Analysis Overview
SHA256
6ab2aaad508b8ccf96101fdbcee0f6fb02b6d33b292a2da73c5834b943bcd690
Threat Level: Known bad
The file 2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-27 02:06
Signatures
Cobalt Strike reflective loader: 1 match; no description, indicator, process or target recorded
Cobaltstrike family
Detects Reflective DLL injection artifacts: 1 match; no details recorded
UPX dump on OEP (original entry point): 1 match; no details recorded
XMRig Miner payload: 1 match; no details recorded
Xmrig family
UPX packed file: 1 match; no details recorded
Unsigned PE: 2 matches; no details recorded
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 02:06
Reported
2024-05-27 02:08
Platform
win7-20231129-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; the report records no description, indicator, process or target for them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; the report records no description, indicator, process or target for them.
UPX dump on OEP (original entry point)
62 matches; the report records no description, indicator, process or target for them.
XMRig Miner payload
42 matches; the report records no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LbVGGFk.exe | N/A |
| N/A | N/A | C:\Windows\System\EBHVfpl.exe | N/A |
| N/A | N/A | C:\Windows\System\CwNwtFB.exe | N/A |
| N/A | N/A | C:\Windows\System\DTZtXZn.exe | N/A |
| N/A | N/A | C:\Windows\System\QYfXUJe.exe | N/A |
| N/A | N/A | C:\Windows\System\hLnkUPV.exe | N/A |
| N/A | N/A | C:\Windows\System\xzmHyov.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhUjAPC.exe | N/A |
| N/A | N/A | C:\Windows\System\RbFxRxX.exe | N/A |
| N/A | N/A | C:\Windows\System\ITHhkAa.exe | N/A |
| N/A | N/A | C:\Windows\System\snyDlGe.exe | N/A |
| N/A | N/A | C:\Windows\System\kXLUDPP.exe | N/A |
| N/A | N/A | C:\Windows\System\oXNCMAE.exe | N/A |
| N/A | N/A | C:\Windows\System\dTYspjL.exe | N/A |
| N/A | N/A | C:\Windows\System\uAodUGY.exe | N/A |
| N/A | N/A | C:\Windows\System\kyKjHpl.exe | N/A |
| N/A | N/A | C:\Windows\System\cWtLIrt.exe | N/A |
| N/A | N/A | C:\Windows\System\CHaaJef.exe | N/A |
| N/A | N/A | C:\Windows\System\snynvDT.exe | N/A |
| N/A | N/A | C:\Windows\System\oCRuHgg.exe | N/A |
| N/A | N/A | C:\Windows\System\YhOmhLZ.exe | N/A |
Loads dropped DLL
UPX packed file
62 matches; the report records no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\LbVGGFk.exe | C:\Windows\System\LbVGGFk.exe |
| C:\Windows\System\EBHVfpl.exe | C:\Windows\System\EBHVfpl.exe |
| C:\Windows\System\DTZtXZn.exe | C:\Windows\System\DTZtXZn.exe |
| C:\Windows\System\CwNwtFB.exe | C:\Windows\System\CwNwtFB.exe |
| C:\Windows\System\QYfXUJe.exe | C:\Windows\System\QYfXUJe.exe |
| C:\Windows\System\hLnkUPV.exe | C:\Windows\System\hLnkUPV.exe |
| C:\Windows\System\xzmHyov.exe | C:\Windows\System\xzmHyov.exe |
| C:\Windows\System\ZhUjAPC.exe | C:\Windows\System\ZhUjAPC.exe |
| C:\Windows\System\RbFxRxX.exe | C:\Windows\System\RbFxRxX.exe |
| C:\Windows\System\ITHhkAa.exe | C:\Windows\System\ITHhkAa.exe |
| C:\Windows\System\snyDlGe.exe | C:\Windows\System\snyDlGe.exe |
| C:\Windows\System\kXLUDPP.exe | C:\Windows\System\kXLUDPP.exe |
| C:\Windows\System\oXNCMAE.exe | C:\Windows\System\oXNCMAE.exe |
| C:\Windows\System\dTYspjL.exe | C:\Windows\System\dTYspjL.exe |
| C:\Windows\System\uAodUGY.exe | C:\Windows\System\uAodUGY.exe |
| C:\Windows\System\kyKjHpl.exe | C:\Windows\System\kyKjHpl.exe |
| C:\Windows\System\cWtLIrt.exe | C:\Windows\System\cWtLIrt.exe |
| C:\Windows\System\CHaaJef.exe | C:\Windows\System\CHaaJef.exe |
| C:\Windows\System\oCRuHgg.exe | C:\Windows\System\oCRuHgg.exe |
| C:\Windows\System\snynvDT.exe | C:\Windows\System\snynvDT.exe |
| C:\Windows\System\YhOmhLZ.exe | C:\Windows\System\YhOmhLZ.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2392-0-0x000000013F040000-0x000000013F391000-memory.dmp
memory/2392-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\LbVGGFk.exe
| MD5 | 4b54f1c3569226bcd770f0116cc0f976 |
| SHA1 | 7017ae777e6c03c4ead7e6535796e7ad43291172 |
| SHA256 | 4ac3c27f4fe163608c9c5848c84449fb77339298c29d77955b644f4713ba452d |
| SHA512 | d30cf44664e8b76bcbe214543867103b7cf26e68bd79d394f91b6c37fb87eeb2dc72cd1cc41f71f7af985d9ed8681eceb8e21da3e9c55bae5dac8e95c129257d |
C:\Windows\system\EBHVfpl.exe
| MD5 | b101e13a203992549325581276760b9b |
| SHA1 | e3dfef74cb716d2db5c328dbd455a84671f18c4f |
| SHA256 | 29dc2b515ed499aa97ac51591718b9b9703db6402fbd9c1f13fc7ed98ac2995e |
| SHA512 | 9c85d933563f0c433123035b8408d2392f023713f845d223e9cb447b589a617fc709a8b8a6836d2ed487d91d43ec87b3478c2effa6320cef04c4e19b9299a8de |
memory/772-30-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2392-29-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2392-28-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2668-26-0x000000013F400000-0x000000013F751000-memory.dmp
C:\Windows\system\DTZtXZn.exe
| MD5 | 27d0e844ea4fc4c438f0ec11498e8d01 |
| SHA1 | c57ecdef5f03be9ff679a59a32dc44e14540c116 |
| SHA256 | 14550ff4fd9f859dee1a3c21902ea9c6e3434e2c6b955285aef0f83fee784b48 |
| SHA512 | fcfd596837a0196edf151644d82324599d11788de0496287b58fa64c30c38940930bfdd811d1a5558c83ce315555b126a3392981ae2ac5da942cf48c18c189c5 |
memory/2392-24-0x000000013F400000-0x000000013F751000-memory.dmp
memory/3012-23-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2984-21-0x000000013FDE0000-0x0000000140131000-memory.dmp
C:\Windows\system\CwNwtFB.exe
| MD5 | 6f8c7358ab04436594e0d25210cdfda2 |
| SHA1 | d14e4cc887df69ac61d760fa8394e48a1ddae2b2 |
| SHA256 | b8508110cb455e9f52468794d3d2aac7389a3aa2d4a5a790b5afddef0d883e01 |
| SHA512 | e7ae8dad2466166b04eb6f3bd2f474afc3d6c4862cfbe6cecfc09c04fc6b5adfbabe9bc41bb3b7144ae861d9c5eb645ed1f4822ba4955ca8241dd6be3848b928 |
memory/2392-9-0x000000013FDE0000-0x0000000140131000-memory.dmp
C:\Windows\system\QYfXUJe.exe
| MD5 | 22f23cd727f7964ec48d19706c5bc7e9 |
| SHA1 | 409e1a330ecd0343a24c9fb4bc1b197f665fb0b4 |
| SHA256 | 4ccd285f19feac4a73b1667d8928735af950f4880ac0e530618c2b57565e3230 |
| SHA512 | a603da3dba8d3044170702a03ac4cd9d307ef0d554c6fef73809762d47cebb7e5ebbca308a2e9ea916fb8f076a1947eb9e88505941b7ffa742b961b9eb77e559 |
memory/2652-36-0x000000013F950000-0x000000013FCA1000-memory.dmp
C:\Windows\system\hLnkUPV.exe
| MD5 | a390c7c64cf7faf11e56f3fd63b56f87 |
| SHA1 | 48a5fbd52a6a80e59fdd3c487fb7e1f79be7ee01 |
| SHA256 | c4cb3a475ec05647a8fce6498907fe780589257ccc8f2e17f6e8de0d58fe7b53 |
| SHA512 | 5eec7cd1547b5c0659485a6f8dca8ba9fcbbd727075bf3227904074c712054c20d3eb1d170c846eb248eba8928aef1ac0cf0bc6ba9ec564b11b6a6709fd4d347 |
C:\Windows\system\xzmHyov.exe
| MD5 | 13b8306fc4089fbdcbe2441a735dc58f |
| SHA1 | fffb5b6ce1512ef12f7767bfc93593d7830ac602 |
| SHA256 | 14a1647740268c6359585d66efed1fa9f925aaa7b509c2117dd4b9b8c1d36786 |
| SHA512 | 6c62d71c607e3c2aa8eb462d083f04fd9e8bc0af9ddcc774cef8749023c3655b055883776f95fb547881a21f2256c9bbe08d3107d463ea4584d6a1f212f2e320 |
memory/2952-49-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2956-48-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2392-50-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2392-46-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
C:\Windows\system\ZhUjAPC.exe
| MD5 | 06c141744b9e885c26dea4e282205066 |
| SHA1 | 0cd939628421223c14011420ee7ff4056dbe8300 |
| SHA256 | 87739b7634adf3d3085d371031ddcb0f3e43415f2ccca985c8a0c805ceacf9c1 |
| SHA512 | 49cb4c6db2e2f8cd278957cef5359b1b5aab364b84a1fdc862c4d67ac863fe7176d0bb2eb2206d23ccc9f8eed75c2cc2bb1f13bfc931bb4ceb2cc03fbe731c87 |
memory/2912-62-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/2732-61-0x000000013F300000-0x000000013F651000-memory.dmp
C:\Windows\system\ITHhkAa.exe
| MD5 | 5845b8f27bed273d7cb7d148c59fdca1 |
| SHA1 | b868cdaf57a0b0a45762a397948b4d7064fc82da |
| SHA256 | 09051e4cf9b2bdce819bb3bcd61e502bd42d923c9cc9dc3fe41113588d78690c |
| SHA512 | e3587d42a059028032aa7318aaf5064fd42a991f9d30c0309daa53046e4d2bb884fa55f807de35be4fe77baa14b5189cc367e539eb9fd7fbdfbd94cfc571dbec |
memory/2512-69-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2392-67-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/3020-76-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2392-77-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2392-75-0x0000000002290000-0x00000000025E1000-memory.dmp
C:\Windows\system\snyDlGe.exe
| MD5 | 28d39d354e880e1b19c01f83027e4bdf |
| SHA1 | 10c9181ad7a61b0600f81d93ab2f1f12c325a4e5 |
| SHA256 | 5dd3b328f7d02fa93e120426e35582f1494c1af444da315a0ded7e406dc8d22f |
| SHA512 | 17e1f591e29ef9a3fad17f7673dbeaa3c64956f3b381d8fd9b7207dab01f264828c418118c3c02b3bc3f37c9f62e427ea9935eff85412933d798933c92d0e42b |
C:\Windows\system\kXLUDPP.exe
| MD5 | ddfc23fec82f7fb931ea38ae7216ce9a |
| SHA1 | 26e6448eb766c23c0edca4363644a25ff76dea2d |
| SHA256 | 522798b0beab6e70233c96b7bf155ed5d3605b3d7a88b68c94b50c0a62696d0d |
| SHA512 | 455272d6b5bb26651d0ab88da9b6bfc87707910916b82737ebba4064459b6aa55d89344d6353cf9cd0f4859bdc9068aef7e581c60b5bc91e38894f15fe1111fb |
memory/1980-85-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/2984-84-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/2392-83-0x000000013F040000-0x000000013F391000-memory.dmp
\Windows\system\dTYspjL.exe
| MD5 | 838ef49541ec334b2dcf68cef24f1789 |
| SHA1 | 99c806081437106469ef82ec243864f6183fd4b1 |
| SHA256 | c4b954cb3f1b21ece70c17ff7bf12d3ec4dd629e01abee3c328eec90fe0fd7f8 |
| SHA512 | b8efdcb28f8ce03516185707c3c929a0d5fd8518423e30d054eabd4af817f9f1d9436f42421d98ccac16a90f39e42c394fdc9e6fe05a6dc9b5bb30b85ca19e7f |
memory/2392-105-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2884-104-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2392-102-0x000000013F560000-0x000000013F8B1000-memory.dmp
C:\Windows\system\uAodUGY.exe
| MD5 | 6be67e97bb360f3fa4128eadd56f6ed9 |
| SHA1 | 8a5d01f51cb59eae4ec90fa7ecc326305d6853ce |
| SHA256 | d4657c2fefa0e5ba1fecbe459382531cce404844491a55d02b0f0cfbb297a826 |
| SHA512 | 1716cb4374e4a2f57be2f41b8eec47cd69ab3171cda38741455341f016444986b16732520124c1fdfdf89b6cc2a2c82b618cb9d226d91264140663b3c23943b6 |
memory/2632-100-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2392-99-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
C:\Windows\system\oXNCMAE.exe
| MD5 | ddf05584ef2a6f17e305374d92ec0ba0 |
| SHA1 | 111852f5f931af70912dc6c48886aaa59f3ffc09 |
| SHA256 | 9268411dca91110a970c13dbf519fba2eab46705fb9e15fd89586d165d9860d4 |
| SHA512 | e91b669fab303c3baeb35e06713713fe4ce53f3f37fd24bf9576a919fe26a522b9347a43819c96afa21da4d6dbf06e3f9ce52a6a0101c67fbce8f93c881346fd |
C:\Windows\system\kyKjHpl.exe
| MD5 | 72d4242b6e3878a4e8c1b24f1db886cf |
| SHA1 | 28a7f698a9f4d910fbb4e24b28a8c69d8ae43205 |
| SHA256 | 66c5cd2e8852e4b06e26491b247b46a4507ad823b037315bc7ad6b74b47172ca |
| SHA512 | a41f7a4d72a2cd1bc809d5022fd6d42c39b959f63f6fb8c44137b7c44b1713cf03029732d4a6ca6af6b341474bac13c57251c901e8ce778ea2627bb7f47db675 |
\Windows\system\oCRuHgg.exe
| MD5 | 3c07efbb0b2aa0edce37e64def73bdff |
| SHA1 | 6611373c75d4799fb93e17d444b9b463f1cc6dfc |
| SHA256 | e5dd50098e1280c9ca91b5d07d749c3934a5964c0abb41ec17c454cee3bac2c3 |
| SHA512 | 2caeee9392b97ce346a1dde36f73d32b4faf40fca7d4b4eb496a08caeac1820398452622833a7e5737c701016a1d9d0cea4cfd91cefc6bfeb8ed9e5910e9f258 |
C:\Windows\system\snynvDT.exe
| MD5 | 31751baa28ab2c49ece063d88475e947 |
| SHA1 | 3320a70d2de8eeedb6335bd8218032c3a923d4d2 |
| SHA256 | 8f96a6ab0d2dedfab882d25bea6b894b016c7104322f06d191aea4bcdb1035d6 |
| SHA512 | d15c89691413620ff06f4cc19a90a4b2d194887a04ea77b5b08e2f8340aa12fa4c0b69358de9b0303f9e9b9ec4f8dd87bee822c46868cc0c8c1b71d6f5464766 |
C:\Windows\system\YhOmhLZ.exe
| MD5 | fd70da0ee175680e51e8283a0f63bbf3 |
| SHA1 | 63eb7b2c5b898adaef5926ddbba63b027beb1612 |
| SHA256 | 0cc2af575a7acbe69e3f4bac483bf45286c42073597ba9af00f8501a6f2c56cb |
| SHA512 | fd177626b617052e7619fc9a4b3da7c42ec7c0588c3afbf6bd749d685600a02a49bba80e68a6707c359cee26d2d6389fc5dcd1c07330597f7bd5700cc4c27541 |
C:\Windows\system\CHaaJef.exe
| MD5 | 2fb6780d5df59335a502e6c91bc5fe56 |
| SHA1 | 18fa6e3a43800ea1c5281c1f072f7c87b8050a8e |
| SHA256 | 03eb0caa9bb63df716f9729cd1a5ecc125639b2cb9d4569af16b80d0375179a9 |
| SHA512 | 4fedc2759e4af483ce7ab5163b37d15d67c98e9d295b5e13e9e92df016389a34af1ce58d845c7849a001b52d96d74a51548460110885163f79182b1d048a00dd |
C:\Windows\system\cWtLIrt.exe
| MD5 | fa748ddc715e4be8c2ca5efe24f9b1f5 |
| SHA1 | d5247839e7bebfcb10e1788a749dcadddd2c286d |
| SHA256 | 2187fbcf06d50c88afcb69f4ddf02e6bd5ef11ab94909f6866f95489a22708b1 |
| SHA512 | f75244c334b0eb1e7ebbeb71635c01a5f671e058cab0d18f3dad9041f80e6ca0057f5f33661cd6d5a15a85af7cd36999f288aae6210c1ba2caa826c38b2c1e69 |
C:\Windows\system\RbFxRxX.exe
| MD5 | 6fda34475faf75aa96d964c6fc58a10f |
| SHA1 | 7ea4b53bbbd4725dfa443a54dea7ffab01f7d768 |
| SHA256 | ef82b514cfcd0849062828f3b4ee13327259885fbed898116175991cbd71a549 |
| SHA512 | 40f44f47c0440f1f03a5ab1d9ed976a1b1ec7487f58004b56d432a56131eb3cff261d619c0eb24d13ccbe94fa877fd51163848d45194e6b53fbfae14cf2ab72e |
memory/2392-135-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2392-136-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2392-137-0x000000013F040000-0x000000013F391000-memory.dmp
memory/2512-147-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2888-157-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/1996-158-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2864-156-0x000000013FF50000-0x00000001402A1000-memory.dmp
memory/1456-154-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2524-152-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2760-155-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2856-153-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2392-159-0x000000013F040000-0x000000013F391000-memory.dmp
memory/2392-181-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2392-182-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2984-208-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/3012-207-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2668-210-0x000000013F400000-0x000000013F751000-memory.dmp
memory/772-212-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2652-214-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/2956-216-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2952-218-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2732-220-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2912-222-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/2512-224-0x000000013F120000-0x000000013F471000-memory.dmp
memory/3020-232-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/1980-234-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/2884-236-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2632-238-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 02:06
Reported
2024-05-27 02:08
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; the report records no description, indicator, process or target for them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; the report records no description, indicator, process or target for them.
UPX dump on OEP (original entry point)
64 matches; the report records no description, indicator, process or target for them.
XMRig Miner payload
45 matches; the report records no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fVKCyBj.exe | N/A |
| N/A | N/A | C:\Windows\System\HLVcAcX.exe | N/A |
| N/A | N/A | C:\Windows\System\oOEXFsG.exe | N/A |
| N/A | N/A | C:\Windows\System\SDsXGXi.exe | N/A |
| N/A | N/A | C:\Windows\System\RuFlsmO.exe | N/A |
| N/A | N/A | C:\Windows\System\DnGPQBr.exe | N/A |
| N/A | N/A | C:\Windows\System\EoNAvHi.exe | N/A |
| N/A | N/A | C:\Windows\System\ppsbyIr.exe | N/A |
| N/A | N/A | C:\Windows\System\VVPALZb.exe | N/A |
| N/A | N/A | C:\Windows\System\znrweZs.exe | N/A |
| N/A | N/A | C:\Windows\System\eXifUEA.exe | N/A |
| N/A | N/A | C:\Windows\System\bPmyCxe.exe | N/A |
| N/A | N/A | C:\Windows\System\TNVVsqo.exe | N/A |
| N/A | N/A | C:\Windows\System\jPNUhGR.exe | N/A |
| N/A | N/A | C:\Windows\System\gNlGPaH.exe | N/A |
| N/A | N/A | C:\Windows\System\uIcQPdm.exe | N/A |
| N/A | N/A | C:\Windows\System\YqsdzXh.exe | N/A |
| N/A | N/A | C:\Windows\System\uuupOPd.exe | N/A |
| N/A | N/A | C:\Windows\System\TXKSSwv.exe | N/A |
| N/A | N/A | C:\Windows\System\fNtKSho.exe | N/A |
| N/A | N/A | C:\Windows\System\guBELRe.exe | N/A |
UPX packed file
64 matches; the report records no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_dbdb46463a64e885d36daf22f44f3e93_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\fVKCyBj.exe | C:\Windows\System\fVKCyBj.exe |
| C:\Windows\System\HLVcAcX.exe | C:\Windows\System\HLVcAcX.exe |
| C:\Windows\System\oOEXFsG.exe | C:\Windows\System\oOEXFsG.exe |
| C:\Windows\System\SDsXGXi.exe | C:\Windows\System\SDsXGXi.exe |
| C:\Windows\System\RuFlsmO.exe | C:\Windows\System\RuFlsmO.exe |
| C:\Windows\System\DnGPQBr.exe | C:\Windows\System\DnGPQBr.exe |
| C:\Windows\System\EoNAvHi.exe | C:\Windows\System\EoNAvHi.exe |
| C:\Windows\System\ppsbyIr.exe | C:\Windows\System\ppsbyIr.exe |
| C:\Windows\System\VVPALZb.exe | C:\Windows\System\VVPALZb.exe |
| C:\Windows\System\znrweZs.exe | C:\Windows\System\znrweZs.exe |
| C:\Windows\System\eXifUEA.exe | C:\Windows\System\eXifUEA.exe |
| C:\Windows\System\bPmyCxe.exe | C:\Windows\System\bPmyCxe.exe |
| C:\Windows\System\TNVVsqo.exe | C:\Windows\System\TNVVsqo.exe |
| C:\Windows\System\jPNUhGR.exe | C:\Windows\System\jPNUhGR.exe |
| C:\Windows\System\gNlGPaH.exe | C:\Windows\System\gNlGPaH.exe |
| C:\Windows\System\uIcQPdm.exe | C:\Windows\System\uIcQPdm.exe |
| C:\Windows\System\YqsdzXh.exe | C:\Windows\System\YqsdzXh.exe |
| C:\Windows\System\uuupOPd.exe | C:\Windows\System\uuupOPd.exe |
| C:\Windows\System\TXKSSwv.exe | C:\Windows\System\TXKSSwv.exe |
| C:\Windows\System\fNtKSho.exe | C:\Windows\System\fNtKSho.exe |
| C:\Windows\System\guBELRe.exe | C:\Windows\System\guBELRe.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
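The Network table mixes three kinds of traffic: UDP queries to the sandbox resolver (8.8.8.8:53), the reverse-DNS (PTR) names those queries carry, and direct TCP connections. The script below is an added example (not part of the report or of the sandbox's tooling) that parses the rows above, decodes each in-addr.arpa name back to the IPv4 address being looked up, and counts how many separate times each TCP destination was contacted. The `NETWORK_TABLE` constant is a copy of the table above; the parser also accepts the protocol cell in the third column, which is how several rows were laid out before the table was straightened.

```python
"""Triage a sandbox report's Network table: split resolver traffic and PTR
lookups from direct TCP connections, and count repeat contacts per
destination. Added example; NETWORK_TABLE is copied from the report."""
import re
from collections import Counter

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$")


def parse_rows(table):
    """Return one dict per data row; the header and malformed rows are skipped."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3:
            continue
        # The protocol may sit in the third or fourth cell; take whichever it is
        # and treat the other (if non-empty) as the domain.
        proto = next((c for c in cells[2:] if c in ("tcp", "udp")), None)
        if proto is None:
            continue  # header row, or a row with no protocol at all
        domain = next((c for c in cells[2:] if c and c != proto), "")
        rows.append({"country": cells[0], "dest": cells[1], "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Decode an in-addr.arpa PTR name to the IPv4 address being looked up."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows):
    tcp = Counter(r["dest"] for r in rows if r["proto"] == "tcp")
    udp = Counter(r["dest"] for r in rows if r["proto"] == "udp")
    ptr_targets = [ptr_to_ip(r["domain"]) for r in rows if r["proto"] == "udp"]
    ptr_targets = [ip for ip in ptr_targets if ip]
    # A TCP destination contacted on several separate occasions in a short
    # detonation is the first candidate to compare against the loader's config.
    repeated = {dest: n for dest, n in tcp.items() if n > 1}
    return {"tcp": tcp, "udp": udp, "repeated": repeated, "ptr_targets": ptr_targets}


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_TABLE))
    for dest, n in summary["tcp"].most_common():
        print(f"tcp  {dest:<22} x{n}")
    for dest, n in summary["udp"].items():
        print(f"udp  {dest:<22} x{n} (resolver)")
    print("PTR lookups for:", ", ".join(summary["ptr_targets"]))
```

Run as-is, the only destination contacted more than once is 3.120.209.58:8080 (six TCP connections); the other three TCP destinations appear once each, and none of the fourteen PTR lookups decodes to any of the TCP destinations, so they are not reverse lookups of the sample's own peers.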
Files
memory/824-0-0x00007FF782E40000-0x00007FF783191000-memory.dmp
memory/824-1-0x000001C261410000-0x000001C261420000-memory.dmp
C:\Windows\System\fVKCyBj.exe
| MD5 | 25056e6a76efa85c0c2536db2b9c80f5 |
| SHA1 | dd147adb522c2a2e92ed610bd1c38748f1e95c64 |
| SHA256 | e35f813728dc7b25a4388efeeedd4c7f20bd0f15ebafef808f0444043d9afd20 |
| SHA512 | fd040da931ae6a60565aab2b6d7bfdd4d2c7d42bd24f268eb9362081635bdded76c43e467d56826d6c6aaad345eceedbd3cb3415611573ecd7758bffb5a59abd |
memory/2128-7-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp
C:\Windows\System\HLVcAcX.exe
| MD5 | a2946a0b0dbf7a4ac23ccc73530010c1 |
| SHA1 | fb367c40abb92d0f7f4db2704817673ba80bf8bf |
| SHA256 | b5ebba03c718f9ef896919adc7311621fb5eeafe6284b4ac328ccd9cdd892905 |
| SHA512 | 17d30431776d64a5f59e7307367e88f06dae4917d4c3b5c75cb1363e65d7a37d4b555a89edff20bf69a0d1b5154ef16b1672efe9c875dc83d78119a1622b017d |
C:\Windows\System\oOEXFsG.exe
| MD5 | d1b121d24a06b7e82eba9f1312148b46 |
| SHA1 | 2b6ae343c8aea47a3d8e97e2fdec4fa5edf436f1 |
| SHA256 | 4d8549116da2f12bb6b8b85e964a6ade3cd397041a8fa22c826bf24bbe54213b |
| SHA512 | 61cd303f60c240406e0d7454e325a1032399a815a94b7e2e2155ebb0e5fe847c8a4113dde1dbbca37c659561f7af3acde6dc3cf34f8a579619c0bbf849d0fcfa |
memory/3264-14-0x00007FF75FF20000-0x00007FF760271000-memory.dmp
memory/1920-18-0x00007FF705220000-0x00007FF705571000-memory.dmp
C:\Windows\System\SDsXGXi.exe
| MD5 | ac2490ec781ea6517cde0d6d048c3550 |
| SHA1 | 44b0057183359ad21635007ce7f9c07b85537b90 |
| SHA256 | 0d201671223be7a87b614f9658072332aa5cf15d6e764afe5f724e560652a355 |
| SHA512 | daf066f5a012dcb12dc9a3a991c0e38f04f0e1b8538e80611dccb13165e43cb4da807741e1953467d8be56ae2b30029824e145ba0d1a341a67da1a5205cd2868 |
memory/2612-26-0x00007FF681A90000-0x00007FF681DE1000-memory.dmp
C:\Windows\System\RuFlsmO.exe
| MD5 | 628a9861b18c62c1c422b6e247a2a5a1 |
| SHA1 | 05aad97322728fa68803244d18009b6192c212ad |
| SHA256 | 56ed32ef914146c1b33cf73857ff92525cf72c4dfff5afca7c3e06297920f5d8 |
| SHA512 | bd03bd17d68068e887e35917bf81fdf71986e850c90cb33cfc1f463744f09990844f9169b8a40af0c1e9d97a4abc9e04991bd917840a97684ded06668720107e |
memory/2352-29-0x00007FF745450000-0x00007FF7457A1000-memory.dmp
C:\Windows\System\DnGPQBr.exe
| MD5 | f2ddce00f7834fa27ac1a18ab3a7e019 |
| SHA1 | c457c8a158567f377ce67271bcf8d4852fe32057 |
| SHA256 | 0d72964f75adf4213ddfa5444e7f3122547fe9f61979d6b49b007855c2d81c90 |
| SHA512 | 96a70fc7c5b48bacd4bda34cf0d927eca724ff46266f7c8a570023e8207bffc8b639a2d6180483c186cb3afd009fb0c163296920b531c1ee165311ee88d98f4c |
memory/4668-38-0x00007FF7CE970000-0x00007FF7CECC1000-memory.dmp
C:\Windows\System\EoNAvHi.exe
| MD5 | 1b69109c2451f6e745df1684ac62a247 |
| SHA1 | b7e36fc32384a2b5fd7d38d47a8fd8c4278c1f40 |
| SHA256 | 43b4a0824da6e986a881e304d7e93124d76ef2d896dbc977054a62363484c046 |
| SHA512 | 1f6cd83455b1973c69dba2a0a457bfed44ff94e4ef47d05b583d2addeef64626f15ef6a8d304799b209c96b2568857d5aa8efaa26e998e3078cc05df91a8cc15 |
C:\Windows\System\ppsbyIr.exe
| MD5 | 5919b16777945a04dba6116958c191c7 |
| SHA1 | 41c665ec2ec22b768f1ff760e221ebe6f8689f04 |
| SHA256 | 3d10ed4387add5e59b654bc8b1b4b4493faeba79d193e9cdf3d87f2041dc0150 |
| SHA512 | 4c1f5b104f0377691b90563f29cd3bfe753c43b6af51c627feaf83e72621d3446f4fb14e09950bd0b1cf7c4af8b4494dfcb33bf738b4a13fbae7481ed27cd295 |
C:\Windows\System\VVPALZb.exe
| MD5 | dc6301ea31196d4c900d6b941ff67e5c |
| SHA1 | c444fb5213a9678e04a6a2a50c44fe1c3d0baf3c |
| SHA256 | 9099cd5f96e5734cc9f0dbf3782879a66f1416c98d33c9ef1949b5359ef2f950 |
| SHA512 | 0930171c20d8e26657c584ebc68f53428f317a1d1c49f5eb81259fdbd3105ca6f14aff4d24c24d61827bab7787e8f82556fe955b1d6a86affa62092f12e2628a |
C:\Windows\System\znrweZs.exe
| MD5 | ec4061d2696e4432e45ad27cac97636b |
| SHA1 | c6ef53a09d46e7d8121c15bbc175652d883609f0 |
| SHA256 | 8b83c870a3b1863c1e5eb8d511765536de82c9176fd4f57a35437e3ae00d0724 |
| SHA512 | ef94d8332bd5c6b069905316efb8b38f7e8b658df3bec8df780b50c62c80ab6ecab838d162a74ba92c523f05b4575a94290657aa76d2bed0789c551729f89af3 |
C:\Windows\System\eXifUEA.exe
| MD5 | 16cc7967cfc41d77899b162d4ac7e3de |
| SHA1 | 8e2969c4738229d7e47df4e746d699d29c6f152e |
| SHA256 | b950c3e96bcaa043f8f019b1691040487bc00f1d8bc5d80898db87e7cb241660 |
| SHA512 | e10ea04f5c047d61846465254a961976a4a3b1e51a6e782ad64251c8805fd19f08fb348e9d91fe51496eec216f0f2b6f5b3be3285ebabd370e7accec1f1fbeeb |
C:\Windows\System\bPmyCxe.exe
| MD5 | 7ca776c2cf8d69eff4c20e14275f6d74 |
| SHA1 | 21e0f148c6ce29911e9e488fb9fb212b2dcfd5e5 |
| SHA256 | 1f67c42fe31276ac0a5fcf8d8c1d8b3080018031332191f22120f888fb21cfd5 |
| SHA512 | 9d1cd5321bae1c3e82bb61cbadd1e15e0d6f9c8053a5b556014f04bc77c227929aa1f7b61442f7c66f5b7fc8b29421866cc47ceb711f0e2ea4dab762164fabff |
C:\Windows\System\TNVVsqo.exe
| MD5 | 68cfd2ac81b259fff2c94a248c4cc2c9 |
| SHA1 | e3cb8e4d5acbb00df8450665414348825f0b3cc1 |
| SHA256 | f77b098b8028d2fc5e51c3da4ccc1bb5b8458430a57ae3512beda00d3802f150 |
| SHA512 | 9115f62da00ac7259693d26402d1a35ba5aef75d8622afbb02970b7905cc7428edb64bffd853a2f2afacd18736c930337597ef6e39774ac36f93efb0117574de |
C:\Windows\System\jPNUhGR.exe
| MD5 | 272aa38d92be9467ea7e90dc4d4607c4 |
| SHA1 | 0a7d2c28816efb6316e20d6eb5a3cfb80d194b87 |
| SHA256 | 58a2c2db46e6552ca837a8e6485c91d34c6922cec38b24f5058a82a9f3bc8526 |
| SHA512 | ef185ad7a05a0f653e548d66bacba3752a8c9c0a69ec99eed03377ab6f6d3fedab18e12c3228f336f604c918254b3cd3ea99fa09b333641f8a010c8ee1f11c8f |
C:\Windows\System\gNlGPaH.exe
| MD5 | 32d0bb49be116c84fb63ddb9056b1ec4 |
| SHA1 | a22a7f748a63b1d15b48c9a0454752db7d2dc112 |
| SHA256 | 5043bf5c71956d7b06b94493214b414bdc388db93258000398d7c7583e9db3ed |
| SHA512 | be014c168eb4beca800c7480ae9f63eaf74ad79693908c85ad0ec20d9a985b28a4597c62fe1d18e3d45c6909329d640b1e0a1e716eaf9a784bd604e16930cb17 |
C:\Windows\System\uIcQPdm.exe
| MD5 | 629222eaa80001c5c91c3c318ffa5926 |
| SHA1 | e5f6bc4f9d095a62bbdd3cb1c588445e341953a7 |
| SHA256 | f0e431ee9694ac9f9b086036d055959eb56734a510adbd1f200ef8c02128709f |
| SHA512 | 76fa22d5bae2e574c8e1b668c3e99e1efdef6f7dddfa9fd4669e4b81c1c381644589ea387befe29172f8bdd10a55b2712a31e1c7f3179ca9d919ababbd658507 |
C:\Windows\System\YqsdzXh.exe
| MD5 | 5eb5a81f77cacc89b8dadfe5dbbce73d |
| SHA1 | dc508167e0b7d4da0cc25c7dbc17df574ceeb6d1 |
| SHA256 | f208083d7f91eda74d05567873294fa6820f8a36fb582677a8ca0640df221d76 |
| SHA512 | 47277da64fe35468badaa4bccfe8791d8651a0fb0c421b75f534ecd8078c982cdcc462c319ff9cf5dbb8128593de2a00ab0d99d323db3250806d5dc2b875bc9f |
C:\Windows\System\uuupOPd.exe
| MD5 | 916f79e1f2236b0097eef80f18283b16 |
| SHA1 | 277516a8d07d09954f897239c076190ded07ae3d |
| SHA256 | 32d3c3d1d744012dd8eb9c5e1133b0aca9a63f5a2430ddc26870f4f837646887 |
| SHA512 | e5338d13dec101149f415b357ec788cedb87fbef7016375d9ec2e2e49ff098017a7f95d9a6e0e58d881daea7dadbc1ddeefe8f89bd725e5e654bd1f0c9d567fb |
C:\Windows\System\TXKSSwv.exe
| MD5 | 3baeb732b89165092c443ee8d061b145 |
| SHA1 | 07bbd8861b2d56408c6f8319096c87ff6669c89d |
| SHA256 | ff1c615e5fcbaafc29a5b0bbcae8003018437bdba788878c06a18634bfaeb49d |
| SHA512 | feef8ca9a8964bb62717d3acd415e893c967e5dc872b857b41136ec34edc183263443049c4ea7b52988303ba8c927a9f1604865e38e50d67ead6b451d59ab408 |
memory/3084-104-0x00007FF645450000-0x00007FF6457A1000-memory.dmp
memory/2928-110-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp
memory/3652-114-0x00007FF7EC910000-0x00007FF7ECC61000-memory.dmp
memory/684-118-0x00007FF708AA0000-0x00007FF708DF1000-memory.dmp
memory/3544-121-0x00007FF6553F0000-0x00007FF655741000-memory.dmp
memory/4636-122-0x00007FF6E8740000-0x00007FF6E8A91000-memory.dmp
memory/4500-120-0x00007FF7025D0000-0x00007FF702921000-memory.dmp
memory/1988-119-0x00007FF7108B0000-0x00007FF710C01000-memory.dmp
memory/1336-117-0x00007FF7E9B30000-0x00007FF7E9E81000-memory.dmp
memory/1292-116-0x00007FF796010000-0x00007FF796361000-memory.dmp
memory/1136-115-0x00007FF7B1290000-0x00007FF7B15E1000-memory.dmp
C:\Windows\System\fNtKSho.exe
| MD5 | 1f2c7a8831cdc38d767c4039bc1748f0 |
| SHA1 | 1e300f8516f2e4278206768be3fec96e7ced890e |
| SHA256 | 56663d3deebf1b747377c6cc0ebea44d5c22c08641c85da331f1a1fd1c43a96b |
| SHA512 | ca565c4eca51c0083effa724c8ced7025f29727b8d47f70d4b61a4489fbc5bcdc28139bf3f9c0f3fe736419ebb0d1edc9f92a75e4dbea8d4b3fb39f6c08f228d |
memory/644-111-0x00007FF76E1F0000-0x00007FF76E541000-memory.dmp
memory/2112-109-0x00007FF7D2F10000-0x00007FF7D3261000-memory.dmp
memory/1636-107-0x00007FF694690000-0x00007FF6949E1000-memory.dmp
C:\Windows\System\guBELRe.exe
| MD5 | 957bd37f38190c2ee5336fb30a029508 |
| SHA1 | 58281b39bafd7ba6876dec24705d52c2d812a192 |
| SHA256 | fc838349d91197fd9e7b10bb274cbe2e0b83e951c11c0a18f9cceacc6810ff43 |
| SHA512 | bfa74b3ae2c9532f03f72918a3e136965cf6edffdd2792c8f7ea5a7d7a8aeabb38d5476da69ca583a2cd403e4b39a1de02db8ba2aff1f4e88ad2b8efc10047a8 |
memory/1920-130-0x00007FF705220000-0x00007FF705571000-memory.dmp
memory/2128-126-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp
memory/824-125-0x00007FF782E40000-0x00007FF783191000-memory.dmp
memory/2352-132-0x00007FF745450000-0x00007FF7457A1000-memory.dmp
memory/924-143-0x00007FF7B7DB0000-0x00007FF7B8101000-memory.dmp
memory/824-150-0x00007FF782E40000-0x00007FF783191000-memory.dmp
memory/824-151-0x00007FF782E40000-0x00007FF783191000-memory.dmp
memory/2128-201-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp
memory/3264-203-0x00007FF75FF20000-0x00007FF760271000-memory.dmp
memory/1920-205-0x00007FF705220000-0x00007FF705571000-memory.dmp
memory/2612-207-0x00007FF681A90000-0x00007FF681DE1000-memory.dmp
memory/2352-209-0x00007FF745450000-0x00007FF7457A1000-memory.dmp
memory/4668-211-0x00007FF7CE970000-0x00007FF7CECC1000-memory.dmp
memory/3084-216-0x00007FF645450000-0x00007FF6457A1000-memory.dmp
memory/1636-218-0x00007FF694690000-0x00007FF6949E1000-memory.dmp
memory/2112-220-0x00007FF7D2F10000-0x00007FF7D3261000-memory.dmp
memory/2928-222-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp
memory/644-224-0x00007FF76E1F0000-0x00007FF76E541000-memory.dmp
memory/3652-226-0x00007FF7EC910000-0x00007FF7ECC61000-memory.dmp
memory/1136-228-0x00007FF7B1290000-0x00007FF7B15E1000-memory.dmp
memory/1292-230-0x00007FF796010000-0x00007FF796361000-memory.dmp
memory/1336-232-0x00007FF7E9B30000-0x00007FF7E9E81000-memory.dmp
memory/684-234-0x00007FF708AA0000-0x00007FF708DF1000-memory.dmp
memory/1988-238-0x00007FF7108B0000-0x00007FF710C01000-memory.dmp
memory/4500-240-0x00007FF7025D0000-0x00007FF702921000-memory.dmp
memory/3544-242-0x00007FF6553F0000-0x00007FF655741000-memory.dmp
memory/4636-244-0x00007FF6E8740000-0x00007FF6E8A91000-memory.dmp
memory/924-248-0x00007FF7B7DB0000-0x00007FF7B8101000-memory.dmp
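The Files section above interleaves dropped executables (each with an MD5/SHA1/SHA256/SHA512 table) and memory dumps named `memory/<pid>-<index>-<start>-<end>-memory.dmp`. The script below is an added example, not part of the report or of the sandbox's tooling: it parses that layout, checks that every hash has the length its algorithm requires (a quick way to catch truncation when copying IOCs out of a report), collects the SHA256 values as an IOC list, and computes the size of each dumped region so that dumps can be grouped by footprint. `FILES_SECTION` is an excerpt copied from the section above (three executables and seven dumps); the function names are mine.

```python
"""Parse the Files section of a sandbox report into dropped-file hashes and
memory-dump regions. Added example; FILES_SECTION is an excerpt of the report."""
import re
from collections import defaultdict

# Excerpt copied from the report's Files section; the full section has the same layout.
FILES_SECTION = r"""
memory/824-0-0x00007FF782E40000-0x00007FF783191000-memory.dmp
memory/824-1-0x000001C261410000-0x000001C261420000-memory.dmp
C:\Windows\System\fVKCyBj.exe
| MD5 | 25056e6a76efa85c0c2536db2b9c80f5 |
| SHA1 | dd147adb522c2a2e92ed610bd1c38748f1e95c64 |
| SHA256 | e35f813728dc7b25a4388efeeedd4c7f20bd0f15ebafef808f0444043d9afd20 |
| SHA512 | fd040da931ae6a60565aab2b6d7bfdd4d2c7d42bd24f268eb9362081635bdded76c43e467d56826d6c6aaad345eceedbd3cb3415611573ecd7758bffb5a59abd |
memory/2128-7-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp
C:\Windows\System\HLVcAcX.exe
| MD5 | a2946a0b0dbf7a4ac23ccc73530010c1 |
| SHA1 | fb367c40abb92d0f7f4db2704817673ba80bf8bf |
| SHA256 | b5ebba03c718f9ef896919adc7311621fb5eeafe6284b4ac328ccd9cdd892905 |
| SHA512 | 17d30431776d64a5f59e7307367e88f06dae4917c5c75cb1363e65d7a37d4b555a89edff20bf69a0d1b5154ef16b1672efe9c875dc83d78119a1622b017d |
C:\Windows\System\oOEXFsG.exe
| MD5 | d1b121d24a06b7e82eba9f1312148b46 |
| SHA1 | 2b6ae343c8aea47a3d8e97e2fdec4fa5edf436f1 |
| SHA256 | 4d8549116da2f12bb6b8b85e964a6ade3cd397041a8fa22c826bf24bbe54213b |
| SHA512 | 61cd303f60c240406e0d7454e325a1032399a815a94b7e2e2155ebb0e5fe847c8a4113dde1dbbca37c659561f7af3acde6dc3cf34f8a579619c0bbf849d0fcfa |
memory/3264-14-0x00007FF75FF20000-0x00007FF760271000-memory.dmp
memory/1920-18-0x00007FF705220000-0x00007FF705571000-memory.dmp
memory/824-125-0x00007FF782E40000-0x00007FF783191000-memory.dmp
memory/3264-203-0x00007FF75FF20000-0x00007FF760271000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
EXPECTED_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}  # hex digits


def parse_files_section(text):
    """Return (files, regions): dropped files with their hashes, and dump regions."""
    files, regions = [], []
    current = None  # the file entry that following hash rows belong to
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "index": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is not None:
                current[h[1].lower()] = h[2].lower()
            continue
        current = {"path": line}  # any other line opens a new dropped-file entry
        files.append(current)
    return files, regions


def hash_lengths_ok(entry):
    """True when every hash present has the digit count its algorithm produces."""
    return all(len(entry[k]) == n for k, n in EXPECTED_LEN.items() if k in entry)


def ioc_sha256(files):
    return sorted({f["sha256"] for f in files if "sha256" in f})


def region_size_profile(regions):
    """Map each distinct region size to the sorted list of PIDs that carry it."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    for f in files:
        flag = "" if hash_lengths_ok(f) else "  <-- hash length mismatch"
        print(f"{f['path']}  sha256={f.get('sha256', '?')}{flag}")
    for size, pids in sorted(region_size_profile(regions).items()):
        print(f"region size 0x{size:X}: {len(pids)} PIDs {pids}")
```

Applied to the complete Files section above rather than the excerpt, all fifty dumps except memory/824-1 (a 0x10000-byte region in the first process) come out at exactly 0x351000 bytes, one per process, even though every dropped executable has a different hash. That shared footprint is the pivot to use when the file hashes alone do not cluster.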