Analysis Overview
SHA256
a57045dae088923c81e07cd1244bba95e7020ebe95334455291ae801ad433d4b
Threat Level: Known bad
The file 2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
xmrig
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:17
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:17
Reported
2024-06-08 04:20
Platform
win7-20240220-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oohPfwM.exe | N/A |
| N/A | N/A | C:\Windows\System\mIvqfQt.exe | N/A |
| N/A | N/A | C:\Windows\System\hgpoXMx.exe | N/A |
| N/A | N/A | C:\Windows\System\yGakBKA.exe | N/A |
| N/A | N/A | C:\Windows\System\yRyFKoD.exe | N/A |
| N/A | N/A | C:\Windows\System\ACOuamW.exe | N/A |
| N/A | N/A | C:\Windows\System\wxSwBWi.exe | N/A |
| N/A | N/A | C:\Windows\System\QReWhNC.exe | N/A |
| N/A | N/A | C:\Windows\System\mtIhYIi.exe | N/A |
| N/A | N/A | C:\Windows\System\ODCtmVo.exe | N/A |
| N/A | N/A | C:\Windows\System\rHnGGLj.exe | N/A |
| N/A | N/A | C:\Windows\System\quyKhbi.exe | N/A |
| N/A | N/A | C:\Windows\System\MRhoyzF.exe | N/A |
| N/A | N/A | C:\Windows\System\QGgtStS.exe | N/A |
| N/A | N/A | C:\Windows\System\WyhxHlU.exe | N/A |
| N/A | N/A | C:\Windows\System\rqXDMbZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ATVUtml.exe | N/A |
| N/A | N/A | C:\Windows\System\WLMrujy.exe | N/A |
| N/A | N/A | C:\Windows\System\OxMSLwl.exe | N/A |
| N/A | N/A | C:\Windows\System\BCCXJTA.exe | N/A |
| N/A | N/A | C:\Windows\System\BzylbDj.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\oohPfwM.exe
C:\Windows\System\oohPfwM.exe
C:\Windows\System\mIvqfQt.exe
C:\Windows\System\mIvqfQt.exe
C:\Windows\System\hgpoXMx.exe
C:\Windows\System\hgpoXMx.exe
C:\Windows\System\yGakBKA.exe
C:\Windows\System\yGakBKA.exe
C:\Windows\System\yRyFKoD.exe
C:\Windows\System\yRyFKoD.exe
C:\Windows\System\ACOuamW.exe
C:\Windows\System\ACOuamW.exe
C:\Windows\System\wxSwBWi.exe
C:\Windows\System\wxSwBWi.exe
C:\Windows\System\QReWhNC.exe
C:\Windows\System\QReWhNC.exe
C:\Windows\System\mtIhYIi.exe
C:\Windows\System\mtIhYIi.exe
C:\Windows\System\ODCtmVo.exe
C:\Windows\System\ODCtmVo.exe
C:\Windows\System\rHnGGLj.exe
C:\Windows\System\rHnGGLj.exe
C:\Windows\System\MRhoyzF.exe
C:\Windows\System\MRhoyzF.exe
C:\Windows\System\quyKhbi.exe
C:\Windows\System\quyKhbi.exe
C:\Windows\System\WyhxHlU.exe
C:\Windows\System\WyhxHlU.exe
C:\Windows\System\QGgtStS.exe
C:\Windows\System\QGgtStS.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\rqXDMbZ.exe
C:\Windows\System\rqXDMbZ.exe
C:\Windows\System\WLMrujy.exe
C:\Windows\System\WLMrujy.exe
C:\Windows\System\OxMSLwl.exe
C:\Windows\System\OxMSLwl.exe
C:\Windows\System\BzylbDj.exe
C:\Windows\System\BzylbDj.exe
C:\Windows\System\BCCXJTA.exe
C:\Windows\System\BCCXJTA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3032-0-0x0000000000190000-0x00000000001A0000-memory.dmp
\Windows\system\oohPfwM.exe
| MD5 | de4188a95ccb83c468381840ea2175ce |
| SHA1 | 973a17bd70670652e71ac5d69c2eb049b4ceb4df |
| SHA256 | 1f252e184577c781d401f0ee4dbafd9127f438240fdb6af9cd2ebb5e1eef831f |
| SHA512 | d85fa7bb664e4e767ea2f3bf11bb6bdc90b20d33a5e05be70213a71e1a24412c794dba707c360db0a9a3218955d115acf420209d5b67f6fb5d4432262082f778 |
\Windows\system\hgpoXMx.exe
| MD5 | 4a0024539b99a59438a507f6c3124cd6 |
| SHA1 | 877c1303e82457a4e776b0f86c8e082d1d4d8e4a |
| SHA256 | c73c5af55d8558fae3bc10df3309d6891a0212b6cc77f8f60263eea16930c988 |
| SHA512 | 3b279a46b07e7c314348be15b07cf10748659f2b93331097fb9a30822ccaff634bca815ca120aa6aa52112a92da488c6020b66dee0b444dd0725fdd96bd4af7f |
memory/2904-23-0x000000013F380000-0x000000013F6D4000-memory.dmp
\Windows\system\yGakBKA.exe
| MD5 | 7bc007a1fd8c59f828c5b44786c55255 |
| SHA1 | ae4b119d6962d6821368ef5b7a7b6b6bce91ecd2 |
| SHA256 | d403a0d263b51b057d16c0f462a000813b5a68c6a3bd16245556afbdec6ab170 |
