Analysis Overview
SHA256
9a8aadaffcf9f3a903dd4b743947d612f755ad9543d1fd2839288af7321ed0cb
Threat Level: Known bad
The file 2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:54
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:54
Reported
2024-05-30 00:56
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\epKzsBU.exe | N/A |
| N/A | N/A | C:\Windows\System\oCdoMHX.exe | N/A |
| N/A | N/A | C:\Windows\System\chAPLGz.exe | N/A |
| N/A | N/A | C:\Windows\System\HeWRbAU.exe | N/A |
| N/A | N/A | C:\Windows\System\zmrBHyL.exe | N/A |
| N/A | N/A | C:\Windows\System\iKhOJVM.exe | N/A |
| N/A | N/A | C:\Windows\System\lzVbLkR.exe | N/A |
| N/A | N/A | C:\Windows\System\iTmvGqn.exe | N/A |
| N/A | N/A | C:\Windows\System\FrsdQQN.exe | N/A |
| N/A | N/A | C:\Windows\System\ceCMNhE.exe | N/A |
| N/A | N/A | C:\Windows\System\CJkrhLs.exe | N/A |
| N/A | N/A | C:\Windows\System\hjZPJON.exe | N/A |
| N/A | N/A | C:\Windows\System\jUPBufv.exe | N/A |
| N/A | N/A | C:\Windows\System\SKeSxLh.exe | N/A |
| N/A | N/A | C:\Windows\System\whegALI.exe | N/A |
| N/A | N/A | C:\Windows\System\MSrAknR.exe | N/A |
| N/A | N/A | C:\Windows\System\EuUldpp.exe | N/A |
| N/A | N/A | C:\Windows\System\RNXUwJg.exe | N/A |
| N/A | N/A | C:\Windows\System\IcVJfSB.exe | N/A |
| N/A | N/A | C:\Windows\System\khJMyHd.exe | N/A |
| N/A | N/A | C:\Windows\System\uVPxsVy.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\oCdoMHX.exe
C:\Windows\System\oCdoMHX.exe
C:\Windows\System\epKzsBU.exe
C:\Windows\System\epKzsBU.exe
C:\Windows\System\HeWRbAU.exe
C:\Windows\System\HeWRbAU.exe
C:\Windows\System\chAPLGz.exe
C:\Windows\System\chAPLGz.exe
C:\Windows\System\zmrBHyL.exe
C:\Windows\System\zmrBHyL.exe
C:\Windows\System\iKhOJVM.exe
C:\Windows\System\iKhOJVM.exe
C:\Windows\System\lzVbLkR.exe
C:\Windows\System\lzVbLkR.exe
C:\Windows\System\iTmvGqn.exe
C:\Windows\System\iTmvGqn.exe
C:\Windows\System\FrsdQQN.exe
C:\Windows\System\FrsdQQN.exe
C:\Windows\System\ceCMNhE.exe
C:\Windows\System\ceCMNhE.exe
C:\Windows\System\CJkrhLs.exe
C:\Windows\System\CJkrhLs.exe
C:\Windows\System\hjZPJON.exe
C:\Windows\System\hjZPJON.exe
C:\Windows\System\jUPBufv.exe
C:\Windows\System\jUPBufv.exe
C:\Windows\System\SKeSxLh.exe
C:\Windows\System\SKeSxLh.exe
C:\Windows\System\whegALI.exe
C:\Windows\System\whegALI.exe
C:\Windows\System\MSrAknR.exe
C:\Windows\System\MSrAknR.exe
C:\Windows\System\EuUldpp.exe
C:\Windows\System\EuUldpp.exe
C:\Windows\System\RNXUwJg.exe
C:\Windows\System\RNXUwJg.exe
C:\Windows\System\IcVJfSB.exe
C:\Windows\System\IcVJfSB.exe
C:\Windows\System\khJMyHd.exe
C:\Windows\System\khJMyHd.exe
C:\Windows\System\uVPxsVy.exe
C:\Windows\System\uVPxsVy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1232-0-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/1232-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\oCdoMHX.exe
| MD5 | 8d40d6f4d74881e1b00eefa89661e0b7 |
| SHA1 | d0cefb559c6a02ae66031e8f0a6e6444ee25142d |
| SHA256 | b501d5709d1016eb2552fac0dbc0767e61abb5a4f2258fc9ed75eaf40c147bf6 |
| SHA512 | c2999eccfffb3dc4e9be0df70895928dc71519f5652d7d59c236edb833b76f50d1c4e6c03e49a4f97e5c3c16205840f50b3434f33cab2005f89aba35dc67050d |
C:\Windows\system\epKzsBU.exe
| MD5 | eaf66943e145923022c171744dfa6585 |
| SHA1 | 14f5b7ff18687e39d300d1e3d66258d29918f82f |
