Analysis Overview
SHA256
b75cd532c50dcb60baec52f6cedaca20ac30384a867a56ca5b7c874fd2a11ecc
Threat Level: Known bad
The file 2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 09:34
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 09:34
Reported
2024-05-30 09:36
Platform
win7-20240508-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OxIeEre.exe | N/A |
| N/A | N/A | C:\Windows\System\ykvmnWq.exe | N/A |
| N/A | N/A | C:\Windows\System\mbvhqVD.exe | N/A |
| N/A | N/A | C:\Windows\System\AwIunkD.exe | N/A |
| N/A | N/A | C:\Windows\System\UgowYkn.exe | N/A |
| N/A | N/A | C:\Windows\System\TPjnksV.exe | N/A |
| N/A | N/A | C:\Windows\System\eyJhdYO.exe | N/A |
| N/A | N/A | C:\Windows\System\qXjfiFV.exe | N/A |
| N/A | N/A | C:\Windows\System\rVkEMLS.exe | N/A |
| N/A | N/A | C:\Windows\System\JecGwJq.exe | N/A |
| N/A | N/A | C:\Windows\System\XKIvUZo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbiixIk.exe | N/A |
| N/A | N/A | C:\Windows\System\kbRyijo.exe | N/A |
| N/A | N/A | C:\Windows\System\GJjfyDd.exe | N/A |
| N/A | N/A | C:\Windows\System\xzGtGSt.exe | N/A |
| N/A | N/A | C:\Windows\System\WrbIHQG.exe | N/A |
| N/A | N/A | C:\Windows\System\fheEzaU.exe | N/A |
| N/A | N/A | C:\Windows\System\gkyPiiU.exe | N/A |
| N/A | N/A | C:\Windows\System\CmoWDPs.exe | N/A |
| N/A | N/A | C:\Windows\System\XfXCDje.exe | N/A |
| N/A | N/A | C:\Windows\System\yKDrFGo.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\OxIeEre.exe
C:\Windows\System\OxIeEre.exe
C:\Windows\System\ykvmnWq.exe
C:\Windows\System\ykvmnWq.exe
C:\Windows\System\mbvhqVD.exe
C:\Windows\System\mbvhqVD.exe
C:\Windows\System\AwIunkD.exe
C:\Windows\System\AwIunkD.exe
C:\Windows\System\UgowYkn.exe
C:\Windows\System\UgowYkn.exe
C:\Windows\System\TPjnksV.exe
C:\Windows\System\TPjnksV.exe
C:\Windows\System\eyJhdYO.exe
C:\Windows\System\eyJhdYO.exe
C:\Windows\System\qXjfiFV.exe
C:\Windows\System\qXjfiFV.exe
C:\Windows\System\rVkEMLS.exe
C:\Windows\System\rVkEMLS.exe
C:\Windows\System\JecGwJq.exe
C:\Windows\System\JecGwJq.exe
C:\Windows\System\XKIvUZo.exe
C:\Windows\System\XKIvUZo.exe
C:\Windows\System\ZbiixIk.exe
C:\Windows\System\ZbiixIk.exe
C:\Windows\System\kbRyijo.exe
C:\Windows\System\kbRyijo.exe
C:\Windows\System\GJjfyDd.exe
C:\Windows\System\GJjfyDd.exe
C:\Windows\System\xzGtGSt.exe
C:\Windows\System\xzGtGSt.exe
C:\Windows\System\WrbIHQG.exe
C:\Windows\System\WrbIHQG.exe
C:\Windows\System\fheEzaU.exe
C:\Windows\System\fheEzaU.exe
C:\Windows\System\gkyPiiU.exe
C:\Windows\System\gkyPiiU.exe
C:\Windows\System\CmoWDPs.exe
C:\Windows\System\CmoWDPs.exe
C:\Windows\System\XfXCDje.exe
C:\Windows\System\XfXCDje.exe
C:\Windows\System\yKDrFGo.exe
C:\Windows\System\yKDrFGo.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1868-0-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/1868-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\OxIeEre.exe
| MD5 | 9fd53c1d3d2afd2c1556bd654be540f9 |
| SHA1 | 24d57f87634cd604bd7f45fd0cce044a50a68b4d |
| SHA256 | db3e02fca869ba89ef7e9c3df8da717fd1e71a610516f75d00cce6b7fb3f9d10 |
| SHA512 | b189df42fcda726b58a409e48f7f86196d5de66abbeb35cc54ec1ca77b3d528f5de07a9759eee769bb8d7258aa5deb1f4ec697c2e2ddd8d4b0386a659f035ce8 |
memory/1592-7-0x000000013F340000-0x000000013F691000-memory.dmp
\Windows\system\ykvmnWq.exe
| MD5 | 615109a05c8d9b924be02661d1d74d70 |
| SHA1 | 60fbf361a4ceb8252cda364a023d57546b87a4dd |
| SHA256 | 2e3d13dc8721eddf4500429366528a1b347c18fea3a1c5508e3215196bd762d1 |
| SHA512 | 864a5417fcda8a40096c3215ef56fe098017654a81060700a591a31942f0c07926b377d7f5976e159cbb08a70a0895b1f598f4d9c9d43aa1306597ebfb94b24b |
memory/2580-14-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/1868-13-0x000000013F930000-0x000000013FC81000-memory.dmp
C:\Windows\system\mbvhqVD.exe
| MD5 | 99f3e57e1fb3967997179473ae17d725 |
| SHA1 | 096eec5a9cc59d98979a9c8329a8abf420131db6 |
| SHA256 | bc84112f9fd113f40e2932c28189e1709444b67bfd92976f0d188292206f6664 |
| SHA512 | 98a4ba30ea352a025ac7110d14e246705b596f5a4563f032090e438616026e16205e46cb897a4ccbe7e398c1753584b1096cc8dca6156ffed8f25f32e8ff4e96 |
memory/2616-22-0x000000013F510000-0x000000013F861000-memory.dmp
memory/1868-19-0x000000013F510000-0x000000013F861000-memory.dmp
C:\Windows\system\AwIunkD.exe
| MD5 | 204662c5aa2dfc9f8d4032d1e82dbfec |
| SHA1 | 9ba45e3243107f08692b2c33a3c38a53c50a2ef1 |
| SHA256 | 1d105dcbb411701d7f8968722851add9ab65671da9d60c265900ca8c5242cdf4 |
| SHA512 | a49f11e378cae2540141eb2f4c61d7b8326c4b389ce6fe92d957d74672079f544a57a06507fe44f34bdab6beaf0caf4ea78ea3c546f4d212857a74d66b28f636 |
memory/2824-29-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/1868-28-0x000000013F4E0000-0x000000013F831000-memory.dmp
\Windows\system\TPjnksV.exe
| MD5 | e18a5e143e7a25ed12053b315b93b2c8 |
| SHA1 | 368743c6f5eaf7735c36e0afe9392c9ebc637e6a |
| SHA256 | a04e3875ac1fe474dcb89c8f98732e3f77840f7fde5ad3c0694d30b312bfad60 |
| SHA512 | c6bff5b604b7b7dfcb9817ade0556b24375c4f312ada8e154e023af9b68a58ee5b34916c6aa73ae34552dbf9c7100982c0cdb6e29ca8984a7860fb69976c7fc8 |
memory/2620-35-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2604-43-0x000000013FB40000-0x000000013FE91000-memory.dmp
C:\Windows\system\qXjfiFV.exe
| MD5 | a3b081fed06c96b2baccebe46430dc4b |
| SHA1 | f28c9c6836e291ba9aa143c4076f0274fa37fec0 |
| SHA256 | 6d7d1fe90388eb024b3cf631017967a0b64646b9d1c6afca16e48b54419dd5ab |
| SHA512 | 11d31779ebdb7649b3162d73edfe2bd09a85724ec477c7b2e24cdf03922ce77224ab3ba61d69d643dcbd2ac96de94c639ef7991f4b9ab19cee887dd8fa0a7e56 |
memory/1868-56-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2652-57-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2580-68-0x000000013F930000-0x000000013FC81000-memory.dmp
C:\Windows\system\ZbiixIk.exe
| MD5 | 83d01689a9f4f79be0b4263d036ba13a |
| SHA1 | 52d30ce1d8e8f02b6cf8631fdda92fd8d6b20e2d |
| SHA256 | a8fb4ea1599a942aa8b6cfff77eeadc5e13acb5d6492d516f49ef9bc20accb5a |
| SHA512 | 4d44535ab7c61255c510326518368e7070f1d0d637f3f73e154caff49594913fa01c5ac2169e8bcf7c1498ebf52e3b33944574a6b1b9913c00ea3843c670e793 |
memory/1692-86-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2460-101-0x000000013F690000-0x000000013F9E1000-memory.dmp
\Windows\system\XfXCDje.exe
| MD5 | 0f2ddf9c836960db5951da656cefa354 |
| SHA1 | b9ef3b00494d75849498f386a6a5795e239f9005 |
| SHA256 | 5f4b36d40bb8de23984d66ec2529ce98a56f304688f39346e4a5368374df390f |
| SHA512 | 25a4d26f8c52df4d48ccbb53579b5cfbcb84f57d0a4fe8282effea9f333fa94a759ae918a94f5778e5f535382c6571441501ac5f8d11f3c0070a79fa134bee55 |
\Windows\system\yKDrFGo.exe
| MD5 | 9cf878dcd77d5ebcb2db27ee99b3954f |
| SHA1 | 31d8d572b056ffad19ec02e7439adc9035bd796b |
| SHA256 | 54125f4b87d85903653ea3d5441a8a225a9ebb7c5e12ee9db28e7827a409118c |
| SHA512 | 8e34232dee9f85ff865c19e66eb390bb764b74c1566282ab4f33933f92227b1b1e16656caf195968614e5f6d3447ea2c20e54741af602b83e8c2db98a3bcbac9 |
C:\Windows\system\CmoWDPs.exe
| MD5 | 910c78d2d56923170b20a2811cf51a37 |
| SHA1 | a41be74091273c616d2b1b1550ebf6bb1b30ee71 |
| SHA256 | bfd299bcfe65d17e2bfc99743627555f7691737f43991aaf54f300d5c92b4acc |
| SHA512 | 62790370601479d7e4f20f1615dd532447c3f52926bd482da9a2af7766d845bde0ce04dde26e716f2b39f40b0930aca4106246cb7337d3d012db431c498b8bb5 |
C:\Windows\system\fheEzaU.exe
| MD5 | 878f7a31887a0fb1cc41865046d47862 |
| SHA1 | e74e57e08c5bb82558be803b9f666cc20eaefc74 |
| SHA256 | 8e76084df1514ab03b5b1c02914073d9e3d65c33016871d980ab46fbc9b0a3ef |
| SHA512 | 4b3b9d47f7b6dd2ab205cec895dbf9ea001a527305e2f8af5c85c71aef2694009a520739819cb63212ffd581a10dd9be209aa03bb94353f6c5e51f8f2b60e7ac |
C:\Windows\system\gkyPiiU.exe
| MD5 | 53e534c8cbcecdec68b998f271c7c4a0 |
| SHA1 | 767c4fa5973da9648bfa2fbc972103cdac64f7fa |
| SHA256 | df6a6ea7173197d1b7137c1b228c08bbb41bed61d09330949909263b636c39a1 |
| SHA512 | 1f1fa1078b553317a7c5ec1980ee057239eed24686894711533f33ef6f97b62874e3b54504f6658e36030702a8fdc93692583564bc0dadf3bb9607be8f44567d |
C:\Windows\system\WrbIHQG.exe
| MD5 | 0c84d219721afda25605e12c6d81af34 |
| SHA1 | c11356823a169a52fe3a1e89b1b7431168800c6c |
| SHA256 | 5ff8e7067323fcfd4418b3fc6843acb8745b3dd3e9315461d1bc2a11e6337430 |
| SHA512 | 42c614d0faef3ea652169481bd2156d13804bd30a66288a828b60cdd7d59659a0453538a7c819e9b61750e360404c672eeccf59c611faa617e994becc1828683 |
memory/1868-107-0x00000000024F0000-0x0000000002841000-memory.dmp
C:\Windows\system\xzGtGSt.exe
| MD5 | cbf08152c87077ad4628726cb6f2e8f5 |
| SHA1 | 20d3f87220a473e7c05e77ef51b48d888a579c93 |
| SHA256 | df06969016c23f0726b960f24e164e5f5be2f7c1e16ba8016e34e8be3edce94c |
| SHA512 | e659d42f092e0c4086b42f725a859c9a9b87cc39430f80ac209041ab3d6b21d0ad2ed675256304c39804563786f837abfcb86985aa14e124b283be051525b9c0 |
memory/2784-138-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/1868-100-0x000000013F690000-0x000000013F9E1000-memory.dmp
C:\Windows\system\GJjfyDd.exe
| MD5 | cad72596e5650e1d00fe77503e1c65f4 |
| SHA1 | 39469a5846140c16065fff015d6ec884cb35624d |
| SHA256 | e501af565b31ab6a668b30dcc4765bbfe55de902a9d229c02743788cb12e5359 |
| SHA512 | 9f6d867e1fa1d8bd8376111cc23684f749c9d94c8babd070400af4b5b0d105fa51b316d424eab72c4a89febf0e222af8ed4ca683fba8a657ca67369f13ff4ec2 |
memory/1460-93-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/1868-92-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/2620-91-0x000000013F3D0000-0x000000013F721000-memory.dmp
C:\Windows\system\kbRyijo.exe
| MD5 | abe9db469ce1d492831f9c26a8bc4498 |
| SHA1 | e4ccb533f3695929fb2013da8e54368daed41602 |
| SHA256 | b4ba906ccd1beec40b82472bc5bfb153741a6978c1fc516748d29883098231c9 |
| SHA512 | a074bc48359539c0856a858b1fa7a5b217274c8260ad6d814953649698c96b41ff65b046932ecf2192d6f03beff8cfd76b1184f092f8b30cd1dc26d826e0fb0f |
memory/1868-85-0x00000000024F0000-0x0000000002841000-memory.dmp
memory/1876-78-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1868-77-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2616-76-0x000000013F510000-0x000000013F861000-memory.dmp
C:\Windows\system\XKIvUZo.exe
| MD5 | 77bfc1e4481b6cf220fdb38bbd67ae0e |
| SHA1 | 4b0c3671b56df5602addff255a007b35622cc6f2 |
| SHA256 | fdf843677932d203454bbf4f08a156eabcd541ca0445ba9a41467de28c75c03d |
| SHA512 | dd5d2e123e162da7849288f2e19275e7ece0b7585c0fb750eb6ba07df2b8cd4b7d27b48c0e2a007d45539f0facc62d3eec800995787fece32545a3bdce2266c3 |
memory/2904-70-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/1868-69-0x00000000024F0000-0x0000000002841000-memory.dmp
C:\Windows\system\JecGwJq.exe
| MD5 | 3c49cd7bcdd16768a24dfae4f7a5833d |
| SHA1 | 86d2879342f67dbd7eb0100255024d8bd43786d7 |
| SHA256 | a82d4893db29286b7053c5c671cbfa9be19b1510db6851a9d3cac060877c4ab6 |
| SHA512 | f059468a6fdb1fc868b3333462be205348ab3f6cfe5ef1545c6f16f83814a664eb7ec6984f42077e36f05c12f79af4b081053a67dc11bf134c2e4003e98b2ff0 |
memory/2528-63-0x000000013F420000-0x000000013F771000-memory.dmp
memory/1592-62-0x000000013F340000-0x000000013F691000-memory.dmp
C:\Windows\system\rVkEMLS.exe
| MD5 | 82fc484f087584527ba152369ed6abb9 |
| SHA1 | 90a3484cae7770c951104e8623846b72b8a5a215 |
| SHA256 | 5719ee83992e71180453b77c6949c0b12a593dccfc5bfdbe780e8b1f700ce5fc |
| SHA512 | 24182f2c91f07ed4db52e88df601d6d60af7d3c4c880cb01dcc848320e9df16f591880e285e26e859d86f231bc072c507be8356888f10e409aa51db04b7afe80 |
memory/2784-49-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/1868-48-0x00000000024F0000-0x0000000002841000-memory.dmp
C:\Windows\system\eyJhdYO.exe
| MD5 | c4dcc74edad33183e2b703a733eb73bb |
| SHA1 | fb2b09ed9f657db57b38ab637a8f463c6bb82e49 |
| SHA256 | c925f9f45fefad55dcc4f902dce309532690f4c5066dbc075ce7a793d144a73b |
| SHA512 | 24e46615b623438d1a5ab557650bb0d5198b7f57e1e765f487ae6530c35b233fc13ff4be06ce9be7b938b8cc133964a91312b0c1ae503fc2ce42dd5e73799b6b |
memory/1868-38-0x00000000024F0000-0x0000000002841000-memory.dmp
memory/1868-34-0x000000013F3D0000-0x000000013F721000-memory.dmp
C:\Windows\system\UgowYkn.exe
| MD5 | 2e286be490a445e6db43cd86f10855dc |
| SHA1 | c62cd19f67d6e7f86160e38a19bb4bb7f4598627 |
| SHA256 | 805da2b2683bac9d987f2346079617ec3a40dd2845f15bea135df31525c3b04a |
| SHA512 | ce1234ba4b2d75a288a2f572fbbb4bcdbc72b5cb86498a7930bf1cc412f18bfad9638c2b6f1e59261a58cbba9967f7a1c7e4e3084656fb89a67697c50753489c |
memory/1868-139-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2904-149-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2528-152-0x000000013F420000-0x000000013F771000-memory.dmp
memory/1692-151-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/1876-150-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1460-153-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/2380-156-0x000000013F040000-0x000000013F391000-memory.dmp
memory/1432-161-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/1868-162-0x00000000024F0000-0x0000000002841000-memory.dmp
memory/1028-160-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/1448-158-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1580-157-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/324-155-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2460-154-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/1856-159-0x000000013FC00000-0x000000013FF51000-memory.dmp
memory/1868-163-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1868-164-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/1868-174-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/1868-187-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/1592-215-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2616-218-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2580-219-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2824-221-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2620-223-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2604-225-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2784-227-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2652-229-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2528-231-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2904-233-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/1876-235-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1692-247-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/1460-249-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/2460-251-0x000000013F690000-0x000000013F9E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 09:34
Reported
2024-05-30 09:36
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ShkJORX.exe | N/A |
| N/A | N/A | C:\Windows\System\STompFf.exe | N/A |
| N/A | N/A | C:\Windows\System\NTWMHnO.exe | N/A |
| N/A | N/A | C:\Windows\System\avmEILp.exe | N/A |
| N/A | N/A | C:\Windows\System\kPdruSp.exe | N/A |
| N/A | N/A | C:\Windows\System\dZNbGap.exe | N/A |
| N/A | N/A | C:\Windows\System\ojGRNOP.exe | N/A |
| N/A | N/A | C:\Windows\System\JeUjfQr.exe | N/A |
| N/A | N/A | C:\Windows\System\tFbUsdU.exe | N/A |
| N/A | N/A | C:\Windows\System\dFtPGNK.exe | N/A |
| N/A | N/A | C:\Windows\System\tewTPUj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBeQdrT.exe | N/A |
| N/A | N/A | C:\Windows\System\qkpJCoa.exe | N/A |
| N/A | N/A | C:\Windows\System\iOpJMjz.exe | N/A |
| N/A | N/A | C:\Windows\System\wXrqBgc.exe | N/A |
| N/A | N/A | C:\Windows\System\fOIUPzJ.exe | N/A |
| N/A | N/A | C:\Windows\System\wisnVwH.exe | N/A |
| N/A | N/A | C:\Windows\System\lgdPyzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nThjuiR.exe | N/A |
| N/A | N/A | C:\Windows\System\mQFgAfj.exe | N/A |
| N/A | N/A | C:\Windows\System\JDLGERE.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ShkJORX.exe
C:\Windows\System\ShkJORX.exe
C:\Windows\System\STompFf.exe
C:\Windows\System\STompFf.exe
C:\Windows\System\NTWMHnO.exe
C:\Windows\System\NTWMHnO.exe
C:\Windows\System\avmEILp.exe
C:\Windows\System\avmEILp.exe
C:\Windows\System\kPdruSp.exe
C:\Windows\System\kPdruSp.exe
C:\Windows\System\dZNbGap.exe
C:\Windows\System\dZNbGap.exe
C:\Windows\System\ojGRNOP.exe
C:\Windows\System\ojGRNOP.exe
C:\Windows\System\JeUjfQr.exe
C:\Windows\System\JeUjfQr.exe
C:\Windows\System\tFbUsdU.exe
C:\Windows\System\tFbUsdU.exe
C:\Windows\System\dFtPGNK.exe
C:\Windows\System\dFtPGNK.exe
C:\Windows\System\tewTPUj.exe
C:\Windows\System\tewTPUj.exe
C:\Windows\System\ZBeQdrT.exe
C:\Windows\System\ZBeQdrT.exe
C:\Windows\System\qkpJCoa.exe
C:\Windows\System\qkpJCoa.exe
C:\Windows\System\iOpJMjz.exe
C:\Windows\System\iOpJMjz.exe
C:\Windows\System\wXrqBgc.exe
C:\Windows\System\wXrqBgc.exe
C:\Windows\System\fOIUPzJ.exe
C:\Windows\System\fOIUPzJ.exe
C:\Windows\System\wisnVwH.exe
C:\Windows\System\wisnVwH.exe
C:\Windows\System\lgdPyzZ.exe
C:\Windows\System\lgdPyzZ.exe
C:\Windows\System\nThjuiR.exe
C:\Windows\System\nThjuiR.exe
C:\Windows\System\mQFgAfj.exe
C:\Windows\System\mQFgAfj.exe
C:\Windows\System\JDLGERE.exe
C:\Windows\System\JDLGERE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 121.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
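The Network table mixes the sample's own connections with traffic generated by the analysis host. The Python below is a worked triage example added to this report, not part of the sandbox output: it parses the rows (tolerating the report's misaligned rows that lack a Domain cell), decodes the in-addr.arpa PTR names back to the peer addresses that were looked up, and separates assumed background traffic from destinations the background rules do not explain. The rules themselves (8.8.8.8 is the sandbox resolver, PTR queries to it are the analysis host enriching peers it observed, bing.com is OS background traffic) are assumptions about the sandbox, not statements the report makes. Run over the full table above, the only destination left unexplained is 3.120.209.58:8080 (DE), contacted six times over TCP and never the subject of a PTR lookup.

```python
import re
from collections import Counter

# Constructed subset of the report's Network table above, copied as printed, including
# the rows where the Domain cell is missing and "tcp" has slid into its column.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

# Assumed background-traffic rules, not stated by the report: 8.8.8.8 is the sandbox
# resolver, PTR queries there are the analysis host enriching peers it saw, and
# bing.com is OS background traffic. Adjust these for your own sandbox.
RESOLVER = "8.8.8.8:53"
BACKGROUND_DOMAIN_SUFFIXES = ("bing.com",)
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(table):
    """Parse the markdown table into dicts, tolerating rows with a missing Domain cell."""
    rows = []
    for line in table.splitlines()[1:]:  # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]  # drop the empty cell of misaligned rows
        if len(cells) == 4:
            country, dest, domain, proto = cells
        elif len(cells) == 3 and cells[2] in ("tcp", "udp"):
            (country, dest, proto), domain = cells, ""
        else:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """183.142.211.20.in-addr.arpa -> 20.211.142.183 (the address that was looked up)."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def triage(rows):
    """Split rows into assumed background traffic and destinations left unexplained."""
    background = Counter()
    ptr_targets = set()
    candidates = Counter()
    for r in rows:
        if r["dest"] == RESOLVER and r["domain"].endswith(PTR_SUFFIX):
            background["ptr_lookup"] += 1
            ptr_targets.add(ptr_to_ip(r["domain"]))
        elif r["domain"].endswith(BACKGROUND_DOMAIN_SUFFIXES):
            background["os_background"] += 1
        else:
            candidates[(r["country"], r["dest"], r["proto"])] += 1
    return {"background": background, "ptr_targets": ptr_targets, "candidates": candidates}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for (country, dest, proto), n in result["candidates"].most_common():
        print(f"unexplained: {dest} ({country}, {proto}) x{n}")
    print("background:", dict(result["background"]))
```

The PTR decoding is the useful part for pivoting: the in-addr.arpa names tell you which peer addresses the host resolved backwards, so a direct connection whose address never appears among them (here 3.120.209.58) stands out from the enrichment noise.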
Files
memory/2348-0-0x00007FF760430000-0x00007FF760781000-memory.dmp
memory/2348-1-0x0000021843D50000-0x0000021843D60000-memory.dmp
C:\Windows\System\ShkJORX.exe
| MD5 | 3b1d2cd30ddf48ffda3009fe874393f0 |
| SHA1 | cbc1822e93c025f143d0698bd6903dd152a767db |
| SHA256 | 281b5a7f0260a1ddc5deb79bb13d191a7cd1a2cb299cdae1165b59ebe097c8a6 |
| SHA512 | e166b1667b7eda187fdfba73bd221c17457a27968a97b5e074aa3e45cf5d2317195f81e45a6dc51ce4a1cba40906c2939d1be682f82e4c4317dc527b5b9e7c88 |
memory/2816-6-0x00007FF762560000-0x00007FF7628B1000-memory.dmp
C:\Windows\System\STompFf.exe
| MD5 | e3f55f1b5a040896d8356725bb333d71 |
| SHA1 | a57cce631893d0e25267402869808645051c7547 |
| SHA256 | 1b1eeedb59f0fc58a2afea9b299e6b79716544ea21c80726ce5a18ecb1148946 |
| SHA512 | aa8fbded958d0288779d06feffce64adab1a23ef07b8d5e080c989405ae43dd5aff791049d4263497d761f2ed94a37104dfc758a0db40ba6e1e93bc28871fb2d |
C:\Windows\System\NTWMHnO.exe
| MD5 | 078ae1879b58d400f5b7b25b40441a2c |
| SHA1 | 80a50fdb8f32d39f1e1d54593d74966f2f534618 |
| SHA256 | 2e66d88c7fe780177d58874599e726cf7f0be7dd51aebbf7efd44be8555149d1 |
| SHA512 | 2b9272f3b1504bbe0f5052be9a9f19278836412b8cf2062105d5413e443d80c1a323d196514455d17207c754c103ef0fe7cc8a5fee9558d2f699f1a6fbb82b64 |
memory/2264-16-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp
memory/1052-20-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp
C:\Windows\System\avmEILp.exe
| MD5 | cf1479e784ee45ba0954cac5c2b8ab25 |
| SHA1 | a51c6c267321c22b6aa29b0ef859eeb6ac27822d |
| SHA256 | c28fa468cbc09569715bdc1b01f66899ce9acf7247af6c627b6a054f1384a287 |
| SHA512 | b09e8ea21aebaa62214fae348ba74d1ed97ece6e31f4a1396a443f1b18d5b15bd3fc3a18475f4d261823e654e000f5c260fb9fffd0a7e656e57f3ace08a9345d |
memory/1260-26-0x00007FF79F640000-0x00007FF79F991000-memory.dmp
C:\Windows\System\kPdruSp.exe
| MD5 | 55cf3231dea085eb0443e000a26fe44b |
| SHA1 | 00dc401f5dcafcbe9c962f9ce99db431dd183d69 |
| SHA256 | c37c7bb34d4aab390c2887ca80251a349d0a6e3d52d3bb34dbd8b711405988d6 |
| SHA512 | 8e56e51442175e9c6d329c5951b0fd21a40e51076211ebd249cfbf07ea92ca8164e9333d523ae0d5fc15d79eb535cc038e1b18676a6fe679c31fc19eb9b4dff9 |
memory/2528-37-0x00007FF6984F0000-0x00007FF698841000-memory.dmp
memory/4952-42-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp
memory/4468-47-0x00007FF656CD0000-0x00007FF657021000-memory.dmp
memory/3820-52-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp
C:\Windows\System\dFtPGNK.exe
| MD5 | 834fd0f948e3730cb7fc46a4c7170c7a |
| SHA1 | 82de6056c70a00c5c552509256fab052c27de379 |
| SHA256 | 9a1c3dfcacb8a87992e592c3b78692f707a9ecb86e6fedee8fed940b655146f7 |
| SHA512 | dc7306f4a03db0450da9261e567ec10bef1468ee125eeaa43f351e64c87bc536f4723733481170e6343642d4fe6119a75ba214b7cc831617a096d364bf5d9ef3 |
C:\Windows\System\qkpJCoa.exe
| MD5 | 9ea4418f412d7e1420ee0708f2693478 |
| SHA1 | 6f7c4a094350df13446394182c9af9a74a1342ed |
| SHA256 | dcd04d07fa73a3a2379e2356fc1d2d8448b981dffec2403dba6d01d3d7f4456a |
| SHA512 | 0b08e600349d616f77e601fb68625ad4ff282c9d4c7d0f681e5ba1354b972a2d762e62dffbcaa3b85596cbc503cdef5f91895e82df73f79df93f30c24a561129 |
memory/464-80-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp
memory/3224-86-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp
memory/1224-89-0x00007FF6100C0000-0x00007FF610411000-memory.dmp
memory/2264-88-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp
memory/2816-87-0x00007FF762560000-0x00007FF7628B1000-memory.dmp
C:\Windows\System\iOpJMjz.exe
| MD5 | 54f49817441783f43999cd59e302148c |
| SHA1 | fb724210f7b8e1a6484cd18adf3bbd2fa8c3c78f |
| SHA256 | 27514bd162d31aa80bde7d30cd90b11621d1e01e075f53a3dd9b8433b0b7e167 |
| SHA512 | e1c34eafd2a3335725ecdf5acb4d622c1d0bbaef74fed794ed2ce98a64387afef7451a4880564fa270680d51307f7456a185ee50c8f9162ab86fb8a1798082df |
memory/5068-81-0x00007FF716CF0000-0x00007FF717041000-memory.dmp
memory/2348-76-0x00007FF760430000-0x00007FF760781000-memory.dmp
C:\Windows\System\ZBeQdrT.exe
| MD5 | 0785fea7dd66dec2130c2ec5a7ca1f70 |
| SHA1 | 3b3ef960d136b16d624fbc4d73e2fc6ba4169ab1 |
| SHA256 | 1b537091e861936bcb7bd6f723b9509811900cdbc6a4546f1af544e30197fea3 |
| SHA512 | 01359c53bf6f0e1e69197d10b39aa9051f5957144b56ec99036b5e788e14a35df85e192886ef9874cc2c55686ccb50d67695131ee4fc1b8e0bcaf168eba8d49e |
C:\Windows\System\tewTPUj.exe
| MD5 | 8231afc5a3207995276d2ea432a743e3 |
| SHA1 | 55cbb303c874a357f4539b09fedb24ee02d308b4 |
| SHA256 | 878b624bad8f5ec4b2d3b4fc9bb1fa974a0569971f1d2559b11a40c5e353111c |
| SHA512 | d7e8311cbb037c187444cda1797b78c9747d251ad1497e3cda32d16c945517161e699ef8b6adbea82c934dca3b23577a69459583141faadf78a5ecbe940f7ea6 |
memory/2864-62-0x00007FF60A430000-0x00007FF60A781000-memory.dmp
C:\Windows\System\tFbUsdU.exe
| MD5 | 843baa6df3ccf6ad8019d388cec46e36 |
| SHA1 | 57eba8f672fe7ed5ab804518009cf5f09dda5cd2 |
| SHA256 | fafeabc6f900ce05205e737d86bdfc2d8f8009e1880d4a10e9f77eda7091d04e |
| SHA512 | 7f99aaf746f6129ac3bd853bcabadf6e27576a5eb8f51d60f7ea3f95b44e480465ef3c89762078a17e944fd1c03b9c26d4819ad05f64ffdc5bfb574cdd18e315 |
C:\Windows\System\JeUjfQr.exe
| MD5 | bdbf24eb091efb2a04a3a00f6643daf9 |
| SHA1 | a6cee34328a6f788e2408a5e7c270f14260a01a9 |
| SHA256 | 350c267ea4d59d3333c4078ae377cda5249fa8e6fd9059346929b65287bbbe1d |
| SHA512 | 714591e586f640be1758b40353f398cb833a9d2d5bebf6105116a1e906e12057531a24c9e81f9cc73963b8c8e1f3b3d0197b1ce3ac92dd8b633e0a6aa06acc35 |
C:\Windows\System\ojGRNOP.exe
| MD5 | 9b72fb1ad6709dafcc2bc107cbaa0987 |
| SHA1 | 8e282ebe529ba4d3f8926023af17155952461765 |
| SHA256 | 8888a1198d48f83bf813f8a11613e2ed25748b4ebb60e0210cac7c672ad5649e |
| SHA512 | a616ea5e99d9ec8ee00a1af083f493d3f928ddbaf924ad8cb2d8761832eecaf5675cb06b3310151349b442e51ef114d876a84e02c3fa85c88c3dd81eaf171955 |
memory/3860-45-0x00007FF692980000-0x00007FF692CD1000-memory.dmp
C:\Windows\System\dZNbGap.exe
| MD5 | ad650abef55b7591aba7c5b5aae11b59 |
| SHA1 | 33b4af0959a777b6bf424777d40fe56552ae6025 |
| SHA256 | f1d8fdf4777bd6fa06834b7e5733dc3feee8c2d94425fc4633506fca426aafb7 |
| SHA512 | cb38586e3d4738399fa79b1ecbbcd7da9f23af466561cebf04ff9fce539648f190feb2b6804f49dc588e89728cde87eeacbb9ff54a7d04b639578742ae51cf9c |
C:\Windows\System\wXrqBgc.exe
| MD5 | 07c88d1c9ca4b2a5135a74881fa47223 |
| SHA1 | c62b183b5bae662d3e8d8ee2840785e1e2c19ede |
| SHA256 | 5fe18ae6e3937cf6cf5556c3467991147b76ba0988612495b652b81f6aadd96c |
| SHA512 | 2bf4ca4f42f4ba84906900a05b5011c8684668989785ffd78a5f27083230e9fc30023e09f8eb58086be0e8f4d8061507eec40b8d4426adcc2806568294904422 |
memory/816-95-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp
memory/1052-100-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp
C:\Windows\System\fOIUPzJ.exe
| MD5 | 1483ef5dec1fa44cbda3ff2566120b70 |
| SHA1 | f4b0622254c0a89a6b8113ef67eeb5de9d8dd65d |
| SHA256 | d3a39f3566a88d95217c62fc67c5f6424a28ec7c781b6a40dca983f0920f62c4 |
| SHA512 | 820206ab20bdabe193cf513b34695a95650f8ebf9c3c2e34f569d67e1a8c9f9d1243b324068246b1015256274c0a74bceffda3829d2b320655b361e9eb49b8b3 |
C:\Windows\System\wisnVwH.exe
| MD5 | b79b91abe32d09a789e21c2721cc4963 |
| SHA1 | 33d839f41bfe3748df6f5bd3870d0eb015e16777 |
| SHA256 | fc355971d7a57721494120a5a7c1d72d2ff1e5ec24f31280fbc624de59f10116 |
| SHA512 | 437b0a00c427879421e5992dfbc936e7ffa82debe1db45e9aab649e51da495075b64148fee65efe4de503fb8b03e4a2ad6ec1e3af315f7e3296a51a8e9036102 |
memory/1260-108-0x00007FF79F640000-0x00007FF79F991000-memory.dmp
memory/3620-111-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp
C:\Windows\System\lgdPyzZ.exe
| MD5 | 1c2eab634874e0a1b0dcd5a19cd0f87c |
| SHA1 | 9bbc2c227f64f953fa97ef1cdc342c04fd39ae87 |
| SHA256 | 33a398f9ce8f6d6589c3fa79d4c8d29d620481111b54fb109abed7ac8288b6da |
| SHA512 | 14fb0537a534a9a7c354f44c577291a35459b04ceb7c85b4f0476a4db12930e043964b808eeb69c8497ac7cba60b5002c232935583dcf7dc67e14838a9586dcb |
memory/4584-104-0x00007FF707FB0000-0x00007FF708301000-memory.dmp
memory/4512-116-0x00007FF767F40000-0x00007FF768291000-memory.dmp
C:\Windows\System\nThjuiR.exe
| MD5 | a95f23ebad58c58de7809a72cacc34b1 |
| SHA1 | ce55b4ae53d5a26199586533036be7ca5679b825 |
| SHA256 | 8a3ba6e694b07ba109e5ad8fa6849b19bbfb250d063575ac1792f92fb21d0ce4 |
| SHA512 | 318d1356b2b0963578e2bd15bd3b3557ed04edb11bf57a92d0b07b617211d2736ff50f3edc936a90afc96433d894deef14a8dbc06d7b2a8aaaf160497404a0a0 |
C:\Windows\System\mQFgAfj.exe
| MD5 | 8759b45b815fb788ea0cbae73170753a |
| SHA1 | a80ba893ac161653a5bb4444d92b02d702796fa7 |
| SHA256 | 9c6c6894bccb7001aa471c1e5e7c55cc64c6e6e797344a1a4d21b791de170df4 |
| SHA512 | 66883932767816a6fad72d8667f66224abfad2d44f872c56e3e3c6325d60c3dc15488b26ecee0f5a33a0cbb39025e9e1c92edcaead2f9c3c7ef0c3bb9c711d0b |
C:\Windows\System\JDLGERE.exe
| MD5 | e5fbd52da7ecb2111908c3d9537d4471 |
| SHA1 | ec7381a20fa6380d5cb8229fbcdc0f4933655473 |
| SHA256 | de583db6a9ae0183526ff5993feff6ca87cbf01201b4a791b396a3505ade1d84 |
| SHA512 | f5bea2543635e05956321ff1a8be1501b9191e290de467970005e29e0b6c038fd2b92f385d90e5159ac0940c3888290da41e86a4e2ba336023dc3931a8e0ec12 |
memory/4468-129-0x00007FF656CD0000-0x00007FF657021000-memory.dmp
memory/2384-137-0x00007FF653DB0000-0x00007FF654101000-memory.dmp
memory/1996-133-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp
memory/1276-139-0x00007FF646C00000-0x00007FF646F51000-memory.dmp
memory/3860-138-0x00007FF692980000-0x00007FF692CD1000-memory.dmp
memory/2864-145-0x00007FF60A430000-0x00007FF60A781000-memory.dmp
memory/3820-144-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp
memory/5068-148-0x00007FF716CF0000-0x00007FF717041000-memory.dmp
memory/2348-151-0x00007FF760430000-0x00007FF760781000-memory.dmp
memory/4584-152-0x00007FF707FB0000-0x00007FF708301000-memory.dmp
memory/2816-200-0x00007FF762560000-0x00007FF7628B1000-memory.dmp
memory/2264-208-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp
memory/1052-210-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp
memory/1260-212-0x00007FF79F640000-0x00007FF79F991000-memory.dmp
memory/2528-214-0x00007FF6984F0000-0x00007FF698841000-memory.dmp
memory/4952-216-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp
memory/4468-218-0x00007FF656CD0000-0x00007FF657021000-memory.dmp
memory/3860-220-0x00007FF692980000-0x00007FF692CD1000-memory.dmp
memory/3820-222-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp
memory/2864-224-0x00007FF60A430000-0x00007FF60A781000-memory.dmp
memory/464-228-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp
memory/3224-227-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp
memory/5068-232-0x00007FF716CF0000-0x00007FF717041000-memory.dmp
memory/1224-231-0x00007FF6100C0000-0x00007FF610411000-memory.dmp
memory/816-235-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp
memory/4584-237-0x00007FF707FB0000-0x00007FF708301000-memory.dmp
memory/3620-239-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp
memory/4512-241-0x00007FF767F40000-0x00007FF768291000-memory.dmp
memory/2384-244-0x00007FF653DB0000-0x00007FF654101000-memory.dmp
memory/1276-247-0x00007FF646C00000-0x00007FF646F51000-memory.dmp
memory/1996-248-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp
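The memory dump names in the Files listing encode a PID, a dump index and the region bounds, and each dropped executable carries four hashes. The Python below is a worked example added to this report, not part of the sandbox output: it parses both out of the listing (a constructed subset of the lines above is embedded), collapses regions that were dumped more than once into one entry, groups PIDs by region size, checks that each hex digest has the length its algorithm requires, and confirms that no two dropped files share a SHA256. Run over the full listing above, every one of the 22 PIDs carries a region of exactly 0x351000 bytes, while all 21 dropped executables hash differently: same-sized payloads, each with a distinct digest, so the blocklist needs all 21 hashes rather than one.

```python
import re
from collections import defaultdict

# Constructed subset of the Files listing above, copied as printed (the 2348 region
# appears twice there, dumped at index 0 and again at index 76).
FILES_SECTION = r"""
memory/2348-0-0x00007FF760430000-0x00007FF760781000-memory.dmp
memory/2348-1-0x0000021843D50000-0x0000021843D60000-memory.dmp
C:\Windows\System\ShkJORX.exe
| MD5 | 3b1d2cd30ddf48ffda3009fe874393f0 |
| SHA1 | cbc1822e93c025f143d0698bd6903dd152a767db |
| SHA256 | 281b5a7f0260a1ddc5deb79bb13d191a7cd1a2cb299cdae1165b59ebe097c8a6 |
memory/2816-6-0x00007FF762560000-0x00007FF7628B1000-memory.dmp
C:\Windows\System\STompFf.exe
| MD5 | e3f55f1b5a040896d8356725bb333d71 |
| SHA1 | a57cce631893d0e25267402869808645051c7547 |
| SHA256 | 1b1eeedb59f0fc58a2afea9b299e6b79716544ea21c80726ce5a18ecb1148946 |
memory/2264-16-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp
memory/1052-20-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp
memory/2348-76-0x00007FF760430000-0x00007FF760781000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\[^|]+\.exe$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return ({(pid, start, end): [dump indexes]}, {path: {algo: hexdigest}})."""
    regions = defaultdict(list)
    files = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx = int(m.group(1)), int(m.group(2))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions[(pid, start, end)].append(idx)  # same region dumped twice -> one key
            current = None
            continue
        if PATH_RE.match(line):
            current = line
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
    return dict(regions), files


def pids_by_region_size(regions):
    """Group PIDs by the byte size of their dumped regions."""
    by_size = defaultdict(set)
    for (pid, start, end) in regions:
        by_size[end - start].add(pid)
    return dict(by_size)


def malformed_hashes(files):
    """Entries whose hex length does not match the algorithm (a sign of a mangled copy)."""
    return [(path, algo) for path, hashes in files.items()
            for algo, value in hashes.items() if len(value) != HASH_HEX_LEN[algo]]


def duplicate_hashes(files, algo="SHA256"):
    """Pairs of paths that share a digest, i.e. the same file dropped under two names."""
    first_seen = {}
    dupes = []
    for path, hashes in files.items():
        digest = hashes.get(algo)
        if digest is None:
            continue
        if digest in first_seen:
            dupes.append((first_seen[digest], path))
        else:
            first_seen[digest] = path
    return dupes


if __name__ == "__main__":
    regions, files = parse_files_section(FILES_SECTION)
    for size, pids in sorted(pids_by_region_size(regions).items()):
        print(f"region size 0x{size:X}: PIDs {sorted(pids)}")
    print("malformed:", malformed_hashes(files))
    print("duplicates:", duplicate_hashes(files))
```

Keying regions on (pid, start, end) rather than on the dump filename is deliberate: the sandbox dumps the same region at several points in the run, and counting each dump as a separate region would overstate how many images a process maps.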