Analysis Overview
SHA256
6107c5fe45d8e714592edb54ff4b4c726a3689c327a00ad31718a1cb01251e72
Threat Level: Known bad
The file 2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Reported | 2024-06-01 11:11 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-01 11:11 |
| Reported | 2024-06-01 11:13 |
| Platform | win7-20231129-en |
| Max time kernel | 138s |
| Max time network | 148s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jrRxtte.exe | N/A |
| N/A | N/A | C:\Windows\System\GnnJaCi.exe | N/A |
| N/A | N/A | C:\Windows\System\OrIdNEy.exe | N/A |
| N/A | N/A | C:\Windows\System\LLXeGRa.exe | N/A |
| N/A | N/A | C:\Windows\System\xOkfeFl.exe | N/A |
| N/A | N/A | C:\Windows\System\RfPVaEi.exe | N/A |
| N/A | N/A | C:\Windows\System\HILVVGD.exe | N/A |
| N/A | N/A | C:\Windows\System\QpCCaAg.exe | N/A |
| N/A | N/A | C:\Windows\System\gjXeKHv.exe | N/A |
| N/A | N/A | C:\Windows\System\cFnENHJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YcQbbGH.exe | N/A |
| N/A | N/A | C:\Windows\System\FWHISqm.exe | N/A |
| N/A | N/A | C:\Windows\System\KccGCVd.exe | N/A |
| N/A | N/A | C:\Windows\System\gBPNbEm.exe | N/A |
| N/A | N/A | C:\Windows\System\AFMpUdc.exe | N/A |
| N/A | N/A | C:\Windows\System\zIZAolq.exe | N/A |
| N/A | N/A | C:\Windows\System\dQrTWET.exe | N/A |
| N/A | N/A | C:\Windows\System\orbdiUr.exe | N/A |
| N/A | N/A | C:\Windows\System\pybXweQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xGdAhho.exe | N/A |
| N/A | N/A | C:\Windows\System\wDfcGFC.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\jrRxtte.exe | C:\Windows\System\jrRxtte.exe |
| C:\Windows\System\GnnJaCi.exe | C:\Windows\System\GnnJaCi.exe |
| C:\Windows\System\LLXeGRa.exe | C:\Windows\System\LLXeGRa.exe |
| C:\Windows\System\OrIdNEy.exe | C:\Windows\System\OrIdNEy.exe |
| C:\Windows\System\xOkfeFl.exe | C:\Windows\System\xOkfeFl.exe |
| C:\Windows\System\RfPVaEi.exe | C:\Windows\System\RfPVaEi.exe |
| C:\Windows\System\HILVVGD.exe | C:\Windows\System\HILVVGD.exe |
| C:\Windows\System\QpCCaAg.exe | C:\Windows\System\QpCCaAg.exe |
| C:\Windows\System\gjXeKHv.exe | C:\Windows\System\gjXeKHv.exe |
| C:\Windows\System\cFnENHJ.exe | C:\Windows\System\cFnENHJ.exe |
| C:\Windows\System\YcQbbGH.exe | C:\Windows\System\YcQbbGH.exe |
| C:\Windows\System\FWHISqm.exe | C:\Windows\System\FWHISqm.exe |
| C:\Windows\System\KccGCVd.exe | C:\Windows\System\KccGCVd.exe |
| C:\Windows\System\gBPNbEm.exe | C:\Windows\System\gBPNbEm.exe |
| C:\Windows\System\AFMpUdc.exe | C:\Windows\System\AFMpUdc.exe |
| C:\Windows\System\zIZAolq.exe | C:\Windows\System\zIZAolq.exe |
| C:\Windows\System\dQrTWET.exe | C:\Windows\System\dQrTWET.exe |
| C:\Windows\System\orbdiUr.exe | C:\Windows\System\orbdiUr.exe |
| C:\Windows\System\pybXweQ.exe | C:\Windows\System\pybXweQ.exe |