| SHA256 | 0f212e4d1e13c2f74a0ca0a57c4d83e4624d77749ce3b21abd39f97aafaf6d8e |
| SHA512 | d6d5194b8c77a299423c2daa476482596b211f8b2e058ad231aae7c84b43db4187d5cdbe109f09db50f79e70c0fe2b57c835d289e03f82efa1719447c9c33219 |
memory/2348-13-0x000000013F960000-0x000000013FCB1000-memory.dmp
\Windows\system\HeWRbAU.exe
| MD5 | bbbd0f8fd586e04a474ac5208f03dc25 |
| SHA1 | 31ea629261efd058c74185acd335326c81995c3a |
| SHA256 | 795904cc59010255fabdbf0f4e3b80ca1145f3983492ce25dd3900c8c77c6f9e |
| SHA512 | a754677ebba05781f23e6f68b05d079ec2345f9a433c3a7d7f76fc8dc7f9ef924d08395580d0a6e0c08f40d56a1f9ee6c5aff1f9b1af3c19c1b9727219b2c706 |
memory/2128-22-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
C:\Windows\system\zmrBHyL.exe
| MD5 | bbe9a5087070114cd47b8eefc095475a |
| SHA1 | b3ff9ad2ab6bf09fe555c0f79e5c2eda313ed886 |
| SHA256 | 2baed592ebb73d23a563298b497b28df32570e96b4bc15541d2a3bc0194259a4 |
| SHA512 | 15dbaab3062252c3a44c692963449f504e0d344281b58ae7a352b1f231dcb95c3d23a728ed7458480110df1019554c60d5c5d77fa6173052c4f9a513ab774c78 |
C:\Windows\system\iKhOJVM.exe
| MD5 | 6e49e8750a0ad58a589f5af9fd55ca52 |
| SHA1 | 65657587d1d90983c125f62641448f8f54bf0279 |
| SHA256 | c134bc7398bd2f827b20cb99801923330d786fd3f7e7a080d17adf78db61c258 |
| SHA512 | 4b5a4e70d1eb22c12067fb36a6422f9ad70f8422293dcf312a3f99d2a747b1c108c5d228349966f632ba4a27e3ec9378ded7199dbc45c0e1f7b3b061191a33fe |
memory/2756-35-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/1232-39-0x0000000002150000-0x00000000024A1000-memory.dmp
memory/2820-50-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\lzVbLkR.exe
| MD5 | 02ece032be23996f9577de7c4fd9d7e8 |
| SHA1 | 09ff8d9ab75c38adaa9717a06f8161455f726f23 |
| SHA256 | 379fb32d5a203c75891ecd3aadb98d8e1140db1228e52211d5dafc1ebe428108 |
| SHA512 | 19f1be7936a0ec1e16e2150bbed9267b6706d691c67992dca09c4c788121ec86bf1cc6176c214767c800c6f9fce766a4fb1ed2837af9a5e4c5cc7e02a55c8068 |
memory/1232-47-0x0000000002150000-0x00000000024A1000-memory.dmp
memory/2516-46-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2072-33-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/1232-32-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2612-30-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1232-29-0x0000000002150000-0x00000000024A1000-memory.dmp
memory/1232-27-0x000000013F950000-0x000000013FCA1000-memory.dmp
C:\Windows\system\chAPLGz.exe
| MD5 | 6248affe3858272086715f8d5c6eb8e0 |
| SHA1 | f40be002b54038ceb12932ece7742fff0c3923c1 |
| SHA256 | 952070dfc90c3b84d852f34720c6ea0a3218e53252d6970ac7aa0fb12a4455df |
| SHA512 | 76237fbbfd8c0b76e4692fc941f39f3a1e51f0ca0fa516d4e72dbb38bab65be12cc9d3b661a30ebb04e330f7359eb5c163dd29a390c7eacaf766b18960c9d509 |
memory/1232-17-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1232-9-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
\Windows\system\iTmvGqn.exe
| MD5 | 3f544109ae8fd85d0abfec169343df66 |
| SHA1 | f5efeb5ddd5149d9eb9f7b0d5da9a891aea8fdf1 |
| SHA256 | c19b44059afdfffc5081e78d60153bfd298f402b086988eb6941a03b1682ddca |
| SHA512 | 20d8f4b6443c313dc0449763dfb7053bcbb5739e8e3b05a5fce1b02e2abb78f5fb1db7902f41f638da258e3917e6cd4407e5c9eb63c7cdfa9731386282b21a41 |
\Windows\system\FrsdQQN.exe
| MD5 | e78b8bb757c996f974bae8b110db2485 |
