Analysis Overview
SHA256
ea08bb104b32bb812df7622bf24f990860b5ca7dab866d88eb9b7f69e13a0b63
Threat Level: Known bad
The file 2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-29 22:51
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 22:50
Reported
2024-05-29 22:53
Platform
win7-20240215-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UuvZGKq.exe | N/A |
| N/A | N/A | C:\Windows\System\nMmyuqu.exe | N/A |
| N/A | N/A | C:\Windows\System\EiyCOev.exe | N/A |
| N/A | N/A | C:\Windows\System\bGfvSWK.exe | N/A |
| N/A | N/A | C:\Windows\System\yfuffHC.exe | N/A |
| N/A | N/A | C:\Windows\System\JJgCJJs.exe | N/A |
| N/A | N/A | C:\Windows\System\YqqYhII.exe | N/A |
| N/A | N/A | C:\Windows\System\dzJBVFv.exe | N/A |
| N/A | N/A | C:\Windows\System\GXJQJwi.exe | N/A |
| N/A | N/A | C:\Windows\System\inJcDXF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLXCvIA.exe | N/A |
| N/A | N/A | C:\Windows\System\AlYpvZN.exe | N/A |
| N/A | N/A | C:\Windows\System\cCigySK.exe | N/A |
| N/A | N/A | C:\Windows\System\YVXVJtK.exe | N/A |
| N/A | N/A | C:\Windows\System\TarzKJG.exe | N/A |
| N/A | N/A | C:\Windows\System\UZRuUQG.exe | N/A |
| N/A | N/A | C:\Windows\System\TVFSCJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jlfcLVt.exe | N/A |
| N/A | N/A | C:\Windows\System\hJqtThQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kaeabXr.exe | N/A |
| N/A | N/A | C:\Windows\System\oIbbvak.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UuvZGKq.exe | C:\Windows\System\UuvZGKq.exe |
| C:\Windows\System\nMmyuqu.exe | C:\Windows\System\nMmyuqu.exe |
| C:\Windows\System\EiyCOev.exe | C:\Windows\System\EiyCOev.exe |
| C:\Windows\System\bGfvSWK.exe | C:\Windows\System\bGfvSWK.exe |
| C:\Windows\System\yfuffHC.exe | C:\Windows\System\yfuffHC.exe |
| C:\Windows\System\JJgCJJs.exe | C:\Windows\System\JJgCJJs.exe |
| C:\Windows\System\YqqYhII.exe | C:\Windows\System\YqqYhII.exe |
| C:\Windows\System\dzJBVFv.exe | C:\Windows\System\dzJBVFv.exe |
| C:\Windows\System\GXJQJwi.exe | C:\Windows\System\GXJQJwi.exe |
| C:\Windows\System\inJcDXF.exe | C:\Windows\System\inJcDXF.exe |
| C:\Windows\System\ZLXCvIA.exe | C:\Windows\System\ZLXCvIA.exe |
| C:\Windows\System\AlYpvZN.exe | C:\Windows\System\AlYpvZN.exe |
| C:\Windows\System\cCigySK.exe | C:\Windows\System\cCigySK.exe |
| C:\Windows\System\YVXVJtK.exe | C:\Windows\System\YVXVJtK.exe |
| C:\Windows\System\UZRuUQG.exe | C:\Windows\System\UZRuUQG.exe |
| C:\Windows\System\TarzKJG.exe | C:\Windows\System\TarzKJG.exe |
| C:\Windows\System\TVFSCJJ.exe | C:\Windows\System\TVFSCJJ.exe |
| C:\Windows\System\jlfcLVt.exe | C:\Windows\System\jlfcLVt.exe |
| C:\Windows\System\hJqtThQ.exe | C:\Windows\System\hJqtThQ.exe |
| C:\Windows\System\kaeabXr.exe | C:\Windows\System\kaeabXr.exe |
