Analysis Overview
SHA256
91e286870059f96d287582b3edf38f41bfc6d1f2df1fcd165ecbf487b3381269
Threat Level: Known bad
The file 2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 13:42
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 13:42
Reported
2024-05-25 13:44
Platform
win7-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vZcTEHE.exe | N/A |
| N/A | N/A | C:\Windows\System\GnGtxTO.exe | N/A |
| N/A | N/A | C:\Windows\System\HSyrPtM.exe | N/A |
| N/A | N/A | C:\Windows\System\tqWsHlG.exe | N/A |
| N/A | N/A | C:\Windows\System\WnEIUSz.exe | N/A |
| N/A | N/A | C:\Windows\System\zdoIMYm.exe | N/A |
| N/A | N/A | C:\Windows\System\indwijP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZmxMaJc.exe | N/A |
| N/A | N/A | C:\Windows\System\ibLqvFq.exe | N/A |
| N/A | N/A | C:\Windows\System\uvVUIAU.exe | N/A |
| N/A | N/A | C:\Windows\System\xSpNZpH.exe | N/A |
| N/A | N/A | C:\Windows\System\AXtRAvE.exe | N/A |
| N/A | N/A | C:\Windows\System\hoHldyu.exe | N/A |
| N/A | N/A | C:\Windows\System\vzFewTj.exe | N/A |
| N/A | N/A | C:\Windows\System\KzDMNAS.exe | N/A |
| N/A | N/A | C:\Windows\System\DHVNGXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\auWLUJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\myWvcmh.exe | N/A |
| N/A | N/A | C:\Windows\System\JNwlrZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\LEpqppY.exe | N/A |
| N/A | N/A | C:\Windows\System\oPuYJdR.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vZcTEHE.exe
C:\Windows\System\vZcTEHE.exe
C:\Windows\System\GnGtxTO.exe
C:\Windows\System\GnGtxTO.exe
C:\Windows\System\HSyrPtM.exe
C:\Windows\System\HSyrPtM.exe
C:\Windows\System\tqWsHlG.exe
C:\Windows\System\tqWsHlG.exe
C:\Windows\System\WnEIUSz.exe
C:\Windows\System\WnEIUSz.exe
C:\Windows\System\zdoIMYm.exe
C:\Windows\System\zdoIMYm.exe
C:\Windows\System\indwijP.exe
C:\Windows\System\indwijP.exe
C:\Windows\System\ZmxMaJc.exe
C:\Windows\System\ZmxMaJc.exe
C:\Windows\System\ibLqvFq.exe
C:\Windows\System\ibLqvFq.exe
C:\Windows\System\uvVUIAU.exe
C:\Windows\System\uvVUIAU.exe
C:\Windows\System\xSpNZpH.exe
C:\Windows\System\xSpNZpH.exe
C:\Windows\System\AXtRAvE.exe
C:\Windows\System\AXtRAvE.exe
C:\Windows\System\hoHldyu.exe
C:\Windows\System\hoHldyu.exe
C:\Windows\System\vzFewTj.exe
C:\Windows\System\vzFewTj.exe
C:\Windows\System\KzDMNAS.exe
C:\Windows\System\KzDMNAS.exe
C:\Windows\System\DHVNGXJ.exe
C:\Windows\System\DHVNGXJ.exe
C:\Windows\System\auWLUJJ.exe
C:\Windows\System\auWLUJJ.exe
C:\Windows\System\myWvcmh.exe
C:\Windows\System\myWvcmh.exe
C:\Windows\System\JNwlrZJ.exe
C:\Windows\System\JNwlrZJ.exe
C:\Windows\System\LEpqppY.exe
C:\Windows\System\LEpqppY.exe
C:\Windows\System\oPuYJdR.exe
C:\Windows\System\oPuYJdR.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2032-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2032-1-0x00000000003F0000-0x0000000000400000-memory.dmp
\Windows\system\vZcTEHE.exe
