Analysis Overview
SHA256
f39875c1523d321881abaa9c06e6e0294292cc998115f18203a093df12b15eb9
Threat Level: Known bad
The file 2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:19
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:19
Reported
2024-05-29 19:21
Platform
win7-20240215-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DxKMyfu.exe | N/A |
| N/A | N/A | C:\Windows\System\YjRNVNX.exe | N/A |
| N/A | N/A | C:\Windows\System\TAwILIm.exe | N/A |
| N/A | N/A | C:\Windows\System\xAuvTlN.exe | N/A |
| N/A | N/A | C:\Windows\System\xEcMMep.exe | N/A |
| N/A | N/A | C:\Windows\System\hqOYwxm.exe | N/A |
| N/A | N/A | C:\Windows\System\iAdnYXX.exe | N/A |
| N/A | N/A | C:\Windows\System\UFdOzeD.exe | N/A |
| N/A | N/A | C:\Windows\System\NxlNMhB.exe | N/A |
| N/A | N/A | C:\Windows\System\ithSLkS.exe | N/A |
| N/A | N/A | C:\Windows\System\EXzjbiq.exe | N/A |
| N/A | N/A | C:\Windows\System\JWxuRpu.exe | N/A |
| N/A | N/A | C:\Windows\System\BtywuiJ.exe | N/A |
| N/A | N/A | C:\Windows\System\RNixXau.exe | N/A |
| N/A | N/A | C:\Windows\System\edTFSYc.exe | N/A |
| N/A | N/A | C:\Windows\System\bFbdeIt.exe | N/A |
| N/A | N/A | C:\Windows\System\JVQCiAK.exe | N/A |
| N/A | N/A | C:\Windows\System\JkAykVh.exe | N/A |
| N/A | N/A | C:\Windows\System\kCkoRis.exe | N/A |
| N/A | N/A | C:\Windows\System\WhwKooo.exe | N/A |
| N/A | N/A | C:\Windows\System\vOZBwtd.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\DxKMyfu.exe
C:\Windows\System\DxKMyfu.exe
C:\Windows\System\YjRNVNX.exe
C:\Windows\System\YjRNVNX.exe
C:\Windows\System\TAwILIm.exe
C:\Windows\System\TAwILIm.exe
C:\Windows\System\xAuvTlN.exe
C:\Windows\System\xAuvTlN.exe
C:\Windows\System\xEcMMep.exe
C:\Windows\System\xEcMMep.exe
C:\Windows\System\hqOYwxm.exe
C:\Windows\System\hqOYwxm.exe
C:\Windows\System\iAdnYXX.exe
C:\Windows\System\iAdnYXX.exe
C:\Windows\System\UFdOzeD.exe
C:\Windows\System\UFdOzeD.exe
C:\Windows\System\NxlNMhB.exe
C:\Windows\System\NxlNMhB.exe
C:\Windows\System\ithSLkS.exe
C:\Windows\System\ithSLkS.exe
C:\Windows\System\EXzjbiq.exe
C:\Windows\System\EXzjbiq.exe
C:\Windows\System\JWxuRpu.exe
C:\Windows\System\JWxuRpu.exe
C:\Windows\System\BtywuiJ.exe
C:\Windows\System\BtywuiJ.exe
C:\Windows\System\RNixXau.exe
C:\Windows\System\RNixXau.exe
C:\Windows\System\edTFSYc.exe
C:\Windows\System\edTFSYc.exe
C:\Windows\System\bFbdeIt.exe
C:\Windows\System\bFbdeIt.exe
C:\Windows\System\JVQCiAK.exe
C:\Windows\System\JVQCiAK.exe
C:\Windows\System\JkAykVh.exe
C:\Windows\System\JkAykVh.exe
C:\Windows\System\kCkoRis.exe
C:\Windows\System\kCkoRis.exe
C:\Windows\System\WhwKooo.exe
C:\Windows\System\WhwKooo.exe
C:\Windows\System\vOZBwtd.exe
C:\Windows\System\vOZBwtd.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2208-0-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2208-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\DxKMyfu.exe
| MD5 | 9a7bf31b3323e556cab055192eb9095a |