| C:\Windows\System\oIbbvak.exe | C:\Windows\System\oIbbvak.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 22:50
Reported
2024-05-29 22:53
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UuvZGKq.exe | N/A |
| N/A | N/A | C:\Windows\System\nMmyuqu.exe | N/A |
| N/A | N/A | C:\Windows\System\EiyCOev.exe | N/A |
| N/A | N/A | C:\Windows\System\yfuffHC.exe | N/A |
| N/A | N/A | C:\Windows\System\bGfvSWK.exe | N/A |
| N/A | N/A | C:\Windows\System\JJgCJJs.exe | N/A |
| N/A | N/A | C:\Windows\System\YqqYhII.exe | N/A |
| N/A | N/A | C:\Windows\System\dzJBVFv.exe | N/A |
| N/A | N/A | C:\Windows\System\inJcDXF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLXCvIA.exe | N/A |
| N/A | N/A | C:\Windows\System\GXJQJwi.exe | N/A |
| N/A | N/A | C:\Windows\System\AlYpvZN.exe | N/A |
| N/A | N/A | C:\Windows\System\cCigySK.exe | N/A |
| N/A | N/A | C:\Windows\System\YVXVJtK.exe | N/A |
| N/A | N/A | C:\Windows\System\UZRuUQG.exe | N/A |
| N/A | N/A | C:\Windows\System\TarzKJG.exe | N/A |
| N/A | N/A | C:\Windows\System\TVFSCJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jlfcLVt.exe | N/A |
| N/A | N/A | C:\Windows\System\oIbbvak.exe | N/A |
| N/A | N/A | C:\Windows\System\hJqtThQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kaeabXr.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_af079aa3400563833efc3c4835e57a45_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UuvZGKq.exe | C:\Windows\System\UuvZGKq.exe |
| C:\Windows\System\nMmyuqu.exe | C:\Windows\System\nMmyuqu.exe |
| C:\Windows\System\EiyCOev.exe | C:\Windows\System\EiyCOev.exe |
| C:\Windows\System\bGfvSWK.exe | C:\Windows\System\bGfvSWK.exe |
| C:\Windows\System\yfuffHC.exe | C:\Windows\System\yfuffHC.exe |
| C:\Windows\System\JJgCJJs.exe | C:\Windows\System\JJgCJJs.exe |
| C:\Windows\System\YqqYhII.exe | C:\Windows\System\YqqYhII.exe |
| C:\Windows\System\dzJBVFv.exe | C:\Windows\System\dzJBVFv.exe |
| C:\Windows\System\GXJQJwi.exe | C:\Windows\System\GXJQJwi.exe |
| C:\Windows\System\inJcDXF.exe | C:\Windows\System\inJcDXF.exe |
| C:\Windows\System\ZLXCvIA.exe | C:\Windows\System\ZLXCvIA.exe |
| C:\Windows\System\AlYpvZN.exe | C:\Windows\System\AlYpvZN.exe |
| C:\Windows\System\cCigySK.exe | C:\Windows\System\cCigySK.exe |
| C:\Windows\System\YVXVJtK.exe | C:\Windows\System\YVXVJtK.exe |
| C:\Windows\System\UZRuUQG.exe | C:\Windows\System\UZRuUQG.exe |
| C:\Windows\System\TarzKJG.exe | C:\Windows\System\TarzKJG.exe |
| C:\Windows\System\TVFSCJJ.exe | C:\Windows\System\TVFSCJJ.exe |
| C:\Windows\System\jlfcLVt.exe | C:\Windows\System\jlfcLVt.exe |
| C:\Windows\System\hJqtThQ.exe | C:\Windows\System\hJqtThQ.exe |
| C:\Windows\System\kaeabXr.exe | C:\Windows\System\kaeabXr.exe |