| MD5 | dd9489e7d635ac0ce719b11e975744af |
| SHA1 | 51cc4bbe45cf0b7008ff5fe675ef12b6456d0499 |
| SHA256 | 13daa08c003b95196360c3f84b31ef501623e8000c92c7f28ba17873f5e2d9df |
| SHA512 | 74344a15ca58a13ded31b179a3c66832eb3bd444570d5f4c6e232cfe1369fdccc9ecd0f704744a901f5be88a26bb6b09564c0e4dc3516d0ef3a57585129cb3ef |
\Windows\system\GnGtxTO.exe
| MD5 | 852df8af322d9e6c618aad9e50204471 |
| SHA1 | 21a6f182b0447e1c9b90d1ca9e30a40c83b6637a |
| SHA256 | 2a5cc44ad2b425f50e866f5992a23312ca5bbcb3e2f7a82f98e5d0b6b69b2549 |
| SHA512 | 8aa487ab533f68dc90c64c5ac045433375da5bc02c2c694b0da9faba2939e2329d353536ed8a8ed1c78710c7b33c48a3406a7157eda2ff420bf0f702c42daee3 |
memory/2536-12-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2796-14-0x000000013F6D0000-0x000000013FA24000-memory.dmp
\Windows\system\HSyrPtM.exe
| MD5 | d0db72172985ee5f22f228571ad0816e |
| SHA1 | 9a3a5925b5088a3257ff79da158acbcd51ed0b03 |
| SHA256 | 5c744328d71403d04a31571d6c51498d4424c384974e63c9ced40c9ee7ed33fa |
| SHA512 | c1d7cb8a44f0674a99156edf94e3249146d808e4d4a75e2b08c09d7e93a413ef58ce87d27cc13c3f94c00273fe00169d5084c7326b7adeb76ade01db1f736070 |
memory/2032-18-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\tqWsHlG.exe
| MD5 | 6d74fb1025417ed1f2bea8f34cf40a67 |
| SHA1 | a2f92b046281c7d30172649fd3195408e181992f |
| SHA256 | 73f3b5d3e008dc7209d59df26b737cb843759d74d48ded13f1914127f709f5ef |
| SHA512 | 332b078666079c1b1e77e2d7fc6a8096a49a6c95c2e8150a6d8492e53bbfe646709faef9ac5532a4bc30b06d5ee50b20cfdc037492858eed461eb8c94fa2f87f |
C:\Windows\system\WnEIUSz.exe
| MD5 | 8bf16bcd6a287c3a57a21c5826c89fa9 |
| SHA1 | a3b451262cac9d8695c4e1dab349d25255d1a220 |
| SHA256 | 9f658852778f13a5ab7b3a223fbfdea9c545b1da201671c5a9204ee82baa79e7 |
| SHA512 | e82b3b719f7c0bdd6a325a165acf018ffb754df6bab0e4eca19cb277ec0bbdbf71623457a300429885a6d4c0dc24c81742c9a6b457c68dc5f9f04d1f402290cc |
memory/2688-31-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2600-33-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2584-37-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2032-40-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\zdoIMYm.exe
| MD5 | 256516edc90906ea55e72587a4368fb0 |
| SHA1 | dea2ea3b595765fccd6b3978e0f5f758220bba29 |
| SHA256 | 2e21f11c51004bda51d01ca37eb27db49486b3cecd0ee9745826c54308738926 |
| SHA512 | 9280d2cc767402d633eee6bfaae984fe3b3943148acba2b05ec1ebd2c29363f1aac1a0d37112a9783ad003dc1f4cfa27f6e8b371c9f343cb1c9933ba08be7d56 |
\Windows\system\indwijP.exe
| MD5 | 4a327bb3a1b911fdb890105648be9d68 |
| SHA1 | b8e6b2648673a09b3e210ab58276989ca56f9636 |
| SHA256 | 0f35589fea93cc7e6a131ed94e317520e345878f4361e05c04c924cb8361b238 |
| SHA512 | 2b2b6feb19df926509beff10320078934259983cc590c18db49bf1b9219c8ef4b8c09e23691405f856d19c19aaee770b4228674eb28af4e0bc60cc14f5aa671c |
