Analysis Overview
SHA256
1aa8b57da2a6a4bbdd6dcaaf1f3eb358046bcb27da475e4a1dac513ae096c078
Threat Level: Known bad
The file 2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 20:46
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 20:45
Reported
2024-05-29 20:48
Platform
win7-20240221-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\depYSMP.exe | N/A |
| N/A | N/A | C:\Windows\System\PWBQaiY.exe | N/A |
| N/A | N/A | C:\Windows\System\FRvSJQt.exe | N/A |
| N/A | N/A | C:\Windows\System\bbslQCI.exe | N/A |
| N/A | N/A | C:\Windows\System\RbCAmnD.exe | N/A |
| N/A | N/A | C:\Windows\System\kTqVaZP.exe | N/A |
| N/A | N/A | C:\Windows\System\GrhYwwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GerMiTp.exe | N/A |
| N/A | N/A | C:\Windows\System\PEFsJCB.exe | N/A |
| N/A | N/A | C:\Windows\System\rkFgYLg.exe | N/A |
| N/A | N/A | C:\Windows\System\fPlKHhT.exe | N/A |
| N/A | N/A | C:\Windows\System\jWEysbB.exe | N/A |
| N/A | N/A | C:\Windows\System\buaTQQS.exe | N/A |
| N/A | N/A | C:\Windows\System\ckAgqrE.exe | N/A |
| N/A | N/A | C:\Windows\System\qGqPKDw.exe | N/A |
| N/A | N/A | C:\Windows\System\hEzHtQP.exe | N/A |
| N/A | N/A | C:\Windows\System\kXFEGdd.exe | N/A |
| N/A | N/A | C:\Windows\System\orzWCnv.exe | N/A |
| N/A | N/A | C:\Windows\System\ieUQYdq.exe | N/A |
| N/A | N/A | C:\Windows\System\ulwFruR.exe | N/A |
| N/A | N/A | C:\Windows\System\LcAeCIS.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\depYSMP.exe
C:\Windows\System\PWBQaiY.exe
C:\Windows\System\FRvSJQt.exe
C:\Windows\System\bbslQCI.exe
C:\Windows\System\RbCAmnD.exe
C:\Windows\System\kTqVaZP.exe
C:\Windows\System\GrhYwwZ.exe
C:\Windows\System\GerMiTp.exe
C:\Windows\System\PEFsJCB.exe
C:\Windows\System\rkFgYLg.exe
C:\Windows\System\jWEysbB.exe
C:\Windows\System\fPlKHhT.exe
C:\Windows\System\ckAgqrE.exe
C:\Windows\System\buaTQQS.exe
C:\Windows\System\hEzHtQP.exe
C:\Windows\System\qGqPKDw.exe
C:\Windows\System\orzWCnv.exe
C:\Windows\System\kXFEGdd.exe
C:\Windows\System\ieUQYdq.exe
C:\Windows\System\ulwFruR.exe
C:\Windows\System\LcAeCIS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 20:45
Reported
2024-05-29 20:48
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\depYSMP.exe | N/A |
| N/A | N/A | C:\Windows\System\PWBQaiY.exe | N/A |
| N/A | N/A | C:\Windows\System\FRvSJQt.exe | N/A |
| N/A | N/A | C:\Windows\System\bbslQCI.exe | N/A |
| N/A | N/A | C:\Windows\System\RbCAmnD.exe | N/A |
| N/A | N/A | C:\Windows\System\kTqVaZP.exe | N/A |
| N/A | N/A | C:\Windows\System\GrhYwwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GerMiTp.exe | N/A |
| N/A | N/A | C:\Windows\System\PEFsJCB.exe | N/A |
| N/A | N/A | C:\Windows\System\rkFgYLg.exe | N/A |
| N/A | N/A | C:\Windows\System\jWEysbB.exe | N/A |
| N/A | N/A | C:\Windows\System\fPlKHhT.exe | N/A |
| N/A | N/A | C:\Windows\System\ckAgqrE.exe | N/A |
| N/A | N/A | C:\Windows\System\buaTQQS.exe | N/A |
| N/A | N/A | C:\Windows\System\hEzHtQP.exe | N/A |
| N/A | N/A | C:\Windows\System\qGqPKDw.exe | N/A |
| N/A | N/A | C:\Windows\System\orzWCnv.exe | N/A |
| N/A | N/A | C:\Windows\System\kXFEGdd.exe | N/A |
| N/A | N/A | C:\Windows\System\ieUQYdq.exe | N/A |
| N/A | N/A | C:\Windows\System\ulwFruR.exe | N/A |
| N/A | N/A | C:\Windows\System\LcAeCIS.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1d8f35be68791c0bac8fadb309353e63_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\depYSMP.exe
C:\Windows\System\PWBQaiY.exe
C:\Windows\System\FRvSJQt.exe
C:\Windows\System\bbslQCI.exe
C:\Windows\System\RbCAmnD.exe
C:\Windows\System\kTqVaZP.exe
C:\Windows\System\GrhYwwZ.exe
C:\Windows\System\GerMiTp.exe
C:\Windows\System\PEFsJCB.exe
C:\Windows\System\rkFgYLg.exe
C:\Windows\System\jWEysbB.exe
C:\Windows\System\fPlKHhT.exe
C:\Windows\System\ckAgqrE.exe
C:\Windows\System\buaTQQS.exe
C:\Windows\System\hEzHtQP.exe
C:\Windows\System\qGqPKDw.exe
C:\Windows\System\orzWCnv.exe
C:\Windows\System\kXFEGdd.exe
C:\Windows\System\ieUQYdq.exe
C:\Windows\System\ulwFruR.exe
C:\Windows\System\LcAeCIS.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files