Analysis Overview
SHA256
7465ebabba677948946966a179f6b27b2c849b54db4dbe4b772fb9dd99acff56
Threat Level: Known bad
The file 2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobaltstrike
Xmrig family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 06:12
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 06:12
Reported
2024-06-01 06:15
Platform
win7-20240508-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 06:12
Reported
2024-06-01 06:15
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_c89d384a864c326d03abaf8522cffc1e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
Files