memory/2032-43-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2632-41-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2032-32-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2628-54-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2484-47-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2032-66-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
C:\Windows\system\uvVUIAU.exe
| MD5 | a3ac94f0756dfbd779682371481fdd88 |
| SHA1 | 8a39f78fe982d2ed0f4985fa3015b9a074d45c88 |
| SHA256 | 3327202551fa3a3938cb88b0a268182b1f36d860d07a2b7c71ab1c8536876bc5 |
| SHA512 | d7e6f589474f946fddd4d061db6314e1e0e03af3195fecb108293bc64250518480efae981f2f5aab98ac3c01eb5d7a2e09610517dbb13c9ee8d85333203b4d65 |
memory/2536-67-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2528-69-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2032-68-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2796-80-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/3056-76-0x000000013F0E0000-0x000000013F434000-memory.dmp
C:\Windows\system\AXtRAvE.exe
| MD5 | 8d5f93510e35ad94c9a86aa6ac54059a |
| SHA1 | e13266ef2b9aad34fd2d90cf13d0897b39d0c690 |
| SHA256 | e59faefaded84056c8ff10fa20d7a36aec71064df2c01c8e686994ab6f314953 |
| SHA512 | f9b1e5164574b5e9c25a207d613e44c4ed6410ccccc3b884410949ba7c5cb51adaa25b58c6934ae45509d7d9118892df0c3a4bcf55b88f989d140cc8163d2221 |
memory/1276-83-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2032-75-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/3068-96-0x000000013F6C0000-0x000000013FA14000-memory.dmp
C:\Windows\system\KzDMNAS.exe
| MD5 | fd9e752f77812d8c0969f658693b95a3 |
| SHA1 | 00d2986a7cc868da3bb5aaa4d0c35a88094f495a |
| SHA256 | 438168f2d8e09d18d43b2deb60fd42215cfc8216ae0e7b417d312f978ce16921 |
| SHA512 | db178f25a28c099c68f2b3410cca333827c32e1e5a484c648b3054aed7b211fa67074401370e6235db2165927336d6ad6657798b2a3eb4e1992934cf308c5fd1 |
C:\Windows\system\myWvcmh.exe
| MD5 | a0503380449bbec70457737d6da1052a |
| SHA1 | 58788ff33d60d5080bc4bb097aaf6f63e4cf637c |
| SHA256 | 8e097c42c22c9b9296e967604b29c2ccf4b8680d10ae112089b7b39978992779 |
| SHA512 | d392cae0f05d059fae0b8b9d6293549864e950746f5cae1e0a247a74d0eb846325f2e4d30c697a8b8938801c0957d37e6a3db2183e968fd11c93ba59cfa413a5 |
\Windows\system\oPuYJdR.exe
| MD5 | 2647ebd327635008da49af6e4cae94b4 |
| SHA1 | 21ed66f5ce48d5b1cccb1df5b92c20042fb6bf86 |
| SHA256 | 1e089a780572eb3fb369ff408d0301d3c4b14dce38d9cdf8e216706ec81c43ae |
| SHA512 | dd0fa23938aace1b0a3313d3ed9e518f34f2fdd89de08af3244166433f93d7c4fc610c3fba694e13a3459de091fc09834c555099be3983f9e579f18c778b4a33 |
C:\Windows\system\JNwlrZJ.exe
| MD5 | 8609b77859219b4262a21f4867a01235 |
| SHA1 | 7009ee5912a80052392e42224a006536bf2bc29d |
| SHA256 | 7277da74a998f682bd6af768ed3905d1df99ce690473af0f17ff801a7b1e1d58 |
| SHA512 | 53e8924edc0c2c5264ad1d4292cdbca44789aa1db6b4c35df25b7ed09a7065ec618acd308d3379b9930a3ebaa055e25f6a401b7ae310491bbbd9b424dc15da5e |
C:\Windows\system\LEpqppY.exe
