpJRp.exe
C:\Windows\System\yuYPseH.exe
C:\Windows\System\yuYPseH.exe
C:\Windows\System\QBytTJg.exe
C:\Windows\System\QBytTJg.exe
C:\Windows\System\ZPLlHRX.exe
C:\Windows\System\ZPLlHRX.exe
C:\Windows\System\HThEWdb.exe
C:\Windows\System\HThEWdb.exe
C:\Windows\System\exmaLUn.exe
C:\Windows\System\exmaLUn.exe
C:\Windows\System\jcGpdnH.exe
C:\Windows\System\jcGpdnH.exe
C:\Windows\System\qmaLZbY.exe
C:\Windows\System\qmaLZbY.exe
C:\Windows\System\WusSWsY.exe
C:\Windows\System\WusSWsY.exe
C:\Windows\System\lRDKVKY.exe
C:\Windows\System\lRDKVKY.exe
C:\Windows\System\NvupTop.exe
C:\Windows\System\NvupTop.exe
C:\Windows\System\SzdfAqk.exe
C:\Windows\System\SzdfAqk.exe
C:\Windows\System\eIzaXxZ.exe
C:\Windows\System\eIzaXxZ.exe
C:\Windows\System\eyAVTru.exe
C:\Windows\System\eyAVTru.exe
C:\Windows\System\KFttJzE.exe
C:\Windows\System\KFttJzE.exe
C:\Windows\System\icYyMiv.exe
C:\Windows\System\icYyMiv.exe
C:\Windows\System\GbiRSeS.exe
C:\Windows\System\GbiRSeS.exe
C:\Windows\System\YIApajd.exe
C:\Windows\System\YIApajd.exe
C:\Windows\System\AcNOChf.exe
C:\Windows\System\AcNOChf.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1780-0-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp
memory/1780-1-0x000001DF0F9A0000-0x000001DF0F9B0000-memory.dmp
C:\Windows\System\TvGyXBX.exe
| MD5 | e2f3dbbb20b58e5315bbda4a15f521fd |
| SHA1 | a38af86aea55d4a8e62f787162e19f4e66fcc200 |
| SHA256 | 0cf529ef18e335eddebb45e672c564f1ed99347b13d46a3d4489857864f7cb7e |
| SHA512 | 6f58e7fb382ea74a05fc482d677198d10e206ec28fabea272a1cae6f920dbd68b51a0c4126afb476282b17674b04b9b825589368207c5cd2825784d6c2d780c9 |
memory/3360-8-0x00007FF7D4A90000-0x00007FF7D4DE1000-memory.dmp
C:\Windows\System\XoVJYJz.exe
| MD5 | 0673d003bf67f0e46b752b7485b77df2 |
| SHA1 | cbefecd8285208cd7a68b223e58dc4b6613b08c6 |
| SHA256 | 0bbc5e267cdf702d819b54ee15e55fd42049fcc4a69e9927812bd665fb4c5098 |
| SHA512 | ef31ce8b5d8677d9efe22e05588cf5a3c05f67e9e56b1f364384f93e461b3687c3e4140ab43a61d373a85fce2aa3b4ed3bd7ebee77e20765c157e060af88d7e9 |
memory/2028-12-0x00007FF7EA090000-0x00007FF7EA3E1000-memory.dmp
C:\Windows\System\FjzpJRp.exe
| MD5 | cdaf5953bafbb2068b2ecc4c71054105 |
| SHA1 | 9d5b71c332b6e638954c0769c150e40faedba236 |
| SHA256 | 2779ee2196862dcafc5606cfb63a4d661fd0c53d9c88c9d6c65983ede07600a2 |
| SHA512 | a26a215f6a4a69bd15df809e94c9f1f127aba52b459582bc033afcfa02fc1e91c94a2f803541fa8ad6772f1f43009a6a829fc2d1d2f3b141f7e96bfbe805a78a |
memory/3788-19-0x00007FF685E20000-0x00007FF686171000-memory.dmp
C:\Windows\System\yuYPseH.exe
| MD5 | 5d7f47d048ea3202df302f2d7396a685 |
| SHA1 | ef2ab536425620c857aa3afd72b278198016b14a |
| SHA256 | 9a874a73e7fb2ed3fc40660090207c5686dda4f5ef1e078be5c9d4bafdc2dd7c |
| SHA512 | 86f07a99fed5be4671267da05437189b6e6cb3f23d315315baecb7774d60a8222ac2c4a0bcb6942a44f0de2a93450cb360b3156d93f04f406006df893d1cdf5a |
memory/552-25-0x00007FF757B50000-0x00007FF757EA1000-memory.dmp
C:\Windows\System\QBytTJg.exe
| MD5 | c4a4c997456aa28551d1a33d487553db |
| SHA1 | 6a5dfacaf9a83f604d22f2e85df17af505d5804e |
