Analysis Overview
SHA256
1175fe857654c399c724e4e19074290bd75dc133f9bbc8460e979ee9972fd37d
Threat Level: Known bad
The file 2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Xmrig family
UPX dump on OEP (original entry point)
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 15:23
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
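The static1 tags above are header-level checks on the file as it sits on disk. As an added example (not the sandbox's own signature code and not part of this report), the following Python walks a PE's DOS header to the PE header and reads its section table, which is the kind of check the "UPX packed file" tag rests on: stock UPX leaves UPX0/UPX1 section names and a "UPX!" marker behind. The build_minimal_pe helper fabricates a headers-only PE32+ image so the check runs offline; it is a constructed stand-in, not the analysed sample. A UPX build with renamed sections and a stripped marker passes this check, which is what the runtime "UPX dump on OEP" signature covers: the sandbox dumps the image once the stub has unpacked it and execution reaches the original entry point.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def build_minimal_pe(section_names, blob=b""):
    """Assemble a synthetic, headers-only PE32+ image for demonstration.

    Constructed stand-in, not the analysed sample: DOS header, PE signature,
    COFF header, a zeroed optional header and one section header per name.
    `blob` is appended as fake section data.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header at 0x40
    opt_size = 240                                   # PE32+ optional header size
    coff = COFF_HDR.pack(0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # IMAGE_NT_OPTIONAL_HDR64_MAGIC
    table = b"".join(
        SECTION_HDR.pack(n.encode("ascii").ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + blob


def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, e_lfanew + 4)
    # Section table follows the signature, COFF header and optional header.
    table = e_lfanew + 4 + COFF_HDR.size + opt_size
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            raise ValueError("section table truncated")
        raw = SECTION_HDR.unpack_from(data, off)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Cheap static check for a stock UPX wrapper: UPX* section names or the
    'UPX!' packer marker. Renamed sections and a stripped marker defeat it."""
    names = pe_section_names(data)
    by_name = any(n.upper().startswith("UPX") for n in names)
    by_marker = b"UPX!" in data
    return by_name or by_marker


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], b"\0\0\0\0UPX!")
    clean = build_minimal_pe([".text", ".rdata", ".data"])
    print("packed:", looks_upx_packed(packed), pe_section_names(packed))
    print("clean :", looks_upx_packed(clean), pe_section_names(clean))
```

For a real file, pass its bytes to looks_upx_packed; a hit only tells you the outer layer is UPX, and the sandbox's memory dumps listed under Files are where the unpacked payload is inspected.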
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 15:23
Reported
2024-05-25 15:26
Platform
win7-20240220-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches (no description, indicator, process or target captured) | | | |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches (no description, indicator, process or target captured) | | | |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 55 matches (no description, indicator, process or target captured) | | | |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 60 matches (no description, indicator, process or target captured) | | | |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nsKZNpf.exe | N/A |
| N/A | N/A | C:\Windows\System\YGWcFal.exe | N/A |
| N/A | N/A | C:\Windows\System\uDouGko.exe | N/A |
| N/A | N/A | C:\Windows\System\qNYOfPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fBxdPJS.exe | N/A |
| N/A | N/A | C:\Windows\System\KoiIMsS.exe | N/A |
| N/A | N/A | C:\Windows\System\hCLhjfu.exe | N/A |
| N/A | N/A | C:\Windows\System\XgKcGTS.exe | N/A |
| N/A | N/A | C:\Windows\System\kATeXYu.exe | N/A |
| N/A | N/A | C:\Windows\System\yqqWoLC.exe | N/A |
| N/A | N/A | C:\Windows\System\frJgmoA.exe | N/A |
| N/A | N/A | C:\Windows\System\RkFoZqO.exe | N/A |
| N/A | N/A | C:\Windows\System\RsEBWBt.exe | N/A |
| N/A | N/A | C:\Windows\System\FmBorrD.exe | N/A |
| N/A | N/A | C:\Windows\System\Ferzrsc.exe | N/A |
| N/A | N/A | C:\Windows\System\TOJtNiW.exe | N/A |
| N/A | N/A | C:\Windows\System\sKCvpEm.exe | N/A |
| N/A | N/A | C:\Windows\System\TSlYYsY.exe | N/A |
| N/A | N/A | C:\Windows\System\jSzFnew.exe | N/A |
| N/A | N/A | C:\Windows\System\xKgwMmp.exe | N/A |
| N/A | N/A | C:\Windows\System\HMjHqSa.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 56 matches (no description, indicator, process or target captured) | | | |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\nsKZNpf.exe
C:\Windows\System\nsKZNpf.exe
C:\Windows\System\uDouGko.exe
C:\Windows\System\uDouGko.exe
C:\Windows\System\YGWcFal.exe
C:\Windows\System\YGWcFal.exe
C:\Windows\System\qNYOfPQ.exe
C:\Windows\System\qNYOfPQ.exe
C:\Windows\System\fBxdPJS.exe
C:\Windows\System\fBxdPJS.exe
C:\Windows\System\KoiIMsS.exe
C:\Windows\System\KoiIMsS.exe
C:\Windows\System\hCLhjfu.exe
C:\Windows\System\hCLhjfu.exe
C:\Windows\System\XgKcGTS.exe
C:\Windows\System\XgKcGTS.exe
C:\Windows\System\kATeXYu.exe
C:\Windows\System\kATeXYu.exe
C:\Windows\System\yqqWoLC.exe
C:\Windows\System\yqqWoLC.exe
C:\Windows\System\frJgmoA.exe
C:\Windows\System\frJgmoA.exe
C:\Windows\System\RkFoZqO.exe
C:\Windows\System\RkFoZqO.exe
C:\Windows\System\RsEBWBt.exe
C:\Windows\System\RsEBWBt.exe
C:\Windows\System\FmBorrD.exe
C:\Windows\System\FmBorrD.exe
C:\Windows\System\Ferzrsc.exe
C:\Windows\System\Ferzrsc.exe
C:\Windows\System\TOJtNiW.exe
C:\Windows\System\TOJtNiW.exe
C:\Windows\System\jSzFnew.exe
C:\Windows\System\jSzFnew.exe
C:\Windows\System\sKCvpEm.exe
C:\Windows\System\sKCvpEm.exe
C:\Windows\System\xKgwMmp.exe
C:\Windows\System\xKgwMmp.exe
C:\Windows\System\TSlYYsY.exe
C:\Windows\System\TSlYYsY.exe
C:\Windows\System\HMjHqSa.exe
C:\Windows\System\HMjHqSa.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1636-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1636-2-0x000000013F760000-0x000000013FAB4000-memory.dmp
\Windows\system\nsKZNpf.exe
| MD5 | ef6da47b49384f92e6dd1713aa878b64 |
| SHA1 | 95998db508d7052b911eed34bc94a805cb27a898 |
| SHA256 | 80ae0f36cda9260c1c006a990d8cbb54b03823ebaac83b3debf5920de1a35e22 |
| SHA512 | 880423a87ac007435a2c4359ae868747effe7dab6603248eaecf646147dc5130843802193c38d914a723f865943d63df399999c8ba58539ea363749556c727df |
memory/1636-7-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\qNYOfPQ.exe
| MD5 | 996e8d7f4e2f45f927fdb1e49b997666 |
| SHA1 | 9b4a32900495e315a57e956bc0ea3568caacb037 |
| SHA256 | 93e6e575afb8a1ed33103e5f0ca63ba4a8404746bd1f929d14bc8b59d488efa6 |
| SHA512 | f245818ea420efc69df8bd96ad90cc49686626dffe489dbd4be5d1cb3909463d26499bde4458ac82782b5723929c5a4fe9803ac3d90c84601d4d7998d28b9219 |
\Windows\system\uDouGko.exe
| MD5 | 46798ed08206fc5c84464267f462469c |
| SHA1 | ad6926c861bdd3e4a56278adcec451e9a55cda0d |
| SHA256 | 5c6cc0eafe4e27d6683f4d81049562e8c8d276cb8ab355984de17517a94ebee6 |
| SHA512 | 38d45d856cebebe15ce057296e39fe0a7c1b78149a61b541c1ea0375226e466b49ace015d033b203548f1c7f356f8356ead193e2ca47969b03e4bb4507d79179 |
memory/2036-25-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/1636-16-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2820-27-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2572-23-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\YGWcFal.exe
| MD5 | e7398fad780a7df97150c1f6a28afaad |
| SHA1 | 007d17c2c506fa2e54de58d46408edd3583a8193 |
| SHA256 | f7a22c05982bf64a6aa66991a80fd84bb596f5ced17a146ca273e9558e50a48f |
| SHA512 | 8b2c73cac5cae6171cd9418b4ee53a2e5a44fbb6a12a1b47ef982c6bb2c234cb59a9bb51c87cc00ca3159a77b2f791b866054651810a9176df74d689b80894f7 |
C:\Windows\system\KoiIMsS.exe
| MD5 | 4b208de24ecd1d5d7b72e510e47cf419 |
| SHA1 | bf486189cb6e38eda977d1a04abfb7e4b7257543 |
| SHA256 | 5ebd8d9193bdeb8dcb5c4694645460c1baa30da409e9a61964d1e03b07140b77 |
| SHA512 | de928cc65680c6a90a04619ed2a266396d17f4655babc361d7762be46d5f7d6b543d20beffea7aa44395418524db82a42abec06607bc235db2dc6841deae3719 |
memory/1636-40-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1636-41-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/892-43-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2380-34-0x000000013F360000-0x000000013F6B4000-memory.dmp
C:\Windows\system\fBxdPJS.exe
| MD5 | 90a10a7f7f5160830b280cc690db36ef |
| SHA1 | aa74f39e947037fefe60d63f6d0f76aa5438d296 |
| SHA256 | d6b6c01b551e5e8967f6a6671acd93dda7feb7dce6f5cf29dbadda1801d61b1a |
| SHA512 | 0d947397d2d1f4d702a9730bbd696892b865803248c491c03f8b5739e6d64ce29e37c60a87d9e3ccd9681fdcf273671ad689ea73837ca9cb1e667c853f5d6702 |
memory/1636-20-0x00000000023E0000-0x0000000002734000-memory.dmp
C:\Windows\system\hCLhjfu.exe
| MD5 | 5a82c99a6d7a2fa38825c126e43da7f5 |
| SHA1 | db4918c25b0fa4b7e28d379095d8be6eefa62e6f |
| SHA256 | e99cc74a693216b317e12ddfbe0324ce9f9523c5314bc009487457b8e4da6040 |
| SHA512 | acbd6ca4a065ba27e419eb60971db9ff06a6246248687652b57ef9ea51946d54a415f239ade593448ef20ddbbf7896ad8eff1405d85092ff0222bf6e4bca37df |
memory/2732-50-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1636-49-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2968-12-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\XgKcGTS.exe
| MD5 | 53fe11e954d2fb13775a156d31b6c2e1 |
| SHA1 | 6b72f230d6f24eb4fb8d252e9227cc5566756bc1 |
| SHA256 | 020b5c7b3674acbb7102a0041e80a18ff883d73bc19219cb513e2b32445365e3 |
| SHA512 | eadceff0316e4b01dcfe783fd27cd921791663e6e14695809ba4f139ea38fc6386e109d1cdaff0e31117e48e90abe97807cdef96556cbce9ad2f64a9ba79ff8d |
memory/1636-62-0x00000000023E0000-0x0000000002734000-memory.dmp
C:\Windows\system\kATeXYu.exe
| MD5 | ae4fbee4f525934e1ee6cb86c5cd0d96 |
| SHA1 | 37f0e650e5326e3af89317a38f7cc5533c05ebdd |
| SHA256 | 56276a959f59fb46065bfec8ab2160b05ca2cca7aa39d47d79ec3347c298247d |
| SHA512 | 851af1dcbc9129426d798939e1411eb723ff6eafbab1a7f4be4f43a8b74690843977a1297052631dffe93bd018b5a440626e4c07859c7a9dc313388f487890d7 |
memory/2668-63-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2672-56-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\yqqWoLC.exe
| MD5 | c3538a2499bae672a63e5d5c74b6593f |
| SHA1 | 38c2b03c08d9a51abbadbc251333e831ae52fd9b |
| SHA256 | f81a461d50d8c65c4af09b9b57986aedfb745e0ac96759960997374682bac9c8 |
| SHA512 | b6de9dc1e40ea4a3bb057099bbfa8b0d67141d23ab22dd0dddc87abf5a7f2da3d374dbab1d04121d29360905034bcbf0aac3da70a5b82dc2a45c39f9d1233046 |
memory/1636-70-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2572-69-0x000000013F540000-0x000000013F894000-memory.dmp
memory/1876-71-0x000000013F490000-0x000000013F7E4000-memory.dmp
\Windows\system\frJgmoA.exe
| MD5 | 1163e4e2813427d9dbfc28eb38a33609 |
| SHA1 | 1a9072cfa624f955107022ffdf341afdaca7561a |
| SHA256 | 8587c83cfe5bb47e277534713b7307f46f6c4479bf8e783a4ac1455222c2bb3f |
| SHA512 | 17db6d7bb630b950aec65f1e738e14b3eb75fe2da4826c9eef842d6aaa18a40f540bc43544c8f0e922d2e9522ac36bf67529c2e1560a443adf7579f9577c66c8 |
memory/2036-77-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2596-79-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1636-78-0x000000013F0E0000-0x000000013F434000-memory.dmp
C:\Windows\system\RkFoZqO.exe
| MD5 | c80a33da50cf0d7484deacabfa820a00 |
| SHA1 | f3e39f5a57388c1a9035aecf6ab9a170252ae0b9 |
| SHA256 | 946bbf3ac109feb22f51264cfe879bc51dc4ea0161fcd3ef4509f25de0c5ab26 |
| SHA512 | 0dd98a48acf4e9aebe1ab40cee41d45892c81fa14b1857a73e05f26da30e85a0a459169d4d0122e92da772f2f38531f4e480e1d01f9ff884ef9301287ba16968 |
memory/2820-85-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2756-87-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1636-86-0x000000013FFA0000-0x00000001402F4000-memory.dmp
\Windows\system\RsEBWBt.exe
| MD5 | 0229095cddc449588226b156728af038 |
| SHA1 | 2dcf65477b7b9b5e4e14370124a4b753ca86e1f5 |
| SHA256 | 0a1bccb3d02a5d66fe98fece0c723ec9fd52d52bf790ff44ab6956b737cc4e7e |
| SHA512 | 2f8196affddef1db6d7f2112ee11c3582e16d3e91d1ffd43b9f73c78fe87d3ac764d6cb4de63e93ff5580662f304e549ef024f26ac224ed6fad29b14f7eb29b7 |
\Windows\system\xKgwMmp.exe
| MD5 | 1797c7494b62f923d1dd0c06c3a86f3c |
| SHA1 | 512d7c234b4aeeac6a8cb5f6756f39cbcdaa52d2 |
| SHA256 | 66f977149952d4a2eedd734053a9505a22d70f5069dfb17510ab10d203a78fc8 |
| SHA512 | b0247452e1ff974a389efc87a76b44cf421dfdc7a3ffd84cc30661eb91a0aead1d72001ceb42b789b18df1738f9ef47a06929ef3a8dd0ffba4ed6556ff1bd6ea |
C:\Windows\system\FmBorrD.exe
| MD5 | f805a25bc4a930da1c587d030629b20d |
| SHA1 | 9c843f8843f55b15d0ed26cdcc330cd563c2b5aa |
| SHA256 | 0df5d9532b2067cc7b8d24227103d88eda2c1bff98f7b571a47d5fc18213f58c |
| SHA512 | c74dc01afa4c51caef37de83391d666bafc1f28903a4dee751cea6eb2b008371ad5b69f8d303417332311550118c5238b4984486ee882227f3e8d05c3c11cde4 |
C:\Windows\system\jSzFnew.exe
| MD5 | 453e100a5af0683255c8b4c2cc0db03a |
| SHA1 | d56bcc48d6b79b420e181153ac5586760d4e5dea |
| SHA256 | 8f439bac237b46445879df46ead91647993dcee5cf3dc86eeeb3d7c14af704a2 |
| SHA512 | 00213eb1c00331625f78036268a16b1f0ee3c0d9460343d90d30e6fce0eb61e838a6a421100b5b1a9cf5a2b076add78843bbc6469367c93f742229e227d2c8cc |
C:\Windows\system\TSlYYsY.exe
| MD5 | 7606c825524e7dff9f0d2d5dd055032d |
| SHA1 | 6c7ce36263edc3caa56d0506ee0ee7dccf699bd4 |
| SHA256 | ab6ab378435dc2785c8b7977e65c21db7b80b3c1eb9ba307f5bdadf2860ccb9c |
| SHA512 | 69a0cc7c130a07ce688968a152cb0e3c2adee2540cfea62c15bcaa80057b593fa4fa2d1414ed33d554672340fffea972a60392c8279fd8abdd67ac5ccefb8277 |
C:\Windows\system\sKCvpEm.exe
| MD5 | 2a7e219914c9d73f74bd3580ad1a88a5 |
| SHA1 | 6099fa0f3eed593ca196246cb0f1ef5fed794ed7 |
| SHA256 | 654fe4b4f21e134f1b42683e19fa0a153eff1ad2c7d078b75cf96c75b5c093dc |
| SHA512 | a0838b81df7f5aca6f746aab7bda0448ecf25ec3e0bf8af94a4f657bd189f0faf4b9873cd5f0fc2d683a9c0a7012c2ce7132d42bbcfda127b97d5c469a472576 |
C:\Windows\system\TOJtNiW.exe
| MD5 | 1069c1a4498510990f2fa5895c5a45e2 |
| SHA1 | 0324c84d2a4e083a0f2f885aa26302d6e3126754 |
| SHA256 | 445bd01008820febd1adfd1d7d2ce7fbed5e05025307cfd0351aa2d84d461ebd |
| SHA512 | c92399abe85ee5c77ac6d42e136c84eac6b441de000d8465cd9c1a8146d18ef5d573c873920441c36ade544bab6d910decb364717abf9264f3c8c7ab7bed96fe |
C:\Windows\system\Ferzrsc.exe
| MD5 | 2f7b79474d871d3a3d1a3568580f12d8 |
| SHA1 | 9cf722d5741b844a92229aa9e3fc0f65fac2010f |
| SHA256 | 18ea12819f7f3409091f71c5a4ae57c1994566a577a9ee42ea74a81fda824e27 |
| SHA512 | e6f17911aef2273bf846537f418605896bc0563e02601e96bf57475a195b362c0cb082b9f632431750187bdc3423f28024f8c2670e440e48efccfdc64e1e3311 |
memory/1636-118-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/1636-111-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/1636-109-0x00000000023E0000-0x0000000002734000-memory.dmp
\Windows\system\HMjHqSa.exe
| MD5 | c4e449c14766983b9f799a1076166d86 |
| SHA1 | 28dd31dc5e85fb9a619e67f6df9b94736fc6095b |
| SHA256 | 050036f56df99474c1649c998452281b45d19025a56d455af5f7ac40bb984bc7 |
| SHA512 | c5cbc0fb3667d7fe25fa583287425c47d9cb1aecafcfae95443b9737d935d8b8a26b1a0baf5c68362ac829381a50a20094a5a07d8f50946d1a3505ff1b24a02b |
memory/2380-102-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/1616-96-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1636-92-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1636-138-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1636-139-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/1636-140-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1616-141-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1636-142-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2968-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2572-144-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2036-145-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2820-146-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2380-147-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/892-148-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2732-149-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2672-150-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2668-151-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1876-152-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2596-153-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2756-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1616-155-0x000000013F280000-0x000000013F5D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 15:23
Reported
2024-05-25 15:26
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches (no description, indicator, process or target captured) | | | |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches (no description, indicator, process or target captured) | | | |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 matches (no description, indicator, process or target captured) | | | |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches (no description, indicator, process or target captured) | | | |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xpaPJRI.exe | N/A |
| N/A | N/A | C:\Windows\System\wEUCMeH.exe | N/A |
| N/A | N/A | C:\Windows\System\QhQRwGu.exe | N/A |
| N/A | N/A | C:\Windows\System\YMRBiuh.exe | N/A |
| N/A | N/A | C:\Windows\System\kugObyK.exe | N/A |
| N/A | N/A | C:\Windows\System\RgWfLoC.exe | N/A |
| N/A | N/A | C:\Windows\System\LtudMsO.exe | N/A |
| N/A | N/A | C:\Windows\System\jKRYFqn.exe | N/A |
| N/A | N/A | C:\Windows\System\ixufXpA.exe | N/A |
| N/A | N/A | C:\Windows\System\xSiEPXl.exe | N/A |
| N/A | N/A | C:\Windows\System\CjBvHRl.exe | N/A |
| N/A | N/A | C:\Windows\System\RCtDZhW.exe | N/A |
| N/A | N/A | C:\Windows\System\kRJkmZK.exe | N/A |
| N/A | N/A | C:\Windows\System\eKRcJgC.exe | N/A |
| N/A | N/A | C:\Windows\System\uGqrscQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CpSOrkW.exe | N/A |
| N/A | N/A | C:\Windows\System\hUYOJqt.exe | N/A |
| N/A | N/A | C:\Windows\System\sHrCOTL.exe | N/A |
| N/A | N/A | C:\Windows\System\EyZarqw.exe | N/A |
| N/A | N/A | C:\Windows\System\NfjKOhf.exe | N/A |
| N/A | N/A | C:\Windows\System\htzPFrg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matches (no description, indicator, process or target captured) | | | |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xpaPJRI.exe
C:\Windows\System\xpaPJRI.exe
C:\Windows\System\wEUCMeH.exe
C:\Windows\System\wEUCMeH.exe
C:\Windows\System\QhQRwGu.exe
C:\Windows\System\QhQRwGu.exe
C:\Windows\System\YMRBiuh.exe
C:\Windows\System\YMRBiuh.exe
C:\Windows\System\kugObyK.exe
C:\Windows\System\kugObyK.exe
C:\Windows\System\RgWfLoC.exe
C:\Windows\System\RgWfLoC.exe
C:\Windows\System\LtudMsO.exe
C:\Windows\System\LtudMsO.exe
C:\Windows\System\jKRYFqn.exe
C:\Windows\System\jKRYFqn.exe
C:\Windows\System\ixufXpA.exe
C:\Windows\System\ixufXpA.exe
C:\Windows\System\xSiEPXl.exe
C:\Windows\System\xSiEPXl.exe
C:\Windows\System\CjBvHRl.exe
C:\Windows\System\CjBvHRl.exe
C:\Windows\System\RCtDZhW.exe
C:\Windows\System\RCtDZhW.exe
C:\Windows\System\kRJkmZK.exe
C:\Windows\System\kRJkmZK.exe
C:\Windows\System\eKRcJgC.exe
C:\Windows\System\eKRcJgC.exe
C:\Windows\System\uGqrscQ.exe
C:\Windows\System\uGqrscQ.exe
C:\Windows\System\CpSOrkW.exe
C:\Windows\System\CpSOrkW.exe
C:\Windows\System\hUYOJqt.exe
C:\Windows\System\hUYOJqt.exe
C:\Windows\System\sHrCOTL.exe
C:\Windows\System\sHrCOTL.exe
C:\Windows\System\EyZarqw.exe
C:\Windows\System\EyZarqw.exe
C:\Windows\System\NfjKOhf.exe
C:\Windows\System\NfjKOhf.exe
C:\Windows\System\htzPFrg.exe
C:\Windows\System\htzPFrg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2124-0-0x00007FF656620000-0x00007FF656974000-memory.dmp
memory/2124-1-0x00000219AA1C0000-0x00000219AA1D0000-memory.dmp
C:\Windows\System\xpaPJRI.exe
| MD5 | 1b66d455a400c476cca1c79fb0f8d598 |
| SHA1 | 99aed1319323ddb94c0e7069574e3d0256290560 |
| SHA256 | 09d64b784153333800589a37bcf43d3001b5b757b04212210978da700107b209 |
| SHA512 | c79a346243204c0b44965101cf73bfa2de7e41308aec37db7f0fe49c44b75d392b885e32c79bcf6ab0664c8df10e6211fe2d2ad584dd5115a481c9e0988d5974 |
memory/3400-7-0x00007FF7345F0000-0x00007FF734944000-memory.dmp
C:\Windows\System\QhQRwGu.exe
| MD5 | 761a0f8d85a07ba36ef03be9c3122e9f |
| SHA1 | a89cf559825becc1b42fcdfdb77485edf50c9abd |
| SHA256 | 5acba74fe2d1213fb2b4104606e77e3b8050af6763fbe15d33907822141320d2 |
| SHA512 | 153fbcb4b8e24dd060955ae65ea6a2696196b38c3378c5c354d73361c19a9d9612669335b04f7cd6d2f21108262e0b504a973a7f90288720d8afea7d7c9e8de5 |
C:\Windows\System\wEUCMeH.exe
| MD5 | 3a62a57556138b74d2c41a1bbd6868ce |
| SHA1 | 51100dd2694629aa1a4cef79a38454940eb6a887 |
| SHA256 | c2cbf9c5a9663ba059f3e31b003b5dab54a9c060c3b20be160786db9cafed063 |
| SHA512 | fe0ee9bfd055b6c4a3aba089ba3ce6db3288b26e1fff89072c846ac5f743bec6184998d011eb480a051f4c8e14cbf663dee610522f1d9ced68a9347bb89fed10 |
C:\Windows\System\YMRBiuh.exe
| MD5 | 5ce7de4e5065e55919b3326fd5261da9 |
| SHA1 | cb5aa70784df230e3d4f73bbc6cd8b6723ca160b |
| SHA256 | 68ea716eb21e54c72d65e2c12d82d6b8ccc25b1cff840f28e6054235609d5036 |
| SHA512 | 75f419bfa16505b38cedd4e9aca8aded164a754db7d17940fc8d73cb0b6eb095d880012609588900fcef6d5b358822cbe96656533d63ef53e2f6bca4023bcac6 |
C:\Windows\System\kugObyK.exe
| MD5 | a15c77a66640ffe40f5a146acdc4e003 |
| SHA1 | 09359c9e92a414a3bb6f90c04656e40ba1380cb9 |
| SHA256 | e07f2884c7337d160abbacbbe718157ee336783321c0d9b8b2e54c2db6b46d22 |
| SHA512 | c4352d058b03bff7cfbf5d336f162acc4c13087168c305b841534afb6536fabcb302d64f217bdaa2587d43bcd898b404f2f2eccda18f5a1b65834be5272bd35d |
C:\Windows\System\RgWfLoC.exe
| MD5 | e16e8c4baafed2d8ed5f933ceb4bb89b |
| SHA1 | 97fd5b2e6ac78d97fd4a9fb27c6cc5e376fc6e67 |
| SHA256 | 72fa2c254fd5b6d03d9969bab824aa8a8c008274f4c2a255f7e537bf12dd2888 |
| SHA512 | d8a570064138d74a77c9ccb87896b3f700588a1f5faef6b44eca9cda8e4bb3d25a66a9950d44f4074125384ca30b71b154e6729b8f0ade024eb16686719c15af |
memory/436-42-0x00007FF6C14B0000-0x00007FF6C1804000-memory.dmp
C:\Windows\System\CjBvHRl.exe
| MD5 | bfb220dc8a3ff8cecda49cf02f35affb |
| SHA1 | 09dcc6228b31ca5c530f7a5a093dcb0a1b04fc69 |
| SHA256 | 0805d7dafb554e41345e79c52754499556d1cb2a46c15f5e17677d33709ecd57 |
| SHA512 | 6c226842ab826bc4f4d6523bb3df583bfdb5f41fa09179416d089beafe58b417114a9e6ddf3d5bdbf7e04df655185181469d79d4847ef7a193213899d5a905b2 |
C:\Windows\System\eKRcJgC.exe
| MD5 | 6f68feb1463a6527678d297f6d41c87b |
| SHA1 | 4640bc30597c8841ff8c42adc45c669cb7cfcbd1 |
| SHA256 | 0b29f7a25332687f440b8c6b72771ca40ea9a2604d749d82b40170629e5db6f4 |
| SHA512 | 484e5fbd27edf604f6ee46b21585e8622764a6188bd930cc4a7a37260a9d3660bcde9087753f74c09b91c6a4e5f936207d12fbaf18518e955e0ed3759cc0ef9b |
C:\Windows\System\sHrCOTL.exe
| MD5 | 79e926f43341cc6579e391c537f4f288 |
| SHA1 | a4fef9bbaf5ead5a86f55d95bfe7cb0dc0c7eab6 |
| SHA256 | 89225619df74dbd0bd3a482f03d0a32c21ba4f98a1df10dd0c325abaac47357f |
| SHA512 | 9d0b86e8526f04602f35baae1fd54712d10ea425f4676dbd2e61b3629faf46bdf1ebdf5fef192759373c1bea3b2d61d3968b5c0a927b045473834ad56e97ad59 |
C:\Windows\System\htzPFrg.exe
| MD5 | 37a145dbf452cb928c6a854326b6d120 |
| SHA1 | 586632d449236e217891ea32617a12afd0b869a5 |
| SHA256 | e9161790ea26c269afea239df0dc8a48d032b22ab0c5c38042b8055dc8f7afe4 |
| SHA512 | a9709e85e266ccf14ee1783057a70b426ce790c32442d3be64d2cb7ce2654204b98edc3a6bfe663fc6dbb7f65ac4292ae93a59b5e9c78155bae8f3e779ec38b1 |
C:\Windows\System\NfjKOhf.exe
| MD5 | 1ec7eb4050bf977d7d6e90cdc934c9c1 |
| SHA1 | c8376ff119b22fc3f3d21974a8e682ef59bf9df1 |
| SHA256 | 9d575e28aa5754401e90fa26ede8526bc92a6622783c00c1f58e97376708c502 |
| SHA512 | 8043cefd1d98e259e0665f5a32d74000f0f1c0089ccd9f5fe1f2138d4c4a645c458a870e9383a21613e295254f40b1b442d32d46ec68855f077b29a879ea78c8 |
C:\Windows\System\EyZarqw.exe
| MD5 | be20456fd34809f83bced88d8c33a573 |
| SHA1 | 74fc5d14f625907a7716f5f4eec24e443be95bf8 |
| SHA256 | ad9b6b0b866c289c4978f91f6676a8570d6b31fe4afcfc29ab54abc6a9a09722 |
| SHA512 | 7c20b9ba511cd9188ed9e6798b6dc6a784f78d55fa624dee448b90393f036993eebc81eb69bab47b2e35e43bf449f33ad840986c73e7de1338a04a73a25c405c |
C:\Windows\System\hUYOJqt.exe
| MD5 | 7b280dc74117c37291cac13c98421656 |
| SHA1 | ec21c35b62d37bcd4aa9e4204e99cce1eba677f0 |
| SHA256 | e7ab5622838e64752cd7988f0a30cbecb4f8ca4db6bc89b147f112fb10cfba32 |
| SHA512 | 47ef5625616933ecc6aacdedc5be3cbcd4760fdbb3c76c9137ee2da6c4905caa009a1a6b51413bbbf078c01596ae9a86247fdea6088b88103056af106f9a9a48 |
C:\Windows\System\CpSOrkW.exe
| MD5 | ec545cbdcdc8e9444d799d57898369e9 |
| SHA1 | afdcf6a575376170acc119e8a4ee12da47117a24 |
| SHA256 | 6c89af8ce72e5bbc4418ed8a3a630c1a95289728fa26c795b6a6c9ed63dad09c |
| SHA512 | 9447fea94a55640e5c68ed29ae1237eb5e9381e78d34625c10b6e9693b2fde2fae55f2ba8c0c0bf086db37a2b78ef18a2c2db31b12a37ecf361dfc8871e37f4c |
C:\Windows\System\uGqrscQ.exe
| MD5 | 6119e1b668df983e8d470f0c324716f3 |
| SHA1 | e678128dab4ff09f92c0a3a3b4b176773368f02e |
| SHA256 | 0a454ea6454785aa6f2fa72905059d763178efbf4a545747e635b21f864ad09c |
| SHA512 | 19c3f305ad8179e7a186887f840075dd582e447478870eba20f26c37037fb7583417cce4117c8263f85631a5a113fd43745f8837012fa4a45da418d3e9cf8516 |
C:\Windows\System\kRJkmZK.exe
| MD5 | 2b2a64426b2abbd822ac3213a65a8160 |
| SHA1 | 590ecca68b64ed4d8461c5ecac02645e60fe956b |
| SHA256 | 08d2454435fc4dff54e368afe932850e017986002c65d26bdd9cbae65f84820a |
| SHA512 | 7dd98fea3543bcffbbd1028b05d65be0159b62d812b78f59c3c68fe0752113ce83577c2f1daadbd16113425e873b9a71db46ec864562be3ae55b5eba99fedda6 |
C:\Windows\System\RCtDZhW.exe
| MD5 | f14b021dd578fd5acdb23dcbb742bded |
| SHA1 | fe0ac18895ee7dcac84ed4172c8282345b56b9c5 |
| SHA256 | 1ecf5790b332ab1b036c0c875a5e4c61e6f556c2a4c3853d7a90eb379edc4c82 |
| SHA512 | f6ac46f4b115946bc806e136d0b9883ab549efa50a86dc3fad17493bc5d1f7171446d4476b8ee27161add34b57e8752e53c53b9ff8ebaa556990fd929dc69d65 |
C:\Windows\System\xSiEPXl.exe
| MD5 | 4ef3f1bed284cada17e4c3b7b773bc99 |
| SHA1 | 2f5bb6c06e37b45ae9f4e370e873ac61625422a4 |
| SHA256 | b0067214d472b034ba2365f2fc9fc52cc4f208551100ca876b879144cf7b4942 |
| SHA512 | 2aec2045b5656e1ce286f7e68ebb88d19bc5a4410ea921415ff1dcaca4a0dc1fdcede7939891a45d0c5a060d793f62dd98c2f7d58a99a42ccd859559e9c5e19b |
C:\Windows\System\ixufXpA.exe
| MD5 | 44ebc699b35531c4dc7bd870193ebc67 |
| SHA1 | 89186ae0b4d136ecac28541d060fe1e48caff4a7 |
| SHA256 | e8679cd290caf2fafecea2e8bc772a2a72afd338561ebaa0cf340b2875f919d2 |
| SHA512 | 79a84a7f456dd6508708f8b6fc93143153e143adcfcbd5c7255ec47cba921e811c538fb9b6e7bef80284c5915751d5dfc54bf013543a16355643357bcebd1d56 |
C:\Windows\System\jKRYFqn.exe
| MD5 | 33e61ff27d98a34d4f4f12beaa16a21f |
| SHA1 | 9b1b02a4dc791a1234e7d8d16b7c795323a5468e |
| SHA256 | 2ba4df53f1b0a9c12cf9745b3b950db0caf3a692a393d686c10fe63975100684 |
| SHA512 | d0545b9af8412d04076d37eb2afd8f9c7544f0c544a47e532d810fd8d4a616fbf3e52e6cf613f868c27759181dd108895c26eaed21e23c3e1829a19b5a7aba2b |
memory/4140-47-0x00007FF70FAC0000-0x00007FF70FE14000-memory.dmp
C:\Windows\System\LtudMsO.exe
| MD5 | 10a5f2a37242d1e5588f726b6630de44 |
| SHA1 | 7fe46280f6e6032771e4df33f3b0e5d041f8439b |
| SHA256 | 48ab444b29438cf8b8eb4e81179bf6d2c5ad029af5cc0da123bff793e2424da0 |
| SHA512 | 355eafda0a2c9c332a04cf28754fa7e11a0d4998aaaa52fd2890823745947cbee14d81967ca1a3d4fa4a773348ff700fea5410c2f6b1463328cbb6ca1715c386 |