Analysis Overview
SHA256
fade6579c5745e148923498b5e2be690a2c45c444e5e664164c4d0208beba1eb
Threat Level: Known bad
The file 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:32
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:32
Reported
2024-06-07 01:34
Platform
win7-20240508-en
Max time kernel
140s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jJUrdrX.exe | N/A |
| N/A | N/A | C:\Windows\System\FilBJTy.exe | N/A |
| N/A | N/A | C:\Windows\System\GDEquYn.exe | N/A |
| N/A | N/A | C:\Windows\System\qyvxeCe.exe | N/A |
| N/A | N/A | C:\Windows\System\sDkIpOm.exe | N/A |
| N/A | N/A | C:\Windows\System\pKzjpAc.exe | N/A |
| N/A | N/A | C:\Windows\System\xWyegZN.exe | N/A |
| N/A | N/A | C:\Windows\System\oNzSgFN.exe | N/A |
| N/A | N/A | C:\Windows\System\jAVkXTo.exe | N/A |
| N/A | N/A | C:\Windows\System\cRdFGmZ.exe | N/A |
| N/A | N/A | C:\Windows\System\zrunwUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xjNjUuS.exe | N/A |
| N/A | N/A | C:\Windows\System\LRMfqjt.exe | N/A |
| N/A | N/A | C:\Windows\System\PlYlAor.exe | N/A |
| N/A | N/A | C:\Windows\System\ugcTiqG.exe | N/A |
| N/A | N/A | C:\Windows\System\cRUhzlR.exe | N/A |
| N/A | N/A | C:\Windows\System\klhIWmQ.exe | N/A |
| N/A | N/A | C:\Windows\System\RmHMGhI.exe | N/A |
| N/A | N/A | C:\Windows\System\sMvJAEB.exe | N/A |
| N/A | N/A | C:\Windows\System\aLllZQN.exe | N/A |
| N/A | N/A | C:\Windows\System\YjfYnmD.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jJUrdrX.exe
C:\Windows\System\FilBJTy.exe
C:\Windows\System\GDEquYn.exe
C:\Windows\System\qyvxeCe.exe
C:\Windows\System\sDkIpOm.exe
C:\Windows\System\pKzjpAc.exe
C:\Windows\System\xWyegZN.exe
C:\Windows\System\jAVkXTo.exe
C:\Windows\System\oNzSgFN.exe
C:\Windows\System\cRdFGmZ.exe
C:\Windows\System\zrunwUJ.exe
C:\Windows\System\xjNjUuS.exe
C:\Windows\System\LRMfqjt.exe
C:\Windows\System\PlYlAor.exe
C:\Windows\System\ugcTiqG.exe
C:\Windows\System\cRUhzlR.exe
C:\Windows\System\klhIWmQ.exe
C:\Windows\System\RmHMGhI.exe
C:\Windows\System\sMvJAEB.exe
C:\Windows\System\aLllZQN.exe
C:\Windows\System\YjfYnmD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:32
Reported
2024-06-07 01:34
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
158s
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FodKnOO.exe | N/A |
| N/A | N/A | C:\Windows\System\VjsRYph.exe | N/A |
| N/A | N/A | C:\Windows\System\TqLzuBR.exe | N/A |
| N/A | N/A | C:\Windows\System\pNDjMww.exe | N/A |
| N/A | N/A | C:\Windows\System\JIHZaQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NEFBrTR.exe | N/A |
| N/A | N/A | C:\Windows\System\OxWHUpC.exe | N/A |
| N/A | N/A | C:\Windows\System\ROeYSOG.exe | N/A |
| N/A | N/A | C:\Windows\System\urJcNrT.exe | N/A |
| N/A | N/A | C:\Windows\System\fMedKPU.exe | N/A |
| N/A | N/A | C:\Windows\System\HmKhZNa.exe | N/A |
| N/A | N/A | C:\Windows\System\oCjEIKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wPlJqdW.exe | N/A |
| N/A | N/A | C:\Windows\System\xuSsqqM.exe | N/A |
| N/A | N/A | C:\Windows\System\fZRvYYZ.exe | N/A |
| N/A | N/A | C:\Windows\System\wzbSNQU.exe | N/A |
| N/A | N/A | C:\Windows\System\oGtRknr.exe | N/A |
| N/A | N/A | C:\Windows\System\NNybTjL.exe | N/A |
| N/A | N/A | C:\Windows\System\APotKmh.exe | N/A |
| N/A | N/A | C:\Windows\System\UVWmlrf.exe | N/A |
| N/A | N/A | C:\Windows\System\ryaFRvh.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\FodKnOO.exe
C:\Windows\System\VjsRYph.exe
C:\Windows\System\TqLzuBR.exe
C:\Windows\System\pNDjMww.exe
C:\Windows\System\JIHZaQQ.exe
C:\Windows\System\NEFBrTR.exe
C:\Windows\System\OxWHUpC.exe
C:\Windows\System\ROeYSOG.exe
C:\Windows\System\urJcNrT.exe
C:\Windows\System\fMedKPU.exe
C:\Windows\System\HmKhZNa.exe
C:\Windows\System\oCjEIKQ.exe
C:\Windows\System\wPlJqdW.exe
C:\Windows\System\xuSsqqM.exe
C:\Windows\System\fZRvYYZ.exe
C:\Windows\System\wzbSNQU.exe
C:\Windows\System\oGtRknr.exe
C:\Windows\System\NNybTjL.exe
C:\Windows\System\APotKmh.exe
C:\Windows\System\UVWmlrf.exe
C:\Windows\System\ryaFRvh.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
Files