| MD5 | 7be00242436b1dde4e160a65548241c4 |
| SHA1 | 02af82d1bc9f9c02c3108749083b6014aaa22331 |
| SHA256 | 27b72c725be54033ef89568277fb54e75783579df0eba87ad40174ff27541a2e |
| SHA512 | f6c15eb5f1b9c5d780da4739516c033916e36c58b6c5cde3ea6fa463760fa8efb8e52c89070593beaeeb0389cfd72c44338af448312709a08cd1d71e1d850f99 |
C:\Windows\system\auWLUJJ.exe
| MD5 | 87b505cac3cb87bd4baa7a1fee7c6cfa |
| SHA1 | 4d918ba09a8ecd541400a4ed5710b0cf0be6addc |
| SHA256 | 6a41ab1e7f4ca30769bb89261247ffae7e8762ea16c308da7272ab9b98d5128c |
| SHA512 | 3c480b4b99a462b7a4cd1b148ff882a86b8c475f215c42aad05af19a5ae7cea066707c6b0f45b9e0c5b18444e43bf0bfc99747dd82e973a685250487e9515886 |
C:\Windows\system\DHVNGXJ.exe
| MD5 | a2e76482966bebd50c7e2cc16e580c67 |
| SHA1 | 3ae41fd7777a1eceb1197aeed1ab263cfa71c9bf |
| SHA256 | e31312386cd9249c45ea81cc0d68d05b08989c42bef996513930e6d4f3279b20 |
| SHA512 | 705f17ba725e20900c792356a4d1cfe2401dcb7085efe2ea7074413fe5e1412d161323b3fc1fb9be3623cce848a65acb764b682f01e88fc4d8f6fdcd434eb1a2 |
memory/2484-134-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2032-100-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2032-95-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\vzFewTj.exe
| MD5 | 19574b307362e8af522ddfe846b816ac |
| SHA1 | d5802d2236f591e0e653b8ea97cf51197c9f9162 |
| SHA256 | 14ff0a9c1016cd93df7507e4d05468219333ea0b5f3c29c05047d6bc55bfd67c |
| SHA512 | 39f64119bb2b02f91dcb77da3780d2a53ff7cb63ff4531bca1e814b2bb7c1425243716e347f27715eaacf682249a0a6bb81ced2ea77ad1c614b4e36c87688b59 |
memory/2788-89-0x000000013F860000-0x000000013FBB4000-memory.dmp
C:\Windows\system\hoHldyu.exe
| MD5 | f7592c30781ab4dba3f5c3683436bed0 |
| SHA1 | d33b1d382e8e0ece8843955ec8732f81a8a59b30 |
| SHA256 | 959b32dbfb671750a078d4eaf30fb14d11d3183c7f0574d28250200e56f5b7a8 |
| SHA512 | 745d6fe347bf22bc45400bc3ae6a6f3694ddb806b6efe3e0d1d2758927f68c5320e49022c3670b261930b3f82bfd471a0c16dae769aa6bd4b1a8832a7c22bd7d |
C:\Windows\system\xSpNZpH.exe
| MD5 | 76ebfeb4b1f3b3bdf4fd5904c5a8334c |
| SHA1 | 01574dfa610db56eae6022e261a11fe76b5e8083 |
| SHA256 | 5e18ddb7b971557d78d7c258c40d18ed21a7aba57755bcb17694ccf2c8366c15 |
| SHA512 | 71d0c0a0124a8dfc78b1c7f41a09527c0700403f446dc2d87012539f556e15d0314522716f365d3e327f5f3df11b009eb70a54c3dcba1ba34fbbd048e1b37017 |
memory/2628-135-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2460-60-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2032-59-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\ibLqvFq.exe
| MD5 | cedebead0a55919a29617428e528f0c4 |
| SHA1 | cc0127c995d458e8969ae59a666606fcf891a9f8 |
| SHA256 | e2ef9e29523b34d01008f4e43e15532dad95f837b44a8c0c47849607540dc84d |
| SHA512 | 71ac17a1a854c1bf3c33a89626977c8d052ed415aa8862242cb037ef131f6fb2ab4cf80e21aed4747cd12aed590098044856e6edda5673348cb5ef5ac57f88c7 |
memory/2032-53-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\ZmxMaJc.exe
| MD5 | 210b62da7ed2f6f567d273d087c143a5 |
