Analysis Overview
SHA256
d36e2dd9ca091d8b9e5e3e60c380bf1531c07f6acd55d656fafe856faae0addb
Threat Level: Known bad
The file 2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 06:49
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 06:49
Reported
2024-06-01 06:52
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qaFQoUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GplJdOq.exe | N/A |
| N/A | N/A | C:\Windows\System\PXsMjRv.exe | N/A |
| N/A | N/A | C:\Windows\System\zYAOxMo.exe | N/A |
| N/A | N/A | C:\Windows\System\GBwTjPO.exe | N/A |
| N/A | N/A | C:\Windows\System\VwAnCST.exe | N/A |
| N/A | N/A | C:\Windows\System\JWPrWOT.exe | N/A |
| N/A | N/A | C:\Windows\System\PKycaQY.exe | N/A |
| N/A | N/A | C:\Windows\System\mkayeoI.exe | N/A |
| N/A | N/A | C:\Windows\System\aiENEak.exe | N/A |
| N/A | N/A | C:\Windows\System\unkwGQk.exe | N/A |
| N/A | N/A | C:\Windows\System\ZsInDNu.exe | N/A |
| N/A | N/A | C:\Windows\System\BHlHQqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\lABenGK.exe | N/A |
| N/A | N/A | C:\Windows\System\GiRqgam.exe | N/A |
| N/A | N/A | C:\Windows\System\ApbndBA.exe | N/A |
| N/A | N/A | C:\Windows\System\kTldAPm.exe | N/A |
| N/A | N/A | C:\Windows\System\lMpPblu.exe | N/A |
| N/A | N/A | C:\Windows\System\eDVFBCT.exe | N/A |
| N/A | N/A | C:\Windows\System\rxfVXcX.exe | N/A |
| N/A | N/A | C:\Windows\System\kTcphYE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qaFQoUZ.exe
C:\Windows\System\qaFQoUZ.exe
C:\Windows\System\GplJdOq.exe
C:\Windows\System\GplJdOq.exe
C:\Windows\System\PXsMjRv.exe
C:\Windows\System\PXsMjRv.exe
C:\Windows\System\zYAOxMo.exe
C:\Windows\System\zYAOxMo.exe
C:\Windows\System\GBwTjPO.exe
C:\Windows\System\GBwTjPO.exe
C:\Windows\System\VwAnCST.exe
C:\Windows\System\VwAnCST.exe
C:\Windows\System\JWPrWOT.exe
C:\Windows\System\JWPrWOT.exe
C:\Windows\System\PKycaQY.exe
C:\Windows\System\PKycaQY.exe
C:\Windows\System\aiENEak.exe
C:\Windows\System\aiENEak.exe
C:\Windows\System\mkayeoI.exe
C:\Windows\System\mkayeoI.exe
C:\Windows\System\ZsInDNu.exe
C:\Windows\System\ZsInDNu.exe
C:\Windows\System\unkwGQk.exe
C:\Windows\System\unkwGQk.exe
C:\Windows\System\BHlHQqQ.exe
C:\Windows\System\BHlHQqQ.exe
C:\Windows\System\lABenGK.exe
C:\Windows\System\lABenGK.exe
C:\Windows\System\GiRqgam.exe
C:\Windows\System\GiRqgam.exe
C:\Windows\System\ApbndBA.exe
C:\Windows\System\ApbndBA.exe
C:\Windows\System\kTldAPm.exe
C:\Windows\System\kTldAPm.exe
C:\Windows\System\lMpPblu.exe
C:\Windows\System\lMpPblu.exe
C:\Windows\System\eDVFBCT.exe
C:\Windows\System\eDVFBCT.exe
C:\Windows\System\rxfVXcX.exe
C:\Windows\System\rxfVXcX.exe
C:\Windows\System\kTcphYE.exe
C:\Windows\System\kTcphYE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2380-0-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2380-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\qaFQoUZ.exe
| MD5 | 9b537eb38417138508ba8d23c5290f66 |
| SHA1 | b71b4728665f9f7dd451652d8caf039a3a509448 |
| SHA256 | e9319de42494b169a89a1703d078375715414306548f9617f63bde3a7ac195b7 |
| SHA512 | b7edb2e87e51096a57969c86581d79ba2115ca6cfe3b5b87cf76c06d49d36cca5f3d91f01eed350347f760e971ea7f4a56aac71801f1e0b9285d9fe8ecfaaf8b |
memory/3048-8-0x000000013F550000-0x000000013F8A4000-memory.dmp
\Windows\system\GplJdOq.exe
| MD5 | 70c0704938303ae5ae2d8e90397b70dd |
| SHA1 | f78ab13db879223776ae3bbb7e9131d7221b911c |
| SHA256 | a20812f5ae4c28ed22201e64fdd78c433f8aca2b6b115d326a65f9074aef4852 |
| SHA512 | 55f35475c38b44331804cbb3b6fae4b95c291c7e54d558e5c3dfd88e2517b3832b8549853c8056d2e06cb47ea5cf86fbf15bff3eb447029ee22604e624a770b2 |
memory/2380-12-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2932-14-0x000000013FE10000-0x0000000140164000-memory.dmp
C:\Windows\system\PXsMjRv.exe
| MD5 | ec1fc1740164be463bb4831d4ea37ff7 |
| SHA1 | 810159a3344e278925e8c88486cf3902f5e600a1 |
| SHA256 | 42115993b25aff50c5e8c7b7f86afc9bf1279b200f67f1229ea627bce9e1f169 |
| SHA512 | 1a2731b5ad29741813cc93a16b8dd37d43ca5c22eff2add1d427bbc45deae4960256490cbfbc6a5a81899030343252a0fe4366c6933ba09fb3989d18a2da477d |
\Windows\system\zYAOxMo.exe
| MD5 | 3d749b00abe37443fdbf8354e4008ad0 |
| SHA1 | f15c3ae420e693aab35a62d5835e554249258ce2 |
| SHA256 | 29a2cd97c2141fba88e4407487d38d4fac5183d930cd9f3fb611362e3d2d3e6e |
| SHA512 | 732c95872291b0f8e194b53d68594e39c0af05be4f46186ff7fbec9fe21a16a02f58a438763d6200a74c4ae3c61e4d64ed7f7cb683e4107191c2dd6629dd0334 |
memory/2380-19-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1208-21-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2716-26-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2380-23-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\GBwTjPO.exe
| MD5 | ad5ff85a9661ee4c479953b0b9ae74b9 |
| SHA1 | c8467781634c572a534cdfe7bff33200cd5635d8 |
| SHA256 | f1a318ab19a534c62e7798d0e8c02bfa36ba9c86d7c9c76f61ca9134da0359b2 |
| SHA512 | 23db6109a2fd2daa0918da5a33f7f8d168c35ebd8c85d21af6744ff15addb41b8b85e7dfa236d1a33b9323ce0f97e3b23733d3189ef21164c885fe4778fa7909 |
memory/2148-36-0x000000013FE10000-0x0000000140164000-memory.dmp
C:\Windows\system\VwAnCST.exe
| MD5 | e4ceac14845b9c1250dac39b1cc521a8 |
| SHA1 | 53995527d8ab0ee7dc46104564225d482212720a |
| SHA256 | 4574313e3e7cf97cc21d57f6642eaa27ff8764f2b6ce3142ff44eda168daac6c |
| SHA512 | 2c989e7326a0c3fcd60174da252e21bfd0cec063e6d8510eff1bab5b98185eb22cf1ef632da92057107fc38f67003c235518510b95c085abd4f76c1f8bae8dab |
memory/2756-41-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2380-38-0x000000013FA90000-0x000000013FDE4000-memory.dmp
\Windows\system\JWPrWOT.exe
| MD5 | 610ebe78bdf2045d9d88b5593bdadffc |
| SHA1 | 7f19d15f4e18ad9804b850d5c176d4ecd5758c05 |
| SHA256 | c367a533fd34c3ca63ca2075eb9c10392fa50738aed09ae175ebf644bafef3e9 |
| SHA512 | 76858309698cfdecfddde0be68fc657c2accd72891e3013ae550daafc17ecf41d93e15138c13aaa7f806941913810335e6a5fccba0d0cc89ed81ec52da0e2ac5 |
memory/2344-52-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2380-57-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/1668-59-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2380-50-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/3048-45-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1208-58-0x000000013FFF0000-0x0000000140344000-memory.dmp
C:\Windows\system\PKycaQY.exe
| MD5 | a7d8e152bb668cd8deae0291eba7dbec |
| SHA1 | aeaadb5f03c216663252f865dd3c20ccbd2ffdbc |
| SHA256 | 99db29209a8e16bf39dac9e2160c0c9a900a2a3ebadbe4dad023d5080fc00523 |
| SHA512 | 0b7e94460a05a302fb7b2cd9e6486928bbecaa65278b807a066a4830d3b0b0e321bced4062b89392136a966b4ec0d88994d977f9f2157153c8c310e9405a0914 |
memory/2932-55-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2380-31-0x000000013FE10000-0x0000000140164000-memory.dmp
\Windows\system\aiENEak.exe
| MD5 | dd7bf1d36f46c70c942ccb99d94a53eb |
| SHA1 | da6265f3eb542b02ee60f605bedefca02a41fec8 |
| SHA256 | bd6c2a1c12508347f09b2c485c3ff9b170e1176106fe6936d90467a0528c0cc5 |
| SHA512 | cf5ffc8d85a91702a0b4dc7b83323f4add2765eb1ae82ea114d14e778ca92c82279ed854ce88c6ac1351310ec20909628c129b49cea87a98d58337b12bb039e5 |
C:\Windows\system\unkwGQk.exe
| MD5 | a52fee08a7ab5fd3b9aa270c63e50aad |
| SHA1 | e273b4eceff366953d5d9c58eac664e806675efb |
| SHA256 | 8f2a0df6e62e0eb64270b31e3d6e595707974badf73c6d9a76253a3f7e07e4ad |
| SHA512 | 30ec494dc45741675c502329643e396d576e37410e550149426c0c9a82a445fa9cc9a91e1548a73b9411841649b05f0779a7f25c6b29ad52d677eb91adb08a13 |
\Windows\system\ZsInDNu.exe
| MD5 | 1f635c9af23ada8f1348e3f6747c4088 |
| SHA1 | bb6c6de6fcc25a4c4179ed8e544a88e5a44a5cd6 |
| SHA256 | 4fe925f383aac23fe3bf66418d01f4f84144e926ed1ae61e99a242446d99ff1d |
| SHA512 | d643e3ac0fa8e5b46f188c29a377f85eda7039c110c0f2892ec5a45f3cbe43b28770ed84297cfd3909e280227d8afdcb64ada05765f3ad71c5fd5f07168e45a3 |
memory/3028-83-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2600-82-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2380-80-0x000000013FFA0000-0x00000001402F4000-memory.dmp
C:\Windows\system\BHlHQqQ.exe
| MD5 | 343fc9ad15531115f3d1ccf8bf7abd1d |
| SHA1 | 1eb4dded9da8ffdfe388b0bc2dc4f21f9c103755 |
| SHA256 | 7670244036d4b50b51fc4cf3b0608c65fcd9db1907af283012baecdd3311f018 |
| SHA512 | 83fa96f0d07c15b02facf505004443fddec35df964a37909bf7be042cb0279fbaa4db1f57884e6d9e91dc13b50e08d80bf614451c073305585fee370ca47e4c0 |
memory/2704-93-0x000000013FCE0000-0x0000000140034000-memory.dmp
C:\Windows\system\lABenGK.exe
| MD5 | 06bc7824ec07a0ee9c378e1a4872f7d2 |
| SHA1 | 6b4e06225596f8c2a433c283daf34c624ae0c74e |
| SHA256 | cba0c60561f3e4eae97e19aae5d870cf2fa2a7ac9bd4d67e42a70707249955a0 |
| SHA512 | f044b57fd06228a41cbf1910ff308fff42577ee98a039c30dbb1738f61fb5a3427523bb04c888fb505e0906c6e19dd7805450356788589916b743d772751c3c0 |
memory/2176-101-0x000000013FDE0000-0x0000000140134000-memory.dmp
C:\Windows\system\GiRqgam.exe
| MD5 | d9dfdf5d1f13dd3ed95878b43af4fb3d |
| SHA1 | 712fc66953d71151b9b4ad8c558d476eae94bccf |
| SHA256 | c6ce4facda1dd65525183c3fb5e71997de7e95d553652357ffd94d8bc8276490 |
| SHA512 | 39532e8bb6f1f2d14d091d52cb7a410fe77e5dd73ea6e43bf9e7966b6e7be46958f2678286dacf5c60168c70f830d542b29cdc1b60c1a35f84189b6f3369ff18 |
C:\Windows\system\rxfVXcX.exe
| MD5 | 58a54f897fce528bb763cdbcc04281cc |
| SHA1 | 28c6643078234d105a24728bb46944ae1484f27e |
| SHA256 | 19b8e6c207427787768e81aa8b69554ee2ab63999b7533e317eba5207f867e0d |
| SHA512 | b192f18c33ba5515638666b738410a25764a885b8e7d35b6a2c6c6af43f5e36258fa2c5a53e97ce7ac1f8a320220d839a8fe4266f420bd03afa2e594075e22e3 |
\Windows\system\kTcphYE.exe
| MD5 | 9cc3b8c88b5a364f1ef8cd4a04a6ec21 |
| SHA1 | 73764f1f7c382b89f4d4de85bc1cf99572e4ab68 |
| SHA256 | 0a3313e42fc4e0b1b824b02777440121d28a022cf667423ac79824c7357aa25a |
| SHA512 | 63a262d5af5ee20691e92b8fa11c2a648511421707319a16d513e04c269045642a59782eede2ccc816430fcb67262e374c5b3ce2650e34af319585013a012de5 |
C:\Windows\system\eDVFBCT.exe
| MD5 | 63a2b3476b96515bdd9e97b4dd1c9713 |
| SHA1 | 4aa4eaa4ee01657c5f98bff5d75fa72b7f607957 |
| SHA256 | 5ad84a77ce9f2c9f655516c22d226cf02641fec18adf55677e8b49972dd76c46 |
| SHA512 | b67ec08972741771324b5667545025b395ea9617075eeb7de6d89dd7046de644e81551c2c714811e0f6985399e7aff7bfc7c564030164a7574d0d86f1e3203af |
C:\Windows\system\lMpPblu.exe
| MD5 | 0506721ecb75a3bf80dba982c8509d2e |
| SHA1 | 6a256dac38a57f864607c186fcc7244e27d97369 |
| SHA256 | 1231299ee41582e2eb4df2ba6a15542ce11aee90ab797746374cf3b223ba22eb |
| SHA512 | 78bf865a3fe0dc07a4e90d39a6989a5548b78971e60d5ee1f9cd3aa39d652c87f5cd4dbe74cf5b07e44e0fe146233a02b849eef340d23a3ee0e2f6a71810f1ed |
C:\Windows\system\kTldAPm.exe
| MD5 | 4664fa838a4464fa8803e37cbfbd073b |
| SHA1 | 26e0bb7b952111acfad8a0c416980a75affe9def |
| SHA256 | 53418513d5921a2d8393b26aefb688348a19f031fe4147949faca908905d3971 |
| SHA512 | 60844f41c0578ea0670e9d424ad306b88d445bc069529764cabdfcc6a2b31ce4fc4e6fc556d2bfb7e435782ebb6f903d789f112906bbcd78b8270659958e65e1 |
memory/2380-108-0x000000013FFA0000-0x00000001402F4000-memory.dmp
C:\Windows\system\ApbndBA.exe
| MD5 | 09132c294df432f7f6053c7de0fba3d7 |
| SHA1 | e439d8bf52465f78cba7d84564bdb7b38b21351d |
| SHA256 | d11ca35d0fe2b9fd80e9d1ab3e05884f057389feba34b9e8069ac6817a191676 |
| SHA512 | 6a6ad9bd713b707f9b74c3d10ede12d32d207f15d19dad24650b9e13106d882642fb66727901a598fb5ae81e0b79a4736daddf8eb6ecec6bd35c8f9a99b95195 |
memory/2380-107-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2756-92-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/3064-90-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2792-89-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2380-88-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2380-75-0x000000013F340000-0x000000013F694000-memory.dmp
C:\Windows\system\mkayeoI.exe
| MD5 | bab4e3e2f8e4e8c6cc92d6189d6ea8d2 |
| SHA1 | 3a602f8f96f00ce0a53603e02b0a65d10cec6b89 |
| SHA256 | 85ad0a2a15978d0a33adedea37a2b8c2c18f607230170089328b9380cce29807 |
| SHA512 | 3bf0a78304fb376deb59b7b8d7d8374337c7beed52c3f85c473126dd4261fd45db1821df9da6a4586dfd6ac50d5e3dbb5f68aa84493bda4cd29d7b8d8b2147a9 |
memory/2380-67-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2716-64-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1668-139-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2380-140-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2380-141-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2380-142-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2380-143-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/3064-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2704-145-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2176-146-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2380-147-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/3048-148-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2932-149-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1208-150-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2716-151-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2148-152-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2756-153-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2344-154-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/1668-155-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/3028-156-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2792-158-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2600-157-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/3064-159-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2704-160-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2176-161-0x000000013FDE0000-0x0000000140134000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 06:49
Reported
2024-06-01 06:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uKZvHuR.exe | N/A |
| N/A | N/A | C:\Windows\System\bYfRfxf.exe | N/A |
| N/A | N/A | C:\Windows\System\yObrscy.exe | N/A |
| N/A | N/A | C:\Windows\System\hfeZSwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WctOEwR.exe | N/A |
| N/A | N/A | C:\Windows\System\YGfbQAf.exe | N/A |
| N/A | N/A | C:\Windows\System\SHEcGEU.exe | N/A |
| N/A | N/A | C:\Windows\System\iSjYXSt.exe | N/A |
| N/A | N/A | C:\Windows\System\cLEdksm.exe | N/A |
| N/A | N/A | C:\Windows\System\GKrHfsl.exe | N/A |
| N/A | N/A | C:\Windows\System\vEoMqIp.exe | N/A |
| N/A | N/A | C:\Windows\System\uFgmuyb.exe | N/A |
| N/A | N/A | C:\Windows\System\IPBTsvC.exe | N/A |
| N/A | N/A | C:\Windows\System\ONGJtlg.exe | N/A |
| N/A | N/A | C:\Windows\System\FGCgkpW.exe | N/A |
| N/A | N/A | C:\Windows\System\JNQrkkC.exe | N/A |
| N/A | N/A | C:\Windows\System\sTzUWlR.exe | N/A |
| N/A | N/A | C:\Windows\System\iQMPjCI.exe | N/A |
| N/A | N/A | C:\Windows\System\XdVRsVs.exe | N/A |
| N/A | N/A | C:\Windows\System\GhNyTZc.exe | N/A |
| N/A | N/A | C:\Windows\System\nMjMpjV.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\uKZvHuR.exe
C:\Windows\System\uKZvHuR.exe
C:\Windows\System\bYfRfxf.exe
C:\Windows\System\bYfRfxf.exe
C:\Windows\System\yObrscy.exe
C:\Windows\System\yObrscy.exe
C:\Windows\System\hfeZSwZ.exe
C:\Windows\System\hfeZSwZ.exe
C:\Windows\System\WctOEwR.exe
C:\Windows\System\WctOEwR.exe
C:\Windows\System\YGfbQAf.exe
C:\Windows\System\YGfbQAf.exe
C:\Windows\System\SHEcGEU.exe
C:\Windows\System\SHEcGEU.exe
C:\Windows\System\iSjYXSt.exe
C:\Windows\System\iSjYXSt.exe
C:\Windows\System\cLEdksm.exe
C:\Windows\System\cLEdksm.exe
C:\Windows\System\GKrHfsl.exe
C:\Windows\System\GKrHfsl.exe
C:\Windows\System\vEoMqIp.exe
C:\Windows\System\vEoMqIp.exe
C:\Windows\System\uFgmuyb.exe
C:\Windows\System\uFgmuyb.exe
C:\Windows\System\IPBTsvC.exe
C:\Windows\System\IPBTsvC.exe
C:\Windows\System\ONGJtlg.exe
C:\Windows\System\ONGJtlg.exe
C:\Windows\System\FGCgkpW.exe
C:\Windows\System\FGCgkpW.exe
C:\Windows\System\JNQrkkC.exe
C:\Windows\System\JNQrkkC.exe
C:\Windows\System\sTzUWlR.exe
C:\Windows\System\sTzUWlR.exe
C:\Windows\System\iQMPjCI.exe
C:\Windows\System\iQMPjCI.exe
C:\Windows\System\XdVRsVs.exe
C:\Windows\System\XdVRsVs.exe
C:\Windows\System\GhNyTZc.exe
C:\Windows\System\GhNyTZc.exe
C:\Windows\System\nMjMpjV.exe
C:\Windows\System\nMjMpjV.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
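Triage of the Network table above, as an added example that is not part of the sandbox report. It separates resolver traffic (the PTR lookups are the sandbox OS resolving the addresses it talks to), assumed OS background traffic, and destinations nothing in the table explains, then counts the latter. The rows are copied from the table; the background-domain list and the treatment of the bing.com/bing.net traffic as OS noise are this example's assumptions, and a Cobalt Strike malleable profile can imitate exactly such hosts, so confirm who owns those IPs before discarding them. The parser also tolerates the column shift some exports produce for rows that have no domain (protocol landing in the Domain cell).

```python
"""Triage the sandbox Network table (added example, not from the report)."""
from collections import Counter

# Rows copied from the report's Network table (constructed sample input).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
"""

PROTOCOLS = {"tcp", "udp"}
RESOLVER = ("8.8.8.8", 53)                 # the sandbox's DNS server
# Assumed OS background for a Windows sandbox; an assumption, not a verdict.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_row(line):
    """Return (country, host, port, domain, proto) or None for non-data lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    # Column shift: exports put the protocol in the Domain cell when no domain exists.
    if not proto and domain.lower() in PROTOCOLS:
        domain, proto = "", domain
    host, _, port = dest.rpartition(":")
    return country, host, int(port), domain, proto.lower()


def ptr_name(host):
    """Reverse-lookup name for an IPv4 address: 3.120.209.58 -> 58.209.120.3.in-addr.arpa."""
    return ".".join(reversed(host.split("."))) + ".in-addr.arpa"


def triage(table):
    """Count rows per class; unexplained destinations are keyed by (host, port, proto)."""
    summary = {"resolver": 0, "background": 0, "unexplained": Counter(), "queries": set()}
    for line in table.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        _, host, port, domain, proto = parsed
        if (host, port) == RESOLVER:
            summary["resolver"] += 1
            summary["queries"].add(domain)     # names the OS or sample asked about
        elif domain.endswith(BACKGROUND_SUFFIXES):
            summary["background"] += 1
        else:
            summary["unexplained"][(host, port, proto)] += 1
    return summary


def has_dns_trace(host, queries):
    """True if the host's PTR name was looked up. Only reverse lookups can be matched
    without resolver answers; a forward lookup that resolved to this IP is not seen."""
    return ptr_name(host) in queries


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    for (host, port, proto), n in result["unexplained"].most_common():
        trace = "PTR lookup seen" if has_dns_trace(host, result["queries"]) else "no DNS trace"
        print(f"{host}:{port}/{proto} x{n} ({trace})")
```

On this table the only unexplained destination is 3.120.209.58:8080/tcp, contacted six times with no DNS activity pointing at it, which is the pattern of a hard-coded C2 address; the seventeen resolver rows and the five Bing rows fall away as noise once classified.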
Files
memory/4348-0-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp
memory/4348-1-0x000001F326080000-0x000001F326090000-memory.dmp
C:\Windows\System\uKZvHuR.exe
| MD5 | fd88a2bbe83a3d1e2046ac9adf80852a |
| SHA1 | db9b2683313d9ef15fac9213942f3cdf0f1e2d33 |
| SHA256 | 74ad716ef3ba645aae26794d1350d6e223beeb8d09362f1393f3a4d4a8756b5a |
| SHA512 | 76c778d233d371350abe070b7f6f37fff7484d3f6a1dbfced19df35d468dcdb8d13ed96f656d798f064dab7e9826d5a92ec4b550d89862afff009161893963f8 |
C:\Windows\System\yObrscy.exe
| MD5 | 488b3383dc7f6be1bf71ad631d3befa5 |
| SHA1 | 8e54380533cfc5a15f4c329670146b3b3bbe0f6c |
| SHA256 | 5f43b78e0c4e3f8fabab239cd0efff5c378ba64598a7721acf3d3d794cf74614 |
| SHA512 | 451a72a905d2779728976b3fe5528f23b12b41a9f43f1b71afbed89d7b3e1d47977c85457aea2df89df74d7c5a7958b5eb9da4ebf364f97ca36aa26b2d904920 |
C:\Windows\System\bYfRfxf.exe
| MD5 | b7a673d7ce17f9feefccd1f7650d7eab |
| SHA1 | 8f71fd11e16e22a4551283ce99338f1e7fcc1ba8 |
| SHA256 | d8805d4a15fcccd571fa23a9400413e3e5f712b5d9c7b6f44d59bace1cb2661e |
| SHA512 | cc6b4704d1bbd8328566a33ff323768179feca2fbfb5ae711d9f8779ad5dcc9cb3d4c3e750b215495fb0fbf42c1300909c539f3fc71aec23ab7b7df6d8ec1fa6 |
C:\Windows\System\hfeZSwZ.exe
| MD5 | c44e99853429f8aaa335dc2d5d1503ce |
| SHA1 | 800f750bfa456704541a55f2cc5eb687dff0626c |
| SHA256 | a9d8d84dafde1917335c55723137407b9b77e4820aa9c0d6b865617cba94d1ea |
| SHA512 | 4ab1ccfa660ddd4ebc93a21739a7c6d5b86b427c43c4507b4b8de52e81f5976920921587b02ed857c5c491668e829b6c21782e693c5a5bfc881db05c29ac220a |
C:\Windows\System\WctOEwR.exe
| MD5 | bd40489219f701f978fdfda3c667d802 |
| SHA1 | 7e56a5fa79b9a50d22514ed23de302295de9d8d2 |
| SHA256 | 5255c20aad4681c7fa537df73dc022855fb60b7ba16c24f12a2489e96a4de366 |
| SHA512 | eff9db994b48612703389fbc3d8a9de12183842ce2e9d9fdfc6dea0463197bf5628aca94ce2d24e92055e349dc79373da281093e029303ff5845da1e8b5d2244 |
C:\Windows\System\YGfbQAf.exe
| MD5 | bde60cc35cf5b14cf7912100918c911c |
| SHA1 | b9ab1a81fbcdfccca66f4b0446180ccae63e6cbf |
| SHA256 | d49b206f9ef943847d60ed6270b5146b3fa183acec3ca41cfa5db3f69e5f8c52 |
| SHA512 | 54d5def7609e5b0cd186b45636d27c472e7d14c534afce47a4617c8b8e2fad3622c676a96a76aaf8ce71050d73dbf3bbc191cd1288e1c3ad50971480389e36cd |
C:\Windows\System\SHEcGEU.exe
| MD5 | 6f03e858cdd6cded2085152ddc7bdd1f |
| SHA1 | 5c89148845221abe6775d1671b550dfb6f8b492a |
| SHA256 | 161cdd8727fd4cfb879ee44d006528c5e78029451c1ec21397612f02ce94b96a |
| SHA512 | ac30a8a60580d79f3eb75b345d14e37c1b9ca3bc455bb9884a77a50b8805c12d46c0c98192d8d3c8f70ec8f1eefa23aa269c709987d7c013b1531ca69f9a1cb1 |
C:\Windows\System\cLEdksm.exe
| MD5 | 0601a3d754150983e1aa4a8812996c5b |
| SHA1 | 118bc75a211b845d1a5056ad3842571210a437e4 |
| SHA256 | 1ad782cceae08c65ac13bde0c4ac25a7f95b8d060481a3dbd5a9e89d1e43ef51 |
| SHA512 | e47a9fe5a7defc03aff64b6180ed888cb52a6f0af8c89e28798e659386fc509bf87f29c032f7574e1ee6c07994c3ef38fe4cc495bbf1606b1b7262e7c83d9217 |
C:\Windows\System\vEoMqIp.exe
| MD5 | f39c5430872ed76df6a333043e350118 |
| SHA1 | a77bf658911d56293b471af99126bd48ceea43bb |
| SHA256 | 2812b6bbe823d5a5a78ab888e2cd87b6700f3425988cf1bb0e12e667aef8b5bd |
| SHA512 | 5dfad663844a6b1585361b4fd9a56331cc9b6a790aeaca4972ea57f6e4bea981da047bf0d80d98cf327d0ab229261ada34a3969677264412f30c6615c9952444 |
C:\Windows\System\uFgmuyb.exe
| MD5 | a552c236162b4288c7e63fc7c3bdb6b6 |
| SHA1 | fbc968f275bd10a61c0dc0c93eeeec37eda39d49 |
| SHA256 | c7aa044a9591bc6434a17f8740c743416c1200c68961c870e0aa9dfbe69d2073 |
| SHA512 | 07af653aaf9eca032f1deeb5e264e6abf1a0b18c7066b3211d7cd90d24b45276fd8e9cd6722c6c23e53e951378a7e20f228bf5af86992451207bfea01093b01a |
C:\Windows\System\IPBTsvC.exe
| MD5 | 5effb4a49371f23eee88e70da4234a81 |
| SHA1 | 17a26e1f9c6d267681f2cccb2506c780353959ff |
| SHA256 | 86f51e6d68ef23dff74f246acaf69ced1ad4d150142967febc005539b9a3305c |
| SHA512 | c93d2bba5d849c7acb2299bb40bd3e7f84029d8518c3cd9768efac2744247fdc20bd9ed5b184e2ca59c136e9a9db9d63a6bc3797cfe5aa53a4ac83887b36883e |
C:\Windows\System\ONGJtlg.exe
| MD5 | d1d1b57d7118702d4b0bdc90d934b525 |
| SHA1 | 223ae7d2bf84bc0959dfe89eb7153b757c9ec3ae |
| SHA256 | 0005cbed3e2a4aea7eb380e43f7eceac747e6cf1b9176884fc0c482b6d8d290a |
| SHA512 | 937f0e022c895ff9c40db94e93b9ebcd03a5adc15080b1171d3ea0ea5b83a12f1e8fd6368245c8ca39006545b9cf9cae74acb3487920c2166e24e4ae7542a972 |
C:\Windows\System\sTzUWlR.exe
| MD5 | dc287d2b224f43babd0ed25f75d555fe |
| SHA1 | 29ec4bee30537a2b7d115fe8b0f5864442c834b7 |
| SHA256 | bbae0a0866b3dff31e440e6f41385a54ac034660ef38059b6df1cf5d37d11a2f |
| SHA512 | 558a0ff3e7fe8df9181306a80deb0cd456c37c0ce93607caf4f21fffe798611d4e0ab2b2499246fd6a17b2bb4573f25fec044856d8782470745ad7ce316afef2 |
C:\Windows\System\XdVRsVs.exe
| MD5 | b89ea1ef2fc1b9d26307996d3e1686bc |
| SHA1 | 032539d47225ec90a785acf7a2b505e3952681ff |
| SHA256 | e4379fdfd7076e9007aa2d3029885e8116ac58da0875b74547deb0f16d56394e |
| SHA512 | c6cc0d210ab849abd62b35bb56cb3aeea24ca6d6e8716b20d6408b8be6d0d1d027a6ae411f1cb7baa21186ff8b12a304c36ef5c270874a2a081810f79560d088 |
C:\Windows\System\nMjMpjV.exe
| MD5 | f28f7aaf5a1008aab2d26aa2dec28a7e |
| SHA1 | 91e79987c6635ca1a561ec4292d3941db7cd63e3 |
| SHA256 | ca77d0ef1c2323b5636aa0599955399a365767ad22d69a1ea84f1e52f0142d90 |
| SHA512 | 9406f99165e0e05d4b4d71c916efcfd058b5af9a6e0a9925cae530231b651cd299a3102336f4b385f2f457057dc4917fc24d8f3380888c2030be30efc63d2526 |
C:\Windows\System\GhNyTZc.exe
| MD5 | aa5bee9658835d7db0d8115de8d103c0 |
| SHA1 | 79d97ca0d2ddfa561d554e306ee9f83571519e30 |
| SHA256 | 87a6d5c8f27838078b759123685d0859c6c1d3f1d36a6643ec791df2c14e3ed5 |
| SHA512 | 53538ef8c9ec2ef8caee1d94068ac53bd71fa40f5670af8fd5881fa4d66ac2576356c192ae8f586e4319c5107f59c013f2b6a6631220a4edd892b8b5d3c1061a |
C:\Windows\System\iQMPjCI.exe
| MD5 | b071cfe9300fbb425373d49e3cde91dc |
| SHA1 | 22f5d423463a4ccb9daa06d5d4973e4e21cab40c |
| SHA256 | 559332b0a19a2dd8398e59a76faa7204cbf301a294f2d9501e7744b8238bab3e |
| SHA512 | 2ac409fd1dd1c1b0b2ecdcef8c542f15ee24f95d0880862060224f5a24278476838998755059af6e9ee631336d1f624a5263603438e71c5c356c3c3392dced09 |
C:\Windows\System\JNQrkkC.exe
| MD5 | 3f3d196a232c194df4c18b850ee39893 |
| SHA1 | 86a84d89d6ff3bad3f3437b487f853e386229f1a |
| SHA256 | ed62d92d9da77280fdefa709073f4345b6140289a70e998ccc18cb80aa481f51 |
| SHA512 | 8a849ff2ba47f85ec32195841079803044e70c87bab569ee169c2cf29bb6995fc0614dad460b354d39b8c99232aa65ad38f9842090f2a4b2032108bac9abd5a0 |
C:\Windows\System\FGCgkpW.exe
| MD5 | 34f84c23abefda00ee796a535bec5d21 |
| SHA1 | 4a23d2b042db26392e6e78c2a02697404639e3ca |
| SHA256 | 92aacffad523b7c81956de2e26ea88454efe92ffafb510cac2e19d57c77f75ce |
| SHA512 | 40167337d3badff7ddcd09ee8059b79e2e9a0afc9ecfd61dd2070e4801c03e480a7ce17e03a208dd8aa46253281bc02847b12001da8db69e4d2486e0b96ca11b |
C:\Windows\System\GKrHfsl.exe
| MD5 | 320d0b4d8877e3bea3e1d0e45bd4bb69 |
| SHA1 | 4505a5d1de6ccbc8d0a286a8d53f8efd48cd9393 |
| SHA256 | e9d549846af7e3151801479ae0c37c81f13c64c7ffcc2386c4e29205a8e57f95 |
| SHA512 | 8c36011f328e06e07ca80b8ef04b38a673ce27facdf86d94f57c9d2b4a429917bc37a145bff1a7e2cb53aabe632393f2c7e046381636122ce740ad562a980a8d |
C:\Windows\System\iSjYXSt.exe
| MD5 | 180e856586a517e3b9c26d4ca60d69bb |
| SHA1 | d9163b61c17941e0cda056d2622d7380bda48dd1 |
| SHA256 | f01c04ff2124d2e539b02314fc534b0bf5d7e4a75975dfa5f986e0866ca7ef13 |
| SHA512 | 73721326fd3728549c56a1907950289827ddb8c69a027aa6829b634d399264e52d6491d78b69480d9b2820e92f73de1729becbe924ea2a56dbc478ef928fd8a0 |
memory/768-33-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp
memory/5084-26-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp
memory/4388-25-0x00007FF641380000-0x00007FF6416D4000-memory.dmp
memory/688-19-0x00007FF666440000-0x00007FF666794000-memory.dmp
memory/1624-10-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp
memory/1108-112-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp
memory/1016-114-0x00007FF713500000-0x00007FF713854000-memory.dmp
memory/4864-113-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp
memory/3424-115-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp
memory/2024-116-0x00007FF666E00000-0x00007FF667154000-memory.dmp
memory/2020-118-0x00007FF631F20000-0x00007FF632274000-memory.dmp
memory/4492-117-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp
memory/744-119-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp
memory/4384-120-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp
memory/2244-121-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp
memory/4956-122-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp
memory/1532-124-0x00007FF60B540000-0x00007FF60B894000-memory.dmp
memory/5076-125-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp
memory/1156-126-0x00007FF7E2610000-0x00007FF7E2964000-memory.dmp
memory/4652-127-0x00007FF600B20000-0x00007FF600E74000-memory.dmp
memory/3836-123-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp
memory/4348-128-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp
memory/1624-129-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp
memory/688-130-0x00007FF666440000-0x00007FF666794000-memory.dmp
memory/4388-131-0x00007FF641380000-0x00007FF6416D4000-memory.dmp
memory/5084-132-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp
memory/768-133-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp
memory/1108-134-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp
memory/4864-135-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp
memory/1016-136-0x00007FF713500000-0x00007FF713854000-memory.dmp
memory/3424-137-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp
memory/4492-139-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp
memory/2024-138-0x00007FF666E00000-0x00007FF667154000-memory.dmp
memory/2020-140-0x00007FF631F20000-0x00007FF632274000-memory.dmp
memory/744-143-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp
memory/4956-144-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp
memory/4384-142-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp
memory/2244-141-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp
memory/4652-145-0x00007FF600B20000-0x00007FF600E74000-memory.dmp
memory/3836-148-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp
memory/1532-147-0x00007FF60B540000-0x00007FF60B894000-memory.dmp
memory/5076-146-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp
memory/1156-149-0x00007FF7E2610000-0x00007FF7E2964000-memory.dmp
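Correlating the Processes and memory-dump listings above, as an added example that is not part of the sandbox report. Dump names follow memory/<pid>-<n>-<start>-<end>-memory.dmp, so the size of every dumped region can be recovered and compared across processes; each region is dumped twice in this run (once early, once at the end), and the 64 KiB region of pid 4348 is a heap rather than an image. The entries and paths below are a subset copied from the report; the 7-letter drop-name pattern is an observation made here, not a signature from the report. SeLockMemoryPrivilege, which the sample requests in the AdjustPrivilegeToken table, is the privilege XMRig needs to enable large pages, so an identical image size across all the dropped processes is consistent with one miner payload being re-dropped under random names.

```python
"""Correlate process paths with memory-dump regions (added example, not from the report)."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Dropped files in this run: C:\Windows\System\<7 mixed-case letters>.exe (observed pattern).
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

# Subset of the report's memory listing (constructed sample input).
DUMPS = """\
memory/4348-0-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp
memory/4348-1-0x000001F326080000-0x000001F326090000-memory.dmp
memory/768-33-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp
memory/5084-26-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp
memory/4388-25-0x00007FF641380000-0x00007FF6416D4000-memory.dmp
memory/688-19-0x00007FF666440000-0x00007FF666794000-memory.dmp
memory/1624-10-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp
memory/4348-128-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp
memory/1624-129-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp
"""

# Subset of the report's process list (constructed sample input).
PROCESSES = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe",
    r"C:\Windows\System\uKZvHuR.exe",
    r"C:\Windows\System\bYfRfxf.exe",
    r"C:\Windows\System\yObrscy.exe",
]


def parse_dump(name):
    """Return (pid, start, size) for one dump file name, or None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), start, end - start


def regions_by_pid(listing):
    """pid -> set of (start, size); repeated dumps of the same region collapse."""
    out = defaultdict(set)
    for line in listing.splitlines():
        parsed = parse_dump(line)
        if parsed:
            pid, start, size = parsed
            out[pid].add((start, size))
    return dict(out)


def common_image_size(listing):
    """Size of the largest region in every process if they all agree, else None.
    Taking the largest region is a simplification: in this listing the only
    non-image region is the 0x10000-byte heap of pid 4348."""
    sizes = {max(size for _, size in regions) for regions in regions_by_pid(listing).values()}
    return sizes.pop() if len(sizes) == 1 else None


def dropped_names(paths):
    """Process images that follow the random 7-letter drop pattern."""
    return [p for p in paths if DROP_RE.match(p)]


if __name__ == "__main__":
    by_pid = regions_by_pid(DUMPS)
    print(f"{len(by_pid)} processes, common image size {common_image_size(DUMPS):#x}")
    print(f"{len(dropped_names(PROCESSES))} of {len(PROCESSES)} images match the drop pattern")
```

Run against the full listing above, every one of the 22 processes maps a 0x354000-byte image, while the Files section shows 21 distinct hash sets for the drops: same payload size, different bytes per copy, which is why a name- or size-based hunt (the DROP_RE path pattern, or an unsigned PE of that size under C:\Windows\System\) generalises better than any single hash from this report.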