Analysis Overview
SHA256
451e7d32777061de43a5fb3d3c982ba801cb3ea62fac22d71af49dc52715c2b9
Threat Level: Known bad
The file 2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-27 17:46
Signatures
Cobalt Strike reflective loader
1 hit (description, indicator, process and target not extracted)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit (description, indicator, process and target not extracted)
UPX dump on OEP (original entry point)
1 hit (description, indicator, process and target not extracted)
XMRig Miner payload
1 hit (description, indicator, process and target not extracted)
Xmrig family
UPX packed file
1 hit (description, indicator, process and target not extracted)
Unsigned PE
1 hit (description, indicator, process and target not extracted)
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 17:46
Reported
2024-05-27 17:49
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (description, indicator, process and target not extracted)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (description, indicator, process and target not extracted)
UPX dump on OEP (original entry point)
58 hits (description, indicator, process and target not extracted)
XMRig Miner payload
62 hits (description, indicator, process and target not extracted)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RyaAart.exe | N/A |
| N/A | N/A | C:\Windows\System\ELCWnaR.exe | N/A |
| N/A | N/A | C:\Windows\System\HeKDwsb.exe | N/A |
| N/A | N/A | C:\Windows\System\eXjyWZh.exe | N/A |
| N/A | N/A | C:\Windows\System\OApGcMK.exe | N/A |
| N/A | N/A | C:\Windows\System\QrVXtoV.exe | N/A |
| N/A | N/A | C:\Windows\System\nUaTYZA.exe | N/A |
| N/A | N/A | C:\Windows\System\PifCZwU.exe | N/A |
| N/A | N/A | C:\Windows\System\YCiLWEk.exe | N/A |
| N/A | N/A | C:\Windows\System\dZVLfrN.exe | N/A |
| N/A | N/A | C:\Windows\System\KcCKmmy.exe | N/A |
| N/A | N/A | C:\Windows\System\JttvypX.exe | N/A |
| N/A | N/A | C:\Windows\System\vmipcGq.exe | N/A |
| N/A | N/A | C:\Windows\System\ohWPxUg.exe | N/A |
| N/A | N/A | C:\Windows\System\PUROHti.exe | N/A |
| N/A | N/A | C:\Windows\System\YWhbHMF.exe | N/A |
| N/A | N/A | C:\Windows\System\eZyQnBW.exe | N/A |
| N/A | N/A | C:\Windows\System\bfZHCkG.exe | N/A |
| N/A | N/A | C:\Windows\System\hruLRWF.exe | N/A |
| N/A | N/A | C:\Windows\System\UIzvxRu.exe | N/A |
| N/A | N/A | C:\Windows\System\IAwAoFw.exe | N/A |
Loads dropped DLL
UPX packed file
58 hits (description, indicator, process and target not extracted)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RyaAart.exe
C:\Windows\System\RyaAart.exe
C:\Windows\System\ELCWnaR.exe
C:\Windows\System\ELCWnaR.exe
C:\Windows\System\HeKDwsb.exe
C:\Windows\System\HeKDwsb.exe
C:\Windows\System\eXjyWZh.exe
C:\Windows\System\eXjyWZh.exe
C:\Windows\System\QrVXtoV.exe
C:\Windows\System\QrVXtoV.exe
C:\Windows\System\OApGcMK.exe
C:\Windows\System\OApGcMK.exe
C:\Windows\System\nUaTYZA.exe
C:\Windows\System\nUaTYZA.exe
C:\Windows\System\PifCZwU.exe
C:\Windows\System\PifCZwU.exe
C:\Windows\System\YCiLWEk.exe
C:\Windows\System\YCiLWEk.exe
C:\Windows\System\dZVLfrN.exe
C:\Windows\System\dZVLfrN.exe
C:\Windows\System\KcCKmmy.exe
C:\Windows\System\KcCKmmy.exe
C:\Windows\System\JttvypX.exe
C:\Windows\System\JttvypX.exe
C:\Windows\System\vmipcGq.exe
C:\Windows\System\vmipcGq.exe
C:\Windows\System\ohWPxUg.exe
C:\Windows\System\ohWPxUg.exe
C:\Windows\System\PUROHti.exe
C:\Windows\System\PUROHti.exe
C:\Windows\System\YWhbHMF.exe
C:\Windows\System\YWhbHMF.exe
C:\Windows\System\eZyQnBW.exe
C:\Windows\System\eZyQnBW.exe
C:\Windows\System\bfZHCkG.exe
C:\Windows\System\bfZHCkG.exe
C:\Windows\System\hruLRWF.exe
C:\Windows\System\hruLRWF.exe
C:\Windows\System\UIzvxRu.exe
C:\Windows\System\UIzvxRu.exe
C:\Windows\System\IAwAoFw.exe
C:\Windows\System\IAwAoFw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2440-0-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2440-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\RyaAart.exe
| MD5 | 12a65a7389be8950a3fcf216fc8f1ccf |
| SHA1 | 65df17bc39612d95c350a7a703c264360e2e380b |
| SHA256 | f76c556cd10c1f00ae69bc94dc8c8ab96faf433fc5d718befa8a464963295c57 |
| SHA512 | 62f3f874ff939ccea99cfbbd7028683a19993c2178d79208904ac66b3835c7d6f721bd2f276c607380a6f75c60ee04a4ef75f4a23546711a957b5bfc176c0a9c |
\Windows\system\HeKDwsb.exe
| MD5 | c2ef880df6cf52390a7827e01ba3c628 |
| SHA1 | fdebbfef45dd95f2270b4041e67a4425af6c22f9 |
| SHA256 | e6fd8fe6642c0a6136615773368f656ac3c66e4793c9b0a654cbe0d9a04179d8 |
| SHA512 | 7f1330789951cc04730306a82bb7465c7dbc665f79674ba848798c56591181fd5a24568eb0566884fec9178dea779ca137d503689f9a25fa9db604a50a42f7be |
C:\Windows\system\ELCWnaR.exe
| MD5 | cc0d5efe9815bca0ab888bbb92465656 |
| SHA1 | b4ffd31c0bd06accee178496c806e2034a8f978c |
| SHA256 | d38d9ce9b71fb587515056239cd02fe8b5b47dad630800a367a5952ef568f929 |
| SHA512 | 3d9146145d3ae91266ebf260877a8186c837d069be6eba7e3044c0e85e552c60880ede28a03a14b5db9d04780891cbf416c6500468cf5c5f8c9b5cd2af6f4822 |
memory/2448-19-0x000000013FE70000-0x00000001401C4000-memory.dmp
\Windows\system\QrVXtoV.exe
| MD5 | f005e7556d56c517f26ff8bf3dc1eb57 |
| SHA1 | 5ef31fc4d63c69d7a861606a28757f635ed42171 |
| SHA256 | bbaac9fa25bf63521b9836d6ce2d877a60a950976e3625204a84d4f3c7ac19a8 |
| SHA512 | 23a3ddcec88cbf2021b3eb27a6d87e1e6b3eff0e9bdad44d4dbdddf86861dc9610b729946a2e169fec796e5b7277e9cd2d286d51e1714b1e8ca8fbe779e97dc9 |
\Windows\system\nUaTYZA.exe
| MD5 | 47fe9ea9667334837b35a54cdf0e78e4 |
| SHA1 | 6e19068e0050f4782a79fa6260ea4c169ba5ba35 |
| SHA256 | e60078e459353aa991b93d6a8d0f99ccd67290b38ac881944b174cbcc98a61e9 |
| SHA512 | 2911a43ff6c243fd477e01b0ce5c85f271653734b1d088c91173a67a4654bf795034db3c4575af86a4900d597e854b5024e19dc26f0753c5043e41909fa25d9e |
C:\Windows\system\eXjyWZh.exe
| MD5 | dcb8e39aa68551bbf3bd31124031587b |
| SHA1 | e9f856bb89da78d527caa6d8ef07edc36da0cf2e |
| SHA256 | 7bbba67eec1d7bbbe56bb4750c4923f0923f34baee0272bc7afc7ccb53636c9a |
| SHA512 | 426bc62148ca93f3fd96233227198b892eec7b9e231fda2089d559bf34324fb7d2072d4556981c6414e871a16ccd950e7c87ee4f37125f80c26ce73eb8e829a8 |
memory/2440-26-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2456-49-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2484-46-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2472-44-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2440-42-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2620-40-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2440-39-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2440-55-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2440-67-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2420-68-0x000000013F0B0000-0x000000013F404000-memory.dmp
C:\Windows\system\KcCKmmy.exe
| MD5 | 4a87b2fcac8a5c0c4fad6230d5d7f186 |
| SHA1 | b518d15ed6883be00b67f3b38dafcb817bfeb22e |
| SHA256 | 817b51b18bd5a36360f807b62c260ea0ee9e9c4445cfc48e036a56bc2e515553 |
| SHA512 | 3863d3b5fcb2857a810c51fb1c0649a1cba071ac372a560aadcf88ef178446aa67d3cd8e4f89701eaa2d66f0c47d9bf9da92f775bb9cb3d55f838a532a3b59de |
\Windows\system\JttvypX.exe
| MD5 | 4303ab8d255b4127bbf6259ba9a072b6 |
| SHA1 | bf0f8a9a8f55aa274e6810546337342ea2821ace |
| SHA256 | 2b1ad2a3dc39054fe15ac3962e40e2bd101601b6da59217ea2b8a2166fdded54 |
| SHA512 | 883af0cac920342e634872e37a991f5905077e19f76307d9cda96cf79f43273033c748b208358be7ca03e66634a00c90019d577cf5b6e506a536ccb86a282ea1 |
C:\Windows\system\dZVLfrN.exe
| MD5 | d3edda6f5d5203cdc8161e341825e0d3 |
| SHA1 | e2d2b0e60f3695045c4e243de5770f58937e3231 |
| SHA256 | 3c9a3bf28f040a86159dbb30393d38e912e3c47d4e52001bbed6a516055d883c |
| SHA512 | 0f80f4e7ddebf20f339f080c9fc056fe16350853f49efca28324426dea6490a0053af390dd69735bf870f1f4c2eb8b0a309d8bcac0d7ae34fac3e15ac96135af |
memory/1188-80-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2440-74-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\vmipcGq.exe
| MD5 | bc4e5237e6f105fe33cb38f51ad9556f |
| SHA1 | 65febb1207e47f1a6bad435cf487586c3f226c4b |
| SHA256 | 04f94ab3ad6b740c24903e69381bb62c29c9bf2f7c53a2e8fa7c46d07433c7db |
| SHA512 | 21f2153f48614a00b8bd1d13cb124f0aa3b0e94127ee21aadf6a9c944d6f67930579d9c7427112ef079e6fb2d52b78ecd82ffeb2cbcdd94126401f843a4aaab5 |
memory/2440-78-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\YWhbHMF.exe
| MD5 | f29ee1a24414e5b48792b232e89bcbac |
| SHA1 | 840fe4d8b44b7fff8b58e3caf442d6cb3b0db406 |
| SHA256 | a1553c5dcd988b52d20b401120e3f5332cf17fb351c24fad72920b0c877c4e87 |
| SHA512 | 7f2d922bb6f6b736cfd96bf97c76a74c8bc9651c700d2a9ce435e0176f366dc561f0439774429fb59474cd3bcc7f7e4e634dfbfc8ed245ffc31eab9ec99a595b |
C:\Windows\system\bfZHCkG.exe
| MD5 | 3e28f4aa27beb82dbe1aae116239afc7 |
| SHA1 | 38b83c01ef0db991961e6dec2634bda2fce19730 |
| SHA256 | 6d2a5948452bcfaef0b9100361eb75618751b7cf8c6fe9a8f828995e62fd990c |
| SHA512 | 51578d9340ea62c09ce98872bd2c50fa2ef1012f803af64c014dd41970eb514126c35742572c8c32edec70c899c5477676741aecb41ef7a13c9363674e4ebc2f |
\Windows\system\IAwAoFw.exe
| MD5 | 4224dd054a5dedb0af1ff7e23ea36b6a |
| SHA1 | 0e451bc7ffe65cad18aa0a533c8e0e629c1d0e50 |
| SHA256 | 56e2346f5d27510e74d2747f7e5b62c2f4c9103d31f2189c060b9de4ebc14204 |
| SHA512 | acdfe435025217ef4d57147bc581119694c9cd441cb9f876c0da9073672c40f2af151bcdf2fe8d783a696a42bfbf4fb63938c87be13739405aaea40b2f0925b7 |
C:\Windows\system\UIzvxRu.exe
| MD5 | 2edb40524236c158ba35c621b5041051 |
| SHA1 | d2bc13a4486887f1ff3514633d058b488e466023 |
| SHA256 | 2b31517885a2f4d6d4f3c9792199d1add251924b190fba135b43a464f30b0eb6 |
| SHA512 | 448b53956c4be2c0474caec560dfe1477c58aa9b0a4e6ceaa341de633c305c30f3c94d31ae91ecbb29356646888f509ec8d4554f52832cac9d3c32c14be6d460 |
C:\Windows\system\hruLRWF.exe
| MD5 | 2727822e805c5e069ed51389b627ecd4 |
| SHA1 | d474ff4869466647600a8adf3b561f0a1cf52655 |
| SHA256 | 6c5fd6342660ea411c58e6b082d78ea2f12c7401701997ad4bd12157cc874860 |
| SHA512 | bf87f46919abc46fc7fc1300b8c602f1025433fb4598d00e2781af7ddd511ab161dd1629451d64928f8a7b0cb8e90e74d89052195aca55cb07fb3759929c2d8d |
C:\Windows\system\eZyQnBW.exe
| MD5 | 418a1c7bf99fb7c22e9e783b8f27a5b9 |
| SHA1 | 0e41a4be4253da24d7b9e4cda8686b92c0769e98 |
| SHA256 | e9b47caa341c12caf3e7097575a41add7c726ca0753d0764c6ed92ebc91cbb39 |
| SHA512 | 37a1c3419e546e4eed855afa442d7d416689693c283e82f89767a7ca8fa4a576950a63fc6b1055d95761cefe65e323230b02176c2b23730c272f39e10af99b38 |
memory/2440-103-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\PUROHti.exe
| MD5 | aac88b7ea291c3a409f8eefef3cc41a3 |
| SHA1 | ec76555247b8ba38556b9d31d6a23da04bca5403 |
| SHA256 | e556a87f4979c6d052813f09461553ea91e386b5a50f7ba510e1643cb00e8eb4 |
| SHA512 | a99d0029de2508df5c5cac045e523e76bee3a4c933b44af437db39f5e666e241d51528027118d2f129e95daed28e536bed5a81d23125453651b4c290bf884feb |
memory/1452-99-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2440-98-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2484-97-0x000000013FA40000-0x000000013FD94000-memory.dmp
C:\Windows\system\ohWPxUg.exe
| MD5 | df7cb3490a5cf2f92cb72964dd9d7613 |
| SHA1 | ea8f9b395dda41692a2505eaf686434d78ca1300 |
| SHA256 | 4390c0770ca848391c3c02ccb7db56aae4755bd91f2d9a1d0002a049a2f548ad |
| SHA512 | f0598c40ff370249f16a5fc2d294d9bb8717c66a4099aeb5c8aa60c318866a8f5a5b46bd104705ec53ac761e9351c687d5cef2305c0f1ea9634ec31371311b3d |
memory/2672-90-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2440-87-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1280-86-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2428-63-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2440-62-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\YCiLWEk.exe
| MD5 | 2d70e42bd9a8927f2dcc99983d0528c7 |
| SHA1 | 27e7297adfdaf13ca8cf24b1d800bad9b0629f47 |
| SHA256 | 31343b527661a8bc0c69c943dd8b75576c50d3bf087dc7339a3ce8c0d5d756e9 |
| SHA512 | 1e05db418cb2c2f107418b11cf1a22f1961dad6d9d87b2d74d544e2ac163b1c68445be4c722902711489d35b2898e44fe4b805dbd5a3aa3cc0ddd0eb0f0ad525 |
memory/2456-135-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2356-56-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\PifCZwU.exe
| MD5 | d85c39225f506efe40860130715aade4 |
| SHA1 | 313e2aeaa3770b10ea495f95589ecd5f2d4e75a4 |
| SHA256 | 8ef79355e880b5cb8544af85a2bf56859ea7e4e694515591630938df6af8c361 |
| SHA512 | 7ecae822fc8c12228033119020a3907098de18e17979c5179d6cde78986403ab6f8268faeca0e6a06677e6656a8b99d5c88c2064b649c62b43af9f0dff89e29b |
C:\Windows\system\OApGcMK.exe
| MD5 | 90bd266d9ca5e597bb4c52e52d0cd9fc |
| SHA1 | c6b6a6e301ed2201e0bd88eb447bb37f05ff66fd |
| SHA256 | 77d1125c980b7a1d0a548859636d8ce58ad2c2c358dd7a41f10672a2b94e84c7 |
| SHA512 | 314991cbb9d1d0c00b3ae36877167ab9f7af6fb0e40ff7d8aeed122f6069eefc4c09bf6adfbc4901548037a281444531c265e889ac0676af31acc0cb6afd6968 |
memory/2588-37-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2440-33-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2912-30-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2440-14-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2440-136-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2420-137-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/1188-138-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1280-139-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2440-140-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2672-141-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2440-142-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2448-143-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2912-144-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2588-145-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2620-146-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2472-147-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2484-148-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2456-149-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2356-150-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2428-151-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2420-152-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/1188-153-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1280-154-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2672-155-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1452-156-0x000000013F960000-0x000000013FCB4000-memory.dmp
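The behavioral1 run gives a detection engineer three pivots that do not depend on the family label in the file name: every dropped component is written to C:\Windows\System (the legacy directory, not System32) under a seven-letter mixed-case name, every run connects to 3.120.209.58:8080, and the sample adjusts its token to hold SeLockMemoryPrivilege, which XMRig requests so its RandomX dataset can be backed by large pages. The Python below is an added example, not part of the sandbox report: it encodes those indicators, plus three of the dropped-file SHA256 values from the Files section, as rules over a minimal Sysmon-like event record (a hypothetical `Event` class with only the fields the rules read) and runs them over a handful of constructed events. SeLockMemoryPrivilege is legitimately held by a few services (SQL Server with "Lock pages in memory" enabled, for example), so treat that rule as a strong signal on an ordinary workstation rather than a verdict on its own.

```python
import re
from dataclasses import dataclass

# Indicators copied from the behavioral1 analysis of this report.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROPPED_SHA256 = {
    "f76c556cd10c1f00ae69bc94dc8c8ab96faf433fc5d718befa8a464963295c57",  # RyaAart.exe
    "e6fd8fe6642c0a6136615773368f656ac3c66e4793c9b0a654cbe0d9a04179d8",  # HeKDwsb.exe
    "d38d9ce9b71fb587515056239cd02fe8b5b47dad630800a367a5952ef568f929",  # ELCWnaR.exe
}
# Each dropped component is C:\Windows\System\<7 letters>.exe, e.g. RyaAart.exe.
# C:\Windows\System is normally near-empty, so a fresh .exe there is worth a
# look even when the hash is not yet known.
RANDOM_NAME_RE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# Requested by the sample in both runs; XMRig asks for it to map large pages.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe")


@dataclass
class Event:
    """Hypothetical minimal Sysmon-like record: only the fields the rules read."""
    kind: str            # "process" (EID 1), "network" (EID 3) or "privilege"
    image: str           # full path of the acting process
    sha256: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    privilege: str = ""


def classify(ev: Event) -> list[str]:
    """Return the names of every indicator the event matches; [] if clean."""
    hits = []
    if RANDOM_NAME_RE.match(ev.image):
        hits.append("random_name_in_windows_system")
    if ev.kind == "process" and ev.sha256.lower() in DROPPED_SHA256:
        hits.append("known_dropped_exe_hash")
    if ev.kind == "network" and (ev.dest_ip, ev.dest_port) in C2_ENDPOINTS:
        hits.append("c2_endpoint")
    if ev.kind == "privilege" and ev.privilege == MINER_PRIVILEGE:
        hits.append("selockmemoryprivilege_requested")
    return hits


def triage(events: list[Event]) -> list[tuple[str, list[str]]]:
    """Keep only flagged events, as (image, matched indicators) pairs."""
    flagged = []
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev.image, hits))
    return flagged


# Constructed events for the demonstration; not output of the sandbox run.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System\RyaAart.exe",
          sha256="F76C556CD10C1F00AE69BC94DC8C8AB96FAF433FC5D718BEFA8A464963295C57"),
    Event("process", r"C:\Windows\System\HeKDwsb.exe", sha256="not-in-the-report"),
    Event("network", SAMPLE, dest_ip="3.120.209.58", dest_port=8080),
    Event("privilege", SAMPLE, privilege=MINER_PRIVILEGE),
    Event("process", r"C:\Windows\System32\svchost.exe", sha256="unrelated"),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_ip="204.79.197.237", dest_port=443),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The path rule fires on the second event even though its hash is not in the report, which is the point of keeping a structural indicator alongside the hash list: the 21 dropped names differ per run, but the directory and name shape do not. The two benign controls (svchost.exe in System32, a browser talking to a Bing address seen in behavioral2) stay clean.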
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 17:46
Reported
2024-05-27 17:49
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (description, indicator, process and target not extracted)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (description, indicator, process and target not extracted)
UPX dump on OEP (original entry point)
64 hits (description, indicator, process and target not extracted)
XMRig Miner payload
64 hits (description, indicator, process and target not extracted)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UbugkRm.exe | N/A |
| N/A | N/A | C:\Windows\System\YuwWpJG.exe | N/A |
| N/A | N/A | C:\Windows\System\qWtqFDe.exe | N/A |
| N/A | N/A | C:\Windows\System\MXNIrBa.exe | N/A |
| N/A | N/A | C:\Windows\System\gSKSOVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QRTuytW.exe | N/A |
| N/A | N/A | C:\Windows\System\xFYDQPB.exe | N/A |
| N/A | N/A | C:\Windows\System\ixQyWzp.exe | N/A |
| N/A | N/A | C:\Windows\System\amZaCWm.exe | N/A |
| N/A | N/A | C:\Windows\System\pHmTovq.exe | N/A |
| N/A | N/A | C:\Windows\System\hoibZht.exe | N/A |
| N/A | N/A | C:\Windows\System\JModeYO.exe | N/A |
| N/A | N/A | C:\Windows\System\BvzBwUc.exe | N/A |
| N/A | N/A | C:\Windows\System\ImjuDzu.exe | N/A |
| N/A | N/A | C:\Windows\System\OACEDIS.exe | N/A |
| N/A | N/A | C:\Windows\System\huVnOnA.exe | N/A |
| N/A | N/A | C:\Windows\System\uaEzJfB.exe | N/A |
| N/A | N/A | C:\Windows\System\YcEHKJU.exe | N/A |
| N/A | N/A | C:\Windows\System\aZuYHoW.exe | N/A |
| N/A | N/A | C:\Windows\System\jshZuNz.exe | N/A |
| N/A | N/A | C:\Windows\System\TtDXnQN.exe | N/A |
UPX packed file
64 hits (description, indicator, process and target not extracted)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0dc5c534051e7224201d3edf5f7cf8c2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UbugkRm.exe
C:\Windows\System\UbugkRm.exe
C:\Windows\System\YuwWpJG.exe
C:\Windows\System\YuwWpJG.exe
C:\Windows\System\qWtqFDe.exe
C:\Windows\System\qWtqFDe.exe
C:\Windows\System\MXNIrBa.exe
C:\Windows\System\MXNIrBa.exe
C:\Windows\System\gSKSOVQ.exe
C:\Windows\System\gSKSOVQ.exe
C:\Windows\System\QRTuytW.exe
C:\Windows\System\QRTuytW.exe
C:\Windows\System\xFYDQPB.exe
C:\Windows\System\xFYDQPB.exe
C:\Windows\System\ixQyWzp.exe
C:\Windows\System\ixQyWzp.exe
C:\Windows\System\amZaCWm.exe
C:\Windows\System\amZaCWm.exe
C:\Windows\System\pHmTovq.exe
C:\Windows\System\pHmTovq.exe
C:\Windows\System\hoibZht.exe
C:\Windows\System\hoibZht.exe
C:\Windows\System\JModeYO.exe
C:\Windows\System\JModeYO.exe
C:\Windows\System\BvzBwUc.exe
C:\Windows\System\BvzBwUc.exe
C:\Windows\System\ImjuDzu.exe
C:\Windows\System\ImjuDzu.exe
C:\Windows\System\OACEDIS.exe
C:\Windows\System\OACEDIS.exe
C:\Windows\System\huVnOnA.exe
C:\Windows\System\huVnOnA.exe
C:\Windows\System\uaEzJfB.exe
C:\Windows\System\uaEzJfB.exe
C:\Windows\System\YcEHKJU.exe
C:\Windows\System\YcEHKJU.exe
C:\Windows\System\aZuYHoW.exe
C:\Windows\System\aZuYHoW.exe
C:\Windows\System\jshZuNz.exe
C:\Windows\System\jshZuNz.exe
C:\Windows\System\TtDXnQN.exe
C:\Windows\System\TtDXnQN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1948-0-0x00007FF6DE490000-0x00007FF6DE7E4000-memory.dmp
memory/1948-1-0x0000025892DC0000-0x0000025892DD0000-memory.dmp
C:\Windows\System\UbugkRm.exe
| MD5 | f61f4daebd054c93f45a34b7e536e3b2 |
| SHA1 | e8cbd2512d750217af9c0a27d58e3f1ad06a10ca |
| SHA256 | 13886a270d7c6f618014fc1b6f8a0e00077f0a24ad4b235d50d8f626e32ee0be |
| SHA512 | f10ea7c14d241b9832da3b0de68b9cadbb1aabdf823a8108d13f679755c084194b1ee9f0175bda4a1ed74b4722b010c969640a3b3df7adf6bde117af0674619f |
memory/4920-8-0x00007FF7CE470000-0x00007FF7CE7C4000-memory.dmp
C:\Windows\System\qWtqFDe.exe
| MD5 | 85c5497de04831248e726938a53a19d1 |
| SHA1 | 7e8ef731c0d08398035b2c6d9fc48d2accd03bf7 |
| SHA256 | d232c4175aaf69ad5e3f28966c71ad67e035684dfb4929a50ca26d4245f2c2f5 |
| SHA512 | 1618edeb9a698a847080445ae0a8c388814a8d776a4569bccf34b228907bdbd2218f365b73a31448c0c1fa4f9cc35f4783410432e474820828244a1ed140c5cc |
C:\Windows\System\YuwWpJG.exe
| MD5 | e4ce478b503cf783b05bd64f2d2f7f4d |
| SHA1 | 79b10d1aa8360a14b3534ec32d6aa7a2e767405b |
| SHA256 | 73b74fe59cc8cbf7c6bb99e86a72d51ec10f9cae76e67777b4d9e911bc77f582 |
| SHA512 | 53ca42051feda10e6a7604171e74749f9a4aa895aaa30f0460cc355ba8f1d75ad705c5e10b011abd9b6c3589a235ef431157b20f37efb2a57896bcc0361e9150 |
memory/3372-15-0x00007FF66B150000-0x00007FF66B4A4000-memory.dmp
C:\Windows\System\MXNIrBa.exe
| MD5 | bba0da8100853b0cadf89b4f75a8c503 |
| SHA1 | a535d1fc4906d0f6f5bcba95295ce7fa4caa9e1b |
| SHA256 | dcd60d045af229ce7c527052c6dd4e9989a9317261f91488e55aa3870bf69477 |
| SHA512 | 200576a96ed9731c4a0f33049510526054671e9e8f331d8aac175fb3f4608d7089c974349fdc895594a21ba5558fcacddbd1b386ceab36341282bb1570c84038 |
memory/4020-19-0x00007FF7BD9D0000-0x00007FF7BDD24000-memory.dmp
memory/1676-29-0x00007FF72C810000-0x00007FF72CB64000-memory.dmp
C:\Windows\System\gSKSOVQ.exe
| MD5 | 3946e974172c54348ee06d41380fec37 |
| SHA1 | 7a534d3aab18a67bee96ad212188497675339e08 |
| SHA256 | b2ddc793941481fa4b8f2d8dc6d59b3fc8824d57b8b85ee68214b9073ebe9abf |
| SHA512 | 78278eb9f9117db29a1b09a241eee3635422f1ae5d495cc8fe5f254bd4ee3666cfe19b96aaad0119fcdbce896a20a814661f2cfe33d031894f99dea4cf639b5e |
memory/1724-28-0x00007FF672A60000-0x00007FF672DB4000-memory.dmp
C:\Windows\System\QRTuytW.exe
| MD5 | 6d58af3cb61a270cb1a151182282ed22 |
| SHA1 | 56b47f888f10872d1237126bc4f694bb691cae79 |
| SHA256 | 6af66b95603dbc3fcd3fe892a4df20b8d9bb0595bca93449c6faf033e9d76fde |
| SHA512 | 84da1769a4368d3ffd5e5cb23f3ac65f1d57e9fecdf73a4c30c22dbd8248c0f1f1dadad324eb93f7c7a4e12a6355f87ac175c163a7013fea90e1871b87b9a993 |
memory/448-38-0x00007FF7191A0000-0x00007FF7194F4000-memory.dmp
C:\Windows\System\xFYDQPB.exe
| MD5 | 6f234a640267d836c5c0911c7205b5a3 |
| SHA1 | 5dc0c48ab788bcfb53a0703979bedca4e317e8e8 |
| SHA256 | b00b83361ec8f9623a777499444ac49e62d955dc7b0c73aee2968c6d3cf43def |
| SHA512 | 14efc04f5853af25591700a0dcbc8ec1917ec1de4ce49df458c60464945d5d2bf4feef16a74c50ce0558176b56382fe3d12eff1ebcd28888eb7f0d3aacbb4c01 |
memory/3688-42-0x00007FF62B2D0000-0x00007FF62B624000-memory.dmp
C:\Windows\System\ixQyWzp.exe
| MD5 | e16699fb3526a0b9c85b9327c6bc4821 |
| SHA1 | 9fdf7727167f45c08d2832d218be378dc03afa2e |
| SHA256 | a4213efd66b2b43187e00601175b7c5fe19462223d378c0f750dce81528c280a |
| SHA512 | 513f79bb80968cc71c6a929d7ae6a7fc4c5cb1b1222c19f0df8fb65a2ec5fa1f593dbc84648130cbc4b4d964d9ce8a682610f79ca6819d32f6b67f9003d64d80 |
memory/1460-48-0x00007FF70A400000-0x00007FF70A754000-memory.dmp
C:\Windows\System\amZaCWm.exe
| MD5 | d6918215bdf2736dd94e695c9506fd89 |
| SHA1 | 3d006686a0662136d87f45d622b961a62107cc8c |
| SHA256 | bf924592e508396975860351d6c2c2d2263188980edf889ce3e0dcb8e0d531d6 |
| SHA512 | 6bc3c07ac602a8513e89140b25000287fa895141704dc82a37009547d6200a2956870059aaa989dc4693ea13f243499c3927cc61f83a841dff9b71bcaa089725 |
memory/3116-58-0x00007FF715430000-0x00007FF715784000-memory.dmp
C:\Windows\System\pHmTovq.exe
| MD5 | d11e3815a815edd08e0c98c936f234d5 |
| SHA1 | 5067e9bbc171c9d8ef03733450963fa54cbe6060 |
| SHA256 | ff92aa350f7a9e695cac7936f8b69fd4647e8658f4e4d5f82d539e420fff01dc |
| SHA512 | 70bad11e17ab96a8ed519ccfbea216fbadeefbc8c90ba9326729b22e627fb9c6f113ba90dd2768111d08a0cfae247a46d756340b3876952e6a73daceae84fdec |
C:\Windows\System\hoibZht.exe
| MD5 | 1921f1a7fcb84cc5affb7f916499b863 |
| SHA1 | 9cea40aa1b322e2875498d765e3da4cb1fae0a31 |
| SHA256 | 036012641e87b2e642b9cd92e317bbabcd7cebdac913d1a8d54ed751ac1e5d3b |
| SHA512 | 34df64ffcb931c800b2ddbe508eaf5cf6a6d01f1d55c084f403d0fc9906d1a0f99a077a350846214c3bc5d1e852572f5547d7be56b851dd4f3811f564f7a8eee |
C:\Windows\System\BvzBwUc.exe
| MD5 | ab8535111834b686ac580d135a925193 |
| SHA1 | f60dcffe53d8c03ffb530bf09935b07e8efede7e |
| SHA256 | 02b4703bc115c963bbef3e57d2f79490664ff7a2f66dbf70aea4ebfad1a22647 |
| SHA512 | 341e07766735ada3a290b7b91885fa2bd46392986ed163ca68009adb09a9bf9de7649d2bb32ff476086d7698c82f946d21b957e3dc28e892c0110c393cc2c4d0 |
memory/2600-81-0x00007FF6F54F0000-0x00007FF6F5844000-memory.dmp
C:\Windows\System\OACEDIS.exe
| MD5 | 864917b5ff3f46dd4beb4868a966a2b8 |
| SHA1 | 8aad7b855b81d494908e744365389044ae07acb1 |
| SHA256 | 5a739eb0a14c00bada179527f4472abc8a207aa1c4b1b0b1fc5d816fdccb3a1c |
| SHA512 | 15c84fa37d369dcbb3b98cd6c3a84ae6cacd6c4cc41eef0def1e10d67dea67a5415aec50b648ddf5823deaf01a62bbb95d6b9ca99593bf1bcded6e0920f2e1f3 |
C:\Windows\System\huVnOnA.exe
| MD5 | ab432deb4ba114e460a69750a980acf2 |
| SHA1 | bf58a6cea329ef4ae8066d981028df9a72b8f963 |
| SHA256 | db4fcb8b1a1a8f0c4dde0b349112728a9725459febcfc559c5cc2191fcf3671c |
| SHA512 | 74dfcdfb1f0b54cd263bd3a53163a8837ff43e0401dbf874106d57705304751d73868c50900fa3f2d962e07b5f728ffc56ed3da5769ec01e598ec96eab1073fa |
C:\Windows\System\YcEHKJU.exe
| MD5 | 129f8a495c73edd351bba5089d2f3afd |
| SHA1 | 57446de12e822943ce2d2eb1dc11a8388812fdc2 |
| SHA256 | de803301db08b8766427d384d90464d18c95e871993e5b07343f29c8ba0d0801 |
| SHA512 | eb5d01432176630f7354ae147a50599ff9ee49f794e6cf0a161028009807152b50c7333895255274bafe2b0a7b5c4a68fcfcf4375ac21a4e2e27d63b216571f7 |
C:\Windows\System\uaEzJfB.exe
| MD5 | b1bab5c19c283ba3cdb8eb1677ee304a |
| SHA1 | 37899b8bcfac8bbe72980071812165393b39aba4 |
| SHA256 | 659f2a0d881bdb242beaf682c0ddb6f36dfefc7c999b1d334c0ecca9a8d06ffa |
| SHA512 | a2549d5227433fb61a2eb2f4b34a62d1b51c90cd4ba30645fcd4a0797a8510a6829f3b3c01ec77cc9f05727ce213160c3890676df096f483fdbea22cba4542aa |
C:\Windows\System\ImjuDzu.exe
| MD5 | 39da6152117572cf24068341085269ae |
| SHA1 | 2c65aecb80f076cb9bb5a896f918ad824790aac7 |
| SHA256 | 6562e7834fbd11502dc53903ccf4a63fada01eee0e834d7a91b8749f2bbd618e |
| SHA512 | 57a691b62338442ec08e683b2ef8da6fd25ebc93a8a70d32b08646ceb2db8821629e5d56114c7d3c633d8af22fa192e230df45b739792cec1bd0d6d569ed3623 |
memory/5024-94-0x00007FF677AB0000-0x00007FF677E04000-memory.dmp
memory/3372-93-0x00007FF66B150000-0x00007FF66B4A4000-memory.dmp
C:\Windows\System\JModeYO.exe
| MD5 | c61f845b1b89422dd6dc563f52b3a422 |
| SHA1 | e1813e32b3fcfd6e9e14d5ee7f68947b4a67c2de |
| SHA256 | e5157659d5a1cf155ee341252b0da08795849c5111acfa4083918fd5e49f89e4 |
| SHA512 | 781f3ade96e55a9d23cea2aba26e9a8bd3e24f76fd3ef935dd6cb41a7f1191d840512333ae1fb9101ea184427c029ca8409d1466f0ff47dccb5f869b83d6676b |
memory/3216-76-0x00007FF780350000-0x00007FF7806A4000-memory.dmp
memory/3992-70-0x00007FF6179B0000-0x00007FF617D04000-memory.dmp
memory/1948-67-0x00007FF6DE490000-0x00007FF6DE7E4000-memory.dmp
memory/2676-64-0x00007FF7F97D0000-0x00007FF7F9B24000-memory.dmp
C:\Windows\System\aZuYHoW.exe
| MD5 | 9a7fe9d5662a18f7fcc154b76b39c45f |
| SHA1 | 813af5677004d10a7f259bfdcfb0e1b0ddfab589 |
| SHA256 | 30c7ff47aea130fa8bce34e74e60365f117ec828ea9d4dd9ff9213524ef7372a |
| SHA512 | 7dd8a4eb29e9a37003e704eb39958315da2a208e88293fc18acced30efb2a4cc67295564ebf0795f30daadafed78abaa0533e229f0b5f9beedcf1dccc7d9e2cf |
C:\Windows\System\jshZuNz.exe
| MD5 | 5fd3da96539d8186a78959c37185f007 |
| SHA1 | 63900ef848052550555f473555a02f6bc7047767 |
| SHA256 | c077fedd51d13a8b6d7f57153271f82d6ac3d6c4a8e6bb83e952d109d48f39c1 |
| SHA512 | b48210dd55258602ca9547e7f39a90ebf9e6c9e9bce1aa989c4e6b528c13435259fd950d4f1a06b66cd417f7088ad9a832a4be50671f47162d5891cad3ef67ac |
memory/1676-119-0x00007FF72C810000-0x00007FF72CB64000-memory.dmp
memory/2440-124-0x00007FF773C20000-0x00007FF773F74000-memory.dmp
C:\Windows\System\TtDXnQN.exe
| MD5 | 86c5ec9f1cf0e225487e97247df78d7f |
| SHA1 | 96c9ee94263c3c582d5cf06bb9e09e71214ea564 |
| SHA256 | 741516b914c5a4ea3ce70cf1b4938a9e8684870eb4f97209a9e7bdc470b843b1 |
| SHA512 | 99e065c79da2878b22bde648199227b5037564ecf919ea01b694ba1251a0ccc5df8860bd21ee51814585cbafd0ceeed4850d5a6c259af05858c3b176c5a44b0c |