| SHA1 | 3527da6a27f0a742b6c13a42eee45695e29ad20b |
| SHA256 | 90f532301046ae73e54b790d62cef53a591f7f9b1f4571e75c72d4acb829ddee |
| SHA512 | 35018a3cb52390a2c486ce2493219679dc4d00169c558a3ad6a72a1b3fc52c47ab1a3cd66d0d885c37513174fcc770c84bd000cc8a3e3726dba3eca273c1c686 |
memory/2280-8-0x000000013FEA0000-0x00000001401F4000-memory.dmp
\Windows\system\YjRNVNX.exe
| MD5 | ba7a5b669d151d589f6ce151ea20075b |
| SHA1 | d8c66a56b2618a2729497fab8bfa333d6578f25f |
| SHA256 | 6725a88e08d12be71b4ac2127197dd0bb14e2db37cd950c82ec83e8b4997ee75 |
| SHA512 | 7b7353b2e2700d191ed4e919b762346cf1394a3c89710bf7fdbf804f651ea6974a00a9211f8b824d30f3aa4691940293cce390527cf713ff5e6ae107cf35d7e6 |
C:\Windows\system\TAwILIm.exe
| MD5 | 12903d5408477f8b4f58201eb000674a |
| SHA1 | 4ba2932876140d0a36c836b2a4d8fdcf429a5676 |
| SHA256 | 823300d2a0b048b0f05d136d871eef8298c43c8d15f0c278ce75a76cffb914c1 |
| SHA512 | 606971499442e2e4fd84fa9297ebc5ced62ce26c763edceeefa56b942a213cc798d2dca87d2d08a9099527f47382a4fa98bc8ffa8d502cd0573659b943844732 |
memory/2208-21-0x000000013F3C0000-0x000000013F714000-memory.dmp
\Windows\system\xAuvTlN.exe
| MD5 | f7e900695f326c98645628d6cd863a14 |
| SHA1 | 4b6e8c12ebb894cd89f9940f0b23d3339dcd0bd3 |
| SHA256 | 9e7fc6610150ab26f01bcf4da81f87f7568deccb78f4d1a6451a438c54da187c |
| SHA512 | 00ca52b30f041143dc2f004978a493d882422947710d18a17b410ab6b7924a58d00b212fbdb8122ed74b224eb977fee7ec1632c3cddfd2fa628c31c62fcd2c05 |
C:\Windows\system\xEcMMep.exe
| MD5 | 5ca6a6f09dc2b081fc0277330bc59d0e |
| SHA1 | abbe987cd63a3f5b268d10d97ef406f7049e3222 |
| SHA256 | 433dbc65d72f5aa273a54c10e5d33854a659e4829ccc81eab448d3f45e6fc375 |
| SHA512 | f18eb2df47f0776eaffee87eb46e03f092441824e247861cf5051fe78093f823bc12257c1ff16a4e04014a3871ca3c7532f6302b78587b3c2106cebdd5974dcb |
memory/2668-35-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
\Windows\system\hqOYwxm.exe
| MD5 | 92ec7fb53443b48238adf53994062b95 |
| SHA1 | 1f524e4cd05b3dda0eabb02e0196f6e16a3e974c |
| SHA256 | 0a77f61c09077d5cfea8b5c93b7a4157e08a0cac5c9512a813cf2c9bb36a2f53 |
| SHA512 | 3fa5735f19b1cafe1a419060a0948d920f74d43bcd85da9c5d3cc52c97617131c5b6004173ac2480c1023be9dcb0b18a2c1e6241aafa8ada5fea7be4fbfd9dcd |
memory/2868-42-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\iAdnYXX.exe
| MD5 | 47e4b694befb82e85c1247ea78ce347a |
| SHA1 | 2ca9e69e275cf7ac210afd82772ca9e19b2db766 |
| SHA256 | cad6a15ece84593d5bc7fd6fe239b71f56ba2c9c2a17db489b474c76d8f359ef |
| SHA512 | 843aa3c6cfb21592ae2baf7cc048bf99149ccd89054d1a25a52ade9cfa0315edbc9f8410d7ba35a8801737f8d9a4d94198a83096ea7a94631c1e276bacc0200f |
C:\Windows\system\UFdOzeD.exe
| MD5 | ef06349e6b44aa41d7c0e317fde69db4 |
| SHA1 | 12e3f5dd3d59971b37890c8259930fc5ee5a97cb |
| SHA256 | a4cb5bfbf09c48efe2abea7d463904287065ba5b93e627c6366d7415fd60a038 |
| SHA512 | 15432efc7098729052e34614a9abe1e430b85a429b3aea8904f615370238f4e242ca9801074bc12b323b4793f1ddbf461f6332b779d8f7a0e458dbc1469a3ab1 |