| SHA1 | 8b9e1db5c7b97ceed7c05f9a681838986fea1e2d |
| SHA256 | 4f8bbe5eea9ff38cc1c82789809888d9953c5c51064fbe3dab70a9ee589e2d6c |
| SHA512 | 0dbd59a339b114f8a045fb1c3b7b4c8acb40ecbcb3e792080818ed0193bfca5671f56993dcb2fcef1f2e2ca2301975aca4316e71bf783b0f967b97e37d14358f |
memory/2460-136-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2032-137-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2528-138-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/3056-139-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2032-140-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1276-141-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2788-142-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/3068-143-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2032-144-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2536-145-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2796-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2584-147-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2688-148-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2600-149-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2632-150-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2484-151-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2628-152-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2460-153-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2528-154-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/3056-155-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1276-156-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2788-157-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/3068-158-0x000000013F6C0000-0x000000013FA14000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 13:42
Reported
2024-05-25 13:45
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MzpecYg.exe | N/A |
| N/A | N/A | C:\Windows\System\NocYQqb.exe | N/A |
| N/A | N/A | C:\Windows\System\yIVmUqb.exe | N/A |
| N/A | N/A | C:\Windows\System\lHQCkBI.exe | N/A |
| N/A | N/A | C:\Windows\System\DrhTbrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\DIwujip.exe | N/A |
| N/A | N/A | C:\Windows\System\GWnjqFn.exe | N/A |
| N/A | N/A | C:\Windows\System\MyYFiug.exe | N/A |
| N/A | N/A | C:\Windows\System\CxIOIhy.exe | N/A |
| N/A | N/A | C:\Windows\System\rTAPTWT.exe | N/A |
| N/A | N/A | C:\Windows\System\DUnOUIr.exe | N/A |
| N/A | N/A | C:\Windows\System\ccSqTUY.exe | N/A |
| N/A | N/A | C:\Windows\System\wUvRSjY.exe | N/A |
| N/A | N/A | C:\Windows\System\hTimulK.exe | N/A |
| N/A | N/A | C:\Windows\System\MgmoKcL.exe | N/A |
| N/A | N/A | C:\Windows\System\KyJkegL.exe | N/A |
| N/A | N/A | C:\Windows\System\CgLQANW.exe | N/A |
| N/A | N/A | C:\Windows\System\eKptDDv.exe | N/A |
| N/A | N/A | C:\Windows\System\CGcRdgy.exe | N/A |
| N/A | N/A | C:\Windows\System\UvevEgD.exe | N/A |
