Analysis Overview
SHA256
244dde1488ccb843597cf0a81bf57806e615e4675c0af931798bdf40a60e2fcb
Threat Level: Known bad
The file 2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 07:04
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 07:04
Reported
2024-05-30 07:06
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zojupTh.exe | N/A |
| N/A | N/A | C:\Windows\System\EuoCRTF.exe | N/A |
| N/A | N/A | C:\Windows\System\NsmgrxR.exe | N/A |
| N/A | N/A | C:\Windows\System\CSWQLYv.exe | N/A |
| N/A | N/A | C:\Windows\System\JsEcApY.exe | N/A |
| N/A | N/A | C:\Windows\System\MkxcUfc.exe | N/A |
| N/A | N/A | C:\Windows\System\domPiWd.exe | N/A |
| N/A | N/A | C:\Windows\System\SmHvTDf.exe | N/A |
| N/A | N/A | C:\Windows\System\WjkRjZx.exe | N/A |
| N/A | N/A | C:\Windows\System\VGyWrno.exe | N/A |
| N/A | N/A | C:\Windows\System\engBmme.exe | N/A |
| N/A | N/A | C:\Windows\System\VHtMYte.exe | N/A |
| N/A | N/A | C:\Windows\System\hWNYuuP.exe | N/A |
| N/A | N/A | C:\Windows\System\FJGoDok.exe | N/A |
| N/A | N/A | C:\Windows\System\PkcTbSd.exe | N/A |
| N/A | N/A | C:\Windows\System\pmnYoLH.exe | N/A |
| N/A | N/A | C:\Windows\System\nLbwDsA.exe | N/A |
| N/A | N/A | C:\Windows\System\duhyMAK.exe | N/A |
| N/A | N/A | C:\Windows\System\KqAngdE.exe | N/A |
| N/A | N/A | C:\Windows\System\rtJPnik.exe | N/A |
| N/A | N/A | C:\Windows\System\RLOMkin.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\zojupTh.exe
C:\Windows\System\zojupTh.exe
C:\Windows\System\EuoCRTF.exe
C:\Windows\System\EuoCRTF.exe
C:\Windows\System\NsmgrxR.exe
C:\Windows\System\NsmgrxR.exe
C:\Windows\System\CSWQLYv.exe
C:\Windows\System\CSWQLYv.exe
C:\Windows\System\JsEcApY.exe
C:\Windows\System\JsEcApY.exe
C:\Windows\System\MkxcUfc.exe
C:\Windows\System\MkxcUfc.exe
C:\Windows\System\domPiWd.exe
C:\Windows\System\domPiWd.exe
C:\Windows\System\SmHvTDf.exe
C:\Windows\System\SmHvTDf.exe
C:\Windows\System\WjkRjZx.exe
C:\Windows\System\WjkRjZx.exe
C:\Windows\System\VGyWrno.exe
C:\Windows\System\VGyWrno.exe
C:\Windows\System\engBmme.exe
C:\Windows\System\engBmme.exe
C:\Windows\System\VHtMYte.exe
C:\Windows\System\VHtMYte.exe
C:\Windows\System\hWNYuuP.exe
C:\Windows\System\hWNYuuP.exe
C:\Windows\System\FJGoDok.exe
C:\Windows\System\FJGoDok.exe
C:\Windows\System\PkcTbSd.exe
C:\Windows\System\PkcTbSd.exe
C:\Windows\System\pmnYoLH.exe
C:\Windows\System\pmnYoLH.exe
C:\Windows\System\nLbwDsA.exe
C:\Windows\System\nLbwDsA.exe
C:\Windows\System\duhyMAK.exe
C:\Windows\System\duhyMAK.exe
C:\Windows\System\KqAngdE.exe
C:\Windows\System\KqAngdE.exe
C:\Windows\System\rtJPnik.exe
C:\Windows\System\rtJPnik.exe
C:\Windows\System\RLOMkin.exe
C:\Windows\System\RLOMkin.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2188-0-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2188-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\zojupTh.exe
| MD5 | 4b419c7332a754dbfc40b6bf0cd2682c |
| SHA1 | b41e646f8f53e9e3ea9aa48a4997e89d446b410f |
| SHA256 | a537fae2ccede527997cbad71c9e709298268063a430dff51eb9dd69e900b605 |
| SHA512 | c9372743a39f534d0ee1691b8dc89b4aa436338eb6cb5899593a112ff0478ebcde5a7e09d5f97f3c6a00fda6aca7b2f6b6cb307529755cb212a805d902745889 |
memory/3016-8-0x000000013FBB0000-0x000000013FF04000-memory.dmp
\Windows\system\EuoCRTF.exe
| MD5 | a64c6a14426e54ca01dcc95ef799a281 |
| SHA1 | 9dd765879bc94f06ae0a1e7cdf2574ff7c2adf98 |