| C:\Windows\System\oIbbvak.exe | C:\Windows\System\oIbbvak.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 88.221.83.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1480-0-0x00007FF734D60000-0x00007FF7350B1000-memory.dmp
memory/1480-1-0x00000188503D0000-0x00000188503E0000-memory.dmp
memory/3368-7-0x00007FF788280000-0x00007FF7885D1000-memory.dmp
C:\Windows\System\UuvZGKq.exe
| MD5 | 137476a7edec52f60a47a9392e485944 |
| SHA1 | 5f994d3c491f3dd056f9e591af2b36ea41d34eee |
| SHA256 | fa8068e3b32a28c2fa4dd1ca597b347b65fa5278416023de2def1fdd2f86de09 |
| SHA512 | 69333a01515992958f59d07f7107fdd8223347845186df5836b4b871ef4ab13baf4f8959ebde98ecb6fb124fce92a9819782547780053b9feb2c683077a90cbb |
C:\Windows\System\nMmyuqu.exe
| MD5 | 30cb41265a4975d5ed6c4a3249568c3f |
| SHA1 | 3396d48cf786a9e146f64c7e57111edb518ded0a |
| SHA256 | 69edd98ea57062862dc5c5c08f857e24d13d0077b954f092390cb2d8f0302fc1 |
| SHA512 | 00b52ca4835862a854c348880011df77b0fb5b7389ccb1b0f87a4c09c92afdc4f5ceff3408dfb340538e0c60f3506684ef01a6737f2828c669281c1cf8491da4 |
C:\Windows\System\EiyCOev.exe
| MD5 | 204a897f4f25be88a48a184cca569813 |
| SHA1 | 266f532784f4b69fb42faf785ebda510e28ca8c9 |
| SHA256 | 320e0eca289e85557571b89fc0138f475d67395e31c91017d290037e6e6874e5 |
| SHA512 | fd537893ee4219747e31ea8c84eb8d1759543a275a8222d24d4047edc1660453956d31eb2582016796a0f5cc686b8f44e2c2c27efa62941558e310708b541db4 |
memory/3044-22-0x00007FF6D6BE0000-0x00007FF6D6F31000-memory.dmp
C:\Windows\System\yfuffHC.exe
| MD5 | 7dbbd1f93db6270ac490019a7992c1bb |
| SHA1 | d20bccddf392bc3d0a2eb4280866562d4de1c688 |
| SHA256 | aeea98626e453aa21b3610e7c410ab9d06669804cc5eaedd89a4ad11b577d986 |
| SHA512 | 145074c04effe458a807dc7a60c8ff5043e23475b49a5de23ee364e3c02e60a91a464c4e8cd50870ad5b60d114d4df991880879e8fd18764d30cdc1926da7a42 |
C:\Windows\System\bGfvSWK.exe
| MD5 | e590f816213f4cb4b7bcae197988140f |
| SHA1 | d4d7a044aec08c2f79502648decb9a1f38d37961 |
| SHA256 | f0093f406f2e464bb2e8e17c19d02b91f5f03c2afca8326abe1a65caf0556364 |
| SHA512 | 4824b0bfcfce809398393e313dfd55962bb237a0aac17a07784ab580a710e3d1fbe6f7c9006fd958048d140ef1dd0d4a0944502f165e2d2fc1e056b15bc71137 |
C:\Windows\System\AlYpvZN.exe
| MD5 | a6b8ee3626663e67afd9ba60176bc296 |
| SHA1 | a97f98f1702a312d7e4948e2a012f21830446a67 |
| SHA256 | 9ea1d49b110e247303b712c2bc895ab5ef0ddecadc52d1f08e03a98334ca6aab |
| SHA512 | e35088fa4fc36b418ab4a049f31d17e7a5809379bfce398c4e8b9aba8b93d00b9e7daa970a6098da3d194a782b136a8f9bf75e3f959862ce934ffcb3540aaf52 |
C:\Windows\System\dzJBVFv.exe
| MD5 | be34652434e6d15fecd680db20d6e760 |
| SHA1 | 979e08402a786bfdf0539ea8c4c7a5bc1af92648 |
| SHA256 | 0ad13e55ba564531affafb1e56b7b3ca15002f33c2dd956bd5c82eb3febe506a |
| SHA512 | 037af29ea135a8de1a4227c8f75c81fd90a320cbc790c256f1ee9d3c1fdc654d84eb9c2d88f846aaa1559c34569a67eded1cd180fc758d5a83a35ae38c08b8b6 |
memory/4220-70-0x00007FF6AB9F0000-0x00007FF6ABD41000-memory.dmp