| SHA256 | ffa20fec74aa58e6dfd8d82988c26e852dcdf427e05f3f56199985698c4de7af |
| SHA512 | 46218b89e5afe80153d2299bf272796af3204144dd61556758274313567d44ea03f3da9d417465969e4ca5fe0b5621bc64829f672a2f566c5febb1f3abe4b8d2 |
memory/3772-30-0x00007FF7B35F0000-0x00007FF7B3941000-memory.dmp
C:\Windows\System\HThEWdb.exe
| MD5 | c800d3eb9c512c5a618c5c874faa953f |
| SHA1 | d92108f283119e960d70120f700e6bd69a1c4a36 |
| SHA256 | 8c526c155498ba2ef60b21412ad77c8408fd14efe30ac2a932bb4022658a6da3 |
| SHA512 | 636f4b673100a1686d86f878197000cb3862d95e5eba9dbc1c8560a7cfe5095d2b771cbd84cd3523b2113d4e7b99ed36e5043bb35b3b027607fffb6179ed27db |
memory/1652-43-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp
C:\Windows\System\ZPLlHRX.exe
| MD5 | c4bab380295ded935dccfd5b6933d2ea |
| SHA1 | 24f502710041afac36687c8cf3173ce4c09237cf |
| SHA256 | ae425a6e65c1bf228562c5f725de64a4358a91f9a3648f0e508dd618ed6e1650 |
| SHA512 | ce33ddd5c7d607349982227f9605455dc179db442f3201202f97787491ef5a3f9a0ee0c26e646504f206362a730e839245ed19b5767902a72555131d10f8e158 |
memory/4160-47-0x00007FF65FC00000-0x00007FF65FF51000-memory.dmp
memory/2368-45-0x00007FF7A27D0000-0x00007FF7A2B21000-memory.dmp
C:\Windows\System\exmaLUn.exe
| MD5 | cfa0b1f2fe934b7e742144f0edfd3914 |
| SHA1 | 3ad682ae53116df176602e14d950d3548c0ee8e8 |
| SHA256 | 9f90efcf925f266d90882f5df380ad3b9a18895c5aa2076565f2c58a9afcfa42 |
| SHA512 | 1190da55405138a5efd49f703dea17a9f373146f22a7aa1fae2029f0ef954bd0722d90e2de0c3d57354783624515a39216edf5ab212c6a1c629c6ffc8a7bdc7f |
C:\Windows\System\jcGpdnH.exe
| MD5 | d7aa99e099de28601468183eca56a560 |
| SHA1 | b920be842241b564109c0278e8386a4c7b98a14a |
| SHA256 | 5a44ed75d79196e2cd074bfbf316b2717c96f0c7523578007959ca2698d75009 |
| SHA512 | 25818e7cac2c2385bb498777427f96c46207b7a67af4ea32d31feab61246e27b7413c3a1ed88c86d51f12b79fae39e02773e7b234ac6983380782e6464cd5e97 |
C:\Windows\System\qmaLZbY.exe
| MD5 | 3e293c9a456e436ea659e9725c1f63ae |
| SHA1 | 5b45a92c12c1844bdef04b1a2d79f66eb8c420f0 |
| SHA256 | fdbba8a16850db587e121f7d8eafa14139b8e7aec3633b8dab20035b78b35367 |
| SHA512 | e8428fd5b9410675068b95344a9462728914f55b26bc4bacd3675bb49735b0126d11ac62d14c980acc6e527c8ee56128783f5fc4d71a719ea0ed488c0ddd9cc9 |
C:\Windows\System\WusSWsY.exe
| MD5 | af1691226f074d69894d00e26ec859d6 |
| SHA1 | a00e2b1aae592bbaebf717a8cab45d522a574799 |
| SHA256 | ba1521e321c6a7394cf907fb4cfe14cca0d89653c5b2d0282746765f177feec2 |
| SHA512 | f8f78d4705bb93a7d7d5688d7bc90febc01606bb36ab7e5deb153859d8eb8f65a35e4e6a69e42c42462563931978a8bd057a1406c2729b13c9517f543838ddec |
memory/2480-61-0x00007FF71B100000-0x00007FF71B451000-memory.dmp
memory/1040-66-0x00007FF6BB750000-0x00007FF6BBAA1000-memory.dmp
memory/1780-67-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp
memory/2280-68-0x00007FF6B9250000-0x00007FF6B95A1000-memory.dmp
C:\Windows\System\lRDKVKY.exe
| MD5 | 8f8a7787fc840e2908357a18af907a04 |
| SHA1 | bddfe39bd57a98edc718128c226ae0b62257e3ae |
| SHA256 | e06fdb2a81ef07eae4001bed79578c553570a1e87fdf6f8066b381fa70b9ad8a |
