Analysis Overview
SHA256
9d68e22de91f42af030db75e111ad608a7afe88107431cd6c1158382e975473a
Threat Level: Known bad
The file 2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:04
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:04
Reported
2024-05-22 21:06
Platform
win7-20240508-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\fTylfxk.exe |
| C:\Windows\System\pYLDGGS.exe |
| C:\Windows\System\VJbjlGu.exe |
| C:\Windows\System\hwHUPYG.exe |
| C:\Windows\System\xBoxoYD.exe |
| C:\Windows\System\IcvOsLL.exe |
| C:\Windows\System\NkdGRIU.exe |
| C:\Windows\System\goNrisV.exe |
| C:\Windows\System\zEdOJfl.exe |
| C:\Windows\System\kRAlTkh.exe |
| C:\Windows\System\ofpBoYG.exe |
| C:\Windows\System\GXkxAtq.exe |
| C:\Windows\System\UdwMaqs.exe |
| C:\Windows\System\hCqykSY.exe |
| C:\Windows\System\JFtdwWw.exe |
| C:\Windows\System\YdkfoDX.exe |
| C:\Windows\System\jXVkUnR.exe |
| C:\Windows\System\csupAYW.exe |
| C:\Windows\System\BksRsts.exe |
| C:\Windows\System\ZSHuVmd.exe |
| C:\Windows\System\TWjVPSD.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\fTylfxk.exe | C:\Windows\System\fTylfxk.exe |
| C:\Windows\System\pYLDGGS.exe | C:\Windows\System\pYLDGGS.exe |
| C:\Windows\System\VJbjlGu.exe | C:\Windows\System\VJbjlGu.exe |
| C:\Windows\System\hwHUPYG.exe | C:\Windows\System\hwHUPYG.exe |
| C:\Windows\System\xBoxoYD.exe | C:\Windows\System\xBoxoYD.exe |
| C:\Windows\System\IcvOsLL.exe | C:\Windows\System\IcvOsLL.exe |
| C:\Windows\System\goNrisV.exe | C:\Windows\System\goNrisV.exe |
| C:\Windows\System\NkdGRIU.exe | C:\Windows\System\NkdGRIU.exe |
| C:\Windows\System\zEdOJfl.exe | C:\Windows\System\zEdOJfl.exe |
| C:\Windows\System\kRAlTkh.exe | C:\Windows\System\kRAlTkh.exe |
| C:\Windows\System\ofpBoYG.exe | C:\Windows\System\ofpBoYG.exe |
| C:\Windows\System\GXkxAtq.exe | C:\Windows\System\GXkxAtq.exe |
| C:\Windows\System\UdwMaqs.exe | C:\Windows\System\UdwMaqs.exe |
| C:\Windows\System\hCqykSY.exe | C:\Windows\System\hCqykSY.exe |
| C:\Windows\System\JFtdwWw.exe | C:\Windows\System\JFtdwWw.exe |
| C:\Windows\System\YdkfoDX.exe | C:\Windows\System\YdkfoDX.exe |
| C:\Windows\System\jXVkUnR.exe | C:\Windows\System\jXVkUnR.exe |
| C:\Windows\System\csupAYW.exe | C:\Windows\System\csupAYW.exe |
| C:\Windows\System\BksRsts.exe | C:\Windows\System\BksRsts.exe |
| C:\Windows\System\ZSHuVmd.exe | C:\Windows\System\ZSHuVmd.exe |
| C:\Windows\System\TWjVPSD.exe | C:\Windows\System\TWjVPSD.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:04
Reported
2024-05-22 21:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\iESZxYd.exe |
| C:\Windows\System\CGEDJhH.exe |
| C:\Windows\System\wBKOuZx.exe |
| C:\Windows\System\HEkfkAr.exe |