C:\Windows\System\UZRuUQG.exe
| MD5 | 6c7a72e6af7088fb7d7598ce02983372 |
| SHA1 | 5a337ccc1ec4823183dce41d70c9930d129b29ba |
| SHA256 | 99ec096b25e65b4c98c35085e129dc6a533965618efeaa7a5b82f843bf61ee23 |
| SHA512 | cd9d1d4aeb5a2baf24bc3c3838ba824a6e54c97f397a7c1b8cf7fac3629ef74513a7ef1aa9cb4133a0c8451f97a474e42b8a0ceca8b3d6bdf76b7d455759ae28 |
memory/4224-93-0x00007FF619F50000-0x00007FF61A2A1000-memory.dmp
memory/3996-98-0x00007FF61B700000-0x00007FF61BA51000-memory.dmp
memory/4488-97-0x00007FF7AE060000-0x00007FF7AE3B1000-memory.dmp
memory/4872-96-0x00007FF7A20D0000-0x00007FF7A2421000-memory.dmp
memory/4732-95-0x00007FF7D5520000-0x00007FF7D5871000-memory.dmp
C:\Windows\System\TarzKJG.exe
| MD5 | e90b89844bafbfcff7d799556ac58526 |
| SHA1 | 60966695b75bc46bd3f5e9a957f427d558a3ba15 |
| SHA256 | 4668b4622f5d9702621f6c621bd05727dd5b741cf74d63ee1051e508834d530c |
| SHA512 | 793490f5b6e466e498622be8af7a9f45671f15f0c95bf1e5eb969eda4448f676d681302b9ec9fbc16062acce4124b941bc70d0299f7129f873bd7846fcfd1433 |
memory/892-90-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp
memory/4504-87-0x00007FF6538F0000-0x00007FF653C41000-memory.dmp
C:\Windows\System\YVXVJtK.exe
| MD5 | 82cf58e3c009db7df303cfdfda852251 |
| SHA1 | 2c05955e82979d9989842bf85744df8c33dcf266 |
| SHA256 | 3e86be327591c82c55f761f15f862811c29d1ed71f78a300e6e785eccae81cf3 |
| SHA512 | 96e426679db3f622ec39c2ed25fd0fd40734dbd35bb6094bba4fa69468cb9e0742039ce35fc37cecd55a382c7a1f1e1abc84c75a085af0854f965c3afede386b |
C:\Windows\System\cCigySK.exe
| MD5 | 3dd7aebb0796a29c65968773c064d943 |
| SHA1 | cb0353afc5b86925fc10555669aec3b107a62ddc |
| SHA256 | 8afc514b6c86749e1f7095a97fe7ad2f12886e2cd0d0ba2ce6ee559f50db7a17 |
| SHA512 | 3f8e08346f0869347ec5cf49a9b263a4ad410b3766823516060720da97db77704aa5640439434fd5f53992b4b0476d581c881510b07168afd3a520f5d2ed253d |
memory/3708-82-0x00007FF71F080000-0x00007FF71F3D1000-memory.dmp
memory/1156-79-0x00007FF745370000-0x00007FF7456C1000-memory.dmp
C:\Windows\System\GXJQJwi.exe
| MD5 | 7ce660f919d7ca1fca12e0896a2c0e1a |
| SHA1 | 2150d758f729e8768b2758e02c6b9647fd79a2a2 |
| SHA256 | 34cc844f6091e494a98e96eb946c0ec44ce3cc8d29bb4ac34687afa9df7a6148 |
| SHA512 | 6547d30e6892c71628608259ce35575869a480bb1b85b2baef5bb9e23e0621f44ebdb9e749d57be31ddcb136e9827909a8706c808e6e1372bd58007bf368ddae |
C:\Windows\System\ZLXCvIA.exe
| MD5 | c902090eb84336a38c912f47d3acd99b |
| SHA1 | 265f6506fed4aaf52c4faad83bae204453fdf0ea |
| SHA256 | a3da49163aec0fd9a73d20285c295a98f2268067eade3a107550acdc6b876591 |
| SHA512 | 73e4c295f37c0725b75a242dbcb3d665d33b5bd1dba7e29bbd31c0d2941961dce392911bd9b50773144f739b380651d0852e3763ad92028e84fd632c364fe5e8 |
C:\Windows\System\inJcDXF.exe
| MD5 | 4e4010fa9fbd18cd2c08887e12b5a278 |
| SHA1 | 8d149de33b90fb61ca9b7885befca8876b886c6e |