memory/2592-50-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2492-56-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2280-68-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2524-61-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2488-73-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2208-72-0x0000000002300000-0x0000000002654000-memory.dmp
\Windows\system\JWxuRpu.exe
| MD5 | 2e150af7dd38ab26c616236ccee9b9db |
| SHA1 | 725c7b4851fa299e5a68b787d08a7b09252361df |
| SHA256 | a160b22b71371fa2407186a27d762b4dbf6148f7767edb580e4adf4e918ce7cd |
| SHA512 | a29b4c80af4190a51189c9433bd12696e716e60697eaf50c7948276f36c57d65d88355d01c97f512db9cb70570cbed413d156c42c46e455bc88d562ac7b49c33 |
memory/2208-92-0x000000013FC40000-0x000000013FF94000-memory.dmp
C:\Windows\system\kCkoRis.exe
| MD5 | 63404870d40a424180155f7030b4c9e9 |
| SHA1 | b48f495639f6113932237699d35547c094c5b6ba |
| SHA256 | f45d935670380c7ae9338bbd2fca8fae042d5d8bfe36bf4543659b92f2fa0120 |
| SHA512 | ebfa4a9fd49c264261bfa2bff993e4086105a86a4b341c499c48c42b3989106a284f920f2e747b3fcafa5f6b16efc9923693bbe8df10cf357b5b28560727daff |
C:\Windows\system\WhwKooo.exe
| MD5 | 72828e3b5228509b95742c093470d79a |
| SHA1 | 84dca47c801ed30934afe1272ebe3249103b51c3 |
| SHA256 | dad243cabd2de801381f06d331fab2aea7f53ad6d424bb54cb7f2943111cd32c |
| SHA512 | 4319ce83ef08bbb24cc762bb0e16a596f6e26b5edb861bd848b49b8427e60c54c722dee61562c68e56fc4e038d8faf9979ce1a000e93d84c1fd05d286374ecf3 |
\Windows\system\vOZBwtd.exe
| MD5 | 05bf191a8c84ebc60d00a59783cc89e0 |
| SHA1 | 6275ed16ad5b265fa77d402e3db5e573a249b939 |
| SHA256 | 39a09490c92a3d6cddef9884fac72636f653cd4e35b92c0bbbb345933f54a4bf |
| SHA512 | 1ec2e9cb0d4e42c8189f01440c7586a3064408aa10877b31d2f4cfd1bbba2746c3c8a18ca5955f5b281fdba0bc74031f60815ddaa67f0c3e36639148b97c055c |
C:\Windows\system\JVQCiAK.exe
| MD5 | 364002800f4c119fc6b5d66cd85fbcfb |
| SHA1 | 5aa45f8eb9763b4ca0060380cf5c4a51ed5f47c2 |
| SHA256 | 0f76ff3c5220c76fb1e0777905f0a50b33edda2fbf3463cbca14808565db9faa |
| SHA512 | 9f33ec2182dccdc8b8e5ea506074490329b3b1ab7c4a9b2599ac8844e67d4f52de4d765aba427fc7f66c60c8a2cff5474f48b1533b841a3ac8ac092a10476369 |
C:\Windows\system\JkAykVh.exe
| MD5 | 5a23da7297d50e4a59198419526902b2 |
| SHA1 | 11eb6d6242040f2131db5d5130e83f269de476f3 |
| SHA256 | 44f85021a6eced75ba0da24fabbc3888d037286012ba4fbe84db98e8d7248be3 |
| SHA512 | 274b77b03fd60afc7eca7a9401547426397b7c97fb987b42dc3237fe358fa9a4f7215d3e56fe8b54dcdd1010c894a0cc088d2b672776ff2a17be91811f2bc0b4 |
memory/2208-106-0x0000000002300000-0x0000000002654000-memory.dmp
C:\Windows\system\edTFSYc.exe
| MD5 | bb2b04850154f86a8ec845f5e88d0763 |
| SHA1 | 0d31755bb2ac16d686a2b4c5bcc741d10d746582 |
| SHA256 | 118e6710ec224a0c022c5b9b32c4bfd0e1368eaf607dda5a0781c2a824d1edf2 |
| SHA512 | 466aafda56789b99adc1b3f732eb76910a38859bbcc52ee7bab5d9de767e653a268f5f286caf169611454014bcdabf704b796c03e547cd013dbe83990dad3840 |