| N/A | N/A | C:\Windows\System\hKxiNDG.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_31a87d131824685f777c39e90b336a30_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MzpecYg.exe
C:\Windows\System\MzpecYg.exe
C:\Windows\System\NocYQqb.exe
C:\Windows\System\NocYQqb.exe
C:\Windows\System\yIVmUqb.exe
C:\Windows\System\yIVmUqb.exe
C:\Windows\System\lHQCkBI.exe
C:\Windows\System\lHQCkBI.exe
C:\Windows\System\DrhTbrQ.exe
C:\Windows\System\DrhTbrQ.exe
C:\Windows\System\DIwujip.exe
C:\Windows\System\DIwujip.exe
C:\Windows\System\GWnjqFn.exe
C:\Windows\System\GWnjqFn.exe
C:\Windows\System\MyYFiug.exe
C:\Windows\System\MyYFiug.exe
C:\Windows\System\CxIOIhy.exe
C:\Windows\System\CxIOIhy.exe
C:\Windows\System\rTAPTWT.exe
C:\Windows\System\rTAPTWT.exe
C:\Windows\System\DUnOUIr.exe
C:\Windows\System\DUnOUIr.exe
C:\Windows\System\ccSqTUY.exe
C:\Windows\System\ccSqTUY.exe
C:\Windows\System\wUvRSjY.exe
C:\Windows\System\wUvRSjY.exe
C:\Windows\System\hTimulK.exe
C:\Windows\System\hTimulK.exe
C:\Windows\System\MgmoKcL.exe
C:\Windows\System\MgmoKcL.exe
C:\Windows\System\KyJkegL.exe
C:\Windows\System\KyJkegL.exe
C:\Windows\System\CgLQANW.exe
C:\Windows\System\CgLQANW.exe
C:\Windows\System\eKptDDv.exe
C:\Windows\System\eKptDDv.exe
C:\Windows\System\CGcRdgy.exe
C:\Windows\System\CGcRdgy.exe
C:\Windows\System\UvevEgD.exe
C:\Windows\System\UvevEgD.exe
C:\Windows\System\hKxiNDG.exe
C:\Windows\System\hKxiNDG.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\System\MzpecYg.exe
| MD5 | 99c7cd74b3364a40dba3427c22b74a2d |
| SHA1 | 6d8df3ca3f6a9bfffb1e6f94f1de32305fa817f0 |
| SHA256 | 51d61965504d85a049a2dde84741973cd9981aa73d9c662ba796bf8b4ba2b3c9 |
| SHA512 | bcb5770daeb2d4f4f4039580041e25061ae7adbd5dc13e2920d561767e149a0211ce1af29635db0f59d1d1b35bcd30f40a74bdc149b056a47c04132e1223c73f |
C:\Windows\System\NocYQqb.exe
| MD5 | 887c744d94829305b6e7087afb68254a |
| SHA1 | 887b7e40ec4dc882d1115fd7d161d7f909f3706e |
| SHA256 | 12681cbf44f931b077bb13b4ab211646969d6bf3f8157485f9402256672e247f |
| SHA512 | 0e082843da914c6b2f3953ddecc10c22a39c3c4c5318338653549e0e0971cee72c659032382a128055bc1df2ad9643b9694f3a1dd11676c490f0bbf63801a75e |
C:\Windows\System\yIVmUqb.exe
| MD5 | c9605272ef6df9586f15a397fd00655e |
| SHA1 | 032321c1c1f4e8830df8d58646ce90dfa0975663 |
| SHA256 | 61572ceaa794b1051726f89437167e23387a49c0354321e684bfa81e94b1679b |
| SHA512 | e690e413803d3b4c8e8d8d5da48066f4a4e349f99171659eb4e227af2f4035ea73affc069f203065c7a4dd5891bf136d8a84720f3fa7922f4ff0f62775d02098 |
C:\Windows\System\lHQCkBI.exe
| MD5 | 278a98b7cb7c940edcfff03aba7ddf9d |
| SHA1 | 9637eb38c17c59bc2ea1613e69eefe8df9f2b533 |
| SHA256 | 33074c9e3b18606cce5cf8f4ddc986379daae77f78a38b085d1447290cb756d8 |
| SHA512 | db33c6b7f35dff56dc2f556df98287bfb480b69e39f5c0887d72bd89f9c37d6fdb535acd36e215662accf7455e880015225b2903b7be21ae3264bb8b7f01d200 |
C:\Windows\System\DrhTbrQ.exe
| MD5 | 1e01f5d8bb971088de3a7238dc473981 |
