Analysis Overview
SHA256
60656031502c4feeedcd375ac611cdad0c6dccd8c245a35efeef82a08d8860e5
Threat Level: Known bad
The file 2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:12
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:12
Reported
2024-05-29 19:14
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target were not recorded (all N/A).
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target were not recorded (all N/A).
UPX dump on OEP (original entry point)
57 matches; description, indicator, process and target were not recorded (all N/A).
XMRig Miner payload
60 matches; description, indicator, process and target were not recorded (all N/A).
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GPoTZwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OzRomeW.exe | N/A |
| N/A | N/A | C:\Windows\System\FdldROP.exe | N/A |
| N/A | N/A | C:\Windows\System\kZZsRnS.exe | N/A |
| N/A | N/A | C:\Windows\System\ebgLSRe.exe | N/A |
| N/A | N/A | C:\Windows\System\kRBfHhT.exe | N/A |
| N/A | N/A | C:\Windows\System\emRbESm.exe | N/A |
| N/A | N/A | C:\Windows\System\BxRIfXz.exe | N/A |
| N/A | N/A | C:\Windows\System\ytCLAla.exe | N/A |
| N/A | N/A | C:\Windows\System\YfTsrgf.exe | N/A |
| N/A | N/A | C:\Windows\System\JHWveGt.exe | N/A |
| N/A | N/A | C:\Windows\System\MjrUzNr.exe | N/A |
| N/A | N/A | C:\Windows\System\DRYJXVf.exe | N/A |
| N/A | N/A | C:\Windows\System\tAmUKhK.exe | N/A |
| N/A | N/A | C:\Windows\System\CdKMVAM.exe | N/A |
| N/A | N/A | C:\Windows\System\XrYASWo.exe | N/A |
| N/A | N/A | C:\Windows\System\YxwRsqs.exe | N/A |
| N/A | N/A | C:\Windows\System\TTRSbes.exe | N/A |
| N/A | N/A | C:\Windows\System\HcLDNVt.exe | N/A |
| N/A | N/A | C:\Windows\System\lqOLpBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jHgbosR.exe | N/A |
Loads dropped DLL
UPX packed file
57 matches; description, indicator, process and target were not recorded (all N/A).
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe | N/A |
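The SeLockMemoryPrivilege entries above are the most specific miner indicator in this report: XMRig requests that right so it can back its RandomX scratchpad with large pages, and very little else on a typical host does (SQL Server with "Lock pages in memory" is the usual legitimate exception). The Python below is an added example, not part of the sandbox report or of any tool it names. It hunts Windows Security event 4703 ("A user right was adjusted") records for processes that enable SeLockMemoryPrivilege outside an allowlist, and raises the priority when the process runs from a user temp directory or carries the seven-letter name pattern the dropped copies use under C:\Windows\System. The events are constructed for the example; only the two executable paths come from the report, and the allowlist entry is an assumption to tune per estate.

```python
"""Hunt Windows Security event 4703 ("A user right was adjusted") for processes
that enable SeLockMemoryPrivilege.

Added example, not part of the sandbox report. Field names follow the 4703
EventData schema (ProcessName, EnabledPrivilegeList, SubjectUserName); the
events in SAMPLE_EVENTS are constructed, with only the two paths taken from
the report.
"""
import re
from dataclasses import dataclass

# Assumption: the benign holders of SeLockMemoryPrivilege in your estate.
# SQL Server's "Lock pages in memory" setting is the usual legitimate case.
ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql16.mssqlserver\mssql\binn\sqlservr.exe",
}

# Naming pattern of the copies the sample dropped: seven letters under
# C:\Windows\System (the legacy directory, not System32).
DROPPED_COPY = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    process: str
    user: str
    reasons: tuple


def privileges(field: str) -> set:
    """EnabledPrivilegeList is whitespace separated; '-' means none."""
    return {p for p in re.split(r"[\s,]+", field) if p and p != "-"}


def hunt(events):
    """One Finding per 4703 event that enables SeLockMemoryPrivilege from a
    process outside the allowlist, in event order."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        if "SeLockMemoryPrivilege" not in privileges(ev.get("EnabledPrivilegeList", "")):
            continue
        proc = ev.get("ProcessName", "")
        if proc.lower() in ALLOWLIST:
            continue
        reasons = ["SeLockMemoryPrivilege enabled by non-allowlisted process"]
        if DROPPED_COPY.match(proc):
            reasons.append("random 7-letter name under C:\\Windows\\System")
        if USER_TEMP.match(proc):
            reasons.append("executable running from a user temp directory")
        findings.append(Finding(proc, ev.get("SubjectUserName", "?"), tuple(reasons)))
    return findings


SAMPLE_EVENTS = [  # constructed for this example
    {"EventID": 4703, "SubjectUserName": "MSSQLSERVER",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",  # parent process path from the report
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",  # dropped-copy path from the report, event constructed
     "ProcessName": r"C:\Windows\System\GPoTZwZ.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege\n\t\t\tSeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",  # unrelated right, must not fire
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4688, "ProcessName": r"C:\Windows\System\GPoTZwZ.exe"},  # wrong event ID, ignored
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.user, f.process, "; ".join(f.reasons), sep=" | ")
```

Event 4703 is only written when the "Audit Token Right Adjusted" subcategory (Detailed Tracking) is enabled; without it the rule has nothing to read. Filtering on the privilege first and the process second keeps the allowlist small, since the volume of 4703 events for other rights is high.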
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\GPoTZwZ.exe
C:\Windows\System\GPoTZwZ.exe
C:\Windows\System\OzRomeW.exe
C:\Windows\System\OzRomeW.exe
C:\Windows\System\FdldROP.exe
C:\Windows\System\FdldROP.exe
C:\Windows\System\kZZsRnS.exe
C:\Windows\System\kZZsRnS.exe
C:\Windows\System\ebgLSRe.exe
C:\Windows\System\ebgLSRe.exe
C:\Windows\System\kRBfHhT.exe
C:\Windows\System\kRBfHhT.exe
C:\Windows\System\emRbESm.exe
C:\Windows\System\emRbESm.exe
C:\Windows\System\BxRIfXz.exe
C:\Windows\System\BxRIfXz.exe
C:\Windows\System\ytCLAla.exe
C:\Windows\System\ytCLAla.exe
C:\Windows\System\YfTsrgf.exe
C:\Windows\System\YfTsrgf.exe
C:\Windows\System\JHWveGt.exe
C:\Windows\System\JHWveGt.exe
C:\Windows\System\MjrUzNr.exe
C:\Windows\System\MjrUzNr.exe
C:\Windows\System\DRYJXVf.exe
C:\Windows\System\DRYJXVf.exe
C:\Windows\System\tAmUKhK.exe
C:\Windows\System\tAmUKhK.exe
C:\Windows\System\XrYASWo.exe
C:\Windows\System\XrYASWo.exe
C:\Windows\System\CdKMVAM.exe
C:\Windows\System\CdKMVAM.exe
C:\Windows\System\YxwRsqs.exe
C:\Windows\System\YxwRsqs.exe
C:\Windows\System\TTRSbes.exe
C:\Windows\System\TTRSbes.exe
C:\Windows\System\HcLDNVt.exe
C:\Windows\System\HcLDNVt.exe
C:\Windows\System\lqOLpBZ.exe
C:\Windows\System\lqOLpBZ.exe
C:\Windows\System\jHgbosR.exe
C:\Windows\System\jHgbosR.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to a single endpoint, contacted by IP with no domain recorded; this is the only network activity in the Windows 7 run.
Files
memory/1808-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1808-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\GPoTZwZ.exe
| MD5 | c200ea265e277303742dd41a6ab45743 |
| SHA1 | c30320750b02187ccdba341b26810647a460cb92 |
| SHA256 | d3cce61f793417a1feefc0ddec91fea17d37c674fa1a9de28ab4d016b2e5206d |
| SHA512 | dee0655b23b3e6c58b197d414876b0f39b7c802ecf32a2deed16623d398a6d88796ba76d241b25bde97824e2432a17b39e80f0d5cf559cd0ab6313e926447117 |
memory/2256-9-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1808-8-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\OzRomeW.exe
| MD5 | 380db07920cfb69bd37cc94581b6c8a3 |
| SHA1 | 3305bb54e7bfeb4bea733a885b556427874d19ff |
| SHA256 | bfe9455491209d22589b7a44de2893b82a19219b6378168ec5a3ba8137585651 |
| SHA512 | 0142a73bf6d860d1fa1a98601a9139e7a193be32500367d0fd4f0169c06a247e37fc36b97adcb6f7e14851b8bdc76e313203c1477ef621fd9a5370bbde94ac76 |
memory/1112-14-0x000000013FCE0000-0x0000000140034000-memory.dmp
C:\Windows\system\FdldROP.exe
| MD5 | cd14a1a278013b2fb62e3ce49639545f |
| SHA1 | f3b644815b92b688f9f78404d2f32da714922e05 |
| SHA256 | fd13f80b42254103fc9cc1be36c83abf27eef9e003355fdc8f58c38cddd77328 |
| SHA512 | ac143a55426e47e178430d759b1f418ff8fe5603e919e20506a09433971c59d64aab37623da01050eb22f76910226a6f875db6d9df1d7008e0080be8c7cc570f |
C:\Windows\system\kZZsRnS.exe
| MD5 | d6bbc1dac5f9b8de213fb2904f18577d |
| SHA1 | 8716be35f68bd3345d151c541bc44c1aa6e949da |
| SHA256 | 87585fcd1e93e0a64d3e691b4696ad66d33d67167c11ba2fb112287cda34091f |
| SHA512 | b92deaa70f08956114b0bd4551cf62803ffd4ed60048f74b08c235dbf3ae323ef813bf5a04c30f91c904eb2bfe628185fc64a4f82f2084852c6f309b10a12416 |
memory/1808-27-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2640-28-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2576-26-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\ebgLSRe.exe
| MD5 | 16ff9866bb4230c01d610ce84e46b8a5 |
| SHA1 | 9f78a690c0144fac6660aaf1de9ae02a64142a1b |
| SHA256 | d3946e477b88391271e36cda46c140087f16c9f79021db8294f7bb4f24bd0421 |
| SHA512 | 7a24b789e3f27208d2679bd7d41cdf0a6134763b1babac8775234c391b2120fb7d2b2f89513d3b8032caf4953887c4b80e4c18d42abce790c0802e5ae26855d7 |
C:\Windows\system\kRBfHhT.exe
| MD5 | 06e33224405ce8605bf64f2e679bb697 |
| SHA1 | 72d4be68c3eb705f5abaff3b58d0bca758b46d12 |
| SHA256 | a14558806e1653a4915ebcfe779b804bdee45c5673b0690130e7e97abcc6a2bf |
| SHA512 | c0c81f7b0758740d33e2d7bd91c6496a6a811fed21f522611d40600fe32c3cdf180cb1cd6580f9538a22caafb544aed57005b3e5d817149d6bd01bf7634d59d1 |
memory/1808-40-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2552-42-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2580-35-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/1808-34-0x000000013F5C0000-0x000000013F914000-memory.dmp
C:\Windows\system\emRbESm.exe
| MD5 | e265057478a7f7b35dd78ebc3a47ceaa |
| SHA1 | a7d6500a9cb83f531aebc8a39187630d7cd22a12 |
| SHA256 | cd3c20e797f5b3deb0b42d315b7330004b9433ff8ba488d0f93f1855658a5a69 |
| SHA512 | b6fe635fc24c44a325c0ba2c1bd8e1d531fcaa0517e0c117cb4e7044507e93fe962f2493b530c7cc7d0fc7c5359f66ba41394acdf221079bd15549a590067e2d |
memory/2536-48-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1808-47-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
\Windows\system\BxRIfXz.exe
| MD5 | fa97fe678a0e25a59f94d4ebc3c02b99 |
| SHA1 | 2da139a12e328652825511894b0cfd59f716e0f1 |
| SHA256 | 0b229033f6689c3f50214392457142d1ca8fa7348c128114c63333b89c829543 |
| SHA512 | 0ffef361f53ad767b87ea64095d5fa636767e0e14c627aaf7c49c63a08a57877e78cc65c3c6f947815ff0723e3f83dc74e9e3ce93cd20aecb35954fac96294cc |
memory/2428-56-0x000000013F890000-0x000000013FBE4000-memory.dmp
\Windows\system\ytCLAla.exe
| MD5 | 91eb3e93720e193024ccd31c483bd1d9 |
| SHA1 | 09ee8b8681ac82eadad6fbe62671d234843c2c29 |
| SHA256 | 50004630db95e032e7cbde689b026ce4350f1d74a5a4284beba352d4d6f59ba5 |
| SHA512 | 0248c586cb686fff8f992b09c9a8c4feba6eb2313b9b4268d92fcac9ef5fdee4884928e276ba695c059de318326b19e21306c6e09e2b0bd616f23c9e64b3324b |
memory/1808-60-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2500-64-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1808-63-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1808-55-0x000000013F890000-0x000000013FBE4000-memory.dmp
C:\Windows\system\YfTsrgf.exe
| MD5 | f4a59af062573c3fd8cbb042ca90cdfb |
| SHA1 | 87ab5c93c3250c975342e94c506eb57f6df2b6a8 |
| SHA256 | 875f449fe096ee8d947ca804a2729341f5c27b8187cf85efdfa3742602655851 |
| SHA512 | 892e4d52c686d8d1adc7eec89211431cb6ded42a3437013f54ed387b759253139ae44d5f795df315266a668c0e8b932869836b6bca149f683fb105bcd1e07c1d |
memory/1808-70-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/1232-71-0x000000013F860000-0x000000013FBB4000-memory.dmp
\Windows\system\JHWveGt.exe
| MD5 | e6f620fb3e944a925081d7165fd05a91 |
| SHA1 | 7532830aebb190922e065fa62982df57b7b640ed |
| SHA256 | 367ea63f76e4da729fcf1ca9935845aacc2615afdfa827c669db1e15f1a497a3 |
| SHA512 | 086d2f6786212d37a21d5a27a2ca2dc3eaeb94addad4a6820a1e57cb943f6da55661ba9610d9820a8fec50c70111dbd75752ce06855c297f9647cda64a1573bd |
memory/1808-81-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1112-78-0x000000013FCE0000-0x0000000140034000-memory.dmp
\Windows\system\MjrUzNr.exe
| MD5 | 682b9184d5ee2ff0120a18e84cabb6c4 |
| SHA1 | f834055d1f9a71ded59136916415355931a32384 |
| SHA256 | d4417ca2304fe995818a37aa785b5c03b5c5d62b406f118f90e0bd953d55e4db |
| SHA512 | 93bcbec1cb17b7ce669eee207246044384de33373da0029fc171b6e30c26b7ed26e82b8102da99f8f282b927a12a78111b058aecf63c60a870076950156078ce |
memory/2576-92-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\DRYJXVf.exe
| MD5 | 444fe516735e3a07d22a1cfa5c38842d |
| SHA1 | 980f0f770a845ad1d38e2a43f98e9b53aea97ab2 |
| SHA256 | 25ee02b576153020e5a46e3c55ef5f478b26b38ffa65cae2898c95fb62cebf99 |
| SHA512 | 1f1a27fc4880112b521c2087b0a86636091b386b3263e8126455e967bfa7287909b2f1de1d36d1197b86ef7f3c7b4fec69e5e14b6ec219dd504defb3b40e760a |
memory/2492-94-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1808-90-0x000000013F930000-0x000000013FC84000-memory.dmp
C:\Windows\system\tAmUKhK.exe
| MD5 | d8096d49dd45b06cd973dcc01dea3643 |
| SHA1 | 3fa6e7da62f386a2db0981bf608d999b30da0a30 |
| SHA256 | c6a62d760fe9a4ac3cabd7a54dbbb938a13a4a7290d3dcd8edd0cfd0c6439b39 |
| SHA512 | ad3d37d695b2948c59da755a757336f58974db2e92eb6a238893a0f2499c1b07b26e0d40150f025548c9be4ecd6df4e54dd287b18b1953a34ef63fc3393dcc71 |
\Windows\system\CdKMVAM.exe
| MD5 | cf7e65957db0f5c4d548f0cf1cb8f804 |
| SHA1 | c53ea581e25439b15c82b9b9df7744c11aae07c9 |
| SHA256 | 3d28a380fb5a32849180541d96bfc2e34cdbb712f802b79353e4f5a19efe8578 |
| SHA512 | 9f84376288651bdcc0bef5420b7c88608f48cb7ea21111222a980476cb7a9cf71b696344e2e5ec3e6f4ea8041a15194dcc7d370d6cf00a3ce697017914949fdf |
C:\Windows\system\XrYASWo.exe
| MD5 | 16f6d7e642750c32dd5a3d1584bee400 |
| SHA1 | 434bc0114c1f349f9975fbf00bfb97e6af028f37 |
| SHA256 | e523d1c1aa920dd3b0a8324b5056e3a64c72fc2fefd477b330eccc1f735b4de2 |
| SHA512 | ac209d7871d20f5d8050c36f3f35147c86b4bf951b923791965b3abf2a7c96a51f266280758ba8097c6b1a2a9cd5fc9bda872a24d18d8e46df10a72ec29acde6 |
C:\Windows\system\lqOLpBZ.exe
| MD5 | 0a4f618a0440795fdea56904ce85dd6f |
| SHA1 | 065585ea31c07de423c82af4ed112cedd925fb3a |
| SHA256 | 7208ef0fb1e60cbb11e29d08c60439c2b6936a55b31eaa8f8670d91ba3e38a55 |
| SHA512 | 23bace17201bb084f42a8b3bb9f94e54c20c9ac7be129386868fc3f3e41ce49ea20387986eddfbeb2a477763b6afe365c3702ad29dfe5951528a2023efc544e0 |
\Windows\system\jHgbosR.exe
| MD5 | b3f347b285ae59e6195f4297680d9aae |
| SHA1 | f300d097473437ce0d5b4d197a4f9dac50887adb |
| SHA256 | c0d5855bb44f8f6c11d643feec2a78b424c060aeec8ae5136ec83f5f99748070 |
| SHA512 | bd54e66dc5fe3090a58c8c99ecd2327f01359c7489438e8ecabe73a9b75123abeb1d8d117c3012a02a8364d932c5177d800b6da460837c89d069e1bc7a280803 |
C:\Windows\system\HcLDNVt.exe
| MD5 | ffcad429098f9a28a9f298bb171d201d |
| SHA1 | 8ed5291d5e6972d9d882ee7821ff3e7bbe673e24 |
| SHA256 | 1fd5e970bfbb817af6d224c9b377416d7570a2b70d3e49d8f5746573773d8371 |
| SHA512 | fa9826332cddb4885f75f562cc26a2978b7b9e2bcbd308d7f014f498372ea4a52e77b694c185903fa3016ddc7eef6e66370bd3195236232472554aa7d9098a8c |
C:\Windows\system\TTRSbes.exe
| MD5 | 9c78e335eee14f22cb224a9073c59e72 |
| SHA1 | 212450672bbce09ac19aad30b06bd9324ae73719 |
| SHA256 | 6586474d5d8ad14c4aa896b8a3de70367804ea0b64aa2a3cc4617d2e96b3bd7a |
| SHA512 | 10a2cf3bafcb3dcc626a565d05ed99e752b674cf8cb5844dea092b45d029eacd1fbee41c317f37dd7d1e8a5836296b76d80a41c277e07a4597bb4c9b8ade3746 |
C:\Windows\system\YxwRsqs.exe
| MD5 | 0ff6a831f510b16bcb0de173469dfc6f |
| SHA1 | e80d9f954f8d100d90a59ace14a0a1551f33e120 |
| SHA256 | 0fb388b67e3f56bc43ac6eaf9ac35dfffd6220f69ee9da2da31186f901a3d027 |
| SHA512 | 0f61928f1e47c328aaa0b12ff58a73401d5f3d5b34a9bd571090fbd7356800dbc860b06ca10f9e864234cf2ab122a441af5169925a332b70af0f9f1be993c05a |
memory/2160-104-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1808-111-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2552-109-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/1808-100-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1808-89-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/1568-85-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/888-84-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2536-138-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1808-139-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/1808-140-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1568-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/1808-142-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2492-143-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1808-144-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1808-145-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2256-146-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2640-148-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2576-147-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/1112-149-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2580-150-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2552-151-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2536-152-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2428-153-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2500-154-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1232-155-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/888-156-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1568-157-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2492-158-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2160-159-0x000000013F760000-0x000000013FAB4000-memory.dmp
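Two things in the Files and Network sections above are worth pulling out programmatically rather than by eye: every image-sized memory region dumped for the parent and for the dropped copies spans the same 0x354000 bytes (0x13FEA0000 to 0x1401F4000, 0x13F100000 to 0x13F454000, and so on), while every dropped copy has a different hash on disk, and the run talks to exactly one endpoint. The Python below is an added example, not part of the report: it parses a constructed excerpt of the report's own Files and Network lines (three dropped files, four memory dumps, two network rows) into an IOC list and a histogram of dumped region sizes. The line layout is assumed from the report as rendered here; the drive letter is made optional because the report writes dropped paths both ways.

```python
"""Extract IOCs from the Files/Network sections of the sandbox report above
and check the structure of the dropped copies.

Added example, not part of the report. REPORT_EXCERPT is a constructed subset
of the report's own lines; the layout (memory/<pid>-<n>-<start>-<end>-memory.dmp,
a file path followed by its hash rows, network rows as pipe-delimited tables)
is assumed from the report as rendered here.
"""
import re
from collections import Counter

REPORT_EXCERPT = r"""
memory/1808-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1808-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\GPoTZwZ.exe
| MD5 | c200ea265e277303742dd41a6ab45743 |
| SHA256 | d3cce61f793417a1feefc0ddec91fea17d37c674fa1a9de28ab4d016b2e5206d |
memory/2256-9-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\OzRomeW.exe
| SHA256 | bfe9455491209d22589b7a44de2893b82a19219b6378168ec5a3ba8137585651 |
memory/1112-14-0x000000013FCE0000-0x0000000140034000-memory.dmp
C:\Windows\system\FdldROP.exe
| SHA256 | fd13f80b42254103fc9cc1be36c83abf27eef9e003355fdc8f58c38cddd77328 |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

MEM = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# The report writes dropped paths both with and without the drive letter.
DROP = re.compile(r"^(?:C:)?\\Windows\\system\\([A-Za-z]{7}\.exe)$", re.I)
HASH = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
NET = re.compile(r"^\|\s*[A-Z]{2}\s*\|\s*([\d.]+):(\d+)\s*\|[^|]*\|\s*(tcp|udp)\s*\|$")


def parse_report(text):
    """Return dropped files with their hashes, dumped regions as
    (pid, start, size) and the set of (ip, port, proto) endpoints."""
    dropped, regions, network = {}, [], set()
    current = None  # file whose hash rows we are currently inside
    for line in text.splitlines():
        line = line.strip()
        if m := MEM.match(line):
            start, end = int(m[2], 16), int(m[3], 16)
            regions.append((int(m[1]), start, end - start))
        elif m := DROP.match(line):
            current = m[1]
            dropped.setdefault(current, {})
        elif (m := HASH.match(line)) and current:
            dropped[current][m[1]] = m[2]
        elif m := NET.match(line):
            network.add((m[1], int(m[2]), m[3]))
    return {"dropped": dropped, "regions": regions, "network": network}


def region_size_histogram(regions):
    """Size -> count. One dominant size across many PIDs means the dropped
    copies are the same image, whatever their on-disk hashes say."""
    return Counter(size for _pid, _start, size in regions)


def iocs(report):
    """Flat, sorted IOC list: SHA256s of dropped copies plus network endpoints."""
    out = {h["SHA256"] for h in report["dropped"].values() if "SHA256" in h}
    out |= {f"{ip}:{port}/{proto}" for ip, port, proto in report["network"]}
    return sorted(out)


if __name__ == "__main__":
    rep = parse_report(REPORT_EXCERPT)
    for size, n in region_size_histogram(rep["regions"]).most_common():
        print(f"region size 0x{size:X}: {n} dump(s)")
    print(f"{len(rep['dropped'])} dropped copies, "
          f"{len({h.get('SHA256') for h in rep['dropped'].values()})} distinct SHA256")
    print("\n".join(iocs(rep)))
```

Run over the full Files section, the histogram shows 0x354000 for every image dump and the 21 dropped copies yield 21 distinct SHA256 values: the same image size with a different hash on every copy. Hash blocking alone will not keep up with that; the path pattern, the SeLockMemoryPrivilege use and the 3.120.209.58:8080 endpoint are the durable indicators.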
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 19:12
Reported
2024-05-29 19:14
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target were not recorded (all N/A).
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target were not recorded (all N/A).
UPX dump on OEP (original entry point)
64 matches; description, indicator, process and target were not recorded (all N/A).
XMRig Miner payload
64 matches; description, indicator, process and target were not recorded (all N/A).
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JrIysXR.exe | N/A |
| N/A | N/A | C:\Windows\System\bqKwpGL.exe | N/A |
| N/A | N/A | C:\Windows\System\oVNIaZS.exe | N/A |
| N/A | N/A | C:\Windows\System\KZDDmOM.exe | N/A |
| N/A | N/A | C:\Windows\System\uCdGnqh.exe | N/A |
| N/A | N/A | C:\Windows\System\oPGExzn.exe | N/A |
| N/A | N/A | C:\Windows\System\migTdPn.exe | N/A |
| N/A | N/A | C:\Windows\System\UMCEciV.exe | N/A |
| N/A | N/A | C:\Windows\System\sduagDc.exe | N/A |
| N/A | N/A | C:\Windows\System\sFcBskH.exe | N/A |
| N/A | N/A | C:\Windows\System\EJmCfoa.exe | N/A |
| N/A | N/A | C:\Windows\System\fTCTZBo.exe | N/A |
| N/A | N/A | C:\Windows\System\JZoVrbZ.exe | N/A |
| N/A | N/A | C:\Windows\System\NGrzQMh.exe | N/A |
| N/A | N/A | C:\Windows\System\WPApVkY.exe | N/A |
| N/A | N/A | C:\Windows\System\LJrQkjP.exe | N/A |
| N/A | N/A | C:\Windows\System\oyBAOLX.exe | N/A |
| N/A | N/A | C:\Windows\System\sJLPEwK.exe | N/A |
| N/A | N/A | C:\Windows\System\YQnSjvy.exe | N/A |
| N/A | N/A | C:\Windows\System\Aawpdxe.exe | N/A |
| N/A | N/A | C:\Windows\System\uAoqoDi.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target were not recorded (all N/A).
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\JrIysXR.exe
C:\Windows\System\JrIysXR.exe
C:\Windows\System\bqKwpGL.exe
C:\Windows\System\bqKwpGL.exe
C:\Windows\System\oVNIaZS.exe
C:\Windows\System\oVNIaZS.exe
C:\Windows\System\KZDDmOM.exe
C:\Windows\System\KZDDmOM.exe
C:\Windows\System\uCdGnqh.exe
C:\Windows\System\uCdGnqh.exe
C:\Windows\System\migTdPn.exe
C:\Windows\System\migTdPn.exe
C:\Windows\System\oPGExzn.exe
C:\Windows\System\oPGExzn.exe
C:\Windows\System\UMCEciV.exe
C:\Windows\System\UMCEciV.exe
C:\Windows\System\sduagDc.exe
C:\Windows\System\sduagDc.exe
C:\Windows\System\sFcBskH.exe
C:\Windows\System\sFcBskH.exe
C:\Windows\System\fTCTZBo.exe
C:\Windows\System\fTCTZBo.exe
C:\Windows\System\EJmCfoa.exe
C:\Windows\System\EJmCfoa.exe
C:\Windows\System\JZoVrbZ.exe
C:\Windows\System\JZoVrbZ.exe
C:\Windows\System\NGrzQMh.exe
C:\Windows\System\NGrzQMh.exe
C:\Windows\System\WPApVkY.exe
C:\Windows\System\WPApVkY.exe
C:\Windows\System\LJrQkjP.exe
C:\Windows\System\LJrQkjP.exe
C:\Windows\System\oyBAOLX.exe
C:\Windows\System\oyBAOLX.exe
C:\Windows\System\YQnSjvy.exe
C:\Windows\System\YQnSjvy.exe
C:\Windows\System\sJLPEwK.exe
C:\Windows\System\sJLPEwK.exe
C:\Windows\System\Aawpdxe.exe
C:\Windows\System\Aawpdxe.exe
C:\Windows\System\uAoqoDi.exe
C:\Windows\System\uAoqoDi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.133.100.95.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
C:\Windows\System\JrIysXR.exe
| MD5 | ed6a7e51ecb631c754dcb964320ca463 |
| SHA1 | cc628f5109514c9b8fd9a28ee7de527fd5842a3b |
| SHA256 | b52036f5c1c999d48be7040335f3b8ebd8846d9254a48417d5fa04555e472014 |
| SHA512 | 3348752b1ba795e73b5d13deaf1cf585e41d07a2fcb885a919dac230ef7701a5918b24b95b21a99400f0dcd24fe6ca79235c1f744bcc43c1c6b7facff8ae8e4d |
C:\Windows\System\bqKwpGL.exe
| MD5 | 2272b0ae1a2094663fc78a2c36749afa |
| SHA1 | 2d974d3d44c695507cdebd3071cfe9f664de2242 |
| SHA256 | 358c21447dc9ca6a749052b78e6bf712015164a48b619380ac8045a521ae20d3 |
| SHA512 | e1ad7a7cf14e0d9519a414db626dc8d4c69fdc9a9854e412f9d68090ea803992ad0013f1e72beb24a7758f0841dee67d669038ed3daa68e88725e1778d0e28bc |
C:\Windows\System\oVNIaZS.exe
| MD5 | 2782128d1fea03269402f1e52b14d78c |
| SHA1 | ca027b7f199c0ea8bb7a65f33df7fa01c5979db6 |
| SHA256 | 8fee02373d81536a3196622d2f9f800e8e64f0f366951caaae6728adfa259163 |
| SHA512 | 7759219e932c5f351bdb5458c303fb3c43cdfce684a27fd050dfa003db3ba83a48a14153548f6ad726da18025aafaf2f70bac7ef9331b3e9dbd555695fd94c8e |
C:\Windows\System\KZDDmOM.exe
| MD5 | d8b478c8c16c45d21315751706fab285 |
| SHA1 | fb2cb769dcb2bd831a0ca13aeac6d0314274c169 |
| SHA256 | d62611452cecb1d51092c3478dab659d2e723c9453641938cafb4252dbfd132b |
| SHA512 | de71181aa5d23bbbcb605c55bf2e28eed00d9988f8e52899fd2a067ee3295ce5c87e13db26f6ff3934a2d4757e4ceb91bb93c9641b6b36a18a917d092ab5b4a6 |
C:\Windows\System\UMCEciV.exe
| MD5 | 4e23209b6f525d461622ed3869d19caf |
| SHA1 | 64164f9b5602f543cd1f1e4cca9a924022050b72 |
| SHA256 | 86d17e25f5598b103415cb36b07d6ce4808ed139d5f879fa03b830aeb204e4f8 |
| SHA512 | d18edf24e5b6c96c6af2c9b04537dbff046c5668ad53dea9633e59c46c82bf3850d2e548eedffd2cfe84ce5a5ad9a423ae8d546a1aa9aabc1a9c526beb37825c |
C:\Windows\System\oPGExzn.exe
| MD5 | db0450d3ee74cc1d849ada87e70360cf |
| SHA1 | baff138558fa066a659c095aa19dd6df8d248ae8 |
| SHA256 | cc345f3e5c047736cb948936ed9d65337d81ddc5ad34a5c741622037536e5f32 |
| SHA512 | 1f162c9eb879b76b7fdb425f824c69179c919bc8b4471c84b98a41ef34cd6203c33451c3e56519fc2e34d576459b563ef9117d620e74dfed44977770db3cd722 |
C:\Windows\System\sFcBskH.exe
| MD5 | 7a0860b0fae17248543abd137af4bc46 |
| SHA1 | 5221577629113d42b28d4fdac062da58812fc533 |
| SHA256 | b949da3146bc3ceaba1ca4568070cbd940d9ccdd697e986b37bfe2fe20daf62e |
| SHA512 | 2e3f94864bb5dcd98bfbbb2467438b320e88b29ff90b7d5739fb6d664be2ff71ead3f7292569d5cd0972c19f88cf54b5b057b1d3e916516e06d0eaaf187a82b4 |
C:\Windows\System\NGrzQMh.exe
| MD5 | 5fe0e146d4139862fd46efdf8586d546 |
| SHA1 | aadeba824b2a4ae4455d171bd6b118d3a2707e98 |
| SHA256 | 20637d7a50702b8e9b3c5713b243e14bcf38b2bfdef2a335dbd22f671caa9353 |
| SHA512 | 7f4de776e8360b5fc00bec13d2a36dbc772b35af17692593f33c7a6257994cb135be3c4d3f2dfe3f9aa5ffa75c3426461d76645004ca8db90ce8afd88ffdf246 |
C:\Windows\System\WPApVkY.exe
| MD5 | 0264f71b176a3d493865ccb5d0329bc9 |
| SHA1 | 5ce17ff137fcda70511ed4a2a39ae96fb1d467f0 |
| SHA256 | 0ae82ea35b9d5e447cc3bbc6ab9799eb72c94253f2ff52611442ea53b23e80e8 |
| SHA512 | c4d26c5620c3bf115b27c87ed6a80d81f26a6d268aca146d116a7e298b89db11f706cb848b53e470d653c647a9c7a38b031afa4ce91f1ec23c338d7f8f0acc8f |
C:\Windows\System\JZoVrbZ.exe
| MD5 | 4f5b835e578363e224c767164d330dc1 |
| SHA1 | 2205b348880e62e43faa1528cabb9dd499c04e36 |
| SHA256 | 728d36e6188839a91d797b3a640b764bef3605e9304c674d12f4279c88ac2dd0 |
| SHA512 | a8e51793e7b231b26fdb0533f2a66be279f9906cc1bb74ee3714ed300ff6a76ef6e61b51d789715164d33aa73eda6c3b894ac84deb1754bf1d9e0aa57158da00 |
C:\Windows\System\fTCTZBo.exe
| MD5 | ee015bdb8d4317a225e9b67874b62bc1 |
| SHA1 | 6c673a61bf4b0035024455fe1ff0e85ccc6646be |
| SHA256 | dcbf417196cc92f62d08eaff6363ca2b2a256ad8d35f7c1fa35a8eb5812d5ac2 |
| SHA512 | a9dc792e54d880e5a0a302a8864413fccf8199f2123219cf68f821ad46fceb330b3193621d89aa72e806c1ec33a82f44ebe83c503149496e4ab1fa45b9bb2b47 |
C:\Windows\System\EJmCfoa.exe
| MD5 | 5a54533c21b69e493e7569ed0319d175 |
| SHA1 | 344c185e724826fef107f0cbf7f62dfb7dedae8b |
| SHA256 | 05d0290313333fa8a36e5537cdefac97d9a1ea53884fb9ea031762b0b2dd6de2 |
| SHA512 | ea930e4219ef7156a33b021d5b9388a9fcb0ee6b76eb863f35d82944538c619d4b360c5417942e8c7d960148ba915ee954da9d0636f14c91a0cc12556cf2b982 |
C:\Windows\System\sduagDc.exe
| MD5 | 6bf00e20dd0e9dfb143b618ebe110ecf |
| SHA1 | f03794ed28d5cc24603e553de5ae398005694860 |
| SHA256 | a7fcb5e150112d6c30bece0d9eab065491948dd6c8f164eb5fd6cc11dcf64c85 |
| SHA512 | 70e08c58d2f28a3edace63ae26d298471d1dc9a762f7749046561a6b85c3cb0b11871058c304d4de327613047b9a11b3f5944e4b3830441a8be965b5959e64c3 |
C:\Windows\System\migTdPn.exe
| MD5 | 50189b91c5dc8f2422421b3daf0de381 |
| SHA1 | 75c110d4fb74fafdef43825598c772b0672b86e3 |
| SHA256 | 83acf065be083efff06654d64497d25e51b26371abb4d6fd4ef61672b914ee6a |
| SHA512 | 6f23c5a74065ffd19c968dc3177a166e9b220c5af426fde62b5033ae0c6219cc698412722352cbfa61d3c12194b8673a93dfb8edb9c91eff9d7ab5264d867923 |
C:\Windows\System\uCdGnqh.exe
| MD5 | dd6d7330b9237e0b8c74574a5a9a2d64 |
| SHA1 | d0709ce2192fb9b3fcff083910bacf0130b9474f |
| SHA256 | ef24defb15798a2f2bd5bca3d1a7ed7c719a457bea9968e8acaa0d2706047356 |
| SHA512 | 88779d64eb2fa933c60bb343b0b5215eb5ea715db263ea007191a8954345defd1312d5c93d8467a6953b99eb360c2429e61c9bc784f055014e030f034a0cf30d |
C:\Windows\System\LJrQkjP.exe
| MD5 | f830b06e839d5125f3763045192ddf09 |
| SHA1 | e594b0b7f0c620f6fc41a5514a263719b726b13d |
| SHA256 | 214e4169b13545467c6c82c7cd2d814ab5a58ec4da322917ac926a33a1b6b360 |
| SHA512 | c9ca609b04db5c6e02d7c3dc018d2ad53e51276f9bf0f5245633ad52592b2e5fa45182406f3d54e3ac88958fb32c502ef1b06cc44a3341d364da30507ffe20b5 |
C:\Windows\System\oyBAOLX.exe
| MD5 | 4320c78dd59b557ea4ff24e68b2b0167 |
| SHA1 | 932a6637b03c158fc5e0a5c62bd0b52f7ee11981 |
| SHA256 | 9698cb3f82b8e66beccfc2d22bb85875b160b010e7bc495d88a9a1609e02f50b |
| SHA512 | ff791e15a013b1470c97c56d234925e0fdb10cb88b90d049c2ce584d1ba95cddfd41337d044810e5001ee293ccfa01aee31c76617c420f9071a777e25e0f6403 |
C:\Windows\System\sJLPEwK.exe
| MD5 | 5d32f6a8545db3df7a37df0d3f1a16c4 |
| SHA1 | b2eda805b2f89499afdbb974cd034e0e2497b335 |
| SHA256 | 46ca1902ba8ce1e9c4757762416dec1841de4d892e6480c361f445d844e755a8 |
| SHA512 | b18652193d64d79b3b8fa30a00d6b22dba3c0250f07baac049155055b190e6fb8a92bdd04596470d9fde8d0af3b5f9365f8c6cd43a66eec3a89cafe86f1b8418 |
C:\Windows\System\YQnSjvy.exe
| MD5 | 58aab2ca284dab165cbd528a2a8debd3 |
| SHA1 | 8e0568949ccf775d3319a8568d6f1758b6773721 |
| SHA256 | f29b59d2c62f3aeb5c01bc1d16d449bbcc62359bf0533fa6ddcfefa7795bf5e5 |
| SHA512 | 65501573c41521ac8587d1199d7fe50e72b88b47f06d40f9b73c3d2f4218ccd4597f463d4b154c04b2db7223537d3b50862a0c550957cce7e0271fb5a7e376ad |
C:\Windows\System\Aawpdxe.exe
| MD5 | 572c66fa45805a73896e72b693b5a7a8 |
| SHA1 | 333f8bf6e71c7e8e9923c5033664e5cfa85bbc04 |
| SHA256 | d0e056a57278918147fe67ed48d28cc0868681d0655b93ffcaf79276a952d101 |
| SHA512 | 1a53d8f0761f18b9ba0e6bf4d8d17784cdd9571cef1dff3264fa11cef8185a371f7d66eacdcfe59e73b1828f9da8769114718e41fdacaad8df7c09e4874299f1 |
C:\Windows\System\uAoqoDi.exe
| MD5 | b99c7556630e688f12c8f7f737e3f730 |
| SHA1 | df3585ebb245cec5c1d680f33fc26e0c52372dff |
| SHA256 | 8be43e6a01bb39f2845704c9ec0c442ac38926d5e09d0a64e3574cc1893be021 |
| SHA512 | dfc807b609bba7ab1540eeee91f7799459ad1c4c946d7de8cc3fe828730a87efa13c35daf375bf01884c35cc0a58e78f350bf3ddef56ee9ee5b8414767179565 |