C:\Windows\system\bFbdeIt.exe
| MD5 | 8136269455fb96d132e3585c33b5f6da |
| SHA1 | df45e711f959964875ce66afb37db5e505d2a704 |
| SHA256 | 14b07ce96a699d6477e66fbe666799c139cf035574674c484e3e643278591a0a |
| SHA512 | 106e8f3f2b392b5e3b7887f1d381162212a49c11a2ac1eb3ac2dc99b38626bdcf927f60e99a7d3723c131f589ee2f2a2fcddf8aa3dba08db8d26a142bd2c18d6 |
memory/2960-93-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2208-100-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2668-99-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
C:\Windows\system\BtywuiJ.exe
| MD5 | 28ee9c7363c94483436a58c4105aa56a |
| SHA1 | 42c3167e4c0ebeb5b35e9916ac9c20e7fb0b4e7c |
| SHA256 | 6b202ffe89c5242f22afd323fbb1188c19f31997368e2c63d64fc19b6d4fd239 |
| SHA512 | a2802a0b83eaf9c757375865e1c1f5d9b397af7aab00dfbce06d1738a5254c990919f4eb5f984f6111ca13885eb5f7da0f322e1eda9c4c96e69f20006d970456 |
C:\Windows\system\RNixXau.exe
| MD5 | 96555639d7ad5012f7a8b6507e5f6c1a |
| SHA1 | f16e62edb627cc6aa3bc5f2dafc0e3791d15ebfe |
| SHA256 | 6903f4baba8395ff742b186dbf99aa4ef077ca0ab66735034e32c94d856add18 |
| SHA512 | e85f8de032a0436e5af48cb77c4e3bee445501b4f6b1c6c9cc1a941dcdcb1541af3e37b77cd6024a9ab29b2f1e6925645706113dfb972e37f5ad7c4756e8d209 |
memory/2652-86-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2208-85-0x0000000002300000-0x0000000002654000-memory.dmp
memory/1816-78-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2208-77-0x0000000002300000-0x0000000002654000-memory.dmp
C:\Windows\system\EXzjbiq.exe
| MD5 | aac6711d28aafaa9e63834bd8fea8d3f |
| SHA1 | ea08276f244a92a9489f3f1118593a50cc2ce92c |
| SHA256 | 2cc8d5da6c87aa8fc7b465048793fb32ac7f2edc42b5c14ed9526b167a7a5e71 |
| SHA512 | 9a6184f28cf680a855da7278e762c9915ae7ee451a1ffdd26e4d2050a5d9d5b66e39d9b5b7d1d772910aacbc017630fabf7c31197ed788e839f201db8a42fa6b |
memory/3056-70-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2208-69-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\ithSLkS.exe
| MD5 | c7d49b3957cfd32afbee72a2f69c54d2 |
| SHA1 | 7ce992e353be80d4d5889fc64001017ddc3371c4 |
| SHA256 | 863befce98b048a64325b53647c94ad131ea19d47907caf7c006487ac453b1cf |
| SHA512 | 4a3785cdc969a7f07fdaf8aa50918278c2dca158e276d3f09f720a5d3c8f56b640e77a8921f9d959fb721c5f805ef1983fff739a09219befbcc0a64a3036905f |
memory/2868-137-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\NxlNMhB.exe
| MD5 | d22e3b84d017d5c4533bfb4d42538ac6 |
| SHA1 | 401fd6283a4de4ecef408824655ad9673222cb4b |
| SHA256 | 9c67287b58f3b15352f991dded8f8354e741e513dcb56babdd2fba77bccb3ebd |
| SHA512 | 0b30d35748eeb00a56187cb03425c4d78d2a2a7035001ffcb716435aa4d75383d5d95aac6050e2b29d05052b288981293132a3f925332b776b53fcbade8c99e3 |
memory/2208-55-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2208-49-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2208-37-0x000000013F230000-0x000000013F584000-memory.dmp