| C:\Windows\System\xGdAhho.exe | C:\Windows\System\xGdAhho.exe |
| C:\Windows\System\wDfcGFC.exe | C:\Windows\System\wDfcGFC.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-01 11:11 |
| Reported | 2024-06-01 11:14 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 148s |
| Max time network | 155s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ABeFSPs.exe | N/A |
| N/A | N/A | C:\Windows\System\oOHRlOf.exe | N/A |
| N/A | N/A | C:\Windows\System\NOTdYRy.exe | N/A |
| N/A | N/A | C:\Windows\System\EzJlGvt.exe | N/A |
| N/A | N/A | C:\Windows\System\iKNGhBa.exe | N/A |
| N/A | N/A | C:\Windows\System\krMMAIr.exe | N/A |
| N/A | N/A | C:\Windows\System\wVpeiqh.exe | N/A |
| N/A | N/A | C:\Windows\System\FoopTbA.exe | N/A |
| N/A | N/A | C:\Windows\System\itxJPJx.exe | N/A |
| N/A | N/A | C:\Windows\System\ArNDycx.exe | N/A |
| N/A | N/A | C:\Windows\System\nrUfWRi.exe | N/A |
| N/A | N/A | C:\Windows\System\EpmxmxT.exe | N/A |
| N/A | N/A | C:\Windows\System\iKVNGEa.exe | N/A |
| N/A | N/A | C:\Windows\System\SszKOvW.exe | N/A |
| N/A | N/A | C:\Windows\System\mugVUpj.exe | N/A |
| N/A | N/A | C:\Windows\System\AnEUoqo.exe | N/A |
| N/A | N/A | C:\Windows\System\JckCjGc.exe | N/A |
| N/A | N/A | C:\Windows\System\ihJkegb.exe | N/A |
| N/A | N/A | C:\Windows\System\auciQcN.exe | N/A |
| N/A | N/A | C:\Windows\System\NnqlHXN.exe | N/A |
| N/A | N/A | C:\Windows\System\tfKXlAy.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_576ed9fc598922b23832584ac79f4291_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ABeFSPs.exe | C:\Windows\System\ABeFSPs.exe |
| C:\Windows\System\oOHRlOf.exe | C:\Windows\System\oOHRlOf.exe |
| C:\Windows\System\NOTdYRy.exe | C:\Windows\System\NOTdYRy.exe |
| C:\Windows\System\EzJlGvt.exe | C:\Windows\System\EzJlGvt.exe |
| C:\Windows\System\iKNGhBa.exe | C:\Windows\System\iKNGhBa.exe |
| C:\Windows\System\krMMAIr.exe | C:\Windows\System\krMMAIr.exe |
| C:\Windows\System\wVpeiqh.exe | C:\Windows\System\wVpeiqh.exe |
| C:\Windows\System\FoopTbA.exe | C:\Windows\System\FoopTbA.exe |
| C:\Windows\System\itxJPJx.exe | C:\Windows\System\itxJPJx.exe |
| C:\Windows\System\ArNDycx.exe | C:\Windows\System\ArNDycx.exe |
| C:\Windows\System\nrUfWRi.exe | C:\Windows\System\nrUfWRi.exe |
| C:\Windows\System\EpmxmxT.exe | C:\Windows\System\EpmxmxT.exe |
| C:\Windows\System\iKVNGEa.exe | C:\Windows\System\iKVNGEa.exe |
| C:\Windows\System\SszKOvW.exe | C:\Windows\System\SszKOvW.exe |
| C:\Windows\System\mugVUpj.exe | C:\Windows\System\mugVUpj.exe |
| C:\Windows\System\AnEUoqo.exe | C:\Windows\System\AnEUoqo.exe |
| C:\Windows\System\JckCjGc.exe | C:\Windows\System\JckCjGc.exe |
| C:\Windows\System\ihJkegb.exe | C:\Windows\System\ihJkegb.exe |
| C:\Windows\System\auciQcN.exe | C:\Windows\System\auciQcN.exe |