| SHA256 | d9f3dd3de28b97d2dc3d1f0d8bc67f9b4f6bf57480b8a44bdbe45baa4099ed4d |
| SHA512 | 775a157f6eb79b3d047e7d2a866828061c7d9ebaae6218e23dc5279aa3e386deced317d7e2474d3de7ade28e27cf132a3ad372b4c4f9229e16ac0d9c61771d81 |
memory/2188-12-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2848-14-0x000000013FFA0000-0x00000001402F4000-memory.dmp
C:\Windows\system\NsmgrxR.exe
| MD5 | 2b4e9da5365bad0b1aace20b1ab589af |
| SHA1 | 514da9db004844063294d487288826448e33e65f |
| SHA256 | 9dd8cd8a7fc58879f52c44f9947b56ffe8b382a5fd180f6d8806f1402b161863 |
| SHA512 | 9ade2034ed657803cfe49fc633019f7bc73be0faabf21b8063ea7bd099c8c01c19fa73161b3eac33ab82c35856e0788d8b35f4ca999c338899ca1dad9244177e |
memory/2688-22-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2188-19-0x000000013FEB0000-0x0000000140204000-memory.dmp
\Windows\system\CSWQLYv.exe
| MD5 | 35844412e101cb79f4d777b45076f36e |
| SHA1 | f1ee733d5b5d258b143cf0a5d5c184481fdf7d3d |
| SHA256 | 2627a03056f5dd95c571b649a2333e657cd85b3d6fe9382a8f7a35b26b6f90f8 |
| SHA512 | bca098474178c0803fa079c10a5eead979eb652944d8b0881c26cfded367977b0dd3eeba1935a17bd7e3345946a717010a91bb52a9f8291d66977abb6ee37eec |
memory/2596-28-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2844-35-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\domPiWd.exe
| MD5 | 677d4f6c674541a07a023ee4ed1c012a |
| SHA1 | 7e7933ffea9f2fd50415d65afb0556f4e198a7e6 |
| SHA256 | e9e00d3302e989e67cc6a2fc33c0005fb98f8b66883798b0fe53d3efa15461e6 |
| SHA512 | 1147e83ea3e3642a9173d6ed2a6380d3246c78f66648b8722e4e6a93aee1e716017a4e170e0862586b4956751eff8ab4c4dd1aafef5906204c544ba6decaa8a7 |
C:\Windows\system\SmHvTDf.exe
| MD5 | 0f8212b4de65f2adfc22de79e084c654 |
| SHA1 | 9a39eb1c128d6138364d8a9b324b2625fa94aed8 |
| SHA256 | 5f26bbf1817fcae8b9a699aa92809c49a8e29beacfd3bf5851ee3090ac5e4c84 |
| SHA512 | eb6994fb1a5d3d713f9947a6560b0103bcaa75498662f863df3f4d1a9b798a41945c0e3dd95b13417de5e6bd45173b7bd4a9c878c5adce0be1389d3bb7eaac87 |
memory/2188-53-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/3016-67-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2848-80-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1032-82-0x000000013F960000-0x000000013FCB4000-memory.dmp
C:\Windows\system\duhyMAK.exe
| MD5 | 6861dcdcae4c5cd11c568993b6a08b41 |
| SHA1 | df5e3b3521c25fa1366dac1d2c4161317b92112d |
| SHA256 | 2f715966cc4779c9aafb5e12e88180bae27566da6980ed891680e3ed37cde281 |
| SHA512 | 199fe616fd86d2143effed68a3530658809c96da07bf61226bcef8c96e889e1b0974d2f991d4fb3d149b81a384d8974108341b8ff95094535f2af17ffe7c23d6 |
\Windows\system\RLOMkin.exe
| MD5 | c05cc3145b462a097bc527e0eda0a85c |
| SHA1 | 9bfaadbcd78b50f50312249cb56a1fa47ef41d65 |
| SHA256 | 2ca177407170e0ab7e207b45b87b505f283feaf4b5108f321a0294d192c27b02 |
| SHA512 | 562a6f22e56c5313e5743b00991947a30581a6640378bc309f0c725ee1be388fdadf9a12c24d8b0af08270e6e52284f628dc284dfbcaa4967ba0a276be332757 |
C:\Windows\system\rtJPnik.exe
| MD5 | 8a1235fb0eee32ad69b862e4206c3777 |
| SHA1 | 639b8f498447273f2747a350860da519df172e3a |
| SHA256 | 452ff2e23397b63f6242daea1af2c3c0408c15a6530e4ca1ca95bf1d573c9db7 |
| SHA512 | d3399b6926f2b72258ac5667379bd839efcbc6d1c75dc297cad90745ae95606f05abc9c931a2af0cc2488d5bd8e5f899a93623b88d5238f5feff5ec35fc55518 |
C:\Windows\system\KqAngdE.exe
| MD5 | c48d95d5d7b87cb501a4f8f5e978af9c |
| SHA1 | 29f4d6c89c7e9898b0696c8c1f0990f903896e28 |