memory/1992-33-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2208-31-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2208-30-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/1828-29-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/3056-27-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2208-18-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2492-138-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2524-139-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2208-140-0x0000000002300000-0x0000000002654000-memory.dmp
memory/1816-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2652-142-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2208-143-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2960-144-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2208-145-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2644-146-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2280-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1828-148-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/3056-149-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/1992-150-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2668-151-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2868-152-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2592-153-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2492-154-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2524-155-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2488-156-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1816-157-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2652-158-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2960-159-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2644-160-0x000000013F3C0000-0x000000013F714000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 19:19
Reported
2024-05-29 19:21
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JKGfjZf.exe | N/A |
| N/A | N/A | C:\Windows\System\NBEVZXB.exe | N/A |
| N/A | N/A | C:\Windows\System\dkHStls.exe | N/A |
| N/A | N/A | C:\Windows\System\FAKYIps.exe | N/A |
| N/A | N/A | C:\Windows\System\lOOCDlm.exe | N/A |
| N/A | N/A | C:\Windows\System\lRYzgML.exe | N/A |
| N/A | N/A | C:\Windows\System\FcIGBqC.exe | N/A |
| N/A | N/A | C:\Windows\System\COPzAvi.exe | N/A |
| N/A | N/A | C:\Windows\System\JKUrgZx.exe | N/A |
| N/A | N/A | C:\Windows\System\NCHresP.exe | N/A |
| N/A | N/A | C:\Windows\System\FvLhBQg.exe | N/A |
| N/A | N/A | C:\Windows\System\JWobdFL.exe | N/A |
| N/A | N/A | C:\Windows\System\OKnTitp.exe | N/A |
| N/A | N/A | C:\Windows\System\OfBHjkf.exe | N/A |
| N/A | N/A | C:\Windows\System\bhgARBn.exe | N/A |
| N/A | N/A | C:\Windows\System\tJwlAar.exe | N/A |
| N/A | N/A | C:\Windows\System\qXjciqU.exe | N/A |
| N/A | N/A | C:\Windows\System\McBFBTA.exe | N/A |
| N/A | N/A | C:\Windows\System\GKlNGTa.exe | N/A |