| C:\Windows\System\NnqlHXN.exe | C:\Windows\System\NnqlHXN.exe |
| C:\Windows\System\tfKXlAy.exe | C:\Windows\System\tfKXlAy.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3420-0-0x00007FF7AA9A0000-0x00007FF7AACF4000-memory.dmp
memory/3420-1-0x0000016135DC0000-0x0000016135DD0000-memory.dmp
C:\Windows\System\ABeFSPs.exe
| MD5 | c2b8ffa33a435745b9ea05661dbad395 |
| SHA1 | a36bd3035c5e262978e1004fc30a85b0c4212dea |
| SHA256 | 60bfb322e21f04f07f1d04495ec98b80ad8886aee6f59080961011b5b20e74f5 |
| SHA512 | 5f1a6b4b7f694d00a9ab00124282995d60c4db6c28d356bce1c09e3bac18d32c5cb69515199d07e0946135cb700a8b3df1ce9fbf319e1d8a4a3dbee483a4c63a |
memory/3488-7-0x00007FF79F5F0000-0x00007FF79F944000-memory.dmp
C:\Windows\System\oOHRlOf.exe
| MD5 | 4bf61270a6afc837bc531f5cc4c2cab3 |
| SHA1 | 82e5c9b86bf13851095fb982a4dfb09c26e4a12d |
| SHA256 | b27744f9be01d21ad06a74fb5a35beb6958d8a88bbcf69945350814dee7fc5f4 |
| SHA512 | 3c29143ef0cdc8cd781b1f862260154e1c5015a2872752701b9089e9172818b451edc21e57860676f4ca4570b4993a2d69bc062b87a73d67f172416118e074bb |
memory/2272-14-0x00007FF758300000-0x00007FF758654000-memory.dmp
C:\Windows\System\NOTdYRy.exe
| MD5 | 2116996022ee6e72882634d0a92f081b |
| SHA1 | b6982208efd00dade8bc9db8c9c227ff299939df |
| SHA256 | 7ac53c1654484a705a4f5ce884f35a17dc001005a2644f2b2b25818a31621473 |
| SHA512 | 08f2155738dba3b12ca02497f8010e04b71421363e97016992135f4f1392fb0e5687ef05051e21ba598df647417159a1c1ed748715782c7ae5c338ddadf75a96 |
memory/4628-18-0x00007FF66E6D0000-0x00007FF66EA24000-memory.dmp
C:\Windows\System\EzJlGvt.exe
| MD5 | 57d92ba4c2f30eada07e015b85ad1c5e |
| SHA1 | 7e20e584e8da1dacac9a2d87811b03c8a4843786 |
| SHA256 | 12e6b9cd901bcc39beba3f197df99b3822fd917bbfc89b6494e237b4603c5a4e |
| SHA512 | 7f407c2d5f85c4f65ee05a492f171ac406e8cbfb19d4361aad4f7fbaf9fac2cdde84d4cdd7db2b621d1d06f58812edae6d9254eba76b6d6ec3d59d5b50c2a3a8 |
memory/3740-26-0x00007FF624CB0000-0x00007FF625004000-memory.dmp
C:\Windows\System\iKNGhBa.exe
| MD5 | e02954ac64a95fdc705b19de82863ade |
| SHA1 | 9d6d2733c361e72f1a8635093dcf81d5a7af2ddd |
| SHA256 | 24d515be7bc9f83a2a6112f749a9d55c3063db01f5afad6730730256df97ffe6 |
| SHA512 | deb5cf9ce8e6cce8d272e75f386d82f8e99a4ed3fa1c8955cc99996496d85b51084d4a0c4909103538210a3384c3449cb49564ee7c5a091629a9fc4fb918c8fd |
memory/4384-32-0x00007FF7B17E0000-0x00007FF7B1B34000-memory.dmp
C:\Windows\System\krMMAIr.exe
| MD5 | bd4e54e84566b42a6fcb3d5da1402097 |
| SHA1 | 2fdaf7cabd3b936708ac468480cfdb21caa76ff3 |
| SHA256 | 5dd30969c1f7e840896b1e6783f27c369eb15ca5b02c9fc52fc19fe52b414860 |
| SHA512 | 415697c791fa2e5f8cee5c16ce3aa80c233286c31638ced61305e9574f892d6eef110ad4317059107c53f4a70b52b6cba048351cfaeb7c0b76a924ed8bee6328 |
C:\Windows\System\wVpeiqh.exe
| MD5 | 740fa2d1114c0457699c194119a768d7 |
| SHA1 | 1555123b7954cdaaa774088b96fac8607436d8cb |