| SHA256 | 31ca76293581323df32f3d25939e7a28eba2e3650cbf36bdfb0c9c0934c2ebf4 |
| SHA512 | b9406d5db5deeadaa272048e23b3c76546a91461b646b7f8c01db6034c747837aedf0e930b7dfe21720ea7eb2bbd991586eb705098cf995a6ece71a41dc87f0b |
C:\Windows\system\nLbwDsA.exe
| MD5 | 5976681610f35267c88c28ed1aafa479 |
| SHA1 | d304b8be96e021913250f88b4fc54c03365c3c82 |
| SHA256 | 9517a64172e4a0b83a080043186d50173b55d888d85ae789008404c91b3e63e3 |
| SHA512 | c57fcb6ea46e56f002858e64352a8d148037d465fab8e4fda4275342f41d8f8c0b4f74ec90e5d848d51d9164a2071730f70a595eb3b1689ed0cb692edc21ad3c |
C:\Windows\system\pmnYoLH.exe
| MD5 | cae1c7a7867969070cbfaa1d090257e7 |
| SHA1 | 18e143936b09988754344ce3af6d10f58483355d |
| SHA256 | 3fc6992ca6c18a876a2391a0befe91063b8738da6113683b269b131852bbd974 |
| SHA512 | b94dd0bdcd010927933698a557f628e0daceff25c2b9cc98122f5c6267fbebaa20f7fb5498fe877203c7f03579097bc328e3b575eae61d72364c746b98caba03 |
memory/2808-136-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2188-104-0x000000013F170000-0x000000013F4C4000-memory.dmp
C:\Windows\system\PkcTbSd.exe
| MD5 | 7dc4384a5351c1647ec8a566e5124213 |
| SHA1 | 7613d2c3995be89b5d71c90be4850226d894966c |
| SHA256 | 545659de33b886e6398a0d0ff0b9bfd247c24468c780dbf0384a794cee376b3d |
| SHA512 | 8d9576cb759afc70bd9cbe90cb7e59e93992d375af58b31fc3f10837db93bee652071b36e9ba23374997e0c22e16b6aefa99ff784464a7b5383f64e516121cbe |
memory/868-98-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2188-97-0x000000013F360000-0x000000013F6B4000-memory.dmp
C:\Windows\system\FJGoDok.exe
| MD5 | 1f4efaa89668a098bbace2c3ab7f71ac |
| SHA1 | c3cf11be8ffbf44bd1edd90048900a2d6f3b6b06 |
| SHA256 | 45cb3ae1e780a1332efc0760dbd54b29fa183942b3610c0f436cc2b870d1a423 |
| SHA512 | 814f8d6560b28eee26e84645b4ef70be916612e381b527beab063246ebce331a62599df063bf7130d92ca0b5054db932c651f3e43a5098b76ab13b5a9bd4bef1 |
memory/620-91-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2188-90-0x0000000002560000-0x00000000028B4000-memory.dmp
memory/2688-89-0x000000013FEB0000-0x0000000140204000-memory.dmp
C:\Windows\system\hWNYuuP.exe
| MD5 | e55d3ab6b69caacf51c0972f4dae90d0 |
| SHA1 | 6899cca2e52611f0eae0b671c825881043fbfcd1 |
| SHA256 | 27861499f45ec537ee32c1b1abcb8c0ff399f35029f075638d057351e9c84803 |
| SHA512 | c7662e40c2d5be87d8be54ff1cde6882982a0d34e5b8e0f0cd6c98aaa6dcb3c35ba33b86f0ccd44f6d57ecdd62570bee6e8ba92559c4286b56a0936041230566 |
memory/2188-81-0x0000000002560000-0x00000000028B4000-memory.dmp
memory/2428-75-0x000000013FDD0000-0x0000000140124000-memory.dmp
C:\Windows\system\VHtMYte.exe
| MD5 | 774dbfdec31205fc9a5f64b5d69696f9 |
| SHA1 | 3e0c07d1864c4fab7518d46ec3a389ace190cb51 |
| SHA256 | e46e7965162dca791bc15fb323f3e126bf0de3803b7284dd618575f7f1a33f13 |
| SHA512 | a106eae4de79bb8d94f068848caf96e194203128b2a02070b64d4f1e6c94b15a4ecde5f2b3fcb85b8f2e9b8bb54eab58e658e6eb8d4d291f5a11eaed3e867b3d |
C:\Windows\system\engBmme.exe
| MD5 | 8bf37ece0f64abee45a4059af065886c |
| SHA1 | 1bff4401356abbdcf79db23059f264e3f0ac1989 |
| SHA256 | e856be1599f86b57a307999ae4c0bc7f378b18fd8a6cc17a55b8e931fefa27da |
| SHA512 | c8c4975dd5620e1fc0dce0347e77bb9f2b05038cae8f45fc1f2f3fe3a111407e5f4fcfa1fa9813d5bc5a4d1b407ec177219b3dd7c1f5d4410469e71f0e4fbb02 |
memory/2528-69-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2188-68-0x0000000002560000-0x00000000028B4000-memory.dmp
C:\Windows\system\VGyWrno.exe