| N/A | N/A | C:\Windows\System\AKMSZhy.exe | N/A |
| N/A | N/A | C:\Windows\System\SJpnMHT.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\JKGfjZf.exe
C:\Windows\System\JKGfjZf.exe
C:\Windows\System\NBEVZXB.exe
C:\Windows\System\NBEVZXB.exe
C:\Windows\System\dkHStls.exe
C:\Windows\System\dkHStls.exe
C:\Windows\System\FAKYIps.exe
C:\Windows\System\FAKYIps.exe
C:\Windows\System\lOOCDlm.exe
C:\Windows\System\lOOCDlm.exe
C:\Windows\System\lRYzgML.exe
C:\Windows\System\lRYzgML.exe
C:\Windows\System\COPzAvi.exe
C:\Windows\System\COPzAvi.exe
C:\Windows\System\FcIGBqC.exe
C:\Windows\System\FcIGBqC.exe
C:\Windows\System\JKUrgZx.exe
C:\Windows\System\JKUrgZx.exe
C:\Windows\System\NCHresP.exe
C:\Windows\System\NCHresP.exe
C:\Windows\System\FvLhBQg.exe
C:\Windows\System\FvLhBQg.exe
C:\Windows\System\JWobdFL.exe
C:\Windows\System\JWobdFL.exe
C:\Windows\System\OKnTitp.exe
C:\Windows\System\OKnTitp.exe
C:\Windows\System\OfBHjkf.exe
C:\Windows\System\OfBHjkf.exe
C:\Windows\System\bhgARBn.exe
C:\Windows\System\bhgARBn.exe
C:\Windows\System\tJwlAar.exe
C:\Windows\System\tJwlAar.exe
C:\Windows\System\qXjciqU.exe
C:\Windows\System\qXjciqU.exe
C:\Windows\System\McBFBTA.exe
C:\Windows\System\McBFBTA.exe
C:\Windows\System\GKlNGTa.exe
C:\Windows\System\GKlNGTa.exe
C:\Windows\System\AKMSZhy.exe
C:\Windows\System\AKMSZhy.exe
C:\Windows\System\SJpnMHT.exe
C:\Windows\System\SJpnMHT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.126.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\JKGfjZf.exe
| MD5 | 6f10c360019f41a33ee92bc73119306d |
| SHA1 | b5fbdbab85d5befeff028d0f6be617e6c6295ac2 |
| SHA256 | 742e974803ecf2fb998fb0a4ffe6d1eef5bbec9831c00a835c272a0aeaebf0b2 |
| SHA512 | 296454142ea538905091c03025d9ae1426bbf294a8eccaafa01559ff2abbcae6c21ee20e640c67cfac9e339058d4b02aebf74adacb1fa6552f8020321f4e2652 |
C:\Windows\System\NBEVZXB.exe
| MD5 | a81586582b60f91a9f3a56b5c99a23c5 |
| SHA1 | cfb197aff48a3c97277cfb7bae81eb056d86f5dd |
| SHA256 | a69614b2f6e15da7f03ed502b8e88475428dc625134ce09117b65e8ebc9c1f0f |
| SHA512 | e6c5987f293ca671fddf3272a50b118d81679b7812da3a0e3be3440dc65444634ef72de48832bcfbabd82b6526a24373b0b96519dd9fc818697e697c9ca36f7a |
C:\Windows\System\lOOCDlm.exe
| MD5 | 711665b67ad710d2baf38afe461c0a30 |
| SHA1 | 474a26979a96cd83b97a754c3e3bc7e7262da16b |
| SHA256 | 792b32e39f6240e79935befe7f34ce781c59a107ccf15518fc1d6a3754cbd4ee |
| SHA512 | 6ce6ed5b48cdcf13c79a69a9f7889cd840edfdc171b710fef98239fcea220b5ebb90ed91a588ac4e9e6e464027b45fa49db3da74779e38fb5117dcac840758e6 |
C:\Windows\System\FAKYIps.exe
| MD5 | fff41208026bc28971592c42d3d54c53 |
| SHA1 | db88d0d937aa5e1aca40080eadc234ea12aa35ac |
| SHA256 | bc3d6dda3952739942dd4dba98b84c82c6775b725e34da7dc9a7949568730e89 |
| SHA512 | 2e08fb398267620eaa44cfead2e15d1dff3ba3fe7586c41866b50e002fa4e1fab3060924fc5832f914b462e6cc5163965a18dfc8050ca074910cc2bf33f77afe |
C:\Windows\System\dkHStls.exe
| MD5 | befc0c3f403ea8848ac10b7971109d70 |