| SHA1 | 65fbb908f3750b54c397f4761f9781d9758c55b3 |
| SHA256 | 620993456636ee00a0b9bf5e5467bef206ee9b285fc266ce2ed8148bdb2c20bc |
| SHA512 | 234b41720c2a05b57405cfaa0b63d6fadf9f12584b06456f4e5aac3fa692a2e78188d5843050741e721d8b568c559c84d36959840aa2e70a8d9ce491df993c62 |
memory/2128-67-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2572-66-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/1232-65-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2504-64-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2348-63-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1232-61-0x000000013FCE0000-0x0000000140031000-memory.dmp
C:\Windows\system\ceCMNhE.exe
| MD5 | 0a1c7c4c2b1206c38eb285fb299a5c45 |
| SHA1 | df13d6ad617b87a91b07916fc7d76b680b026358 |
| SHA256 | d67f19982fd28b3864517fbc18b31c51f89c9fd0c3ec95bca53092b3ef09ab4d |
| SHA512 | a407a864c817dfe2832a021fb723b08b284294ee5563d2071ca74f9760175335755b42a235ca17a75cc4264e67078d1af04f894dd62336bd5addf08c2b7c6258 |
memory/2680-74-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/1232-73-0x0000000002150000-0x00000000024A1000-memory.dmp
memory/2160-80-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/1232-78-0x0000000002150000-0x00000000024A1000-memory.dmp
C:\Windows\system\CJkrhLs.exe
| MD5 | e9de26cb3b45423645849d4b95e7bc53 |
| SHA1 | d4642afc284346275d1731ebf3b6284d2d0eb30c |
| SHA256 | 467a2e4dfe14101c1b1233caeb7ab4c861cd049d54980445891df4be820916ce |
| SHA512 | 5ff37515ad5ebf6025409b644397cb17e37a3dd22507214ecca77a57ffe6eee66dae3dd5044dd01830baff4d9520d93427d1522b27df7867594d8fe1a98c1188 |
C:\Windows\system\hjZPJON.exe
| MD5 | 1042243c427357eaea9dc3bf1ac89d70 |
| SHA1 | 043e75aeb2a98a2449b7affd7d983bbb1bd4dfc3 |
| SHA256 | a883997ce353dafc72eb4ce7e032dcff556ea7ec4135029147572ecb0f8d891f |
| SHA512 | 91dcaf9b376a5c469d0fa73638855c456029b68b41d9361963b4d33cad7144e1147aee55477b2ea3d1e96816d4b92b1ca26ab03999e38c1397f9170d99327a9f |
C:\Windows\system\SKeSxLh.exe
| MD5 | 9f08cc2bd3c1152ba372c2d81a8124fe |
| SHA1 | ec644c2ce8e1e124944f3b5f3ee78a15e0f527bc |
| SHA256 | dbba218726b88d8c94963aa53ba34d11a079fb41e4a5f8a786f530e5688193d7 |
| SHA512 | f96b1c5a1b7de54d0e2f0be9d892bfd688eba0c1ed2c90118cbb7bec47b6ab31df1eb20854ac8826381805ee17024b1ec45b981af7e144fbdc097895b9fb1c39 |
C:\Windows\system\jUPBufv.exe
| MD5 | aefe78864e890207c99b29193a661130 |
| SHA1 | d69628cba6eb14f58db939490478d9d520597479 |
| SHA256 | bb4eb7e77819e61db0094bd3a7af127f0ab0ff39f349fd999b9cae24bd760919 |
| SHA512 | e1dda21d8c0a64bd0c7196248124e46f1592d8491ba8f5381f9a9453d7473a574964db88295a816af680a5593f6c4f1db5b294e0ee7ef201e8bf1c14dd9c36e3 |
C:\Windows\system\RNXUwJg.exe
| MD5 | 6d1fb14133be8789c96046fa09146550 |
| SHA1 | 130e6c93f8ff099cfc5a2ce8c94ca661a4b45582 |
| SHA256 | 489ffe0a2bec13e5f93cfc2565757c815bfa6e01e824eceb5355655157c32986 |
| SHA512 | aa97337446d6f5771e1ba05777c9dfbf30347b4b4c1ead0121070869efa72de9f6b6e7a72fcef929fce99eb3bc363d92fdcfd7a1d5cf292b9d0b31cd152543ff |
C:\Windows\system\EuUldpp.exe
| MD5 | e17f541d188f485263dab3deb36f2512 |
| SHA1 | 5cfb15ad151861fc48547165959c5c45f2285658 |
| SHA256 | 4fed298099d0902b434fcffda8655a0c68a7a025e1dfb0e000b1eee05193ea71 |
| SHA512 | 6f8aa02f6a7a4f9e7d5be39c0ef2fb6bcaef186c185a4e98123232b5b13f0b635d1c708a57bfb772a8c7f741a6639dda07cc0e49761574ab08c96a91aaefb843 |