| MD5 | d043fb2f146c0c82923ffdbe82747989 |
| SHA1 | 2dcbf0d730590644e82321e088720d0f02b32dd4 |
| SHA256 | f1ea356fb309afea77f79e541c93ea645f5c614cd4de4e6f5b5318a11c397e1d |
| SHA512 | cb97132ce7d40aeaba306c285b0c27cf475fe4bdcd41359be4251c18864733c1b1c084566b748b0338d55f66f872cf566f052c1fef5c96e1401deffea1c2674e |
memory/2592-61-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
C:\Windows\system\WjkRjZx.exe
| MD5 | 0b46753604505c5f1d24e27493ccf8e8 |
| SHA1 | c664f67c92ac0dfab72944c38ebc3a0d2405b3b3 |
| SHA256 | e221180209290d6ed401c74525e5f6dc71ae74252650135857f5bd19852425d7 |
| SHA512 | 6dcd9cc701e2a51f2675d2ff442d7130e3403a5676fa4010e457162aa919d1699e77a168491b1a4accb6f0ae6ebbdbe474d06355e48c66b91825b0ec5b18dcb5 |
memory/2464-54-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2636-49-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2188-48-0x0000000002560000-0x00000000028B4000-memory.dmp
memory/2464-137-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2808-40-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2188-39-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2188-34-0x0000000002560000-0x00000000028B4000-memory.dmp
C:\Windows\system\MkxcUfc.exe
| MD5 | 545badb76c89688b2692f3db5d591f9f |
| SHA1 | 977dd0b981da7367a4bc834e78b5d95bcd943e51 |
| SHA256 | a54fc56bbe94b031025d0f7bbf242f403572d8d0741759586845d19294c78184 |
| SHA512 | 270d6dad85826fdc0c0aeb8df0481ad5365d46854771dda6622b2b438392e6cc679aa8bed447358f3b25d74d466de47e52a3e0d790a4f67023df06cc2672c4c8 |
C:\Windows\system\JsEcApY.exe
| MD5 | d48aa17c3b5b742110c93dea4d83bdc1 |
| SHA1 | ec50800a55f659204a50ee0e269468f862327b92 |
| SHA256 | 71140192078bb9fe8ceefca0e39e412556f531b60fce8a01d493404184169935 |
| SHA512 | 8279a3fcdeb35af23ad795d000f4b4d25a506f77ca4e058d2eaa23cd9b052e3b7f961f9b4bafbba319d14a0f3ef197fbd851ae4245a7978ef48e8227aed61cc7 |
memory/2188-27-0x0000000002560000-0x00000000028B4000-memory.dmp
memory/2592-138-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2528-139-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2188-140-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2428-141-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2188-142-0x0000000002560000-0x00000000028B4000-memory.dmp
memory/1032-143-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/620-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/868-145-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2188-146-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/3016-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2688-148-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2848-149-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2844-150-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2636-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2808-152-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2464-153-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2592-154-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2528-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2428-156-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/1032-157-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/620-158-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/868-159-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2596-160-0x000000013F650000-0x000000013F9A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 07:04
