Analysis Overview
SHA256
777086a86d24fe9e3719915d1b2cc3aa3bc53389d0907d07da451cf8eef51700
Threat Level: Known bad
The file 2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:47
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| 2 signature hits, no indicator details recorded | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:47
Reported
2024-05-30 00:50
Platform
win7-20240419-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 signature hits, no indicator details recorded | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 signature hits, no indicator details recorded | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 signature hits, no indicator details recorded | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 39 signature hits, no indicator details recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YgSCoXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\idrgFrx.exe | N/A |
| N/A | N/A | C:\Windows\System\wszFfcO.exe | N/A |
| N/A | N/A | C:\Windows\System\stlfYOm.exe | N/A |
| N/A | N/A | C:\Windows\System\doVPBtt.exe | N/A |
| N/A | N/A | C:\Windows\System\rcodMRJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JRHsrqn.exe | N/A |
| N/A | N/A | C:\Windows\System\yQiDCJe.exe | N/A |
| N/A | N/A | C:\Windows\System\ExNRKTo.exe | N/A |
| N/A | N/A | C:\Windows\System\JjKKPFb.exe | N/A |
| N/A | N/A | C:\Windows\System\LpRXKtr.exe | N/A |
| N/A | N/A | C:\Windows\System\VqnuzWr.exe | N/A |
| N/A | N/A | C:\Windows\System\qkiVbmP.exe | N/A |
| N/A | N/A | C:\Windows\System\hfueTXi.exe | N/A |
| N/A | N/A | C:\Windows\System\TbBBJEf.exe | N/A |
| N/A | N/A | C:\Windows\System\stJFrfg.exe | N/A |
| N/A | N/A | C:\Windows\System\TkrvOto.exe | N/A |
| N/A | N/A | C:\Windows\System\ihwQUdO.exe | N/A |
| N/A | N/A | C:\Windows\System\PdiUZHn.exe | N/A |
| N/A | N/A | C:\Windows\System\GYBCYxz.exe | N/A |
| N/A | N/A | C:\Windows\System\OMzcoCJ.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 64 signature hits, no indicator details recorded | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YgSCoXQ.exe
C:\Windows\System\YgSCoXQ.exe
C:\Windows\System\idrgFrx.exe
C:\Windows\System\idrgFrx.exe
C:\Windows\System\wszFfcO.exe
C:\Windows\System\wszFfcO.exe
C:\Windows\System\stlfYOm.exe
C:\Windows\System\stlfYOm.exe
C:\Windows\System\doVPBtt.exe
C:\Windows\System\doVPBtt.exe
C:\Windows\System\rcodMRJ.exe
C:\Windows\System\rcodMRJ.exe
C:\Windows\System\JRHsrqn.exe
C:\Windows\System\JRHsrqn.exe
C:\Windows\System\yQiDCJe.exe
C:\Windows\System\yQiDCJe.exe
C:\Windows\System\ExNRKTo.exe
C:\Windows\System\ExNRKTo.exe
C:\Windows\System\JjKKPFb.exe
C:\Windows\System\JjKKPFb.exe
C:\Windows\System\LpRXKtr.exe
C:\Windows\System\LpRXKtr.exe
C:\Windows\System\VqnuzWr.exe
C:\Windows\System\VqnuzWr.exe
C:\Windows\System\qkiVbmP.exe
C:\Windows\System\qkiVbmP.exe
C:\Windows\System\hfueTXi.exe
C:\Windows\System\hfueTXi.exe
C:\Windows\System\TbBBJEf.exe
C:\Windows\System\TbBBJEf.exe
C:\Windows\System\stJFrfg.exe
C:\Windows\System\stJFrfg.exe
C:\Windows\System\TkrvOto.exe
C:\Windows\System\TkrvOto.exe
C:\Windows\System\ihwQUdO.exe
C:\Windows\System\ihwQUdO.exe
C:\Windows\System\PdiUZHn.exe
C:\Windows\System\PdiUZHn.exe
C:\Windows\System\GYBCYxz.exe
C:\Windows\System\GYBCYxz.exe
C:\Windows\System\OMzcoCJ.exe
C:\Windows\System\OMzcoCJ.exe
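The process tree above has a shape that is easy to alert on: one unsigned parent launches 21 executables with seven-letter random names, all written to C:\Windows\System (the legacy 16-bit directory, not System32, which on a normal install rarely gains new .exe files), and the parent also requests SeLockMemoryPrivilege, the privilege XMRig needs for large-page allocation. The script below is an added example, not part of the sandbox output: it runs that rule over constructed process-creation events in the shape of the tree above (the PIDs, the benign rows and the `signed` flag are assumptions for the example) and flags a parent only once it has spawned several such children, since a single hit on its own is weak evidence.

```python
import re
from collections import defaultdict

# The dropped executables all live in C:\Windows\System (legacy directory, not
# System32) and carry 7-letter mixed-case names. Both traits are cheap to match on.
LEGACY_SYSTEM_DIR = r"c:\windows\system"
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")

# Constructed process-creation events mirroring the sandbox tree above; PIDs,
# the benign rows and the "signed" flag are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 2948, "ppid": 1100,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe",
     "signed": False},
    {"pid": 3028, "ppid": 2948, "image": r"C:\Windows\System\YgSCoXQ.exe", "signed": False},
    {"pid": 3008, "ppid": 2948, "image": r"C:\Windows\System\idrgFrx.exe", "signed": False},
    {"pid": 4100, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe", "signed": True},
    {"pid": 3056, "ppid": 2948, "image": r"C:\Windows\System\wszFfcO.exe", "signed": False},
    {"pid": 4200, "ppid": 800, "image": r"C:\Windows\System32\conhost.exe", "signed": True},
]


def is_suspicious_drop(image_path):
    """True for an .exe with a 7-letter alphabetic name sitting directly in C:\\Windows\\System."""
    directory, _, name = image_path.rpartition("\\")
    return directory.lower() == LEGACY_SYSTEM_DIR and RANDOM_NAME_RE.match(name) is not None


def find_spawners(events, threshold=3):
    """Group unsigned suspicious children by parent PID and return parents at or above threshold.

    One random-named child is weak evidence; the behaviour worth alerting on is a
    single parent launching many of them in succession, as the sandbox tree shows.
    """
    children = defaultdict(list)
    for ev in events:
        if is_suspicious_drop(ev["image"]) and not ev.get("signed", False):
            children[ev["ppid"]].append(ev["image"])
    return {ppid: imgs for ppid, imgs in children.items() if len(imgs) >= threshold}


if __name__ == "__main__":
    for ppid, imgs in find_spawners(SAMPLE_EVENTS).items():
        print(f"parent {ppid} launched {len(imgs)} random-named executables from {LEGACY_SYSTEM_DIR}:")
        for img in imgs:
            print("  ", img)
```

The directory comparison is case-insensitive on purpose: the signature tables above write the path as `C:\Windows\System\...` while the Files list writes `\Windows\system\...`, and an EDR will emit whichever casing the process used. Pair the rule with the `SeLockMemoryPrivilege` event from the AdjustPrivilegeToken table if your telemetry carries token changes; the two together are specific to this dropper-plus-miner pattern.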
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2948-0-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2948-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\YgSCoXQ.exe
| MD5 | dcba41a721f6d1d4c7618c79215c3fab |
| SHA1 | abf7a6469aaf7ee55160f82789ff43196749c800 |
| SHA256 | 44d4894a58d6505cd5a413bd28786d1d5d78f9996a60e5de2c8ff2bb14d60122 |
| SHA512 | 6e287b2746c8fd7afdda21979b1e06c8901712f6d0b7abd3bc8220d0956448767ad99a372100381384456301b4b77139cb4bc7c7a2335be9e25c3cc73fe5f953 |
memory/3028-7-0x000000013F610000-0x000000013F961000-memory.dmp
\Windows\system\idrgFrx.exe
| MD5 | 6b16ee9e0859122b188005178accdc09 |
| SHA1 | 17229497ea7b3a7aea688f0787b518fb8134f077 |
| SHA256 | a9fa60b0d2fcc77bf643c867066cd114d6f1c0b5b78df3547a2c2d2ddfcfedf8 |
| SHA512 | 4ab95c27244f383df2a8a78872b2d6c16d3274753ef3e92338738be962d745abb69da89cb5ad1f3e5b63de5b5757d36703ebbc786e50ea3ba965f2ae5d6e363b |
memory/3008-13-0x000000013F0C0000-0x000000013F411000-memory.dmp
\Windows\system\wszFfcO.exe
| MD5 | e4b905407f7191e249d847081a59201e |
| SHA1 | fdd72017ddd9c22bf61ffbe0276b75ef1f744f1a |
| SHA256 | 48a8d45ea70d9468b011193ef61b88f2306d92a5f59b91eb4e08697f62ababd5 |
| SHA512 | 796aced9aae880be614d0c116ff2c7c61ac03169ab375979fcdf704853dfa96cdb81395af29ef69c5be2df220cb7406c181ceeee0c3df82bbe644ccf07eb20eb |
memory/2948-27-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2700-25-0x000000013F2C0000-0x000000013F611000-memory.dmp
C:\Windows\system\stlfYOm.exe
| MD5 | bf5b2ae13f08fe945ce5922f965c5a9a |
| SHA1 | 60d958529da5dc761b0511ceace68048c9651d4d |
| SHA256 | 9acf476b549232188e67334a8aff3b50a0b3b1f99a7922f439aa2fd5b7a16b78 |
| SHA512 | 11d6e591de6414be3ad19f7da4cbd6df4d8611541a75f1af2d477ed15d27b74776082ae85ab43c561dec4c788bc61606dc9d1c044a331767e48122ce3fc3c938 |
memory/2948-19-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/2660-33-0x000000013FB70000-0x000000013FEC1000-memory.dmp
C:\Windows\system\rcodMRJ.exe
| MD5 | f7fe8b6cac1b3c8d252a20eb2c3c589f |
| SHA1 | 6a31f2f112eccf1645a4811c53c90203def0a4bf |
| SHA256 | 011e2dbaccb872a5d2cc9bc118b706b3c7ed89af5d1dd8d53272bf051d4ce283 |
| SHA512 | 5cf3ee9e0f12e78613b0e6f79593dae0731b4e28704085d1d167330a85ca72b0f74acdd3b39eb2967eb0a81a659b76a5bf1b62058827d542fa4323714072f8cf |
memory/2304-40-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2948-54-0x000000013FF30000-0x0000000140281000-memory.dmp
C:\Windows\system\yQiDCJe.exe
| MD5 | ee49a0f3f1348d68fba9616fd03b5f1f |
| SHA1 | 2329f1ab70bf47c9cfa9eb6595fb9fc21afdaa27 |
| SHA256 | a384649daadd49ce5b279a63b810eeff2045c34de7ba3dce28a24e9a22cdd63b |
| SHA512 | 992d359e8ba2d670f5677f8a20ae0c4c958b7623d5f5a13dfc893fd41addcff6424eee1a13f5079dc3724a4d3bfa2e4d2b72b37c9e299edd079d57fa2c9340ff |
memory/2536-67-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2840-48-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2948-83-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/2436-78-0x000000013F290000-0x000000013F5E1000-memory.dmp
C:\Windows\system\hfueTXi.exe
| MD5 | dfd3bf156d31f0d56c8e4340bc1b80d9 |
| SHA1 | 54354ea84e2edc380da9b338f1380d430014ef56 |
| SHA256 | c2bc402ae6caecdf1af01c0010628ca53e16a35088bfa823fbb9e6766778dc2c |
| SHA512 | 9a2acc178b34411eed8b293fd30287daefaf66dadbc7c3c76ffdfdf0e4dbb5f997cbc26c0f1f25715a0f283b39033a047758ecab4f7053300b95e0a099fb7490 |
C:\Windows\system\stJFrfg.exe
| MD5 | 87bb2b6775d1328ece4b10ff755f9777 |
| SHA1 | fe32b6cc3935f811b19dcec4f5d448185fdb7663 |
| SHA256 | ec06facf3322fc02d44e24590d862b0b3040b4d2eb3891196811aa580b7842b1 |
| SHA512 | e50699302755631aec2db3ef1acf4febe959220fdd7581a011ebf816074b1a4e94aa5df856e4c8ea29d4a1c24df8911ba6a4c1d095bcda1dae96b8da20fbf853 |
C:\Windows\system\PdiUZHn.exe
| MD5 | 796be207f15bcf0acc846dfcaa4250da |
| SHA1 | be8792ab95ab4fbed02753ffdfb6c019f50834e3 |
| SHA256 | 26012c567eda85ad89c96801af611c985ecfd46ed3851ce6e08c61e94e559bd2 |
| SHA512 | 481431cb051e79eff31b9656e8c368bde695af3a10de6b79d7481346976aacd1c231102ed08d1056a613a92a7829c0ce3bb230ec40b54ddd7ded8f0a499a73a8 |
C:\Windows\system\GYBCYxz.exe
| MD5 | 372ffe298985e9d00ba92c626a37590f |
| SHA1 | c2a640e93098ebc4c362d1f3542c8de6a1ebaa7f |
| SHA256 | b61ae677b4c4a29aac16ae86572c6ef19fa3f7c5ebedddd1975777d4d8b27382 |
| SHA512 | 44a7d47c04f039fb0cd50be58491bb1789a7d4d7ac8e382a20c0118128c1349fa456267e148443ba6a13b5853476deaee5278643dd314b36b32738eedf789881 |
\Windows\system\OMzcoCJ.exe
| MD5 | 9dd2daff20aeed3fb067a69566ac6997 |
| SHA1 | 8fadeec8cc6562a463593f2ce581cdb6d2aa3e48 |
| SHA256 | a9bbbd04ab6e498f4d2e4edf2589d10875489b71406265ffce983ebeaa7bed4a |
| SHA512 | 60ba3e83f3d878b48c06682fffc771d7fabca8bc8c0215b299c98776682b6aeeb2ec36989023cfca2f0e8ca753039fbeaf023887d8a2e632688ae22db8808e2b |
C:\Windows\system\ihwQUdO.exe
| MD5 | 6511aefc5fc06574c0fe22a643563f83 |
| SHA1 | ec81c93051194bba28e65f0841689ca5dd77b407 |
| SHA256 | 9b1c522f127eaeae17164384a1013d81f6beb75ba1a0913749da3f8e54f03b98 |
| SHA512 | abc25d56db060b375d455b928f23f4b419b92a0e5bf1969d263ad451f0cb3f7670907b8c5a386bca0aba3110a8f60d4cf060e570a788d08e2728598036942c47 |
C:\Windows\system\TkrvOto.exe
| MD5 | d5a82993ca49c849ab0ac0ffc0aec7b7 |
| SHA1 | 60f6865e129b287e240682c4a31ef072e8f7ce14 |
| SHA256 | 2cb3d3ab8b78f7e2ea04cfd7eac1ddb0f29d310ba352c0ab1b47db9adff4c7c9 |
| SHA512 | c1bcad676aeea635abbce87908bd0947d52f2423a3558ebf69071d74db74826bd7c92dee021fcfa6a3eb09c39f1cb251f6922bcdc9ea417082a0743a1b772f51 |
memory/2428-139-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2948-108-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/2840-107-0x000000013FD50000-0x00000001400A1000-memory.dmp
C:\Windows\system\TbBBJEf.exe
| MD5 | 69575c054922e30a286dada63085681b |
| SHA1 | 239a24fb80c0e434ca49c6b6591ad0813d4540f7 |
| SHA256 | fdbe05a198ebab4cbbef5216b4e0c5c25056aaa94c432eb42082b3e3f85891fc |
| SHA512 | c7c39d16cf69c56be0e7afd703c358a9b9bfb60847533454387a1493cf7a069e68b77f4c2c07a9b84c262a5993479c609ba93e02b86201289c48ac2a3ae982d2 |
memory/2448-101-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2948-100-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/2304-99-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2976-92-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2948-91-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2660-90-0x000000013FB70000-0x000000013FEC1000-memory.dmp
C:\Windows\system\qkiVbmP.exe
| MD5 | 0b454c656537c0ea338571535f48dff7 |
| SHA1 | 5a5c095bd200890235f0eb1ded520d012f91ffb3 |
| SHA256 | b2b6f1c1e841f3cb348c87ab828e7337008731b9ad0866692f94e473aee5e068 |
| SHA512 | 2f7ef8d51fcc64f8c86c328fbb3178579d7b00ef095767f51915879c39b4950b0ea334c9f7262bcb0216beba0030fff3fd9e7a35838cbf476fcc60f33535fe39 |
memory/2700-77-0x000000013F2C0000-0x000000013F611000-memory.dmp
C:\Windows\system\LpRXKtr.exe
| MD5 | ae802754c53e89f910e0a19c5f98adca |
| SHA1 | c3c536e7ca0eb45b58a68194c08eb9bdd79a3d1d |
| SHA256 | 4a41754891bffd6d238bcfb08a0f40560e68dab880ba37360312cb5b72ea2111 |
| SHA512 | 19a57a5db96c2740e3a6d6e1273360eb935b246f3cd96577f4bb65292d77057ed8ff64a6dc89a9fc56d075693600fb1ee5627efdd8cb575f2cb8e905b03964c1 |
memory/2948-75-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/3056-74-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/3008-73-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2836-84-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2788-63-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/3028-62-0x000000013F610000-0x000000013F961000-memory.dmp
C:\Windows\system\ExNRKTo.exe
| MD5 | 60df4760e619d2c55ec5193aca74b3ca |
| SHA1 | 2f3b7cda0983c2d770a114c19689f8b822ce1290 |
| SHA256 | ca9e972692c95740a22c2658cde5e43f299f7066c6ffdea0579e8e2098e3f5c3 |
| SHA512 | 32d325dd02d9d0096835dc62b89fbcd3e03656c1bdc042247aa942b40ee5e1031f8ce0f428457a313637d44fb509f50ae58480fe584c7f6f1f1fbff05df4713c |
memory/2948-59-0x000000013F610000-0x000000013F961000-memory.dmp
C:\Windows\system\VqnuzWr.exe
| MD5 | a422acf0cdb4844a4193ad8d56957f12 |
| SHA1 | 23199314aee8a9940f76f080319aba94a4aedfd4 |
| SHA256 | cfc5d7609d307aa09cdc57584322432b4f9d04b7a69960ee2700f016aaedbd93 |
| SHA512 | 81d9f7f43c25c6a0e6bf84e2e199409bbb227b0a9bd4385190a027d886e94adab579af5d65ba335b5fdffdbe2619a61584beb89f29abe069db4591ba5706d17c |
memory/2948-47-0x00000000023F0000-0x0000000002741000-memory.dmp
C:\Windows\system\JRHsrqn.exe
| MD5 | 903f2b1e7617a2027738dd5a211fcb57 |
| SHA1 | 1f03f6733aad4d5e41eec3fadaabcf3f0680fbe1 |
| SHA256 | 8a37cfbe8ccbbcd2c790f67f037bb927d09b621261121bf1a656a0ee885ad7e5 |
| SHA512 | c3928d3a47bdaef29554b9b1ba33978985ebc192bb5a83f0d9853f7f95e107a92b206d7c13a16aaa44b33c54d25939c1a74ccde177ae6991e067f0459db5f1f5 |
C:\Windows\system\JjKKPFb.exe
| MD5 | a5bb4415b170727de148f4efc8112a82 |
| SHA1 | 561d01e99ed72808db6716b7802c494551b3d03f |
| SHA256 | be9cd002e9c8e91806b183732083a4c0c74c7f095b8b5c0789e0915192fea102 |
| SHA512 | aed88f11a43e599e90a98ee4e48b2f0d4c629ddc05dd96f7a105d76d595bc69d4a46d851f29b699a61a6eb556308a52efedf7b8070c3144523645f5814656440 |
memory/2948-39-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2948-32-0x000000013FB70000-0x000000013FEC1000-memory.dmp
C:\Windows\system\doVPBtt.exe
| MD5 | 4dfc1b1b55580ec1fac1cf806217a11b |
| SHA1 | c208655efccb3027f241364d5ead509c2a763c5f |
| SHA256 | a3cf55beadd86c3e7916b5f656043c1b2d2dce88b4c13a5696ad834df333db57 |
| SHA512 | bef97cf5ec11f81e549cf749d26b9136873b760822a52231db6997ccdee5c40e5cb83b0c579163cf7fb3c644b99ae788248b6da52c6a077fe65605892f4553d4 |
memory/3056-23-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2948-140-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2436-151-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2836-152-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2536-150-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2188-158-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2480-157-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/2948-162-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/1516-161-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2740-160-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2768-159-0x000000013F630000-0x000000013F981000-memory.dmp
memory/300-156-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/316-155-0x000000013FBF0000-0x000000013FF41000-memory.dmp
memory/2448-154-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2976-153-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2948-163-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/2948-164-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2948-171-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/3028-210-0x000000013F610000-0x000000013F961000-memory.dmp
memory/3008-212-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/3056-214-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2700-216-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2304-219-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2660-220-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2840-222-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2428-224-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2788-226-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2536-228-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2436-236-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2836-242-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2976-244-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2448-246-0x000000013FCD0000-0x0000000140021000-memory.dmp
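Every image-sized dump in the Files list above, whether it belongs to the parent or to one of the dropped children, spans exactly 0x351000 bytes (0x13FF30000 to 0x140281000, 0x13F610000 to 0x13F961000, and so on), and the parent (PID 2948) has dumps at the same addresses as the children's image bases (0x13F2C0000 is listed under both 2948 and 2700). The script below is an added example, not part of the sandbox output: it parses the dump file names and surfaces both patterns over a constructed subset of the entries above. A single repeated size across 21 differently-hashed droppers says they all unpack to one image, so the per-file hashes are weak IOCs and the unpacked image (the "UPX dump on OEP" hits) is what to cluster on; the same region appearing in parent and child is consistent with the WriteProcessMemory signature above, though the dump list alone does not show the direction of the copy.

```python
import re
from collections import defaultdict

# Dump names in the Files list have the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed subset of the dump names listed above: the parent (PID 2948) and two
# of the dropped children. Feed parse_dumps() the whole Files section for the full picture.
SAMPLE_DUMPS = """\
memory/2948-0-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2948-1-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/3028-7-0x000000013F610000-0x000000013F961000-memory.dmp
memory/2948-27-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2700-25-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2948-19-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/2948-59-0x000000013F610000-0x000000013F961000-memory.dmp
"""


def parse_dumps(text):
    """Turn dump file names into records with pid, sequence number, start, end and size."""
    regions = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def size_histogram(regions):
    """Count regions by size; one dominant size means one payload image being mapped repeatedly."""
    counts = defaultdict(int)
    for r in regions:
        counts[r["size"]] += 1
    return dict(counts)


def shared_regions(regions):
    """(start, size) pairs dumped from more than one PID, with the sorted PIDs holding them."""
    owners = defaultdict(set)
    for r in regions:
        owners[(r["start"], r["size"])].add(r["pid"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    regions = parse_dumps(SAMPLE_DUMPS)
    for size, n in sorted(size_histogram(regions).items(), key=lambda kv: -kv[1]):
        print(f"{n} region(s) of 0x{size:X} bytes")
    for (start, size), pids in shared_regions(regions).items():
        print(f"0x{start:X} (+0x{size:X}) present in PIDs {pids}")
```

On the full list the 0x351000 size dominates in both the win7 and the win10 run (the win10 parent maps it at 0x7FF7F09B0000), which is the practical reason to pull one of the OEP dumps and build detections on the unpacked code rather than on the 21 dropped files.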
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:47
Reported
2024-05-30 00:50
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 signature hits, no indicator details recorded | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 signature hits, no indicator details recorded | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 signature hits, no indicator details recorded | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 46 signature hits, no indicator details recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bRnhyyI.exe | N/A |
| N/A | N/A | C:\Windows\System\DMkgHam.exe | N/A |
| N/A | N/A | C:\Windows\System\fkikomS.exe | N/A |
| N/A | N/A | C:\Windows\System\SBOxtqX.exe | N/A |
| N/A | N/A | C:\Windows\System\tXSKXao.exe | N/A |
| N/A | N/A | C:\Windows\System\ttSRizW.exe | N/A |
| N/A | N/A | C:\Windows\System\TCEcjgw.exe | N/A |
| N/A | N/A | C:\Windows\System\RfbzzLA.exe | N/A |
| N/A | N/A | C:\Windows\System\GhFgqtq.exe | N/A |
| N/A | N/A | C:\Windows\System\VKbbQJE.exe | N/A |
| N/A | N/A | C:\Windows\System\VQjdfEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\wsygvsI.exe | N/A |
| N/A | N/A | C:\Windows\System\hIxwxom.exe | N/A |
| N/A | N/A | C:\Windows\System\JkAJZCE.exe | N/A |
| N/A | N/A | C:\Windows\System\SHerMTH.exe | N/A |
| N/A | N/A | C:\Windows\System\BRxJGPi.exe | N/A |
| N/A | N/A | C:\Windows\System\kkEmkXU.exe | N/A |
| N/A | N/A | C:\Windows\System\flbYdCb.exe | N/A |
| N/A | N/A | C:\Windows\System\ADihPZM.exe | N/A |
| N/A | N/A | C:\Windows\System\VJigUtE.exe | N/A |
| N/A | N/A | C:\Windows\System\ZGHroNa.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 signature hits, no indicator details recorded | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_2e6b7cc770979aafd121ae9579933f00_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\bRnhyyI.exe
C:\Windows\System\bRnhyyI.exe
C:\Windows\System\DMkgHam.exe
C:\Windows\System\DMkgHam.exe
C:\Windows\System\fkikomS.exe
C:\Windows\System\fkikomS.exe
C:\Windows\System\SBOxtqX.exe
C:\Windows\System\SBOxtqX.exe
C:\Windows\System\tXSKXao.exe
C:\Windows\System\tXSKXao.exe
C:\Windows\System\ttSRizW.exe
C:\Windows\System\ttSRizW.exe
C:\Windows\System\TCEcjgw.exe
C:\Windows\System\TCEcjgw.exe
C:\Windows\System\RfbzzLA.exe
C:\Windows\System\RfbzzLA.exe
C:\Windows\System\GhFgqtq.exe
C:\Windows\System\GhFgqtq.exe
C:\Windows\System\VKbbQJE.exe
C:\Windows\System\VKbbQJE.exe
C:\Windows\System\hIxwxom.exe
C:\Windows\System\hIxwxom.exe
C:\Windows\System\VQjdfEZ.exe
C:\Windows\System\VQjdfEZ.exe
C:\Windows\System\wsygvsI.exe
C:\Windows\System\wsygvsI.exe
C:\Windows\System\JkAJZCE.exe
C:\Windows\System\JkAJZCE.exe
C:\Windows\System\SHerMTH.exe
C:\Windows\System\SHerMTH.exe
C:\Windows\System\BRxJGPi.exe
C:\Windows\System\BRxJGPi.exe
C:\Windows\System\kkEmkXU.exe
C:\Windows\System\kkEmkXU.exe
C:\Windows\System\flbYdCb.exe
C:\Windows\System\flbYdCb.exe
C:\Windows\System\ADihPZM.exe
C:\Windows\System\ADihPZM.exe
C:\Windows\System\VJigUtE.exe
C:\Windows\System\VJigUtE.exe
C:\Windows\System\ZGHroNa.exe
C:\Windows\System\ZGHroNa.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/3548-0-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp
memory/3548-1-0x0000024D3B6B0000-0x0000024D3B6C0000-memory.dmp
C:\Windows\System\bRnhyyI.exe
| MD5 | 5f43da69cb9f518f2b228a4d9fea558b |
| SHA1 | ecc2aac38395ffac0c35e01e0b069d9177583fbf |
| SHA256 | 58547383167fd1838ca0f73c2dd1894e34c8a53956f187a60fb962484c1dd581 |
| SHA512 | 43ec4ed28bbc6471944bc570b37998d3151a5497a5ec74801753fd6466f2dd9d7f015a33665d539e67e23d255d82807e78a9685b61470bbe83ee10490a5b4aad |
memory/3892-8-0x00007FF79E720000-0x00007FF79EA71000-memory.dmp
C:\Windows\System\DMkgHam.exe
| MD5 | a933392bf662631b4f0423d836e9d774 |
| SHA1 | ac92cd00a38e3b5f2357127c6a87069ae402b743 |
| SHA256 | 1ab69767ab3a160624d8f6afbedebd3ca4a17a7c20f02043beb7dda0cb6757ae |
| SHA512 | 47d9d26b0b7614f07086725c55c6eefa08e390a9b34e1f58552365cedc465e15d761b67ebeedf9d4e9ea184cb25e6ecd69ddece84c8d5374065350eddede2d89 |
C:\Windows\System\fkikomS.exe
| MD5 | 59c905e31124faf7314a5bb2425afea5 |
| SHA1 | f53409bcdfe595a8a17db878c49326eb58e57ede |
| SHA256 | d4791e15cc3f0688f866b0f8e018a5d0e0f1e453ee1c5c4e26fe0dc4d98ab5e3 |
| SHA512 | 299426b3f6cab2221e89a4a8505e0835c403c9f0fce2f219fc94a7f07337789fca6eb03b2ffee31eb54cb917ff0ad037a97b4f9b069c1356077006b3267c8ff9 |
memory/4332-18-0x00007FF79C880000-0x00007FF79CBD1000-memory.dmp
C:\Windows\System\SBOxtqX.exe
| MD5 | 51305c59ff7182d4056383a9e304d0ea |
| SHA1 | 8f7e9c1d9ed402e80b19e6b8f24fc1022e1a4690 |
| SHA256 | f7e549e555af5bfb9dbbb7861e3f7fd212b1f39fdf830080dd7917482d7dd65b |
| SHA512 | a411ff4d0f9a96f336affc0bbbbb339545563794f49d55b03ef09d99ae0018c13773fc7c1b1002d2cf508d333c570d049612d1467f9e8ed376c277cbb1ad679d |
memory/1396-26-0x00007FF7FCBB0000-0x00007FF7FCF01000-memory.dmp
memory/4676-17-0x00007FF7BD390000-0x00007FF7BD6E1000-memory.dmp
C:\Windows\System\tXSKXao.exe
| MD5 | 36537cc1fb1bc4cafbc0ca86688c9a93 |
| SHA1 | a906f39d411d4a342fe8dc88d8edf0eb419888b2 |
| SHA256 | 5d440a37fdd25874a95e5fa2d00531b31541d201201491e87e03b23cecfb5709 |
| SHA512 | e2ea07300aae80002ff3ebd1b46bbc742c5591568e9e9857c8b47f075ee7d8b502212466e2d3130f4e6c7cfae7d621233307cf374c24d5cc593603bf2c1c78bf |
memory/4312-32-0x00007FF789210000-0x00007FF789561000-memory.dmp
C:\Windows\System\ttSRizW.exe
| MD5 | 18886959b5ba7d7cf0751b4b823c5c99 |
| SHA1 | 9e69699797e9ab0751aa0077e5f30d94e69f9372 |
| SHA256 | f5bac6d26c6ad3f7f102ca957f5dc82faa5d8799269771bfa86bac69c4e635ea |
| SHA512 | fe6c1c523aba1cec45efe7ac71d3b098c150bf410f4e2e4e2ac9eddcd825a24ec0bc291e33147c254d674b877c8cb6852d9e01741bfe5897e339b46171f13615 |
memory/4260-38-0x00007FF602410000-0x00007FF602761000-memory.dmp
C:\Windows\System\TCEcjgw.exe
| MD5 | 1022fc24f4504b84103414d2e1e4aea8 |
| SHA1 | 32041f64d5bd705f8f44a0a8b3bd8fe8641b0c7b |
| SHA256 | e20dee7bd0404bd90914bcdd2ab3931698990db90a863f64a1f3a5e54d8dc866 |
| SHA512 | 7f121486aad4b8a0b60d2c0718d62568a54cddb770c2b97b1b0c8d3733bd2f83e1c5f18c0bcf1a37430bd103803e2c13529bb3183dc1abd0559ef3e0cbbe7be0 |
memory/1312-44-0x00007FF657550000-0x00007FF6578A1000-memory.dmp
C:\Windows\System\RfbzzLA.exe
| MD5 | aa66647bc9e82d948bcd9ff7c5e1e684 |
| SHA1 | 49ea99f0322513218e781525f68254dca34ddf53 |
| SHA256 | 0aad216e3cf7aa5d3465e6133f19a76c91fa6f270b1e579a87f05345829edd36 |
| SHA512 | a31f965388df57ce926ac6e69909e78e48db868d0a8cd7f4ae261c4305df6b16d5594a54703bc5c9f96f8bc8928b668788ffc7ae8b2b223b3adcf57894a3aa95 |
memory/4492-50-0x00007FF7895A0000-0x00007FF7898F1000-memory.dmp
C:\Windows\System\GhFgqtq.exe
| MD5 | f812247357bab1c379b2f5cad2ebd2b5 |
| SHA1 | 75e3b3a803fdb89e66ae7b2c413c6972be2f7648 |
| SHA256 | bac2c93421803ec810ec97240e48cc5bb16e6e58a0818bfd654d263925a9c965 |
| SHA512 | 430d404ee495fd9cf7515cb311d51ec60b1e453ca7192ea1aaef49f102e7df067a0c679c317a5ba74abd3556118d41b3c34ac3b9f63345cc6c4792d5bfe0aaac |
C:\Windows\System\VQjdfEZ.exe
| MD5 | d1f6873e9466d528f5243537bb0060b6 |
| SHA1 | 8deb7be74e1e0e0717e9f7164fd2a0ff97624bde |
| SHA256 | 9f04f0c71571c0464ba2b6f0e79a8b86971fa44c3ceeb4fcd23684409e29468a |
| SHA512 | b7cf2b64794611d76e2ee00561fa54cfa3298cabae495bf603bd4f543a3685e397e1b91f77225d2b607aab3894ce618a1d8e9f3d81296905c2fd421fb839e44f |
memory/3052-75-0x00007FF737680000-0x00007FF7379D1000-memory.dmp
memory/4908-73-0x00007FF722540000-0x00007FF722891000-memory.dmp
memory/2792-72-0x00007FF602290000-0x00007FF6025E1000-memory.dmp
C:\Windows\System\hIxwxom.exe
| MD5 | 7b72fea3767a6fd99f1bf988874ae4dd |
| SHA1 | 838f7b6c17980293617c64b317abfd3eb4984e60 |
| SHA256 | 44c82a3bae298aa075505ccddcfb353cc3766f16ec951f9d81956bfcfa1b13cb |
| SHA512 | a4f604619b8afa8f3da692718a8aa12d14b7d620d8dcd3743f6e61fb96ba2a995b71d51f0fdd629818e7b4cb1515474ef02c46b4ce6e30190371a312b546342f |
C:\Windows\System\wsygvsI.exe
| MD5 | 4846119f71f3ba73234f45ca0a1fad44 |
| SHA1 | 1d10ed27a740fd31b60ec748d026aaa80d835dcf |
| SHA256 | 66c1c2f40bb085cf728449e9240d0d78191837aaf15a9ce2f556e008b794d55f |
| SHA512 | 4f01c044cd237bf0a2327d92b4509fadefe2fa7405ea5cee29dc76ae44b1e404617993c84691f354ce709de8be1a9cd43f909ee9f7239760ae245920dd34cfa9 |
C:\Windows\System\JkAJZCE.exe
| MD5 | 852006e834adb6c1ae81a07f77d6e194 |
| SHA1 | 4a183b9a5f37d83e1441d09c7cdf6da283da7559 |
| SHA256 | 607efe11eb8eda2138c528bcd8237f08b3a1875b99c7072aa059fba804c6dabc |
| SHA512 | ef384414fbc3895062056ba3df6bdb336d38ca7eb1990b30ee25b182ccf627df2b555b598b07716dec4f500ce7ffe831d6d5f745d29229421a4406c966ade00e |
memory/3896-85-0x00007FF7E87B0000-0x00007FF7E8B01000-memory.dmp
C:\Windows\System\SHerMTH.exe
| MD5 | f46dbd0a11984190da9aa06e1af6862e |
| SHA1 | 9eb753fc565df526ff64299170711ed36c837d7f |
| SHA256 | aba7f0b8eff6a8d8b606ef72cfa69ddac690439e21f6953ef7f1ba22ff92c676 |
| SHA512 | 9a41b5874f9f38de8262aa807269a945b9e28133ad96a1ecb9b6b1f4fda95b46837d03265c8ebc75cb8f923cb0e1f3ba49210952e4ef4751118261d36f379550 |
memory/4332-99-0x00007FF79C880000-0x00007FF79CBD1000-memory.dmp
memory/4980-100-0x00007FF7CE120000-0x00007FF7CE471000-memory.dmp
C:\Windows\System\BRxJGPi.exe
| MD5 | f64808c5182b593196004723c1e95d93 |
| SHA1 | ce263b63f87c9337e24dfc2af65d05ac7921ce40 |
| SHA256 | 23dc0e5dfe21fde0859969dd943a8721f2327d26fffba26e19450ea29283b2b2 |
| SHA512 | 8e07530e70ed40769d4b15591dc8e2595d6aa5dc06feae0b596f80194b6a0148f6a178d1abf55fae33224f94b121e5bec07b0d8a3aca7672f54f6a6ad4d29c11 |
memory/1720-92-0x00007FF7350D0000-0x00007FF735421000-memory.dmp
memory/2944-86-0x00007FF681060000-0x00007FF6813B1000-memory.dmp
C:\Windows\System\VKbbQJE.exe
| MD5 | 3660d68fdc68051b66c55af50253772d |
| SHA1 | 28592cb60fb742353761bd4dadda3d02bc209d1f |
| SHA256 | cd6f48db3e1c6c55a50399a51d46afce49cb6bfa3b1a8521d7b1a52655920cf8 |
| SHA512 | 08b705ac62690c9a486f5005b7eb0d915b81d1d32afd741f49780f01e61d583b4754927c7e8b279fca5267dcd6839555a3bdbb358d9cd85a38b592dd0fd2af4f |
memory/3548-64-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp
memory/3992-61-0x00007FF610E70000-0x00007FF6111C1000-memory.dmp
C:\Windows\System\kkEmkXU.exe
| MD5 | ee57bb919aa1e1ccaf9c744314cd7433 |
| SHA1 | ee5883d8b942712878425990189eb657b9a62af3 |
| SHA256 | 64cb72a3862d3745a1697ce34ea73b00c61a28137920db01200c3096ea96e108 |
| SHA512 | 059c89e5c8baabe4822903b40a3e2d81254e9df936fd86b02ef12625cb4b994acd2e6dab4311d0846ad4d9eb822072011b7e8659ac1cb370eedcdea230e5404d |
C:\Windows\System\flbYdCb.exe
| MD5 | e37fe4fd149315f5ce1fb036fe60da29 |
| SHA1 | f5bd8e71fc3c42b8b79e0f64b97203d7d93979aa |
| SHA256 | 642c3c8e3a47990e385e0f2ea26945c63df07d7a8ad67d0c0adfa3cbf92f8a14 |
| SHA512 | c20581db877d9e4c26aedaa65625d6b9eb0f3b8d29d6a60ca01a51c0fb2ec918cb234d3dea3a13383df80689883d6a1fe60e1bf6158638a993383820b9027433 |
C:\Windows\System\VJigUtE.exe
| MD5 | fe4eae12fd1f07a23eeb946ae431126b |
| SHA1 | 50706ad69994e02f3abe270a920d1171992e8014 |
| SHA256 | 6a0d6f60dd7e6d987b846125d177f92b7883c835555aec5846e801b4dee8a681 |
| SHA512 | 9a37de1f77083e69835c426a9fbab8f6f222198d59f877cfc60a01d17dcaf7603d3ce35d4176acfb9a588d7f0045a764eafceb45359843941dc143d93fdf43de |
C:\Windows\System\ADihPZM.exe
| MD5 | 0d1b268e4b7ce7f0901d9ca151269ecb |
| SHA1 | 5ed537bb2b4e603cb3a32d8c144fde1d9f8b77a4 |
| SHA256 | 03177a38443ceaa5696d22ea0c41acbc08c393c13924d856e27e4632c0b20311 |
| SHA512 | 6b210167bcea0eb540bd638214614fdf3e888a8f857bdde3b1ebb2a9ecad9c68fa88a8a157804abed92a27ab97c07716405a16571ee424f56b61120551f9fcd5 |
memory/3160-133-0x00007FF6F2680000-0x00007FF6F29D1000-memory.dmp
memory/2000-134-0x00007FF657AC0000-0x00007FF657E11000-memory.dmp
C:\Windows\System\ZGHroNa.exe
| MD5 | fccdc0b7921c555af03288641ea9caf1 |
| SHA1 | 33abc2019761b7d8c1c54df63b99669f92721f4d |
| SHA256 | 9ebb7c6a3206a6034a1e8e909bb9c503678b11601b18cdbc636b992f41a0a956 |
| SHA512 | 93f33724e0fdce5bb92ca79d33f1f44099567bede73ededc19c29a7d6178d450b0afe5990c82e88e91cae1be23b041aa06aa0c62cc47175d7745f20c8ad7be4f |
memory/4260-127-0x00007FF602410000-0x00007FF602761000-memory.dmp
memory/4000-125-0x00007FF654020000-0x00007FF654371000-memory.dmp
memory/4352-124-0x00007FF6D1090000-0x00007FF6D13E1000-memory.dmp
memory/4048-114-0x00007FF6E8F80000-0x00007FF6E92D1000-memory.dmp
memory/2792-141-0x00007FF602290000-0x00007FF6025E1000-memory.dmp
memory/1720-146-0x00007FF7350D0000-0x00007FF735421000-memory.dmp
memory/4908-144-0x00007FF722540000-0x00007FF722891000-memory.dmp
memory/4048-148-0x00007FF6E8F80000-0x00007FF6E92D1000-memory.dmp
memory/3896-143-0x00007FF7E87B0000-0x00007FF7E8B01000-memory.dmp
memory/3052-142-0x00007FF737680000-0x00007FF7379D1000-memory.dmp
memory/3548-149-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp
memory/4000-157-0x00007FF654020000-0x00007FF654371000-memory.dmp
memory/2000-159-0x00007FF657AC0000-0x00007FF657E11000-memory.dmp
memory/3548-171-0x00007FF7F09B0000-0x00007FF7F0D01000-memory.dmp
memory/3892-194-0x00007FF79E720000-0x00007FF79EA71000-memory.dmp
memory/4676-201-0x00007FF7BD390000-0x00007FF7BD6E1000-memory.dmp
memory/4332-203-0x00007FF79C880000-0x00007FF79CBD1000-memory.dmp
memory/1396-205-0x00007FF7FCBB0000-0x00007FF7FCF01000-memory.dmp
memory/4312-212-0x00007FF789210000-0x00007FF789561000-memory.dmp
memory/4260-214-0x00007FF602410000-0x00007FF602761000-memory.dmp
memory/1312-216-0x00007FF657550000-0x00007FF6578A1000-memory.dmp
memory/4492-218-0x00007FF7895A0000-0x00007FF7898F1000-memory.dmp
memory/3992-229-0x00007FF610E70000-0x00007FF6111C1000-memory.dmp
memory/2792-231-0x00007FF602290000-0x00007FF6025E1000-memory.dmp
memory/3896-234-0x00007FF7E87B0000-0x00007FF7E8B01000-memory.dmp
memory/2944-235-0x00007FF681060000-0x00007FF6813B1000-memory.dmp
memory/4908-239-0x00007FF722540000-0x00007FF722891000-memory.dmp
memory/3052-238-0x00007FF737680000-0x00007FF7379D1000-memory.dmp
memory/1720-241-0x00007FF7350D0000-0x00007FF735421000-memory.dmp
memory/4980-243-0x00007FF7CE120000-0x00007FF7CE471000-memory.dmp
memory/4048-247-0x00007FF6E8F80000-0x00007FF6E92D1000-memory.dmp
memory/4352-248-0x00007FF6D1090000-0x00007FF6D13E1000-memory.dmp
memory/4000-252-0x00007FF654020000-0x00007FF654371000-memory.dmp
memory/3160-251-0x00007FF6F2680000-0x00007FF6F29D1000-memory.dmp
memory/2000-254-0x00007FF657AC0000-0x00007FF657E11000-memory.dmp