C:\Windows\system\uVPxsVy.exe
| MD5 | a951ebbdc7e7ff8d5b5c8ad3deb0dc76 |
| SHA1 | f554e5f9ffde7fa5307ac2bb7d5fef94a8b29b3d |
| SHA256 | f25984565db695420eedff26f348455c0e3f2ee3e50d5e0c0b835810a555920e |
| SHA512 | 897d6d881dbbe2941be7214ff4f0efaadb0e43292253adcc6d79174a82bef6181e909134b3a693c740ca1b784f9800169e6ec042ae88d21e857c8dd3cc7813cf |
C:\Windows\system\IcVJfSB.exe
| MD5 | 0189a54fff376300f4d93f7395b98a75 |
| SHA1 | 65b0326fe739c3dfd91a7c159c183aaa784942e4 |
| SHA256 | 9cf5da1b87e259cd10bbda9b3aec68368b2e5bf9722a784439a6156311447e09 |
| SHA512 | 19b16a98ef8b21a6a551660dfbe6e7568b89ac048425adfc30a2ddc9b6d2ab5554f099f637a6b3e2048923f3ee5aee3a300f4822b8f37574a99895af6d297a91 |
C:\Windows\system\khJMyHd.exe
| MD5 | c9e6e544b50b2c6288409a22b9626226 |
| SHA1 | 43edbc6c0c0bd679e4c97deafcfba6b8bdf43fd0 |
| SHA256 | 50e2a53df51497bf4a2b3ba1d42233ef3cba2595ccfed5d7229a534fe8a9caeb |
| SHA512 | dc11d4044e92c55341afc856b78dc532d175b0496b303eed7ee7795f1ae3c0e518ca0db7ee6adec4dd07bfaebdd0dea377d82e1e83addabb7c593f35be3598c6 |
C:\Windows\system\MSrAknR.exe
| MD5 | ef1642356a67789465a8a866fabd3d96 |
| SHA1 | 2313f06fcda780f8e13bbfbf778e7089c9a3fa8f |
| SHA256 | 0ee1bea5debd1dbd667500a9212d1b03869735d3736ce176fe9a72cf13c30529 |
| SHA512 | c7092e018367a0c42ca8387485926b55af552f8a3d5df70715abe79d05aab972c492f72ae62340bb62b206b8de3c5f0bb3314291c73bfcbc6c7631de4dce9d9c |
C:\Windows\system\whegALI.exe
| MD5 | 52c8a6ff59b25a64570fc2d42a9253b6 |
| SHA1 | 1b4c9aaa5588edf1ed32a5372a55233c880748bc |
| SHA256 | a3d61c91bd74cfe21ebf1426481b6c2044106093946ff32bf738e1f9cb3372d9 |
| SHA512 | 838a09adfdfdd2171256a8bbcf767f9768ce5a8a934a7693ed369d806ba6fed983c45fe50928cc2f38978c4ba36c3cdf1e739c3e5e5a0dca20df0864f1bebce6 |
memory/1232-130-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/2840-134-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2896-136-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/1232-135-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2072-138-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/1232-133-0x0000000002150000-0x00000000024A1000-memory.dmp
memory/2836-131-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2820-144-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2516-143-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2756-142-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2160-148-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/1032-152-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/2724-158-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/1640-157-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/1928-156-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1952-154-0x000000013F530000-0x000000013F881000-memory.dmp
memory/1856-153-0x000000013F420000-0x000000013F771000-memory.dmp