Reported
2024-05-30 07:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zojupTh.exe | N/A |
| N/A | N/A | C:\Windows\System\EuoCRTF.exe | N/A |
| N/A | N/A | C:\Windows\System\NsmgrxR.exe | N/A |
| N/A | N/A | C:\Windows\System\CSWQLYv.exe | N/A |
| N/A | N/A | C:\Windows\System\JsEcApY.exe | N/A |
| N/A | N/A | C:\Windows\System\MkxcUfc.exe | N/A |
| N/A | N/A | C:\Windows\System\domPiWd.exe | N/A |
| N/A | N/A | C:\Windows\System\SmHvTDf.exe | N/A |
| N/A | N/A | C:\Windows\System\WjkRjZx.exe | N/A |
| N/A | N/A | C:\Windows\System\VGyWrno.exe | N/A |
| N/A | N/A | C:\Windows\System\engBmme.exe | N/A |
| N/A | N/A | C:\Windows\System\VHtMYte.exe | N/A |
| N/A | N/A | C:\Windows\System\hWNYuuP.exe | N/A |
| N/A | N/A | C:\Windows\System\FJGoDok.exe | N/A |
| N/A | N/A | C:\Windows\System\PkcTbSd.exe | N/A |
| N/A | N/A | C:\Windows\System\pmnYoLH.exe | N/A |
| N/A | N/A | C:\Windows\System\nLbwDsA.exe | N/A |
| N/A | N/A | C:\Windows\System\duhyMAK.exe | N/A |
| N/A | N/A | C:\Windows\System\KqAngdE.exe | N/A |
| N/A | N/A | C:\Windows\System\rtJPnik.exe | N/A |
| N/A | N/A | C:\Windows\System\RLOMkin.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_d16925436e9c6cd319eaefb48fd73ddb_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\zojupTh.exe
C:\Windows\System\zojupTh.exe
C:\Windows\System\EuoCRTF.exe
C:\Windows\System\EuoCRTF.exe
C:\Windows\System\NsmgrxR.exe
C:\Windows\System\NsmgrxR.exe
C:\Windows\System\CSWQLYv.exe
C:\Windows\System\CSWQLYv.exe
C:\Windows\System\JsEcApY.exe
C:\Windows\System\JsEcApY.exe
C:\Windows\System\MkxcUfc.exe
C:\Windows\System\MkxcUfc.exe
C:\Windows\System\domPiWd.exe
C:\Windows\System\domPiWd.exe
C:\Windows\System\SmHvTDf.exe
C:\Windows\System\SmHvTDf.exe
C:\Windows\System\WjkRjZx.exe
C:\Windows\System\WjkRjZx.exe
C:\Windows\System\VGyWrno.exe
C:\Windows\System\VGyWrno.exe
C:\Windows\System\engBmme.exe
C:\Windows\System\engBmme.exe
C:\Windows\System\VHtMYte.exe
C:\Windows\System\VHtMYte.exe
C:\Windows\System\hWNYuuP.exe
C:\Windows\System\hWNYuuP.exe
C:\Windows\System\FJGoDok.exe
C:\Windows\System\FJGoDok.exe
C:\Windows\System\PkcTbSd.exe
C:\Windows\System\PkcTbSd.exe
C:\Windows\System\pmnYoLH.exe
C:\Windows\System\pmnYoLH.exe
C:\Windows\System\nLbwDsA.exe
C:\Windows\System\nLbwDsA.exe
C:\Windows\System\duhyMAK.exe
C:\Windows\System\duhyMAK.exe
C:\Windows\System\KqAngdE.exe
C:\Windows\System\KqAngdE.exe
C:\Windows\System\rtJPnik.exe
C:\Windows\System\rtJPnik.exe
C:\Windows\System\RLOMkin.exe
C:\Windows\System\RLOMkin.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 2.17.107.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 52.111.229.48:443 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Windows\System\zojupTh.exe
C:\Windows\System\EuoCRTF.exe
C:\Windows\System\NsmgrxR.exe
C:\Windows\System\CSWQLYv.exe
C:\Windows\System\JsEcApY.exe
C:\Windows\System\MkxcUfc.exe
C:\Windows\System\domPiWd.exe
C:\Windows\System\SmHvTDf.exe
C:\Windows\System\WjkRjZx.exe
C:\Windows\System\VGyWrno.exe
C:\Windows\System\engBmme.exe
C:\Windows\System\VHtMYte.exe
C:\Windows\System\hWNYuuP.exe
C:\Windows\System\FJGoDok.exe
C:\Windows\System\nLbwDsA.exe
C:\Windows\System\pmnYoLH.exe
C:\Windows\System\PkcTbSd.exe
C:\Windows\System\duhyMAK.exe
C:\Windows\System\KqAngdE.exe
C:\Windows\System\rtJPnik.exe
C:\Windows\System\RLOMkin.exe