| SHA1 | 06af5c4141a5050008d1aa6ac74c48990c1aeb57 |
| SHA256 | aa55e7d447407b290c536e95e4c3c46e7d128348930685239c928861aca5d2a2 |
| SHA512 | eea6292037077e23eb56b44ffc172756d24853a748e650f9ca7b4f40e707d00d8a5bb4e59f2480499116aadcfc4a65b21d9d0173f655213f1ab6e30c4e97c62f |
C:\Windows\System\COPzAvi.exe
| MD5 | 9ed815bf9e453559d9c9bdb911733518 |
| SHA1 | 7ae5146e07384003c2ebe11243a7a9e83f3bbd25 |
| SHA256 | 6867f438aa743e19c616fb43b9e4df624d8999034823f7500b82ac31c906573c |
| SHA512 | 04bd85566254f4e71f40679677a5df555a7fba25698419a61f7e598b8c308288880efa54dce90ed11b17894fad9c168c961b52c269137a1c52302b23e58d6c38 |
C:\Windows\System\FcIGBqC.exe
| MD5 | 106ec3c6a4ef1f75f57836f4c3abfb04 |
| SHA1 | 3db662c16eea7df480564f9a1eec9b4693d6fea9 |
| SHA256 | 5a70cce253694d190346f5ac3f91d16b53d83dc83aa17b2ff0c922d0219c6291 |
| SHA512 | d9d4c814dac968f9204bce422c62f6435db8e6fe8d4beddc91fcfaada57a3f1dd11b2bffeb6b393a410fa494ce1f8f735041afe4ce762c3fa6ba731000fb70cd |
C:\Windows\System\lRYzgML.exe
| MD5 | 82428a246feb9e81bdbd419d0b323fd6 |
| SHA1 | dc9563ee79b7de75d9a3e49220611a77eca00b35 |
| SHA256 | dfdca2ca9ab65df4ae05d24c9a821c89737d5332632b623468c51504351e4ab3 |
| SHA512 | 605ca8d6cef08f27592b2b0326ca4ad71508c7d1c293a05a6709d60a36c36be7a24db44a1595ea002d1f3df95e16e9c8a739a8ea36207a1313a14232987477c8 |
C:\Windows\System\JKUrgZx.exe
| MD5 | 6cf3e99e49df873452f75987e58f627a |
| SHA1 | 941c8dfd598e5a55f67bf02c8749065c8d02c42e |
| SHA256 | 16ba25ee5b9ef6b8ed9f05635c003fc3eb61435c258bddecd783f979d56cc8b6 |
| SHA512 | 2d96579aaef8367c9f9b36c6ee5d170c7e43b99e9d83eb949878928a7b35a3e8ef82e4d63c935c293685287448e4ba0ec7dd499fb153afb0c57a749121ffd01b |
C:\Windows\System\tJwlAar.exe
| MD5 | e83dc697c821095642291bde162f0190 |
| SHA1 | b722247b6cdba5a6b3ab6be6b11a33e71bd921be |
| SHA256 | 9891e8b26d17536df5ef338e84ae7d2719c11c34d1f776ca66309a612fa8991b |
| SHA512 | 9671c295ae96612fb5fd81ccd679228cef85829c78e85aff4a0ab0a3ec0d4cfdfdd3805935e1843e935982b111f50a9ee7b8c7cb55e4c7fe8ef06011f0c2ed56 |
C:\Windows\System\qXjciqU.exe
| MD5 | c1c9ab2eab762e7637aad696bc9b7834 |
| SHA1 | f38d064b08d91a34d95996ca1f0ac70ca87b07ce |
| SHA256 | a0ad79cb295262e890ecca05f9ee9a9290ef9f5b11664cf992278341ddda7568 |
| SHA512 | c45bc3dc07c63873a66894d359f71c16dce7764e0fd68d1184288304d9653fb1cde196934cd3100a1a04bafa8ce44d5468abb320e8fe54a127cbb6a166845c2f |
C:\Windows\System\AKMSZhy.exe
| MD5 | 60369095fd946619bd3b4f9b58ea853e |
| SHA1 | add84c39b25d08956192d3fb8196f8c3f9d59288 |
| SHA256 | dd51b5612587731895e66fc1995e836c133a7ab22499f0e09c6bafe60bbed87c |
| SHA512 | f7ca9999a073485329b97808a0c7c5d524f54d92c628aee9090fa1d46025ef3e9207b312538222898688742d48da5993ad13cfd18e2750e8fd6f29ae8048dd6f |
C:\Windows\System\GKlNGTa.exe
| MD5 | 95b7b91897fe14c65c0fbbac0b8e11ab |
| SHA1 | c06f300262148262e370e6d188a31e2d166a8338 |
| SHA256 | 5a66ff86debe4b56a4cc556b02821e77f9aaa1595351105bc42ea869cf9d5559 |