| SHA256 | 0900535ae3af05a537ddcb96879a9b7791f306a607d785db0e8c6a6eb06d8c21 |
| SHA512 | 22054aacdf06d02e234b7978584a5d7b119119fed9136d441de9ef4b6a97ae7dcee2131207964f6d405f803fb12949ccb8a9db92f936b8e656ef2a5abc4be9ea |
C:\Windows\System\JJgCJJs.exe
| MD5 | 9f2976ad0724a32e84eb119801fce850 |
| SHA1 | fcd4554c57a7fa8a5f8f61b38bcfce11bad65c94 |
| SHA256 | f236b65693293711260b96bc3ed0d86cf09d60cf6a64ea6a8c0ad6eec7edbf82 |
| SHA512 | bf2d298cace5a53c8ae8a42203ff0052ce8a3e831373b420d87c6c1f2a85bb3cc617245c3915e982b756cc87c2b87d18474676f6d2c7f234087a2a131e53cd79 |
memory/3944-55-0x00007FF6E1D40000-0x00007FF6E2091000-memory.dmp
C:\Windows\System\YqqYhII.exe
| MD5 | 67291b3f5e85e79e0bcf1711fa976d67 |
| SHA1 | ac9ad4f13629100a4f2e0b98823f758376a25cc9 |
| SHA256 | e4884909a8310118f52d4f7c956cd29719fa5bb7704c65e5c0cf6fdf7392e3a7 |
| SHA512 | 9be7c4c01f9f035f4f46388ba65158fc2082dc1235cc011b7cbf0778d87503cf9411cd4b06fded267780e91c4619a076de9e1595da69eef9a48cee585d4dae2f |
memory/4396-42-0x00007FF6E3F70000-0x00007FF6E42C1000-memory.dmp
memory/2440-31-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp
memory/1552-12-0x00007FF647810000-0x00007FF647B61000-memory.dmp
C:\Windows\System\TVFSCJJ.exe
| MD5 | 796ed3c2257e5bd8a9edbebde5fcb8a5 |
| SHA1 | 4ed8394af4048d28989b279ed0d5a09b16163ac2 |
| SHA256 | 90f537bf97ce1b17db202ebf77f291868b518fed0dd477945657f8efea115d8f |
| SHA512 | 3cbbf548994f164ef3431dbde39da958d5b60375d9d933cb52ddce74d38d999ecfddcf271e320b50c94fec4f16d6c6ee3e2b11e7748adfc41fd8d470180b28ce |
memory/3944-114-0x00007FF6E1D40000-0x00007FF6E2091000-memory.dmp
memory/4504-120-0x00007FF6538F0000-0x00007FF653C41000-memory.dmp
C:\Windows\System\jlfcLVt.exe
| MD5 | 51bffa6f923b361cef9ac20b7d7321c1 |
| SHA1 | 7237c49d77932ef6bd0754ad7a7d031e7a3e1456 |
| SHA256 | af7a51b8c5f8df067d08cd3ff9c9f4f10d54c1bf76f47023da768dce82a65556 |
| SHA512 | bacc64f9b6e4a2ac023c2ed93b838b56dd0f01ca6a241b76a9034928806c85c1ea50d58c3324bf35f67671841f6bda409f1aa1458f53a8327c60623bef0371f0 |
C:\Windows\System\kaeabXr.exe
| MD5 | 3b1baf30b742a51a514f26bc898e43ce |
| SHA1 | 0bb1d312021e15ae579333d625d0dd9245d15649 |
| SHA256 | 4491a94cb1f3f50dc351cb0060a68296a96a9dd605c3b1bf6d6c7a15c279f4eb |
| SHA512 | e26da4aa87098d2706b185bd3e60328a965dec12d2c3d9a0125f1a318b0866111059dc2b3189580240dcc6ee4ce152b4948179e431ab0aa06e98a497ee5779c4 |
C:\Windows\System\oIbbvak.exe
| MD5 | 1dd2a5b496b3d5d052fa9e6c3787d7f8 |
| SHA1 | 930b75eaa1063fa4fe856a785c837a680e547de0 |
| SHA256 | 42e6ab6e2c957c6094f54e832947d027f21d1d4286017fbb2635fa1965473156 |
| SHA512 | d35715f95c0de9b417ce19ed99695ecce0f0576d0acbb73356c3e767cfea7b13c83d739c9c1178561f5923ce1fab4d04ab512c3f4c2546f53181007e50b93eed |
memory/4128-140-0x00007FF74F900000-0x00007FF74FC51000-memory.dmp
C:\Windows\System\hJqtThQ.exe