memory/1848-155-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/1232-159-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/1232-167-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/1232-168-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2348-206-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2128-215-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2612-217-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/2516-220-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2072-221-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/2756-223-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2820-225-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2504-227-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2572-229-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2680-235-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2836-237-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2840-239-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2896-241-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2160-251-0x000000013FFB0000-0x0000000140301000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:54
Reported
2024-05-30 00:56
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rmxbXiP.exe | N/A |
| N/A | N/A | C:\Windows\System\zYDHukJ.exe | N/A |
| N/A | N/A | C:\Windows\System\iVGwsKX.exe | N/A |
| N/A | N/A | C:\Windows\System\CgeZYht.exe | N/A |
| N/A | N/A | C:\Windows\System\PVowdXG.exe | N/A |
| N/A | N/A | C:\Windows\System\lTMBXCY.exe | N/A |
| N/A | N/A | C:\Windows\System\vkTLDaa.exe | N/A |
| N/A | N/A | C:\Windows\System\BaXrMBI.exe | N/A |
| N/A | N/A | C:\Windows\System\HTjtwiP.exe | N/A |
| N/A | N/A | C:\Windows\System\wFMVOmh.exe | N/A |
| N/A | N/A | C:\Windows\System\YdQQcGn.exe | N/A |
| N/A | N/A | C:\Windows\System\gJVxpow.exe | N/A |
| N/A | N/A | C:\Windows\System\qcnNWsp.exe | N/A |
| N/A | N/A | C:\Windows\System\mYswDrE.exe | N/A |
| N/A | N/A | C:\Windows\System\vGPdvRs.exe | N/A |
| N/A | N/A | C:\Windows\System\VygErWU.exe | N/A |
| N/A | N/A | C:\Windows\System\VvaczKU.exe | N/A |
| N/A | N/A | C:\Windows\System\PJCTEal.exe | N/A |
| N/A | N/A | C:\Windows\System\BKNWVlS.exe | N/A |
| N/A | N/A | C:\Windows\System\AZrquDi.exe | N/A |
| N/A | N/A | C:\Windows\System\FPXMAgP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_73be24e1c1418d45e07aaf1b46adee10_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rmxbXiP.exe
C:\Windows\System\rmxbXiP.exe
C:\Windows\System\zYDHukJ.exe
C:\Windows\System\zYDHukJ.exe
C:\Windows\System\iVGwsKX.exe
C:\Windows\System\iVGwsKX.exe
C:\Windows\System\CgeZYht.exe
C:\Windows\System\CgeZYht.exe
C:\Windows\System\PVowdXG.exe
C:\Windows\System\PVowdXG.exe
C:\Windows\System\lTMBXCY.exe
C:\Windows\System\lTMBXCY.exe
C:\Windows\System\vkTLDaa.exe
C:\Windows\System\vkTLDaa.exe
C:\Windows\System\BaXrMBI.exe
C:\Windows\System\BaXrMBI.exe
C:\Windows\System\HTjtwiP.exe
C:\Windows\System\HTjtwiP.exe
C:\Windows\System\wFMVOmh.exe
C:\Windows\System\wFMVOmh.exe
C:\Windows\System\YdQQcGn.exe
C:\Windows\System\YdQQcGn.exe
C:\Windows\System\gJVxpow.exe
C:\Windows\System\gJVxpow.exe
C:\Windows\System\qcnNWsp.exe
C:\Windows\System\qcnNWsp.exe
C:\Windows\System\mYswDrE.exe
C:\Windows\System\mYswDrE.exe
C:\Windows\System\vGPdvRs.exe
C:\Windows\System\vGPdvRs.exe
C:\Windows\System\VygErWU.exe
C:\Windows\System\VygErWU.exe
C:\Windows\System\VvaczKU.exe
C:\Windows\System\VvaczKU.exe
C:\Windows\System\PJCTEal.exe
C:\Windows\System\PJCTEal.exe
C:\Windows\System\BKNWVlS.exe
C:\Windows\System\BKNWVlS.exe
C:\Windows\System\AZrquDi.exe
C:\Windows\System\AZrquDi.exe
C:\Windows\System\FPXMAgP.exe
C:\Windows\System\FPXMAgP.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files