| SHA512 | 47f5eda504e799d78809505cca250030a2ddb82f9c0eb87f2e061cf8e3c8fd67d7ef762e3174a4cad3d53ff7e41ff3c25c9d0b025cb542ed4020db0b755e3c4a |
C:\Windows\System\McBFBTA.exe
| MD5 | 9d6f5ca47d46743200a90a00eb28b95a |
| SHA1 | b27d7a1eac2f8aa06fdb05fffea5d2e418cedd1e |
| SHA256 | d87d5b828d4b1c8de019550f8be46efeae267f84ab9b8ab6ebdcddd560b8b3e3 |
| SHA512 | 72e98aab0f933eee17bc71241ca51583f62e8969b0d0c222c66e4eadba8eaae10e1aad3dfb6ca8826709c3f6782f8c0d78d4855bee813bbe89de3af80db45dc5 |
C:\Windows\System\bhgARBn.exe
| MD5 | d81c810b5fd75d6afd408c279176f672 |
| SHA1 | e2a563904841d02a27441c807d48d21ab1d3fc7c |
| SHA256 | f9a2b640b66d05f1f734230255e2daac19aab1bd4c918feb58528597147476ff |
| SHA512 | 4035539a921853a03b1373325766d8f5f3629821a88e8b82f1e60fe319bc14e1e28b1cc9468077025de80d8c9beae26a94101d010d9c5919c6303356bdc37c56 |
C:\Windows\System\OKnTitp.exe
| MD5 | 45459b4b4de665bd0fbe7237f5c8be69 |
| SHA1 | 2c5d251921faa391cfe0f24159e45dcc1c8cbf9b |
| SHA256 | 6468a34de1138728029fd2ff62fec0367bc03465bf3b1df115f2a5d1c59a1e8d |
| SHA512 | a94986468bf442dc6c6e13928dbbf63c8bea6642190f6ce56d9ea23a370a3d9d6f5459c40acac36f612e5742453c2bb3f03e2b66532133b22ac94d51fa47d5e7 |
C:\Windows\System\OfBHjkf.exe
| MD5 | 89179cfc8a5e54139d16793532a834d6 |
| SHA1 | dc0c3fe583a5736cf72c0ab61395d3baed602ffb |
| SHA256 | 14a47b82e5e6d43b3ca8bc32e1ac7fbb6c380847eace9322f307ca2c1b89a5cf |
| SHA512 | 7e075422b328ec3a8c62389092871f429e09e3af80ae01a1dbabebd7c09322db4af1973c36905c270b2de52598e052606f427d97bfaec05912a1841488ed1732 |
C:\Windows\System\FvLhBQg.exe
| MD5 | 60da67c0054987f7fe0cc2c3758d36a7 |
| SHA1 | 0b6238c6340604d38dfe8967c9a2a3949859e268 |
| SHA256 | 9074a07ea9b69c5d8100bb3752b1f3e977c903534150b7ed99cf12f06093b3c5 |
| SHA512 | 5067bd031a4a61858b72c6f7fa5fed1e27dae1b1a8590b0e8161f51337e5e8fbcb0f7d7bffcc2c766ed05cfcefb1f6712da749cf3794b57092a3f560b6d4d188 |
C:\Windows\System\JWobdFL.exe
| MD5 | c57a76759b4bd496d3d37ed2a79f465a |
| SHA1 | 047d8c9f11361504f3751607d5bbad11b729f7f5 |
| SHA256 | 31542a5ca415b519517e0bb27752e247349222211161ab62eabd6e960be06a04 |
| SHA512 | d3dc84ad4c57369959035883e056479a574af3028c9f8bf42454b97ff6eab567a1c0c8f717d1c3a3f1106b8cc358633297935ae07530cf454f95c670fcb1bdbe |
C:\Windows\System\NCHresP.exe
| MD5 | aeabd90e84cb0740e97a722391a33ba1 |
| SHA1 | 4f82756ec89b7da6f98984d9b1a85229a7b74acf |
| SHA256 | 99caf59de4b24e3cf2467a39062a9cf9efbde2087df92638b7b05290727a7521 |
| SHA512 | fa11e18477481117b26a7568e8fcb08c3b3578066fa4569ded3472cae5ced509c20fde0c5d96c4a07bf5365f6c725b3d30d9ffd8f376c2b5ceb7060c91610d09 |
C:\Windows\System\SJpnMHT.exe
| MD5 | 8fdc6546b6330de09a6f7806b3541d1d |
| SHA1 | 990af01bfd3830e101a7b85a40fe7d7a2b7b8b52 |
| SHA256 | 5938f78e1c5903fce1e996fc59ad6e3252c14b8f65b00bb145d3b601d288cbd2 |
| SHA512 | 02975597314cd5302b984ad75d63cc37e7dd618da49660d9e3a6c38abe9a087586311b3320e9b0e854dcac85615ef0f9c2cfeac9c63231ea02c7cb339fbcf0db |