Analysis Overview
SHA256
b3ddfdc6b8488e80f8065e707c814a15e9d880b342adbfc645c30c7de6002339
Threat Level: Known bad
The file 2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-27 02:03
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 02:03
Reported
2024-05-27 02:05
Platform
win7-20240221-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
(21 hits; description, indicator, process and target not recorded, all N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 hits; description, indicator, process and target not recorded, all N/A)
UPX dump on OEP (original entry point)
(64 hits; description, indicator, process and target not recorded, all N/A)
XMRig Miner payload
(40 hits; description, indicator, process and target not recorded, all N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PCYsZyD.exe | N/A |
| N/A | N/A | C:\Windows\System\NSbPBrJ.exe | N/A |
| N/A | N/A | C:\Windows\System\HYqrZga.exe | N/A |
| N/A | N/A | C:\Windows\System\FoObuKz.exe | N/A |
| N/A | N/A | C:\Windows\System\sCfqrmK.exe | N/A |
| N/A | N/A | C:\Windows\System\YRTXbXp.exe | N/A |
| N/A | N/A | C:\Windows\System\OvNjmRa.exe | N/A |
| N/A | N/A | C:\Windows\System\YrXdVWD.exe | N/A |
| N/A | N/A | C:\Windows\System\uPueXWK.exe | N/A |
| N/A | N/A | C:\Windows\System\wthwNxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\BATULQi.exe | N/A |
| N/A | N/A | C:\Windows\System\AgZunbG.exe | N/A |
| N/A | N/A | C:\Windows\System\kEFXhyD.exe | N/A |
| N/A | N/A | C:\Windows\System\yTmXyup.exe | N/A |
| N/A | N/A | C:\Windows\System\pXKQlyd.exe | N/A |
| N/A | N/A | C:\Windows\System\AeYofRS.exe | N/A |
| N/A | N/A | C:\Windows\System\SgDAtGt.exe | N/A |
| N/A | N/A | C:\Windows\System\faDGZqw.exe | N/A |
| N/A | N/A | C:\Windows\System\NZSaWXq.exe | N/A |
| N/A | N/A | C:\Windows\System\FNmKGTC.exe | N/A |
| N/A | N/A | C:\Windows\System\EgmjSPv.exe | N/A |
Loads dropped DLL
UPX packed file
(64 hits; description, indicator, process and target not recorded, all N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\PCYsZyD.exe
C:\Windows\System\PCYsZyD.exe
C:\Windows\System\NSbPBrJ.exe
C:\Windows\System\NSbPBrJ.exe
C:\Windows\System\HYqrZga.exe
C:\Windows\System\HYqrZga.exe
C:\Windows\System\FoObuKz.exe
C:\Windows\System\FoObuKz.exe
C:\Windows\System\sCfqrmK.exe
C:\Windows\System\sCfqrmK.exe
C:\Windows\System\YRTXbXp.exe
C:\Windows\System\YRTXbXp.exe
C:\Windows\System\OvNjmRa.exe
C:\Windows\System\OvNjmRa.exe
C:\Windows\System\YrXdVWD.exe
C:\Windows\System\YrXdVWD.exe
C:\Windows\System\uPueXWK.exe
C:\Windows\System\uPueXWK.exe
C:\Windows\System\wthwNxJ.exe
C:\Windows\System\wthwNxJ.exe
C:\Windows\System\BATULQi.exe
C:\Windows\System\BATULQi.exe
C:\Windows\System\AgZunbG.exe
C:\Windows\System\AgZunbG.exe
C:\Windows\System\kEFXhyD.exe
C:\Windows\System\kEFXhyD.exe
C:\Windows\System\faDGZqw.exe
C:\Windows\System\faDGZqw.exe
C:\Windows\System\yTmXyup.exe
C:\Windows\System\yTmXyup.exe
C:\Windows\System\NZSaWXq.exe
C:\Windows\System\NZSaWXq.exe
C:\Windows\System\pXKQlyd.exe
C:\Windows\System\pXKQlyd.exe
C:\Windows\System\FNmKGTC.exe
C:\Windows\System\FNmKGTC.exe
C:\Windows\System\AeYofRS.exe
C:\Windows\System\AeYofRS.exe
C:\Windows\System\EgmjSPv.exe
C:\Windows\System\EgmjSPv.exe
C:\Windows\System\SgDAtGt.exe
C:\Windows\System\SgDAtGt.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
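The rules a responder would carry away from this detonation, written out as an added example that is not part of the sandbox output. Each rule uses only behaviour visible in this report: seven-letter executables dropped directly under C:\Windows\System\, the SeLockMemoryPrivilege token adjustment by the sample, the repeated connection to 3.120.209.58:8080, and the SHA-256 values of the dropped files from the Files section. The report carries both Cobalt Strike and XMRig family tags; the rules do not depend on which label is right. The telemetry records, their field names, the PIDs and the allowlist are constructed for the example and are not a real EDR schema.

```python
"""Triage rules distilled from this report, run over constructed endpoint telemetry.

Added example, not part of the sandbox report. Event field names, the
allowlist and the sample records are assumptions made for the example.
"""
import json
import re
from dataclasses import dataclass

# SHA-256 values copied from this report: the submitted sample and three of
# the executables it dropped (extend with the rest of the Files section).
KNOWN_BAD_SHA256 = {
    "b3ddfdc6b8488e80f8065e707c814a15e9d880b342adbfc645c30c7de6002339",  # submitted sample
    "5afbd2cfdcdc28f440abc7f68e3d7cd95e7f59511110589c24dd04e341cf16cc",  # PCYsZyD.exe
    "fc04a56f8f991a528fa66c9f176e19e6f1d4216f745d88707a103e51bc2812bb",  # HYqrZga.exe
    "b2e84d2bc5e223e8161c3e2e9feedff3c8b1d8f5a70a66080b1173bf45ba33dd",  # NSbPBrJ.exe
}
# Destination contacted in both detonations (no domain recorded in the report).
C2_ENDPOINTS = {("3.120.209.58", 8080)}
# Every dropped executable in the report is seven ASCII letters directly under
# C:\Windows\System\ (not System32), so the path shape itself is an indicator.
DROPPED_NAME_RE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# Software that legitimately enables SeLockMemoryPrivilege for large pages;
# an assumed starting point, tune it to the estate.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def check_process(ev):
    hits = []
    if DROPPED_NAME_RE.match(ev["image"]):
        hits.append(Finding("dropped_exe_in_windows_system", ev["pid"], ev["image"]))
    if ev.get("sha256") in KNOWN_BAD_SHA256:
        hits.append(Finding("known_bad_hash", ev["pid"], ev["sha256"]))
    return hits


def check_privilege(ev):
    if ev["privilege"] != "SeLockMemoryPrivilege" or not ev["enabled"]:
        return []
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    if exe in LOCK_MEMORY_ALLOWLIST:
        return []
    return [Finding("lock_memory_privilege", ev["pid"], ev["image"])]


def check_network(ev):
    if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
        return [Finding("known_c2_endpoint", ev["pid"], f'{ev["dst_ip"]}:{ev["dst_port"]}')]
    return []


CHECKS = {"process": check_process, "privilege": check_privilege, "network": check_network}


def triage(lines):
    """Run every rule over JSON-lines telemetry and group the findings by PID."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for f in CHECKS[ev["type"]](ev):
            findings.setdefault(f.pid, []).append(f)
    return findings


def pids_with_rules(findings, needed):
    """PIDs on which every rule in `needed` fired; requiring two independent
    behaviours keeps a lone SeLockMemoryPrivilege hit from paging anyone."""
    return sorted(pid for pid, fs in findings.items() if needed <= {f.rule for f in fs})


# Constructed telemetry (not from the report; PIDs chosen for the example):
# the sample and one dropped child, a legitimate large-page user, a DNS client.
SAMPLE_TELEMETRY = r"""
{"type":"process","pid":2552,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe","sha256":"b3ddfdc6b8488e80f8065e707c814a15e9d880b342adbfc645c30c7de6002339"}
{"type":"process","pid":2036,"image":"C:\\Windows\\System\\PCYsZyD.exe","sha256":"5afbd2cfdcdc28f440abc7f68e3d7cd95e7f59511110589c24dd04e341cf16cc"}
{"type":"privilege","pid":2552,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe","privilege":"SeLockMemoryPrivilege","enabled":true}
{"type":"privilege","pid":1400,"image":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe","privilege":"SeLockMemoryPrivilege","enabled":true}
{"type":"network","pid":2552,"dst_ip":"3.120.209.58","dst_port":8080}
{"type":"network","pid":3100,"dst_ip":"8.8.8.8","dst_port":53}
""".splitlines()

if __name__ == "__main__":
    for pid, fs in sorted(triage(SAMPLE_TELEMETRY).items()):
        print(pid, [(f.rule, f.detail) for f in fs])
```

SeLockMemoryPrivilege is also enabled by legitimate software that uses large pages (SQL Server is the common case), which is why that rule is a corroborating signal and `pids_with_rules` exists to demand a second, independent behaviour before escalating. The 3.120.209.58 address appears here with no domain and on a non-standard port; treat it as a time-bound indicator and re-verify it before blocking at scale.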
Files
memory/2552-0-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2552-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\PCYsZyD.exe
| MD5 | 1920ab857005e55129ff78045bdc468e |
| SHA1 | 73b23ff1982991f2e74a833a7f32d3c4bb10b923 |
| SHA256 | 5afbd2cfdcdc28f440abc7f68e3d7cd95e7f59511110589c24dd04e341cf16cc |
| SHA512 | 31eaadaa24f489356ee0f7220b7cfe75cb7a1a965b85afe6df0aec6f654ed4864eaa35b8a240267a306a74b55ab233c43afb3cd4f37f9b8809d9991f374f324a |
C:\Windows\system\HYqrZga.exe
| MD5 | 077647a25e3097d3bbf4b5d023fcb168 |
| SHA1 | 405ea42b4a558503e874c9edc24299cd6429b416 |
| SHA256 | fc04a56f8f991a528fa66c9f176e19e6f1d4216f745d88707a103e51bc2812bb |
| SHA512 | cced1b6fae0d70282644c277e6f58db217116ce722862b13437ff853d33e375d57477bbe852227b8d08337a8111dfaecf541f11a6e6813a8814eabb9911fd096 |
C:\Windows\system\NSbPBrJ.exe
| MD5 | 639277c4a10a60616f96671ef03811e6 |
| SHA1 | 14c0e257f4b3530a8d247dd16b13b42db4c5d363 |
| SHA256 | b2e84d2bc5e223e8161c3e2e9feedff3c8b1d8f5a70a66080b1173bf45ba33dd |
| SHA512 | cfb56d03481ce08fe192a88a3b0a608f8bc1913a9801b30f0e0488489fc34f1bfb5c52e9b4690761841bd588458d8de74c11c33a5c2180d3e4db840815c1f04c |
memory/2552-8-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2036-17-0x000000013FC80000-0x000000013FFD1000-memory.dmp
\Windows\system\FoObuKz.exe
| MD5 | e4ad8442a75893e3157c5675a8157db1 |
| SHA1 | 3fa8b61e1914c84029a25cac9a53a70333f47f95 |
| SHA256 | 6a60078c6702b06fdc263c01a820c8381951cdea8ba40a85d577aae19f7e37e4 |
| SHA512 | c081250fa2905580c997931666738c6c26d5b79f6694cc3bce8125134ad1315f8bc1c633899ecb334a10f7b38d3c797fb6b2d64f4deee9bdc2ee2b026f45159a |
C:\Windows\system\sCfqrmK.exe
| MD5 | 2b06db7db3e2c59e9148332d2c4af030 |
| SHA1 | d564429ee60edcd052258afada26f4a36f0e5db2 |
| SHA256 | 50d30772d437e64b2c2d0950a76be438725e410435366db1a5761f238dc22b4b |
| SHA512 | 76da6c9905475c695385a8731fe010771ff174e3648cd5676d62865992f2bf9e9e6b42504ffd128eb8c915e6760d8ed9d48b7670aa32d89caa6ef0b65e7f90d4 |
C:\Windows\system\OvNjmRa.exe
| MD5 | baa9c14a8248edfff5fcf30cd230ea69 |
| SHA1 | b59edc7a5ce0ac56d56ee20833bff058ae7f2d4d |
| SHA256 | 3dc36570b68aa073f468bc93690850e6024405fd3e9d3cc03c840490577e0b3f |
| SHA512 | ff98b3b517563f83e9de246a9fdb30d794e39b1afc3fad55b48aa3e63cc59fb3c6d851a3e7aec652f95be99ea4350e5885f2db3388086327fad2b9ccdd4abbe7 |
memory/2552-44-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2372-48-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2624-46-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2552-49-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2552-50-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2948-63-0x000000013FB50000-0x000000013FEA1000-memory.dmp
C:\Windows\system\wthwNxJ.exe
| MD5 | 63ad101eddbb483bf84c5cef4a015561 |
| SHA1 | b0aa3cd6cc5769c349542de4d1956afbeb51bada |
| SHA256 | deb6e3c34060198f140e0b84cfc9c0107180c739cbc6a5e407d81673f80c69f1 |
| SHA512 | 7b5c031730ed588d5ba80ab8f4766aa5e91ac7f056bccd1f591868629495dfb62804008827fda4c999f8d47042a5daab99c603bbd85670056c3ca31bd0d3cc79 |
C:\Windows\system\BATULQi.exe
| MD5 | b8d12b9294c8c6d0fa6d023bd60ec683 |
| SHA1 | f4fc3c12c7d50dd36ea6d8cd8e56ad11396366fe |
| SHA256 | 9c6d6c38af6855649e92242bb24d0923b7643b69466ca80ee38ceb9474cdb272 |
| SHA512 | 3cb3c5dfd1a659c182161a4c84aa72aa079de04b887b5af607eaf1a626ec01efd1cbcce25deb5b542a70c8152e02a9e181a990262f84a27b6d149d44d75225a7 |
C:\Windows\system\AgZunbG.exe
| MD5 | b7f74c29ef427721b0489924317ac5bf |
| SHA1 | 59aa21e18236bbc78d60ee19ed2b59f30167f0ec |
| SHA256 | 7faba8401c46a6c90f51c1fc4df20ed787e197e8daf593bbe5af9b6d55efbc63 |
| SHA512 | 005078726041d8a2643499ff23d27c384344131522334dde29db0e218af9d14a4e093811a9bea568bfe891c3936333ff96d81e79e59cb20116cf4e99ffd10f61 |
memory/2552-123-0x00000000022D0000-0x0000000002621000-memory.dmp
\Windows\system\FNmKGTC.exe
| MD5 | a18a6c03fc8ba182ccc619a1f29b971b |
| SHA1 | d40f9d6ae2711e7c710212747b1f3e4b2e62dac6 |
| SHA256 | 369fcb2447ed490b4b0b431c21480a500f6976a4f9fc620578ad8858ef7012d6 |
| SHA512 | 925db6b83320294471d9b3ec6a170fff029a250cdb2a54c5c92e701e766293a46b661e89ef4240850ddf2ea82c25046c24029222ab15e9ba81e0f5ef7ec1a40c |
memory/2552-116-0x00000000022D0000-0x0000000002621000-memory.dmp
\Windows\system\EgmjSPv.exe
| MD5 | d50850b68589d606179bb23d7733cc0c |
| SHA1 | 49643a4b00725e0180e11b0a274330aa294fafbe |
| SHA256 | 0398985c0fb9c8ee0730b9e540039d00cb11ba235cedec0097e65a58896b2406 |
| SHA512 | 04e5ed6c119824cf4248a14f4d6a61d21ae9bbd0bc8a9433147c25ee428c24540ebdf3ef52987e31760f00941b29a950354d050bf00393b740bb9bcb0a5c8bdb |
\Windows\system\NZSaWXq.exe
| MD5 | 9a52fa66b1292ff5e57fa0eb0b405223 |
| SHA1 | 61fe58bc49d328127e03106b138e1b3cac7af661 |
| SHA256 | 2b51c112be759a229c5e13ef345641bef4a55977445ce5a13ef6e2da88febbb5 |
| SHA512 | 1476ac25510896e15e11b8ec34e1221704fd3aea3487f6dde6ce266881372bf3cc921aae02a630f50e5f64466ea275595ae4bbe482f2fcc3225892ba3b0e95b8 |
memory/2744-127-0x000000013F570000-0x000000013F8C1000-memory.dmp
C:\Windows\system\faDGZqw.exe
| MD5 | 89e31f2ddc062b87965d79d4ec45c94a |
| SHA1 | 6c5fe6943c8fe6e4ee7291665d41e4668b638c70 |
| SHA256 | 0b045102f5971c073162c0c27c0c6db767d4d4dbcf55f175cdb6c92b4741b178 |
| SHA512 | a426388a8f1b123e6b426ea1b1c8f2c6b1bb6f3730321850711771a3f96a8e23973c709ec2d4523fcc2b519ce0bb3d7b7bade86ef3d52d91a9e5ea8704fff67c |
memory/2552-122-0x000000013FF50000-0x00000001402A1000-memory.dmp
memory/2716-121-0x000000013F1E0000-0x000000013F531000-memory.dmp
C:\Windows\system\SgDAtGt.exe
| MD5 | 75b97fa9642b8c5585a01223a49e2f2b |
| SHA1 | 7a58c2d20d9d75be0ea9eca3485b4164cd55e119 |
| SHA256 | 9de0f4e275e214d14e3f8e43d28cc1d66567dc65ad4f1844da411d352c3632ab |
| SHA512 | 6976d9aa88520ec66d0b35b5d3608c177afad96889e67d8e5c868643e1ce6260a5ea4bd13e8ce06695d845cfde268d8f334589311c09603ec69ec6a73706fefe |
C:\Windows\system\AeYofRS.exe
| MD5 | 9b4a2b5176f1da0d88a8927fdba38f3a |
| SHA1 | 5622d4ae1cbf324a8cf213a2e606ab094ab97c31 |
| SHA256 | 4d7695a7b10cabce95d9bbbd298f158f3fd5a079a535986431966daaefbfdd27 |
| SHA512 | 6a8bf24ac759cd0f8de302192b207de083a20033d38bd17c12dd2df71f14dc42dcf530316cc6e287327b59c0526395447b4f799a030710f10c45f6dcd6d4feca |
memory/2596-84-0x000000013F980000-0x000000013FCD1000-memory.dmp
C:\Windows\system\pXKQlyd.exe
| MD5 | 027323bb6129c6d0d1c5ce14dddd2e15 |
| SHA1 | 89078f01fab3477b6d4cbec8e8d5e97034c4a17a |
| SHA256 | 3192438b8fcd7e28a1203f6a3ecc45953335118ccce117351a1d67ab73f96d4e |
| SHA512 | 15db42f5fd9e272c44464362d8084819f73ed109d52b4d7239e96dec91826ee6368e6759d693533d8e95128bfee4d3f2e9b2d7779bede05d90612b915a68cad7 |
memory/2552-83-0x000000013F980000-0x000000013FCD1000-memory.dmp
C:\Windows\system\yTmXyup.exe
| MD5 | b7e4c5296481b3bd25eb397bc17763cb |
| SHA1 | c3464ff9ea1df0197de1d059f990ce84a3e53952 |
| SHA256 | 72cfef6b0770161596fb2886ed05ec2676e0bd208590bb20c8923faf22234a8c |
| SHA512 | ccfb6893c4a05c77193cf1985213d065aaede967dd63037579c20507405053514e717264776cbe7afd3c6b2f422998053a7c030fe240cbfba3c1a7119b98da98 |
C:\Windows\system\kEFXhyD.exe
| MD5 | 06453d7043d1e806f5d81db4ac2ce67f |
| SHA1 | bf423f2399d11a7e522109c9b22d58a7a10b4d3c |
| SHA256 | 18d90e7f3842ec838d2055bc6353bca065e7bcab72825d53038f81c195ab80ca |
| SHA512 | f42dbf6e5ad55113dcac4081b3244b58f482885eadf00a165625542a38ebddc9117e1120a90b44963382c802e1ebc7b0f171ba9bd4af71de3ecaa32325948234 |
memory/2424-78-0x000000013F130000-0x000000013F481000-memory.dmp
memory/2552-74-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/1528-68-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2552-67-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2364-58-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2684-57-0x000000013F400000-0x000000013F751000-memory.dmp
memory/2552-56-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2552-55-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2552-54-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2528-53-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2552-52-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2388-51-0x000000013F540000-0x000000013F891000-memory.dmp
C:\Windows\system\uPueXWK.exe
| MD5 | 92f4fe99cb05ca1f0ad2f22ed6924ea7 |
| SHA1 | 2d90b84564bb71da4f40ca63100213ff3f0d4b9e |
| SHA256 | 503f61643c45f12080c5f5e4d57d0f75a05eb9a8138490e7dff042086e2507f0 |
| SHA512 | 905bc5df66b13b6ca91082d45f7b8c1ae79f0f12ff6e1fa6f3831292897ba9564f88a5f18282c123aa0e6ad57b627cd462480b2e55069f516061bb34e713e5bf |
C:\Windows\system\YrXdVWD.exe
| MD5 | 8768a90f8c5ac0a8207e9e4147419fbd |
| SHA1 | 1f34aba63a0cc24509510685ca22ddc43a4ce4c0 |
| SHA256 | 6e34ac5eb81b972d1e941bd05703920f1c6444c561bc292cf593450f58b2ffe1 |
| SHA512 | 246ddedc6ea75c2021b9c1443af33d8a540f8421c0bac59caf64f0033be77bbdb2452519bbd7bbcec0542a4595338494b74ecb295b5f3051660f20b7a24a8823 |
C:\Windows\system\YRTXbXp.exe
| MD5 | 7e875761111e35baeb15ad9bb6fafef0 |
| SHA1 | a1a145426f9c2742fafbe694c79458882e9d6b3c |
| SHA256 | 81925635a41fcd7133e61c5a53fe15fd3cf918dc86d53d2ca428bd309dd0dec1 |
| SHA512 | 9f9de190c69ea78e192a388b381e91731b04744ef52431ea5edd4529b12b9e2003b796f2e935dc4c1733f5118384b67b79ada73e4dfac427a6e3c2c0fc39df1e |
memory/2640-27-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2640-136-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2552-135-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2552-137-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2552-151-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2596-149-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/2424-148-0x000000013F130000-0x000000013F481000-memory.dmp
memory/2712-153-0x000000013FF50000-0x00000001402A1000-memory.dmp
memory/1528-147-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2948-146-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2552-150-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/1568-159-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/900-158-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/240-157-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/1584-156-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/500-155-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2100-160-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2552-161-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2036-206-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2372-210-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2624-209-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2640-212-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2684-214-0x000000013F400000-0x000000013F751000-memory.dmp
memory/2388-216-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2528-218-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2364-220-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2948-227-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/1528-238-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2424-240-0x000000013F130000-0x000000013F481000-memory.dmp
memory/2716-242-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2744-244-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2596-246-0x000000013F980000-0x000000013FCD1000-memory.dmp
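The `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` entries in the Files section above can be turned into a quick pivot. The script below is an added example, not part of the sandbox report: it parses those names (the pattern is inferred from the entries on this page and is the only assumption), computes each region's size, and reports which sizes recur across PIDs and which exact ranges were dumped from more than one process. On this run every dropped executable's image region is 0x351000 bytes, and the parent (PID 2552) has dumps covering the same ranges as several of its children, which is the shape one expects next to the WriteProcessMemory signature.

```python
"""Pivot on the memory-dump entries of a sandbox report.

Added example, not part of the report. Entry names are assumed to follow
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, the pattern visible in the
Files sections of this page.
"""
import re
from collections import defaultdict

# Entry names copied from this report (behavioral1, plus three from the
# behavioral2 run further down); a subset is enough to show the pivot.
DUMP_ENTRIES = """
memory/2552-0-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2552-1-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2552-8-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2036-17-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2552-44-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2372-48-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2624-46-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2552-49-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2948-63-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2744-127-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/4756-0-0x00007FF6D6770000-0x00007FF6D6AC1000-memory.dmp
memory/4756-1-0x0000023B527C0000-0x0000023B527D0000-memory.dmp
memory/5028-7-0x00007FF6B3040000-0x00007FF6B3391000-memory.dmp
""".split()

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_entry(name):
    """Split one entry name into pid, sequence number, start, end and size (bytes)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump entry: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_size(entries):
    """Map region size -> sorted PIDs that had a region of exactly that size dumped."""
    by_size = defaultdict(set)
    for e in map(parse_dump_entry, entries):
        by_size[e["size"]].add(e["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


def dominant_image_size(entries):
    """(size, number of distinct PIDs) for the size shared by the most processes."""
    sizes = regions_by_size(entries)
    size = max(sizes, key=lambda s: len(sizes[s]))
    return size, len(sizes[size])


def ranges_shared_across_pids(entries):
    """Exact (start, end) ranges dumped from more than one process, with their PIDs.

    A parent whose dumps cover the same range as a child's image is a useful
    loader/injection pivot: the parent held a copy of what ended up in the child.
    """
    by_range = defaultdict(set)
    for e in map(parse_dump_entry, entries):
        by_range[(e["start"], e["end"])].add(e["pid"])
    return {r: sorted(p) for r, p in by_range.items() if len(p) > 1}


if __name__ == "__main__":
    size, n = dominant_image_size(DUMP_ENTRIES)
    print(f"most common region size: 0x{size:X} bytes across {n} PIDs")
    for (start, end), pids in ranges_shared_across_pids(DUMP_ENTRIES).items():
        print(f"range 0x{start:X}-0x{end:X} dumped from PIDs {pids}")
```

The 0x10000 regions belong only to the two sample processes (2552 on Windows 7, 4756 on Windows 10) and are the small private allocations made before any child is spawned; everything else is the same 0x351000-byte image, even though each dropped file on disk has a different hash.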
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 02:03
Reported
2024-05-27 02:05
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
(21 hits; description, indicator, process and target not recorded, all N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 hits; description, indicator, process and target not recorded, all N/A)
UPX dump on OEP (original entry point)
(64 hits; description, indicator, process and target not recorded, all N/A)
XMRig Miner payload
(48 hits; description, indicator, process and target not recorded, all N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\iwFoQuC.exe | N/A |
| N/A | N/A | C:\Windows\System\RcpfOeD.exe | N/A |
| N/A | N/A | C:\Windows\System\tSVVHzt.exe | N/A |
| N/A | N/A | C:\Windows\System\VvtCIcg.exe | N/A |
| N/A | N/A | C:\Windows\System\sYFEIHu.exe | N/A |
| N/A | N/A | C:\Windows\System\utuKXJK.exe | N/A |
| N/A | N/A | C:\Windows\System\VlwcjrN.exe | N/A |
| N/A | N/A | C:\Windows\System\oyCVMHr.exe | N/A |
| N/A | N/A | C:\Windows\System\yRMZRyO.exe | N/A |
| N/A | N/A | C:\Windows\System\nNZDHWa.exe | N/A |
| N/A | N/A | C:\Windows\System\mkLotWD.exe | N/A |
| N/A | N/A | C:\Windows\System\rZAZnJO.exe | N/A |
| N/A | N/A | C:\Windows\System\OCOyFnm.exe | N/A |
| N/A | N/A | C:\Windows\System\letaKNC.exe | N/A |
| N/A | N/A | C:\Windows\System\cgrBtVY.exe | N/A |
| N/A | N/A | C:\Windows\System\QjlHeTr.exe | N/A |
| N/A | N/A | C:\Windows\System\dsJjUdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wzzRLEA.exe | N/A |
| N/A | N/A | C:\Windows\System\XzRMyiZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jOhGhtQ.exe | N/A |
| N/A | N/A | C:\Windows\System\atqKYLG.exe | N/A |
UPX packed file
(64 hits; description, indicator, process and target not recorded, all N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_4cd60e26e9548a9a63dbfe0bb48bbc23_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\iwFoQuC.exe
C:\Windows\System\iwFoQuC.exe
C:\Windows\System\RcpfOeD.exe
C:\Windows\System\RcpfOeD.exe
C:\Windows\System\tSVVHzt.exe
C:\Windows\System\tSVVHzt.exe
C:\Windows\System\VvtCIcg.exe
C:\Windows\System\VvtCIcg.exe
C:\Windows\System\sYFEIHu.exe
C:\Windows\System\sYFEIHu.exe
C:\Windows\System\utuKXJK.exe
C:\Windows\System\utuKXJK.exe
C:\Windows\System\VlwcjrN.exe
C:\Windows\System\VlwcjrN.exe
C:\Windows\System\oyCVMHr.exe
C:\Windows\System\oyCVMHr.exe
C:\Windows\System\yRMZRyO.exe
C:\Windows\System\yRMZRyO.exe
C:\Windows\System\nNZDHWa.exe
C:\Windows\System\nNZDHWa.exe
C:\Windows\System\mkLotWD.exe
C:\Windows\System\mkLotWD.exe
C:\Windows\System\rZAZnJO.exe
C:\Windows\System\rZAZnJO.exe
C:\Windows\System\OCOyFnm.exe
C:\Windows\System\OCOyFnm.exe
C:\Windows\System\letaKNC.exe
C:\Windows\System\letaKNC.exe
C:\Windows\System\cgrBtVY.exe
C:\Windows\System\cgrBtVY.exe
C:\Windows\System\QjlHeTr.exe
C:\Windows\System\QjlHeTr.exe
C:\Windows\System\dsJjUdQ.exe
C:\Windows\System\dsJjUdQ.exe
C:\Windows\System\wzzRLEA.exe
C:\Windows\System\wzzRLEA.exe
C:\Windows\System\XzRMyiZ.exe
C:\Windows\System\XzRMyiZ.exe
C:\Windows\System\jOhGhtQ.exe
C:\Windows\System\jOhGhtQ.exe
C:\Windows\System\atqKYLG.exe
C:\Windows\System\atqKYLG.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 74.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
memory/4756-0-0x00007FF6D6770000-0x00007FF6D6AC1000-memory.dmp
memory/4756-1-0x0000023B527C0000-0x0000023B527D0000-memory.dmp
C:\Windows\System\iwFoQuC.exe
| MD5 | 415898f96ebaf0f3d9d24ecd7a68596b |
| SHA1 | 1e90ce80cb1dba3365a9e23271bb2e982cfd11d4 |
| SHA256 | d86423acafcebc1089fe320fdd872a7706ad0f3070f8118d3365673e4c9a49a3 |
| SHA512 | a7c8b95ecf6f1b220bf20e441f2674502d384ca6957e84c97c83e795f9c18d6b482ad4f92932ee5e5f90b8e02d4a9334879b27be7a23d7bcdece85d87f41a5b7 |
memory/5028-7-0x00007FF6B3040000-0x00007FF6B3391000-memory.dmp
C:\Windows\System\RcpfOeD.exe
| MD5 | c71cb3302623e10f07c56b281d7d8444 |
| SHA1 | da195a0ed46186b3c92b7fd4b2ce18f0968599f9 |
| SHA256 | 6fb687651c4dda014706f5c5e4178c76adf4707840086bf344cb60fa48834de0 |
| SHA512 | 3e7f58cdaaebed84e00a94252573d0841519ed437418d25aed1556930af6055923bc34a931242564d904dbb328c9abcf35758fed768082ef1ddcfd16d1ccad7f |
memory/1172-14-0x00007FF65C660000-0x00007FF65C9B1000-memory.dmp
C:\Windows\System\tSVVHzt.exe
| MD5 | e24e2bbe62e3b2a1fd32172af6f1ccfb |
| SHA1 | d9f529f3a00e32912ca03c55e3b7b88153148666 |
| SHA256 | 79dd602f9ab06d6157f92c136b4ee38b2b2d3e9487ed05b830943f41e6075068 |
| SHA512 | 8358582257d570252db93246340d9b1bca82bbc2476693d3123fa3279ec4ec42eaddc839e9e6c0765bfffebda53c34a2c300c49867d781a2c369d4aa83a77383 |
memory/408-20-0x00007FF6E4660000-0x00007FF6E49B1000-memory.dmp
C:\Windows\System\VvtCIcg.exe
| MD5 | 2769f6786f0d7c4ab9744b2db972f013 |
| SHA1 | f2dfabf1b366b8512f4099b959f959d7d6a69f06 |
| SHA256 | 68356bc24d45069df6ac8dad1aab70b92d6087addf2e59de9db95efc2592be5d |
| SHA512 | c979e926c470616225ea26841848d022863c2fa781d357fded49a26498baffee80820627f6d55a95d70c0a82adbeb5f1e662ba5c3fe3f813756ce00186d98d27 |
memory/968-25-0x00007FF74FFB0000-0x00007FF750301000-memory.dmp
C:\Windows\System\sYFEIHu.exe
| MD5 | f46e67264b092aea2e33c2fe0f8f3a53 |
| SHA1 | f4986136c37d83969eef7ab692e057451991acca |
| SHA256 | c99f5336322f413a95de2a310deea5880edb54e23b04ec0e297ff5ce4d62e08a |
| SHA512 | f6e7c434a12fe3ae17576529996a0df071dfc92a9c8fcf09967ec7408107c19f142f623321b3508587cbdf6ada2cabbbbd2ba13b4c1bf8199b55253011cce07b |
memory/2452-31-0x00007FF7464D0000-0x00007FF746821000-memory.dmp
C:\Windows\System\utuKXJK.exe
| MD5 | 1540ff8b17aa62c4f586f743326fee3e |
| SHA1 | 54bdb62fd11c13acc72edf1bcbbddeffb83106e9 |
| SHA256 | 488c6c9a1037088e99f78f96fa91291238d75f1570e155050f5d595fd430afc0 |
| SHA512 | e813b9d09c0f2f881311d3ea66e396ac5102c0bb1a1d6dc432296fde07c6056e3c314e3cf4c88108b999747f8b4c0bf1ffef066b18dc82d6b78449a4e705546b |
memory/3380-37-0x00007FF7E1460000-0x00007FF7E17B1000-memory.dmp
C:\Windows\System\VlwcjrN.exe
| MD5 | d7a5844fbfd5dcccda62d5ce058c76ec |
| SHA1 | 73f3734c49fc890904045d1cd51c7823fb818baa |
| SHA256 | 2f069e4d5652806c780b9221b3711c37c86fbb79cf93039c3fb0d380ccfd4ed8 |
| SHA512 | 25bd4d8f17aa47f9d14a25b0835ef7de605e3c6cf1e2b5e2f425fb818d88e9bcef4b3e6398c6a8c29162444a92b059fee955c482edb8341ab0124ec2b603a2c4 |
memory/3456-44-0x00007FF74DF80000-0x00007FF74E2D1000-memory.dmp
C:\Windows\System\oyCVMHr.exe
| MD5 | a56b6f00f065d110155cad4e6be7b964 |
| SHA1 | c9135e414e4afdafd49ce3a96490cb6e62b792fa |
| SHA256 | 983484fa96e7dbf02f93384f47d6f0d53f2790fc32c22314c8ad1c91c917780e |
| SHA512 | 35763d6690b900e7c177cc78c58d4be2317cdce89410fb3796ac0a26d77da0dadb9a42424ebeca9d0144e1833b47e91a3f97f44b7d235ba8f5dd4da7d6be9a16 |
memory/888-50-0x00007FF7EB070000-0x00007FF7EB3C1000-memory.dmp
C:\Windows\System\yRMZRyO.exe
| MD5 | 7fe529b8842a738b0b749f1e49bed706 |
| SHA1 | ff28ccb6670fc4885882e1cc90f717d2dea31032 |
| SHA256 | b0c629b92f80b50b9f56a4aa6fa2649398d4339823f7d6eefb485878edd3e567 |
| SHA512 | 1f64488929d562184d6cb5e2c22646b317cee342667b06b717eeeb2bb81d000f3236ece49aec974956df14a74478e01ea493caf848b0436d359fd657c134eaa4 |
memory/2344-56-0x00007FF76EC50000-0x00007FF76EFA1000-memory.dmp
C:\Windows\System\nNZDHWa.exe
| MD5 | 60c660ac579b4cbc656614021f384335 |
| SHA1 | 4f365f0a75074d001aefb13bb9288f299c88f40b |
| SHA256 | 98bb310d071354d2b14a7c891e79eb12d37e775b1781b77efcf477a9daeb3dbf |
| SHA512 | 5c3105d638b7e8a91e6cd3f67a6c54ea77651585f38205ac54eaf86f59ffaba4d41aed5dd3b8ae1aeaa20758cdc9a333f31613d181371579c36a6f6dadcac5ab |
memory/4756-62-0x00007FF6D6770000-0x00007FF6D6AC1000-memory.dmp
memory/5056-63-0x00007FF617C90000-0x00007FF617FE1000-memory.dmp
C:\Windows\System\mkLotWD.exe
| MD5 | 2a671f6a57717ba49bdcbdfe9bbb270a |
| SHA1 | 3f43752f8794e6be7fd7757b871e54fbbd0a0dfb |
| SHA256 | efd13326f7cfdd80f7d9c07453347f04ef0eb4d3b5d9266be890e93a7d2a6e25 |
| SHA512 | 2f0d688df6b86c52e1fbd44dc595d53cacc62bf8f780f31383793c166bdf3302c2a23e8fde4a327395b2d82ecdada58e8ed080441091c615f6b7810733926ce3 |
memory/5028-69-0x00007FF6B3040000-0x00007FF6B3391000-memory.dmp
memory/3856-70-0x00007FF7AF620000-0x00007FF7AF971000-memory.dmp
C:\Windows\System\rZAZnJO.exe
| MD5 | 4bc3c10b199981a4a4e20d65700a6794 |
| SHA1 | 3010554a32a4f72bc36b0f65967bee14bc22ae2c |
| SHA256 | 680a5c1b5e41a1ca8fd658a89aad6dee544dff5e54f019450198ceef13af7b6f |
| SHA512 | 5c462470cf5c6c584917d7ef8ea55a5e149bc0dba26dc87531b0b0fa027b7662bf51607424a0815193b119e6ebcf6801ca98545bb30ecce8f1fdd058b751ea32 |
memory/1624-79-0x00007FF7474C0000-0x00007FF747811000-memory.dmp
memory/1172-76-0x00007FF65C660000-0x00007FF65C9B1000-memory.dmp
memory/408-84-0x00007FF6E4660000-0x00007FF6E49B1000-memory.dmp
C:\Windows\System\OCOyFnm.exe
| MD5 | 49c4165603608ba580d46ac4d5e9ebaa |
| SHA1 | 622f240f17971b83ad8bfbcead73411f085bcb82 |
| SHA256 | 5d33526389be19359a7023ea85d9b5ae8c97a5213ac304357766ea1cda20beee |
| SHA512 | ea9239ac10c38a1c966a46c542131299c9f29eb52a3ed87bc834e7ab279074b21b51246ce738b037b0fb25d0f7c62680b4ed580230029e77e81838effd59f1b2 |
memory/1844-86-0x00007FF7E2160000-0x00007FF7E24B1000-memory.dmp
C:\Windows\System\letaKNC.exe
| MD5 | 13b35c4ef8f149e6c26847e8a48821f2 |
| SHA1 | d5a2d9c6d379741d137037b9e93d6daeacc8ac6a |
| SHA256 | 662c44d40e89532ff426be57c477465f351f3b54ae813358f91767ed163ef982 |
| SHA512 | d11f6b423f3d4de625e24be0e3fe9257b248e71b95103a2b41884d139d7d743754b822e25da64d89ec54c2d108170149c911aacc1e0680766c3eddcfcaa98c7b |
memory/968-91-0x00007FF74FFB0000-0x00007FF750301000-memory.dmp
memory/4780-93-0x00007FF6D20C0000-0x00007FF6D2411000-memory.dmp
C:\Windows\System\cgrBtVY.exe
| MD5 | 9e1983914b3bc0eb613f4f5f2e8a1668 |
| SHA1 | e42f6c6dded975dfcbf31e65822c993ae7260d3a |
| SHA256 | 58b15d7dd603183a3de2714bbba5748a831f33d5f994def632f21fddca50d41f |
| SHA512 | b5ae54c1ee13fd411621d65e17faba65dda3e2b70140e591dd8af18b638d1ab336e0f8218d54eb34ebca9ea3e2d0ab22857367862e52a553e2e41cc0029bfd4b |
memory/2452-103-0x00007FF7464D0000-0x00007FF746821000-memory.dmp
memory/3920-104-0x00007FF681BB0000-0x00007FF681F01000-memory.dmp
C:\Windows\System\QjlHeTr.exe
| MD5 | 752d2902451cc32e4195170d223b2ecc |
| SHA1 | 6c1f7e6b1ac86bb1de9998715784c7afc8f1cfc8 |
| SHA256 | 3178945fbd17d6f81e1bbe5210e176cbc7670b349ece4b61e82177e4356838a5 |
| SHA512 | 5ec7cfadfcbe248308b3297f0c6d7ad5a9e2aa0d29628ae2a97d825df94a7236917e2aabfafc797ef2d0af92743676ebdd465c4485d31565004d0280083b1c97 |
memory/2844-112-0x00007FF7A2120000-0x00007FF7A2471000-memory.dmp
memory/3380-110-0x00007FF7E1460000-0x00007FF7E17B1000-memory.dmp
C:\Windows\System\dsJjUdQ.exe
| MD5 | 412076397f35340b518c9ab35d5c7edb |
| SHA1 | f136ce451453689685babafbe169bd1aebd333c5 |
| SHA256 | b3a30414726045626e5637f2919545b59da570d5e7fa971e589e7b1d1a63bc11 |
| SHA512 | 9beb1dccb07eb74f3e99602fe9f810200d418c35fde069bafa29d2d0b090cc1f49f9d8804335a49cb7665d1bb1a089496057dbcbd2b494e9eea24fdd0f419146 |
memory/3456-117-0x00007FF74DF80000-0x00007FF74E2D1000-memory.dmp
memory/1264-119-0x00007FF623710000-0x00007FF623A61000-memory.dmp
C:\Windows\System\wzzRLEA.exe
| MD5 | ec35d3ef7652ef29c20713f954088378 |
| SHA1 | e49f8a2031a898262025cf65db654b85ffcf6c34 |
| SHA256 | 6dda8458cc3de3b2f59a9fbe30be45a91067729a6df2f49e35e7e5dde3340054 |
| SHA512 | 04475fd894be060b430eb652dbb0d7929c419e443726121b80e5684d32ff6840b35d7c7fe2ca1dd4366643517e34fb2866006dc57319b234aef4e91df6d879b3 |
memory/888-125-0x00007FF7EB070000-0x00007FF7EB3C1000-memory.dmp
memory/4172-127-0x00007FF75EA40000-0x00007FF75ED91000-memory.dmp
C:\Windows\System\XzRMyiZ.exe
| MD5 | 9c20161e60833c8535963d99e0b781a8 |
| SHA1 | 86c414be02b3172a1e491579657d0c2bf834e2d3 |
| SHA256 | 82e578ca010cf48f6708c665278724212b2e9d2f7aa1f4f92e0ba66f1c255af5 |
| SHA512 | f64a2f25e3862c75113269643fa278c28ce89452c8cbda4f4f712bcd01fd49767f2700d7700f798704174e7ae142f64287cc22060472f5ccf969a47616af6026 |
memory/2344-133-0x00007FF76EC50000-0x00007FF76EFA1000-memory.dmp
memory/560-135-0x00007FF7EA5D0000-0x00007FF7EA921000-memory.dmp
C:\Windows\System\jOhGhtQ.exe
| MD5 | 574a314bf159c5ef80e4c51e6014fb16 |
| SHA1 | e9cd0b6ed10cd10e689018990505f1bb43dfc494 |
| SHA256 | dc9111e4077feab32abd3e96a7fe4e0b4534706b38c2df01eea31298825f86af |
| SHA512 | da9a254b17797c50086c4799c3c3bd817c5f59a49c9ad7d50bb91b89152690f22d52194860d1fcede6ee3a0870b8d15a39365052b845e5de9ef44aae12e6a690 |
memory/2456-141-0x00007FF67EA50000-0x00007FF67EDA1000-memory.dmp
C:\Windows\System\atqKYLG.exe
| MD5 | b364cdff3b522e3a88c4dbfdfe7cb31f |
| SHA1 | ca2993cfb8060689a63ae38c2b261093c1b4c4a9 |
| SHA256 | 9d128b234c27d52085415eb0032e1590472f17306fd67cec54f66bbbd82ab05f |
| SHA512 | ef73a1e322937ef68a6361aff365720bf91148a5c8473713cd04f8f3666228f9ec5effdd82992e7cd73004464465c21bac9f63034b6d2365e65b40baf2b4bcce |
memory/4856-148-0x00007FF7611E0000-0x00007FF761531000-memory.dmp
memory/4756-149-0x00007FF6D6770000-0x00007FF6D6AC1000-memory.dmp
memory/1624-151-0x00007FF7474C0000-0x00007FF747811000-memory.dmp
memory/1844-152-0x00007FF7E2160000-0x00007FF7E24B1000-memory.dmp
memory/4172-164-0x00007FF75EA40000-0x00007FF75ED91000-memory.dmp
memory/4756-165-0x00007FF6D6770000-0x00007FF6D6AC1000-memory.dmp
memory/2456-171-0x00007FF67EA50000-0x00007FF67EDA1000-memory.dmp
memory/5028-198-0x00007FF6B3040000-0x00007FF6B3391000-memory.dmp
memory/1172-200-0x00007FF65C660000-0x00007FF65C9B1000-memory.dmp
memory/408-207-0x00007FF6E4660000-0x00007FF6E49B1000-memory.dmp
memory/968-209-0x00007FF74FFB0000-0x00007FF750301000-memory.dmp
memory/2452-211-0x00007FF7464D0000-0x00007FF746821000-memory.dmp
memory/3380-213-0x00007FF7E1460000-0x00007FF7E17B1000-memory.dmp
memory/3456-215-0x00007FF74DF80000-0x00007FF74E2D1000-memory.dmp
memory/888-220-0x00007FF7EB070000-0x00007FF7EB3C1000-memory.dmp
memory/2344-222-0x00007FF76EC50000-0x00007FF76EFA1000-memory.dmp
memory/5056-224-0x00007FF617C90000-0x00007FF617FE1000-memory.dmp
memory/3856-232-0x00007FF7AF620000-0x00007FF7AF971000-memory.dmp
memory/1624-234-0x00007FF7474C0000-0x00007FF747811000-memory.dmp
memory/1844-237-0x00007FF7E2160000-0x00007FF7E24B1000-memory.dmp
memory/4780-239-0x00007FF6D20C0000-0x00007FF6D2411000-memory.dmp
memory/3920-242-0x00007FF681BB0000-0x00007FF681F01000-memory.dmp
memory/2844-244-0x00007FF7A2120000-0x00007FF7A2471000-memory.dmp
memory/1264-246-0x00007FF623710000-0x00007FF623A61000-memory.dmp
memory/4172-249-0x00007FF75EA40000-0x00007FF75ED91000-memory.dmp
memory/560-251-0x00007FF7EA5D0000-0x00007FF7EA921000-memory.dmp
memory/2456-255-0x00007FF67EA50000-0x00007FF67EDA1000-memory.dmp
memory/4856-257-0x00007FF7611E0000-0x00007FF761531000-memory.dmp