| MD5 | df3339a162803453bba1dd4ee34beb1e |
| SHA1 | 820ebd5e27292e60b838518be61dc4a0b92ea0fe |
| SHA256 | 539f92bc2aebdab803dffc1baa973fd478a9112dce876485b45225f749ccf22d |
| SHA512 | 9e44fefdec218bf17afae6541c187009630af75f6ed1ba1ccefe3ecec5d56fc87e386d53a72ea1e9550a63e0e189cf0e5e02837bc6fd6202b3044857bb004ac4 |
memory/2044-138-0x00007FF6385E0000-0x00007FF638931000-memory.dmp
memory/5060-137-0x00007FF7C3920000-0x00007FF7C3C71000-memory.dmp
memory/4048-135-0x00007FF68AEB0000-0x00007FF68B201000-memory.dmp
memory/64-132-0x00007FF7BD540000-0x00007FF7BD891000-memory.dmp
memory/1156-116-0x00007FF745370000-0x00007FF7456C1000-memory.dmp
memory/4220-115-0x00007FF6AB9F0000-0x00007FF6ABD41000-memory.dmp
memory/2440-111-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp
memory/4396-110-0x00007FF6E3F70000-0x00007FF6E42C1000-memory.dmp
memory/3044-109-0x00007FF6D6BE0000-0x00007FF6D6F31000-memory.dmp
memory/1552-108-0x00007FF647810000-0x00007FF647B61000-memory.dmp
memory/3368-107-0x00007FF788280000-0x00007FF7885D1000-memory.dmp
memory/1480-106-0x00007FF734D60000-0x00007FF7350B1000-memory.dmp
memory/1480-145-0x00007FF734D60000-0x00007FF7350B1000-memory.dmp
memory/5060-165-0x00007FF7C3920000-0x00007FF7C3C71000-memory.dmp
memory/2044-166-0x00007FF6385E0000-0x00007FF638931000-memory.dmp
memory/4128-164-0x00007FF74F900000-0x00007FF74FC51000-memory.dmp
memory/1480-167-0x00007FF734D60000-0x00007FF7350B1000-memory.dmp
memory/3368-199-0x00007FF788280000-0x00007FF7885D1000-memory.dmp
memory/1552-201-0x00007FF647810000-0x00007FF647B61000-memory.dmp
memory/3044-203-0x00007FF6D6BE0000-0x00007FF6D6F31000-memory.dmp
memory/2440-205-0x00007FF742E90000-0x00007FF7431E1000-memory.dmp
memory/4396-208-0x00007FF6E3F70000-0x00007FF6E42C1000-memory.dmp
memory/3944-209-0x00007FF6E1D40000-0x00007FF6E2091000-memory.dmp
memory/4224-211-0x00007FF619F50000-0x00007FF61A2A1000-memory.dmp
memory/4732-213-0x00007FF7D5520000-0x00007FF7D5871000-memory.dmp
memory/4220-219-0x00007FF6AB9F0000-0x00007FF6ABD41000-memory.dmp
memory/3708-221-0x00007FF71F080000-0x00007FF71F3D1000-memory.dmp
memory/4872-218-0x00007FF7A20D0000-0x00007FF7A2421000-memory.dmp
memory/1156-216-0x00007FF745370000-0x00007FF7456C1000-memory.dmp
memory/892-227-0x00007FF7818A0000-0x00007FF781BF1000-memory.dmp
memory/4488-229-0x00007FF7AE060000-0x00007FF7AE3B1000-memory.dmp
memory/3996-225-0x00007FF61B700000-0x00007FF61BA51000-memory.dmp
memory/4504-224-0x00007FF6538F0000-0x00007FF653C41000-memory.dmp
memory/64-242-0x00007FF7BD540000-0x00007FF7BD891000-memory.dmp
memory/4048-244-0x00007FF68AEB0000-0x00007FF68B201000-memory.dmp
memory/2044-246-0x00007FF6385E0000-0x00007FF638931000-memory.dmp
memory/4128-248-0x00007FF74F900000-0x00007FF74FC51000-memory.dmp
memory/5060-250-0x00007FF7C3920000-0x00007FF7C3C71000-memory.dmp