| C:\Windows\System\NklsJFx.exe |
| C:\Windows\System\LtZBGtX.exe |
| C:\Windows\System\qZKbShf.exe |
| C:\Windows\System\grOCOKq.exe |
| C:\Windows\System\thddqFn.exe |
| C:\Windows\System\EsRBcoK.exe |
| C:\Windows\System\LrVRbTB.exe |
| C:\Windows\System\GxgoocZ.exe |
| C:\Windows\System\alVYvwe.exe |
| C:\Windows\System\KHvcqxn.exe |
| C:\Windows\System\IlWbAlg.exe |
| C:\Windows\System\hBYjvmR.exe |
| C:\Windows\System\zYjbyJx.exe |
| C:\Windows\System\ZoZwIxc.exe |
| C:\Windows\System\mSkeiTJ.exe |
| C:\Windows\System\oCpYRih.exe |
| C:\Windows\System\fPqkOdU.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\iESZxYd.exe | C:\Windows\System\iESZxYd.exe |
| C:\Windows\System\CGEDJhH.exe | C:\Windows\System\CGEDJhH.exe |
| C:\Windows\System\wBKOuZx.exe | C:\Windows\System\wBKOuZx.exe |
| C:\Windows\System\HEkfkAr.exe | C:\Windows\System\HEkfkAr.exe |
| C:\Windows\System\NklsJFx.exe | C:\Windows\System\NklsJFx.exe |
| C:\Windows\System\LtZBGtX.exe | C:\Windows\System\LtZBGtX.exe |
| C:\Windows\System\qZKbShf.exe | C:\Windows\System\qZKbShf.exe |
| C:\Windows\System\grOCOKq.exe | C:\Windows\System\grOCOKq.exe |
| C:\Windows\System\thddqFn.exe | C:\Windows\System\thddqFn.exe |
| C:\Windows\System\EsRBcoK.exe | C:\Windows\System\EsRBcoK.exe |
| C:\Windows\System\LrVRbTB.exe | C:\Windows\System\LrVRbTB.exe |
| C:\Windows\System\GxgoocZ.exe | C:\Windows\System\GxgoocZ.exe |
| C:\Windows\System\alVYvwe.exe | C:\Windows\System\alVYvwe.exe |
| C:\Windows\System\KHvcqxn.exe | C:\Windows\System\KHvcqxn.exe |
| C:\Windows\System\IlWbAlg.exe | C:\Windows\System\IlWbAlg.exe |
| C:\Windows\System\hBYjvmR.exe | C:\Windows\System\hBYjvmR.exe |
| C:\Windows\System\zYjbyJx.exe | C:\Windows\System\zYjbyJx.exe |
| C:\Windows\System\ZoZwIxc.exe | C:\Windows\System\ZoZwIxc.exe |
| C:\Windows\System\mSkeiTJ.exe | C:\Windows\System\mSkeiTJ.exe |
| C:\Windows\System\oCpYRih.exe | C:\Windows\System\oCpYRih.exe |
| C:\Windows\System\fPqkOdU.exe | C:\Windows\System\fPqkOdU.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
C:\Windows\System\iESZxYd.exe
C:\Windows\System\wBKOuZx.exe
C:\Windows\System\CGEDJhH.exe
C:\Windows\System\HEkfkAr.exe
C:\Windows\System\NklsJFx.exe
C:\Windows\System\LtZBGtX.exe
C:\Windows\System\qZKbShf.exe
C:\Windows\System\grOCOKq.exe
C:\Windows\System\thddqFn.exe
C:\Windows\System\LrVRbTB.exe
C:\Windows\System\GxgoocZ.exe
C:\Windows\System\KHvcqxn.exe
C:\Windows\System\zYjbyJx.exe
C:\Windows\System\ZoZwIxc.exe
C:\Windows\System\oCpYRih.exe
C:\Windows\System\fPqkOdU.exe
C:\Windows\System\mSkeiTJ.exe
C:\Windows\System\hBYjvmR.exe
C:\Windows\System\IlWbAlg.exe
C:\Windows\System\alVYvwe.exe
C:\Windows\System\EsRBcoK.exe