Analysis Overview
SHA256
8eb295fa5533ba5f03e0053c166f7c1e4296cdef80d8d307a209736e541e5ed7
Threat Level: Known bad
The file 2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 20:01
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 20:01
Reported
2024-05-29 20:04
Platform
win7-20240221-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xdkILSj.exe | N/A |
| N/A | N/A | C:\Windows\System\IcPxMbg.exe | N/A |
| N/A | N/A | C:\Windows\System\fGkEWEJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JkMWpDV.exe | N/A |
| N/A | N/A | C:\Windows\System\DosVLMA.exe | N/A |
| N/A | N/A | C:\Windows\System\kVnlEOz.exe | N/A |
| N/A | N/A | C:\Windows\System\LNIrDgN.exe | N/A |
| N/A | N/A | C:\Windows\System\zAdetgs.exe | N/A |
| N/A | N/A | C:\Windows\System\uIPpedE.exe | N/A |
| N/A | N/A | C:\Windows\System\JJEzLYV.exe | N/A |
| N/A | N/A | C:\Windows\System\oZtMOWs.exe | N/A |
| N/A | N/A | C:\Windows\System\EoJedcU.exe | N/A |
| N/A | N/A | C:\Windows\System\SVVGZyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KHCSfcP.exe | N/A |
| N/A | N/A | C:\Windows\System\FPStyNU.exe | N/A |
| N/A | N/A | C:\Windows\System\oRWdcrz.exe | N/A |
| N/A | N/A | C:\Windows\System\yZBExeV.exe | N/A |
| N/A | N/A | C:\Windows\System\tIkSZdj.exe | N/A |
| N/A | N/A | C:\Windows\System\sXZGJnJ.exe | N/A |
| N/A | N/A | C:\Windows\System\HvZIqwx.exe | N/A |
| N/A | N/A | C:\Windows\System\TyFFMAL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xdkILSj.exe
C:\Windows\System\xdkILSj.exe
C:\Windows\System\IcPxMbg.exe
C:\Windows\System\IcPxMbg.exe
C:\Windows\System\fGkEWEJ.exe
C:\Windows\System\fGkEWEJ.exe
C:\Windows\System\JkMWpDV.exe
C:\Windows\System\JkMWpDV.exe
C:\Windows\System\zAdetgs.exe
C:\Windows\System\zAdetgs.exe
C:\Windows\System\DosVLMA.exe
C:\Windows\System\DosVLMA.exe
C:\Windows\System\JJEzLYV.exe
C:\Windows\System\JJEzLYV.exe
C:\Windows\System\kVnlEOz.exe
C:\Windows\System\kVnlEOz.exe
C:\Windows\System\oZtMOWs.exe
C:\Windows\System\oZtMOWs.exe
C:\Windows\System\LNIrDgN.exe
C:\Windows\System\LNIrDgN.exe
C:\Windows\System\EoJedcU.exe
C:\Windows\System\EoJedcU.exe
C:\Windows\System\uIPpedE.exe
C:\Windows\System\uIPpedE.exe
C:\Windows\System\SVVGZyJ.exe
C:\Windows\System\SVVGZyJ.exe
C:\Windows\System\KHCSfcP.exe
C:\Windows\System\KHCSfcP.exe
C:\Windows\System\FPStyNU.exe
C:\Windows\System\FPStyNU.exe
C:\Windows\System\oRWdcrz.exe
C:\Windows\System\oRWdcrz.exe
C:\Windows\System\yZBExeV.exe
C:\Windows\System\yZBExeV.exe
C:\Windows\System\tIkSZdj.exe
C:\Windows\System\tIkSZdj.exe
C:\Windows\System\sXZGJnJ.exe
C:\Windows\System\sXZGJnJ.exe
C:\Windows\System\HvZIqwx.exe
C:\Windows\System\HvZIqwx.exe
C:\Windows\System\TyFFMAL.exe
C:\Windows\System\TyFFMAL.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 20:01
Reported
2024-05-29 20:04
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\aVpCyrL.exe | N/A |
| N/A | N/A | C:\Windows\System\MnJVoQl.exe | N/A |
| N/A | N/A | C:\Windows\System\JkBXECu.exe | N/A |
| N/A | N/A | C:\Windows\System\IHclOAT.exe | N/A |
| N/A | N/A | C:\Windows\System\wPudVqc.exe | N/A |
| N/A | N/A | C:\Windows\System\gBHYxvO.exe | N/A |
| N/A | N/A | C:\Windows\System\mxXxsLc.exe | N/A |
| N/A | N/A | C:\Windows\System\DGbQtVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CJsgZSN.exe | N/A |
| N/A | N/A | C:\Windows\System\rQtJIIu.exe | N/A |
| N/A | N/A | C:\Windows\System\NPlNoDb.exe | N/A |
| N/A | N/A | C:\Windows\System\eTcjlBT.exe | N/A |
| N/A | N/A | C:\Windows\System\PkiQOEK.exe | N/A |
| N/A | N/A | C:\Windows\System\wcIiqoV.exe | N/A |
| N/A | N/A | C:\Windows\System\gEWImYr.exe | N/A |
| N/A | N/A | C:\Windows\System\ZCyeWhA.exe | N/A |
| N/A | N/A | C:\Windows\System\svhoKVz.exe | N/A |
| N/A | N/A | C:\Windows\System\kkdoCUH.exe | N/A |
| N/A | N/A | C:\Windows\System\miLIzHg.exe | N/A |
| N/A | N/A | C:\Windows\System\XiRJnQh.exe | N/A |
| N/A | N/A | C:\Windows\System\KAHfFff.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bf99aa5b69915ee7614baab51b8409d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\aVpCyrL.exe
C:\Windows\System\aVpCyrL.exe
C:\Windows\System\MnJVoQl.exe
C:\Windows\System\MnJVoQl.exe
C:\Windows\System\JkBXECu.exe
C:\Windows\System\JkBXECu.exe
C:\Windows\System\IHclOAT.exe
C:\Windows\System\IHclOAT.exe
C:\Windows\System\wPudVqc.exe
C:\Windows\System\wPudVqc.exe
C:\Windows\System\gBHYxvO.exe
C:\Windows\System\gBHYxvO.exe
C:\Windows\System\mxXxsLc.exe
C:\Windows\System\mxXxsLc.exe
C:\Windows\System\DGbQtVQ.exe
C:\Windows\System\DGbQtVQ.exe
C:\Windows\System\rQtJIIu.exe
C:\Windows\System\rQtJIIu.exe
C:\Windows\System\CJsgZSN.exe
C:\Windows\System\CJsgZSN.exe
C:\Windows\System\NPlNoDb.exe
C:\Windows\System\NPlNoDb.exe
C:\Windows\System\eTcjlBT.exe
C:\Windows\System\eTcjlBT.exe
C:\Windows\System\PkiQOEK.exe
C:\Windows\System\PkiQOEK.exe
C:\Windows\System\wcIiqoV.exe
C:\Windows\System\wcIiqoV.exe
C:\Windows\System\gEWImYr.exe
C:\Windows\System\gEWImYr.exe
C:\Windows\System\ZCyeWhA.exe
C:\Windows\System\ZCyeWhA.exe
C:\Windows\System\svhoKVz.exe
C:\Windows\System\svhoKVz.exe
C:\Windows\System\kkdoCUH.exe
C:\Windows\System\kkdoCUH.exe
C:\Windows\System\miLIzHg.exe
C:\Windows\System\miLIzHg.exe
C:\Windows\System\XiRJnQh.exe
C:\Windows\System\XiRJnQh.exe
C:\Windows\System\KAHfFff.exe
C:\Windows\System\KAHfFff.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.43.201.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/3560-0-0x00007FF675F00000-0x00007FF676251000-memory.dmp
memory/3560-1-0x000001C2D4960000-0x000001C2D4970000-memory.dmp
C:\Windows\System\aVpCyrL.exe
| MD5 | faf6b29c4f34fa309b044448258c72a0 |
| SHA1 | 7653d5127dcc64cd78fbc921fd1748780aa1eecc |
| SHA256 | cf6c307b8ae30ffd66ae12d0304329e7e6a47c38620b29ad8b7e714e862a82f5 |
| SHA512 | 6e1ab44d251239540496f3325fba4bc189da0104e919965ec951dcad9c023620d1269fddc64af52c8385d49b66377df9cba31ac865024b786c02def459c0514b |
memory/3552-8-0x00007FF69D560000-0x00007FF69D8B1000-memory.dmp
C:\Windows\System\MnJVoQl.exe
| MD5 | fc6ee45252a0f516de5067a2ae53033e |
| SHA1 | ba65253849bda21e64ccc0aa829273cfe9dcc2b0 |
| SHA256 | e00756fd446296b19658c9a95412d89e43c7f9dfe138dba324fb5012fb6965ce |
| SHA512 | 6304dce45ae1235551abeab521c66e3f70d157af87a365a12f273cc4f4e4c411aa96bb4268af34116836eb666631b2e5deb5c0e4e01e5d7ed31bbe9549fc337e |
C:\Windows\System\JkBXECu.exe
| MD5 | 36421678a85001913b01e0b80f7a82e5 |
| SHA1 | bb3127783b4066ab1dc21cfb01b004e40ec37261 |
| SHA256 | cce31fc2e26fdee14800fa761ff13bb2dabde4adbf0e9263ea43d03f2af7941a |
| SHA512 | 242435f2fc787051d6d8be2444e28fc43736fc1a9afd3ec0ed53f01246929ef518aa56550c7c59636fa34baaec928036d96658bbabbfb756aa0d26b4579d7235 |
memory/380-24-0x00007FF746870000-0x00007FF746BC1000-memory.dmp
C:\Windows\System\IHclOAT.exe
| MD5 | 11f493eb7e41f463ccc0c2e12adb5bd1 |
| SHA1 | b88ed2afb3182c2dffb5002b0b87583777332912 |
| SHA256 | e30aa91b3e2cdb67062f40b495ecacd64ff3e66689e3d2142a82f9663e34cd8f |
| SHA512 | 8e21ab5d3e359d6885a41d9ab57fd3a087da6eee27a03b925e7939cf2b8b0ecefacae16815ee5c365ad84d246422e7475f083eebac2f78cae840161041586554 |
memory/3324-20-0x00007FF7610E0000-0x00007FF761431000-memory.dmp
memory/2572-14-0x00007FF696E50000-0x00007FF6971A1000-memory.dmp
C:\Windows\System\wPudVqc.exe
| MD5 | 0f867467e8bfeb9602f77f5f97b28d7c |
| SHA1 | ef2297f8b4cf13ff887121e3e86ca2a352a9524c |
| SHA256 | 81d0043efba07099a20faaa75cae19df70d2eef9be6e4aa294ec829e6d424d4c |
| SHA512 | a09eab20b4b2931af42ba6bd77c29817f2268dc876646e635971d4164129efa9e5a728798c690167d6f71ff39cf5d37c4a376b058f034561581eef882933a60b |
C:\Windows\System\gBHYxvO.exe
| MD5 | b8f318949bc09b06162327801cd8a74a |
| SHA1 | cb4c407a9cccb4376f978396a98e77a9b021a7c7 |
| SHA256 | ee2a24c8b46ca08e8cbf1997934816e208e096f379bd7d92d9193549b22dd0a9 |
| SHA512 | 8ff1291a6c2e5e9af1ad4fa2fa7a52bcdee8e6f89bbacab854e742d8c6b8a74b2cfdf2d88f3e410a76ecc2e4d86f156d06de945971a9ed81fa82e7c318cf72df |
memory/1948-38-0x00007FF785B60000-0x00007FF785EB1000-memory.dmp
C:\Windows\System\mxXxsLc.exe
| MD5 | 964aecd2ef553d271d92865ca63b1833 |
| SHA1 | e0602424ff15602cb8caccb9400f99066225eb68 |
| SHA256 | 0a3e9e5d3ccbdbbc013092173c3a018dd12363a0e267a583446fb3e87135d38e |
| SHA512 | 4c85cf59cebbbc5b108a380c6bd53bc16cbf6babd2df2cffe746c0a6da53f96979c6ec31b45ab1aec6a183c6da17f1d266970585a323174ae307bbb1a6f7900c |
C:\Windows\System\DGbQtVQ.exe
| MD5 | 8487720a616b7ae4647cd5d9f73e793c |
| SHA1 | 0e1eb2d56d90a1469c2a3b0c1cd2f2e3ae1e2176 |
| SHA256 | 526f7625b97692f7a1b0780352c369ced5ae03c5dfcfc7b64c82c7235f21dd6d |
| SHA512 | 21220ec6dc00767ec3a727d4761c41994275d64381161fa402235adc7c0acbbf647e68957528eef846d274ea57c61bcb025bce4c608ed7f7e86e72980a3f7de8 |
memory/4688-30-0x00007FF6A2B50000-0x00007FF6A2EA1000-memory.dmp
C:\Windows\System\CJsgZSN.exe
| MD5 | b55b2e2fa2afd93dbd2644f29713aaba |
| SHA1 | c742925c35780af99f475b7aec5941ae451e4786 |
| SHA256 | 0f7f3f5d5571b66435072831e103721d676b4f7fee94d94d758199d47a5ece0e |
| SHA512 | 38d9b4ff4a4fc77729164bffcab2861084675c92c7c3d52e5706aedb7343d62d62cbd0f48749904967c381ea2fc9a567ae38252366eb377d38790bb486ad9c2c |
C:\Windows\System\rQtJIIu.exe
| MD5 | f053e1f82d77c56c1d559738b453ca06 |
| SHA1 | 781542b1bd22ec061999ddd20b92e5c6e5cf6443 |
| SHA256 | c95b9faac029e9cc5feb58859e91844f262be0386e200ca9c8c32e8d2b6de124 |
| SHA512 | 6f5863f4b7a358c793e40dd23077d3a29adb24ec77fc7aa38afe281dc09c5f743af2a88402b51f637cb6bbe5867a72210c5b3e4a5f0637f5216efb1f818aaac4 |
C:\Windows\System\gEWImYr.exe
| MD5 | cb53b51e069a941c947eed01bf937018 |
| SHA1 | c75f6c0c65ad35750878e5715b9dceb11799ccad |
| SHA256 | d5cb9694a65333fe9c342992bbb7cc7014f78148072d14a15d01f1aa9a5edab9 |
| SHA512 | d8b060bc3caac8366436277ca8637843396e566c78b8fecd879d137cd7f7d990b2c6616beffa0909081d6d2c0d8fa84fe98777cf82e96fa2d19b83e34d4b3ee4 |
C:\Windows\System\ZCyeWhA.exe
| MD5 | e2bb22990a6d56492ba8a2611cca307e |
| SHA1 | ddf5f62d0f869a32c8fe62a6fc2eecd4e5d5b721 |
| SHA256 | 8780e02e957b867b0e86762ca150000dc3744c76dbf016c9036e2695f8b13ae9 |
| SHA512 | 46e29f94ff62c5fd05682b2188c4ab835752dba966969189f214e1f4c56c4272e77bed9ab4d29c57329215faabec0a34d58542c41450a061e657802dc1cbd792 |
C:\Windows\System\miLIzHg.exe
| MD5 | 5a89f304524c7e49004d421445980f61 |
| SHA1 | 7dec6965391f519b854df72cc3382e0780999bb1 |
| SHA256 | 88f453b8e677498d5b3c9cee506b3b86989b76fea2d1897f1b8b1bce00b8a3c4 |
| SHA512 | 53556aefd7fcece9177ae2e20ec163a83d80880c81623d91ab314e42ca0bf64d16b250eadababc5608ace44ab38e050311bdc5152d3ca90fcff5467ad9bffaf6 |
C:\Windows\System\XiRJnQh.exe
| MD5 | ef3c5d717a3f3335182d8f2793544d1b |
| SHA1 | 121627cfc39c8737a66426d5cf27a31872557727 |
| SHA256 | 269977bebc6263ba795f10d38e9c4bfd159b1e832885c3ae0d8748b71926fbbe |
| SHA512 | e8da2c49283974f838d4df457d0893cff22fee00d4bc33c9c03b1f8781d70b48b0ed9cf5804c047d26dcf3a22428aa65c2e2b302f4e02acb1e7aa251018a2d08 |
C:\Windows\System\KAHfFff.exe
| MD5 | 807989f32a6c983e09c766c78b0cb8a1 |
| SHA1 | b1fea8a0532bb5fbedc5b129c8e05eb8c5ac3036 |
| SHA256 | 47d610019308af3e642b398c482d02a60ccc23831694b86f2956961f5da9f5a7 |
| SHA512 | 858eeb5330117a506a3feafb10e94fe09cddbd500bc46e8a5ce8275203763d4fe8e7e4839527acd1fb81355d2493913706ac729b67707057abc2b3702c51bfee |
C:\Windows\System\kkdoCUH.exe
| MD5 | 2161ee46c954372ef0c71b5f1225abf3 |
| SHA1 | 5128ad42c1ade9b8191d212834f2d324789443a6 |
| SHA256 | fae4d26ba8b6e4c0baac99c4cc93beb42abffb58610e0125b47534a01c287b2c |
| SHA512 | 1f999d425b72f16826cdb449304c5114a8c5f92a72b6dc4113982d8f68a191facea3a9a94d15fa19ea82853d3a96018cc25605962ec9699d48f5346af9d22336 |
C:\Windows\System\svhoKVz.exe
| MD5 | 823ec2c63181ed5feaa6aaca04e30dd2 |
| SHA1 | 3d1c6e790cc6f13b597b849e9cf0f4a3813a6add |
| SHA256 | 758119086b3db881aea1f7be4ff3ce16b96abc6f4efb10d6582224f870e97241 |
| SHA512 | 71820a14d1809318a700030a6eb85f1d421e54912c249e40195be16a1f8fcea096f80aa9fa2f20ee72ee8bd6a61de5a88eacd55a40fabc2ed3e71589b60dc4a1 |
C:\Windows\System\wcIiqoV.exe
| MD5 | 7d7ecb83128ac67aade7b57981d20403 |
| SHA1 | 5723850c55349cad056810f5ce02a8ff626cfb4e |
| SHA256 | a1cc10b400447ddf36b282934db2f909e87daf119f82e9e4e9d893a4dca4c187 |
| SHA512 | 5ccc43674485b2822731c915271477a61ed225f199e01ecb4ae472ba8a1dc0429e65942b3418ec4dfa0f909814d54d9df52793ec2ef94130248f70efe6e6bf5b |
C:\Windows\System\PkiQOEK.exe
| MD5 | 7555fb472e6eff1974c29796f538c753 |
| SHA1 | d37ea11ca5dc96ecf6bff420bbdfe16a5a140859 |
| SHA256 | 8f2bcf8a76e561417bb2fb8776cf3f64d5dab4227f7df3b80474e800fcc5ec08 |
| SHA512 | abd43d8d7b85ec5721e1ef13b38e7a8ad3ddf575ce7172ecbca6f095cda9fbd8f7a240b8426ded30b7982214a2ae39bdca38dcbb9f88d78b9be8fc65bab38291 |
C:\Windows\System\eTcjlBT.exe
| MD5 | 6f301cbef8af48635d78ac1da028588e |
| SHA1 | 62abffe5f9634bf0b76399b0a49db5100ac792f7 |
| SHA256 | 3086c379566fa7a7599beda88c512f8b0ca26f9fffd1a47dab80d8fd95144e04 |
| SHA512 | 14c1c179725f0d7a295324ad5b227dee6712ce0bcb69a4fa10df904388ee57fb2405d1940c0d15b171c3adae54db7ab8f116fbae124660fd3d17be1b694edea0 |
C:\Windows\System\NPlNoDb.exe
| MD5 | db2f63679fc5d0ec4fbcc983ce9f1241 |
| SHA1 | 54021d26c73f89281db783f3e720c8311fa135a5 |
| SHA256 | afe4ed2b106159e9780b12802433e1e30d9bf967720bdc36e5a6e2d7dcc470cb |
| SHA512 | 0063b4f9c0b2c380dee04082af0ab2494935a166f6d3ebe39eb227d26e3474cc9019848ae77c77ddae7b6ed5c7f9bfe9539bc5fa662b1f3cb1a9c3a33d1b50da |
memory/3280-57-0x00007FF7CAA30000-0x00007FF7CAD81000-memory.dmp
memory/5116-56-0x00007FF73D8B0000-0x00007FF73DC01000-memory.dmp
memory/3328-52-0x00007FF658A20000-0x00007FF658D71000-memory.dmp
memory/4628-116-0x00007FF7C8AA0000-0x00007FF7C8DF1000-memory.dmp
memory/3560-117-0x00007FF675F00000-0x00007FF676251000-memory.dmp
memory/3552-118-0x00007FF69D560000-0x00007FF69D8B1000-memory.dmp
memory/380-121-0x00007FF746870000-0x00007FF746BC1000-memory.dmp
memory/3328-124-0x00007FF658A20000-0x00007FF658D71000-memory.dmp
memory/3280-126-0x00007FF7CAA30000-0x00007FF7CAD81000-memory.dmp
memory/1948-123-0x00007FF785B60000-0x00007FF785EB1000-memory.dmp
memory/2104-129-0x00007FF716570000-0x00007FF7168C1000-memory.dmp
memory/1860-128-0x00007FF716150000-0x00007FF7164A1000-memory.dmp
memory/4688-122-0x00007FF6A2B50000-0x00007FF6A2EA1000-memory.dmp
memory/2808-130-0x00007FF785C00000-0x00007FF785F51000-memory.dmp
memory/4472-135-0x00007FF6C3960000-0x00007FF6C3CB1000-memory.dmp
memory/5024-134-0x00007FF7BC370000-0x00007FF7BC6C1000-memory.dmp
memory/3320-133-0x00007FF66F040000-0x00007FF66F391000-memory.dmp
memory/1068-132-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp
memory/2376-131-0x00007FF6DF150000-0x00007FF6DF4A1000-memory.dmp
memory/4296-137-0x00007FF7DAED0000-0x00007FF7DB221000-memory.dmp
memory/3036-138-0x00007FF79D370000-0x00007FF79D6C1000-memory.dmp
memory/592-136-0x00007FF67A1F0000-0x00007FF67A541000-memory.dmp
memory/3560-139-0x00007FF675F00000-0x00007FF676251000-memory.dmp
memory/3552-185-0x00007FF69D560000-0x00007FF69D8B1000-memory.dmp
memory/2572-187-0x00007FF696E50000-0x00007FF6971A1000-memory.dmp
memory/3324-189-0x00007FF7610E0000-0x00007FF761431000-memory.dmp
memory/380-191-0x00007FF746870000-0x00007FF746BC1000-memory.dmp
memory/4688-199-0x00007FF6A2B50000-0x00007FF6A2EA1000-memory.dmp
memory/1948-201-0x00007FF785B60000-0x00007FF785EB1000-memory.dmp
memory/5116-204-0x00007FF73D8B0000-0x00007FF73DC01000-memory.dmp
memory/3328-205-0x00007FF658A20000-0x00007FF658D71000-memory.dmp
memory/3280-207-0x00007FF7CAA30000-0x00007FF7CAD81000-memory.dmp
memory/4628-209-0x00007FF7C8AA0000-0x00007FF7C8DF1000-memory.dmp
memory/2808-212-0x00007FF785C00000-0x00007FF785F51000-memory.dmp
memory/1860-215-0x00007FF716150000-0x00007FF7164A1000-memory.dmp
memory/2104-214-0x00007FF716570000-0x00007FF7168C1000-memory.dmp
memory/2376-217-0x00007FF6DF150000-0x00007FF6DF4A1000-memory.dmp
memory/1068-229-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp
memory/4296-231-0x00007FF7DAED0000-0x00007FF7DB221000-memory.dmp
memory/592-228-0x00007FF67A1F0000-0x00007FF67A541000-memory.dmp
memory/3320-225-0x00007FF66F040000-0x00007FF66F391000-memory.dmp
memory/5024-224-0x00007FF7BC370000-0x00007FF7BC6C1000-memory.dmp
memory/4472-222-0x00007FF6C3960000-0x00007FF6C3CB1000-memory.dmp
memory/3036-220-0x00007FF79D370000-0x00007FF79D6C1000-memory.dmp
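The Network and Files sections above are the part of this report a responder actually reuses: the dropped paths and hashes go into an EDR hunt, the one raw TCP destination with no domain goes to the network team, and the memory-dump names tell you how large each injected image was. The script below is an added example, not the sandbox vendor's tooling; it parses the report text as laid out on this page. The `REPORT` string is a constructed excerpt of a few entries copied from the tables above (paths, hashes, dump names and network rows are verbatim; only the selection is reduced). It tolerates the blank Domain cell falling in either column, and it drops any `C:\...exe` path that has no hash block under it, so the process list at the top of the page does not pollute the file set.

```python
"""Turn the sandbox report's Files and Network sections into hunt-ready indicators.

Added example, not part of the original report or of any vendor tooling.
REPORT is a constructed excerpt of the tables on this page.
"""
import re
from collections import defaultdict

REPORT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3560-0-0x00007FF675F00000-0x00007FF676251000-memory.dmp
C:\Windows\System\aVpCyrL.exe
| MD5 | faf6b29c4f34fa309b044448258c72a0 |
| SHA1 | 7653d5127dcc64cd78fbc921fd1748780aa1eecc |
| SHA256 | cf6c307b8ae30ffd66ae12d0304329e7e6a47c38620b29ad8b7e714e862a82f5 |
memory/3552-8-0x00007FF69D560000-0x00007FF69D8B1000-memory.dmp
C:\Windows\System\MnJVoQl.exe
| MD5 | fc6ee45252a0f516de5067a2ae53033e |
| SHA1 | ba65253849bda21e64ccc0aa829273cfe9dcc2b0 |
| SHA256 | e00756fd446296b19658c9a95412d89e43c7f9dfe138dba324fb5012fb6965ce |
memory/3560-117-0x00007FF675F00000-0x00007FF676251000-memory.dmp
"""

FILE_RE = re.compile(r"^[A-Za-z]:\\.*\.(?:exe|dll)$", re.I)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|(.*)\|$")


def parse_files(text):
    """Map each dropped file path to its hashes; paths without a hash block are dropped."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if FILE_RE.match(line):
            current = line
            files[current] = {}
        elif current is not None:
            m = HASH_RE.match(line)
            if m:
                files[current][m.group(1).lower()] = m.group(2).lower()
            else:  # a memory-dump line or anything else ends the hash block
                current = None
    return {p: h for p, h in files.items() if h}


def parse_network(text):
    """Return (country, ip, port, domain, proto); domain is '' for connections with no name.

    The protocol is located by value, so a blank Domain cell may sit in either column."""
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, rest = m.groups()
        cells = [c.strip() for c in rest.split("|")]
        proto = next((c for c in cells if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in cells if c and c != proto), "")
        rows.append((country, ip, int(port), domain, proto.lower()))
    return rows


def raw_endpoints(rows):
    """TCP destinations reached with no domain name: the first candidates for beacon traffic."""
    return sorted({(ip, port) for _, ip, port, domain, proto in rows
                   if not domain and proto == "tcp"})


def memory_regions(text):
    """Per PID, the distinct (start, end, size) regions the sandbox dumped."""
    regions = defaultdict(set)
    for line in text.splitlines():
        m = MEM_RE.match(line.strip())
        if m:
            pid, _, start, end = m.groups()
            lo, hi = int(start, 16), int(end, 16)
            regions[int(pid)].add((lo, hi, hi - lo))
    return dict(regions)


def region_sizes(text):
    """Set of dumped region sizes; a single value means every process mapped an
    image of identical size even though the dropped files hash differently."""
    return {size for regs in memory_regions(text).values() for _, _, size in regs}


def hunt_list(text):
    """What a hunter pastes into an EDR query: SHA256s, dropped paths, raw TCP peers."""
    files = parse_files(text)
    return {
        "sha256": sorted(h["sha256"] for h in files.values() if "sha256" in h),
        "paths": sorted(files),
        "raw_tcp": raw_endpoints(parse_network(text)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt_list(REPORT), indent=2))
    print("region sizes:", [hex(s) for s in region_sizes(REPORT)])
```

Run over the full page rather than the excerpt, every `0x00007FF...` image region for every PID comes out at 0x351000 bytes, while the single low `0x000001C2D4960000` range dumped for PID 3560 is 0x10000 bytes; the dropped executables in `C:\Windows\System\` therefore share one image layout despite each carrying a different MD5/SHA256, which is the property to key a hunt on (path pattern plus image size) when the hashes alone will not hold across samples.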