| SHA1 | 8d06fc7ad2e88cf0fcdcf1ccf046e9748416a83c |
| SHA256 | 298df40233b24c4fae73d31f2e8b49be52ee32560b07c278f555214a87b3459a |
| SHA512 | 485bc4ceea2c2c005035412830c444ceee2dc39d465fdbb0045b89ab820877ab1a4fbd44c5632af0c36ec866017ec91bc6d81ff460bf91b3f074cc81b382b76b |
C:\Windows\System\DIwujip.exe
| MD5 | d43b7cb21421e64b8f04146e8646003e |
| SHA1 | a5b3aaa62051780387904fe7086aaeed49099703 |
| SHA256 | f31aad49d99523f2050c7f7e8eb67148ffb64cc0936bd1d5859d593f6055573d |
| SHA512 | 4ab1fea8266452a368e0c4a0519d65571c8553b1c40ef1dcc09d9050f88d7d18a602618b1c84fb57420c5b89c66f2b92a4cf76edc83a57ade0097c33b1b35477 |
C:\Windows\System\GWnjqFn.exe
| MD5 | 2a3f09670c0f265cff5e464766a1f10e |
| SHA1 | bd15c3a19746d4da389fe7121f32f040c2c2552e |
| SHA256 | b9c546c0f052cad2d5640fc04b81bb4623e08cd7fea7b8c610b50a39757e3e35 |
| SHA512 | 761b5fac3f0d625e604cd40434ad5ab7c2838dc64b1539b290c8bcd695efdc6268d03eb9b3fe524397b3c7ac6f8ff317db7b9cc98ec284277a092b37e3e9c0d9 |
C:\Windows\System\MyYFiug.exe
| MD5 | 51012d10ef95fe1cfce43353c7f0aab8 |
| SHA1 | a7f1b2efce0c541d092740b98203034e59f6f3a8 |
| SHA256 | 3c5944e2f6760e09ae6d4bcd381aa82e18b5974c0d100690e6172c2864505223 |
| SHA512 | 5e5fb4bdd037e2e7f7d79c048a9c74ef7bc6717c07c211d6dde2c67c8f6dc75ee8b2882689c66991f669ef6098c13f6e1635bf3ef8ee8b6d34e3bf09c8715f9c |
C:\Windows\System\CxIOIhy.exe
| MD5 | 9bacdb9898e92b62a1db4de610fff77f |
| SHA1 | 1414cf83b97cb798d74223e20dadd89847d11b59 |
| SHA256 | 9b7270f8a22818e1f6774a62e7f0003d5f067f8744e4beb04e1b646f643fb281 |
| SHA512 | 0981068c8a0d8fd0c8800a94829098c64410f869edc4e1fbc1baa8da4831325ea20fc08d829726985943cefb02354e986564531a9ec22ebd3458a8a337fc4a73 |
C:\Windows\System\rTAPTWT.exe
| MD5 | 1b540d7391e1356a18a59ee66f261da6 |
| SHA1 | a5aa9a7b0643838a2dd5ced9b581e5d109afba9b |
| SHA256 | 0eb633b2a19b41b80558b67db2544b2061a0d288f064c24dae5cee062a60c87e |
| SHA512 | 9893418082f3f766237d06a29b92f9c1802246b85cdd8de041f2e2b8ded255aad6322f6ad0641cab2df85f9fb8ad88a2fa6618cb7e8a9810db6b43f3475ca71c |
C:\Windows\System\DUnOUIr.exe
| MD5 | 6b62f0a9965513f97c4b9e881c8fad6e |
| SHA1 | 637cfacd80a1fd19af9668aabc99e442bd18a90d |
| SHA256 | ec7a9b15ce8358d9337fe8e26be7ecc5df85aa0bb030eee73e1d301fd1092948 |
| SHA512 | cbcf4c71edfdaec46c2b2269c5ae9abbfa6181c3f5730cd2e041cc610e26bef3f51e7683cc7be8ca9475dd2d0db4f29532533a238f20bdfd3b72cc62ae7ad7b6 |
C:\Windows\System\wUvRSjY.exe
| MD5 | 3308fb34b3c08bd6e8605a21d579d347 |
| SHA1 | 9c1e17cfae2b2d260ac6dacd4bd3bcc5362fec7e |
| SHA256 | aa77efd8a2685b600784770ced947e901b4210331499370ce2aa45f06bbc3e6d |
| SHA512 | 33f597f28dab33121e59bb1e89871b9b7050648bfd2d504ac474b563c9fc7224f707feaf8dc6a5caf932b590f335c29196f805b26a3d7f070de90a9e2cdcad97 |
C:\Windows\System\CGcRdgy.exe
| MD5 | 99634a4d44245189f347e1057007ebfb |
| SHA1 | ab3e1da3d177bb8d5c69ed6e62b4246cf7d8d4e9 |
| SHA256 | 33b7138ed8f50e2c0f5149aa24e4074a079271c0e87ed07dbc501523e1d049c9 |