| SHA256 | 38ac40a9ff00eff31d98b9492d0fde833eec7a53a30a145529eb8814b9c4809a |
| SHA512 | edbd08b544836d5c11db47ff81115aafaa0733a0ea65196da675c741cc8cbbec83c52683c6452cf2ee631a2a062fe3ed015dbc14b6d489225e884bdc30d11c81 |
C:\Windows\System\FoopTbA.exe
| MD5 | fdb1caa398827f2df033ccc9b8192ca1 |
| SHA1 | ec0ddcd6b709f63de4aa495f175c4476eebe7e22 |
| SHA256 | 97477be13a2687ca25d95f128c9e1a46da36ffcce932e421ac3830412c299f89 |
| SHA512 | f9b0782ef5f4e4cc14dfb705d6a49c835687fa139d7e99177bf06b3f4f5bcff912f9378e374d43ead7eedcfc5d2f6716adf4851aa4b56746e13d8b4184047058 |
C:\Windows\System\itxJPJx.exe
| MD5 | 0ad4130acc2e7c69d2427320a32ffecc |
| SHA1 | 4d046ff98be1bb1ab4f9fee011fb718d130b08cb |
| SHA256 | f697b90c6d4459f19fe8c886c949b78c61af112e945bc4265b326fd095ad13cd |
| SHA512 | c99e1822c0a5c8adc224b05e89d19aaf699ea5990c6863baf4e59e544d5a47cc52fbfb2b04d168c3ed5d20362d29418b47071a07998103f4875f6122c0fa53eb |
C:\Windows\System\ArNDycx.exe
| MD5 | e23ea9dd317b8c062cff61093f079f4b |
| SHA1 | 9f257743f2ae2cd5f66cbe15df1879fcdc69e384 |
| SHA256 | ad75e135f92d885978e4104610f62c1fdbfa65f61f4b5f403a0225cf8ab27d60 |
| SHA512 | ee237444d59e391fca66664a5c099cdddb020378c7863b0d854b107b1c8aaa65dd1b7330657ba24d06558d672400dc718c701bf04a119b1228777600bd0422c4 |
C:\Windows\System\nrUfWRi.exe
| MD5 | 898ea6dbedb3b02aa54d346fac2c40d8 |
| SHA1 | f1298a4c0eb360aba1ec56cbb5bf146dfad24e85 |
| SHA256 | 16baf1945398b2745cb3ac67937bc0bffc909dd851181bfb27deb01984235074 |
| SHA512 | 51472c9244d6724cfef8dd5cd65f7d5dc9cf815dfaae33908d57ca3584775f109548e7f20998041cc1b2e2d44fb40077019e6cc5cfaadaa2f62b565f668c3063 |
C:\Windows\System\EpmxmxT.exe
| MD5 | 27828da871f3ba9179e3f91be71075f0 |
| SHA1 | d1319cc00a9787c595a24052c4a25ff659a561f6 |
| SHA256 | d404b147d4bc6e78c7324453b59ab3bce9ad47565a301666ce8fd3d67eec34fc |
| SHA512 | eeab7dafa3885ee97fccfa99f726aa5d37d6dcb2b9c7d4438706f59c651d3f267f9aead8bde56d9361a7aa9a9f350e1a1888bc76c1b633b59ae863175c0c093d |
memory/3572-72-0x00007FF6152D0000-0x00007FF615624000-memory.dmp
memory/4016-74-0x00007FF73CFB0000-0x00007FF73D304000-memory.dmp
memory/380-76-0x00007FF74D1D0000-0x00007FF74D524000-memory.dmp
memory/1652-78-0x00007FF743420000-0x00007FF743774000-memory.dmp
C:\Windows\System\iKVNGEa.exe
| MD5 | e009e9fd9c76cf00d37a91749b7476f6 |
| SHA1 | 4521f20c3a21b51705db84f6edd81b5bcc78734a |
| SHA256 | e48a2d743b456331e486a3bfeb171679da22f46a586643813df32d6e2da8b6c4 |
| SHA512 | 14b5e94fa339a2890a0fff4fc122a8e8f992a876fa54c37b6a9c6d513dd94e6bda434135cae956c2c9b9f5d6e3c0fa6821fb614c52884cd95a31fc81440441d3 |
memory/2528-77-0x00007FF7D5370000-0x00007FF7D56C4000-memory.dmp
memory/3716-75-0x00007FF68F840000-0x00007FF68FB94000-memory.dmp
memory/3752-73-0x00007FF700D10000-0x00007FF701064000-memory.dmp
memory/2068-70-0x00007FF7B9040000-0x00007FF7B9394000-memory.dmp