| SHA512 | 05d60d71723a9296c8c14dd768408de92ff357bc43e78fe0513ddfa81a788221d5ebc2c36db313a79122ba6dedaebee8a1faf62090f9d21ce494d4580d6e64d0 |
C:\Windows\System\NvupTop.exe
| MD5 | 1c187ca8649a3a82378bebf69823e20a |
| SHA1 | c6e432e872f92d806c50c811803b88efd6fb051c |
| SHA256 | 72ba12d628b3217f6fc262035f7b07327b58debb794ad835bd99d696c493519d |
| SHA512 | dc02601c49f3da1a51e6047d7a35c7fdf99876f360bfea035588cd238009a8c98745e588180bb3ebc431d5d9369563c456345f72c9c1cee1971553e25a7e6487 |
C:\Windows\System\SzdfAqk.exe
| MD5 | d977fae96ede175fa8aa4ed4a6ee84e1 |
| SHA1 | 1ff24a0d88d91789a9ca7620ec08b6185b64e2e8 |
| SHA256 | 7a88821adae995483f4dcb46a2b2b29f4b3159a9e19f506b126502eefdd7897f |
| SHA512 | 3f19ed7f89511a8bd81d062e4b4368326ee02ad5d4fe111f95cab7098889ef6069ad51d434afe0d0247395661df9e1d312d2e9a53abe91d27f6a156507053ae7 |
C:\Windows\System\eIzaXxZ.exe
| MD5 | c79ee47030bb7db2975b07e168315d27 |
| SHA1 | c86649ccc0181b547cbd654b65abd4e2ddedcd98 |
| SHA256 | 75e1679e05b02b20769032f88868c61a3f63b7a3be7ebc281558dad627c7af35 |
| SHA512 | ef6faf6dd9fbea43689ff85fd0a60a8f84f7bda1483c752fc4b9bf428c9cd0ba6e9afa84a00120402594c2bdc0214202d339ef2477b2a0b08ed03cd42943b59e |
memory/3360-89-0x00007FF7D4A90000-0x00007FF7D4DE1000-memory.dmp
memory/1724-96-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp
C:\Windows\System\eyAVTru.exe
| MD5 | 111778930861e7f590b2b84b1d8ec1d1 |
| SHA1 | fe1a7c0ecd5da6899e10eac3f864916e9f0581c5 |
| SHA256 | 37e122f7b12b3d126f8bab926e0d87f3e85cb98369a9dc2c875ff1ffe5be83e5 |
| SHA512 | cd3efc18c240d19305a72cf8d26c2fa9533dc5deb0b0473372edf3bebb156a96be204a42d1ab8fe4ab861d74be9687d5c8754613d995b0173f84b95a52c226bf |
memory/3632-103-0x00007FF6E5250000-0x00007FF6E55A1000-memory.dmp
C:\Windows\System\KFttJzE.exe
| MD5 | f968883b7e6720ea0ad57627aa8fed05 |
| SHA1 | b4ae81eacb9a1e6360f7ec87c92938f8afbea6c4 |
| SHA256 | 35aa24a747fa7c626a7d00f7b368ab32b76e81601c048ea9f042dc0558f43d02 |
| SHA512 | 0d9bd0ce03503e244a57ffd9057ea12436b9b9e95e37c55f75d73b52424387fa71af335234910dd7dc50de6f48e2b886c88e180e9f67261c67cccf4d83e66ad6 |
C:\Windows\System\icYyMiv.exe
| MD5 | 54357c477ccaf080f69bf11cc38c7b57 |
| SHA1 | bde4ba74f1c2df366e2257af828a10ba8e43707d |
| SHA256 | 068d5863d834314f1ed748c862724a744b4d3c201b1832c5a547a6f2a38db936 |
| SHA512 | 279b9cd70b5d9c545915b39538b5ee83ca2f15c5c2c3e36468ee6ce4707c6f8b3b05eeec2a59621d3cf35d8b2deaf02cf30ec27221f4dd4ef34a68a163a56b87 |
C:\Windows\System\GbiRSeS.exe
| MD5 | 56e6f85ec3b56c89a4d0fe16025d64e0 |
| SHA1 | 6433c09db79c8f05175222c86619ce7335f0af20 |
| SHA256 | aeffb75b36fbdcef22a18dd4813f8451b6d925f056ea32daaf63279f6b5991a0 |
| SHA512 | 6136ad4195bd0e29e503e53af56382ad5366c02725d6481c0d2ab5406753e3b413909177a34522463e0439478d4b59b13bb049a7f28644940378cf12cdd122e8 |
C:\Windows\System\YIApajd.exe
| MD5 | 5960a5902da9720030d2e6ae246ec11e |
| SHA1 | 137fed0ca6d3d68c416b0e4e6a062d2cd51de747 |
| SHA256 | 2470ac0a8a3d582f6419015282581616998a2d9f260e8c8056e4734af0ec594b |