| SHA512 | 8cf51b3fb5444a766f74af2c9b4721d662be58145e17164852f055c0bdb4583d8016af79470cdb52017ee5299f5a057eaeb09b1f253293baf9f349461721c8a7 |
C:\Windows\System\UvevEgD.exe
| MD5 | 557313f4eb2cf5f5277a978a27ae8462 |
| SHA1 | 3d0b482b9c6e79713e561a47aca0b3647499fcc5 |
| SHA256 | 0efaaf5c974d5d53fa5feaad3c19d177b964731835ee526671ce2f948dea94e9 |
| SHA512 | 957dd8a57497a88f99f7f27ab58eadbbed110c901e931271fc1d297e57024330f01a5afffaf77cde0a7e4747efe8b09d1f4c786cef77788afff2c8bd858d1252 |
C:\Windows\System\hKxiNDG.exe
| MD5 | 2e1305305a5b6b9d082dad3ce69274b1 |
| SHA1 | 4cf703dcbe3bea1931b8999e820a416fce82202f |
| SHA256 | 2b48d2819fb5ad9f26b21646c117e1c9f0312627ee48f39423bc853ac17a7e7f |
| SHA512 | 5fca7d92337ae4d2fad726d1995b1f4e50fbf4a78f914c9a71ce607cbb139b505d9fd3d33af183eb2b067617b012f6e069e7c2c0a595d1ee6ba2b9f175ec7ba2 |
C:\Windows\System\eKptDDv.exe
| MD5 | 3ee029030784b59300d06ef62502917c |
| SHA1 | ca68ba72f7d82011b03f6ee29adeaf86a84175c2 |
| SHA256 | 7ebe024f0d22cc60c30794627b39ec833c64a1fe8adbe6f847bd95b742b6288d |
| SHA512 | 979aa3cd0b3ed77f11ea739d3973cfe42e677a7b2702c4390f0880565d3a00ca051d526ccba880932bd6da7b317e50f0319c137069e5db0f7ac7d179c71f33c6 |
C:\Windows\System\CgLQANW.exe
| MD5 | 76e63a4f16f6ac38d1c44f643a9e29f8 |
| SHA1 | e0aa921e577ba4726b028d96b904a595c1a0a117 |
| SHA256 | 46567515c78d4b7316ba9e2e270e1a3ed6dfd4a5cac92858f470e998c5d353ca |
| SHA512 | c3a2e8305790aea9a5b940bd10b3e08a7863528ed65dbac8f34de439ff007bceecc3bfde6ec74da4f7348da86e8a843d57197ec290c8457c5e0f5c47a9a05875 |
C:\Windows\System\KyJkegL.exe
| MD5 | 48d8eb69d3d6b19cae465b1357b4740b |
| SHA1 | 0a5c352add907d4dd5732ea37bbab52e3a9eb702 |
| SHA256 | 22bf590b8a21c3cd9f824aa2cc46753159cdd866b4d88b6041b25dce8f1f96dd |
| SHA512 | 7aa6884ff6a56d1207808ae2e3ac9094d3e6fe6e8d1565169b86c6990cd760ed64a880e182781a68a9de004c25c5989222cbeb03c2e374b4bbb6d7bf54f72b27 |
C:\Windows\System\MgmoKcL.exe
| MD5 | 6d9aa643213135e3cc3b7c49bbe2fa81 |
| SHA1 | afcd2d7dd1f7ab70adc1a539f6396701ccd3a918 |
| SHA256 | 1a91e029f1433d175725a21cf29107dd8b9b9442a98516113e28bc54d644315b |
| SHA512 | 7f2403ef0d6adf81feffb40f35084ba42ea0d22ad4a3846527b7c101c451be2a499baa2b346cc4946107ad6e677f0ce3c4e5295e411544c51eddaf9bf97c12f3 |
C:\Windows\System\hTimulK.exe
| MD5 | cfc810815c406f397415857bf6d55fef |
| SHA1 | a140e4000e6530893df72617a3659f4d36f03aad |
| SHA256 | 87c975f05ed69d5795e564af8e30d3dc83c797ecd495abe33e542b5fcac395d7 |
| SHA512 | 8fa52d33413afbd65a6f54d150ab903a01537e988591e0f7a63e630071cd4bedebb566fd574bbad778b9d8f020912702ec12b9beb08d67fb9f63948b493a13bb |
C:\Windows\System\ccSqTUY.exe
| MD5 | 97377fb73dad929029b5ee28280df8c5 |
| SHA1 | 8056db981845e2fb49c5503973c47764e83f7743 |
| SHA256 | d0299b1957087056858da6ad04c93541a115d2e2ffad204b397838f261535b1a |
| SHA512 | 055373d9a83d7521f0f51610dc0c49688bc0da8424c029345acc2cc46ee0dee171a5e7a2c257d3b39627c58d486d537cab6914cb17459ea2b5ad528e52a587e9 |