C:\Windows\System\mugVUpj.exe
| MD5 | 6600ea394a63643fea9c0679cf250204 |
| SHA1 | dbb5f427604dc9785a79a69a6b18b603ad015517 |
| SHA256 | 036d53fb5d47be2255cda830444fc5f04beb61f81d4a997dac9b41e4960ac36a |
| SHA512 | aaa21782f7006d9d30a6360fdb00b83a053638026502443f8de83fa857a615edfb632ddc2014f24537f2f25d2ac41947ff8c6d96c716bc775ef1ff81fdec3b71 |
C:\Windows\System\SszKOvW.exe
| MD5 | 67e416a1d0b76fa1bc4773e9d55c75d6 |
| SHA1 | 6447e376d4acde1cf6f35b952d2be75b60f2b7b2 |
| SHA256 | 986fb80bd7b95c4217199086f55f672486065b41d96d8ea3010c27b1a7f97929 |
| SHA512 | 0c60f3d12c372b1462020bf52ed2a79272929ab112477721b585bda416f1f11a8e98ce7871114f395aca9c2888524962dfcff2267701f95a81225742cb8af9be |
C:\Windows\System\AnEUoqo.exe
| MD5 | b680002bef32860f165243e24471f207 |
| SHA1 | 66a1b697aa2b9987a065d87c561caa56d2301ff0 |
| SHA256 | 8620dfd6891bbea607a98e993e747151b50227478b0cf0ef949c8fa223df260a |
| SHA512 | 4264bcbc9238868f141b5c9d1fa1269124393384a8cd001d9dfdb10a2e1b3493dcbeecf803eb20773c2bf20daf7c2f9dc990aa4b3a9a4e04653d3e8b47ce5c4a |
C:\Windows\System\JckCjGc.exe
| MD5 | 077ad16ab806ada66519027031c68405 |
| SHA1 | 3a458ce48eebae1d6daf9705cec6a68d5df2ea9d |
| SHA256 | 111712585727661387d2a4c4be3de0027670ba7f1eee4a41ccc019fde5602819 |
| SHA512 | f555137db06f74f31fffa5a99345ea5c2fde0b393daa50d7bc0e5deba4326d6131fa9a05d5588b95f819de1f379c2aeb840e58ae4c455a2b2bc57a043e841f67 |
C:\Windows\System\ihJkegb.exe
| MD5 | f5a3a9c58089cfbbc19e353c8a4c5959 |
| SHA1 | 7db12e350dd35feed6aa5c134d43c054055c705a |
| SHA256 | 81d65abf0c26529e7de35722241a5fb4240652534a9f0d0f842a2aaa009f36ed |
| SHA512 | 752a16c365cb8136d3f58a17d79d2f8a82bfef9fcbf64ac88a4629184f4b2a151c1c3cf0c9495815438969814a1ceae445e92061ac9caeb67179c5b454f73aed |
C:\Windows\System\auciQcN.exe
| MD5 | 3020f3c7291e8264e42a68adb9fe5cb5 |
| SHA1 | 5c4e0f57ab90bbce7c0c3cd32f3c1de9665b42cf |
| SHA256 | ce60c00dfc828c5a55ccebca41bf305ecef7a49a8d4498e80eb3b1dceb5f0921 |
| SHA512 | 434a8193601b7753c9688e304722ec3993eedb28b0928c8f7fe7bb9023a957fc7b691c1b87147a77af739554de837ed0553dbe0815f7f2b1fdcef20ab0cbc9e7 |
C:\Windows\System\NnqlHXN.exe
| MD5 | 644c0458cae7393d934d5a5f4c7eaee7 |
| SHA1 | 9f5561c72a1e6a05179112249d5905f9e4bfeaf1 |
| SHA256 | 332a867ddf57c0209644b71cf4f77d466ffb0ba82f13528bfd918e3da8bceb83 |
| SHA512 | 6ecb9014bb0098c4618fb6312b1c28748b5f756cb0e35bdfd0cccfe2ed0a91a1f954370c635f22a06a43c122b4e53224008a79af6471d9abd422c73b474e0969 |
C:\Windows\System\tfKXlAy.exe
| MD5 | 3dbac290fd325e26ee9226d8df9e9f4d |
| SHA1 | 5ab65609d3fc7921abaffe6bb182dbfd5d52b50e |
| SHA256 | b1428dc578c4c640e8d9cb6595f7e8400d77e7d50d172497890e63bde113f990 |
| SHA512 | 5267234d2e80ad842f54b86e42bb6b7f50e8d702a2e3ff5f762fc50f6ffbc40eedf6e058e03539fb4f6fc37bf507290e499935a62388b75e73fa6f3388244bab |