| SHA512 | 2a7f9177ddf95be1b9e44d1b31f99de8cc8fd9415db62f0ba5eb58973c32581744a5eb7b4ed29e921779d2e04355073b92f4f4a9c32383899ff7e5aeeee7bd7e |
C:\Windows\System\AcNOChf.exe
| MD5 | 5357c1a3781cca123914d3c90b97d4c2 |
| SHA1 | 08ad0537ae9a51d7dec65949862e0cc0eee227b1 |
| SHA256 | 21c3f902a390880384a26785ebfa038802964b07f619ffb0821742e3131a4e97 |
| SHA512 | 38b324ef440309567d89a47766e4b44a220aba2530b4d5693d1ad2bdce62531e7fb2793db12ebf7bafe4d5c149206c5169aa94f547ea0346cf9bb5514de591b5 |
memory/4572-109-0x00007FF629810000-0x00007FF629B61000-memory.dmp
memory/2028-101-0x00007FF7EA090000-0x00007FF7EA3E1000-memory.dmp
memory/1500-97-0x00007FF7BD510000-0x00007FF7BD861000-memory.dmp
memory/3256-95-0x00007FF748090000-0x00007FF7483E1000-memory.dmp
memory/1400-93-0x00007FF761020000-0x00007FF761371000-memory.dmp
memory/1780-127-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp
memory/2368-133-0x00007FF7A27D0000-0x00007FF7A2B21000-memory.dmp
memory/552-131-0x00007FF757B50000-0x00007FF757EA1000-memory.dmp
memory/2480-136-0x00007FF71B100000-0x00007FF71B451000-memory.dmp
memory/2280-138-0x00007FF6B9250000-0x00007FF6B95A1000-memory.dmp
memory/4160-135-0x00007FF65FC00000-0x00007FF65FF51000-memory.dmp
memory/3460-140-0x00007FF73ACA0000-0x00007FF73AFF1000-memory.dmp
memory/3656-142-0x00007FF6C4930000-0x00007FF6C4C81000-memory.dmp
memory/4000-141-0x00007FF756C40000-0x00007FF756F91000-memory.dmp
memory/1824-139-0x00007FF7123F0000-0x00007FF712741000-memory.dmp
memory/3772-132-0x00007FF7B35F0000-0x00007FF7B3941000-memory.dmp
memory/4572-148-0x00007FF629810000-0x00007FF629B61000-memory.dmp
memory/3632-147-0x00007FF6E5250000-0x00007FF6E55A1000-memory.dmp
memory/1780-153-0x00007FF7CF620000-0x00007FF7CF971000-memory.dmp
memory/3360-198-0x00007FF7D4A90000-0x00007FF7D4DE1000-memory.dmp
memory/3788-205-0x00007FF685E20000-0x00007FF686171000-memory.dmp
memory/2028-207-0x00007FF7EA090000-0x00007FF7EA3E1000-memory.dmp
memory/552-209-0x00007FF757B50000-0x00007FF757EA1000-memory.dmp
memory/1652-211-0x00007FF60B1D0000-0x00007FF60B521000-memory.dmp
memory/3772-213-0x00007FF7B35F0000-0x00007FF7B3941000-memory.dmp
memory/2480-220-0x00007FF71B100000-0x00007FF71B451000-memory.dmp
memory/2368-222-0x00007FF7A27D0000-0x00007FF7A2B21000-memory.dmp
memory/4160-226-0x00007FF65FC00000-0x00007FF65FF51000-memory.dmp
memory/1040-225-0x00007FF6BB750000-0x00007FF6BBAA1000-memory.dmp
memory/1400-228-0x00007FF761020000-0x00007FF761371000-memory.dmp
memory/3256-230-0x00007FF748090000-0x00007FF7483E1000-memory.dmp
memory/1724-232-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp
memory/1500-239-0x00007FF7BD510000-0x00007FF7BD861000-memory.dmp
memory/2280-241-0x00007FF6B9250000-0x00007FF6B95A1000-memory.dmp
memory/4572-245-0x00007FF629810000-0x00007FF629B61000-memory.dmp
memory/3632-244-0x00007FF6E5250000-0x00007FF6E55A1000-memory.dmp
memory/1824-247-0x00007FF7123F0000-0x00007FF712741000-memory.dmp
memory/3460-249-0x00007FF73ACA0000-0x00007FF73AFF1000-memory.dmp
memory/4000-251-0x00007FF756C40000-0x00007FF756F91000-memory.dmp
memory/3656-253-0x00007FF6C4930000-0x00007FF6C4C81000-memory.dmp