| SHA512 | 81f26bd02c69e173e1e40604c57888ae49ba7f7fbcff098d4b33a68b26dd1b84c811148a477eebac53616e949bb2aacaafc7af365e64d01cd4b19922106c91e1 |
memory/3032-34-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2740-37-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/3032-36-0x000000013FAC0000-0x000000013FE14000-memory.dmp
C:\Windows\system\ACOuamW.exe
| MD5 | a8e2ae278bbfacc7346ccbc52f51fa12 |
| SHA1 | 048d25b065309deff91282af48609d2225e6b69f |
| SHA256 | 4fd53dcfa5ae4df57a0128d31b92bb1db14d457ca127d8cf694ae2fd96833450 |
| SHA512 | 0f4925dc9841724091757bcfdedba3a358f7942743dd3913b8043e0e12464a5c03434dad5a5405f60639673177fa1fb5d8770fb62b2a46ddb7a4a597266ac83e |
\Windows\system\wxSwBWi.exe
| MD5 | 578b0515bb2b5f73fad4ad646ded421b |
| SHA1 | a7b413ab5787f746240a20602b169b01d13ac7e9 |
| SHA256 | 3106efbc931ece3fc33acbd55028dd2aa8364d498d572f28b38fdd66104af7c0 |
| SHA512 | 0378a564e02ee2906de263bfd3579891ebd4e9f2b4ab932d5f38db3a9169d1e78fe5456520cde280f97f57f4be41c406a63aa5a31f559b92df9c0d0eec87993f |
memory/2100-51-0x000000013F570000-0x000000013F8C4000-memory.dmp
\Windows\system\QReWhNC.exe
| MD5 | ab4ce29dacb94b24c0cc2dfefe43519f |
| SHA1 | 8fd573017e42a631d15ed5d8a20400841b9588e3 |
| SHA256 | 22fb352c9f3203d8598de258f3aaded99f2204a4981634d94c2bab5c2877311e |
| SHA512 | 8fc27a7d69f1b37d5a194f24b65ceb94fef6741ae58f620f185cb9fd30b20cfe8f7de386c003bc674363c10fa5484eb4dd82b91f260235515eaf7d333a1eceef |
memory/3032-53-0x000000013F250000-0x000000013F5A4000-memory.dmp
C:\Windows\system\mtIhYIi.exe
| MD5 | f4fd662d3e597cf165ae77ab4eda44e0 |
| SHA1 | abf1bf45f87d3d40277f525c7b1125dc31a96bce |
| SHA256 | a9c7b3d26b259094dcf0fb4a7afe074ea9138db114a09aaf723d9d96785f57b8 |
| SHA512 | 2b30e406ca44527dbb92b134feb7fa9aaeda2dbf8f761224950b2bb021879b9621b51c16e7515fd7134f63169c40ff67630ca1e0a81b6da3e39f0d3362374014 |
memory/2440-65-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2644-72-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/3032-87-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\QGgtStS.exe
| MD5 | 1d0dcc832e92ba7757e897f588e1d605 |
| SHA1 | f081f606fa9befa2ef7040372a319bd3eab98003 |
| SHA256 | d96b8e065341adea1d1732a257655faf6b0770cdec8bd40edffe6723bc2e6fa6 |
| SHA512 | c74d9c7a35497193c0e7a522c5d11be13f6a26784af9c1baa884fd7a64aac47eb49c0be0634953f59619724dffd67d951b6ff85a7abd12bf396dd8ff5c9a4ea4 |
C:\Windows\system\rqXDMbZ.exe
| MD5 | fa23bf51a3e329edfa9788fba0aae01c |
| SHA1 | 72d094481e100b0ee13c4d0c0603249048385427 |
| SHA256 | e0d5c51ca279c1f41c4306c88cd026a2672829095533d255e9481db52e78ce70 |
| SHA512 | 2f51a0926f72863729037bd8b2e959693a8643a779cc753b8d0160a32193d0b95851d8a51ac0add0b3fa450edb1215d75850af4249ad73500dc85b184612cb4c |
\Windows\system\BzylbDj.exe
| MD5 | 00a98a63f508a862cfd818e2ace050a9 |
| SHA1 | 5241ec292bf24661f2a944553c0e81db06bfb181 |
| SHA256 | 8d3e1df975c2c06c1359ac2c4b851c624dbb7f82df5ad18f7327ca93d2d6790d |
| SHA512 | 3ba11183932c4a698786f27bf53dcfc9d1dc372cfefb5e83aaa52c09d0b267837cb24c811b43b442f94ad04b59777b393396d7aa26fc9f335c2cf85c056c57b6 |
C:\Windows\system\BCCXJTA.exe
| MD5 | cc0380066effda914afbab438c22d480 |
| SHA1 | 0e8eb6a8e9b8758f6c338dea2c7933a0bd72456c |
| SHA256 | 3ccbd4f1a85b93cb653d666520ff9cc943d783ede4517e1b472f2dfbe2be4074 |
| SHA512 | 4fc1ab1b6e8660dc5b4503c20600afd46b531ff82c6042335307a51a030e7400b91f1ca10e52fd8756b9a688718c838a09e45d50ad03bbbf0b2d7424e9475c20 |
C:\Windows\system\OxMSLwl.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
\Windows\system\OxMSLwl.exe
| MD5 | cea85dfe9434f81e707c8a170713c18c |
| SHA1 | 357f58e2c4d85b2476fd6e4dfc9925af05ff6fd5 |
| SHA256 | 788b184c7a0173d4ef3e3a2c6a7fff55b0b03719d2532527be48eba71ed3bbf9 |
| SHA512 | 9f812629ee05d1aaef58a8884dc08fd53eebb100ef540abab49e52b0cca3adb6bc76e90653728d0674f7e11ba3dbfea739947349b3df007602464355fed131df |
C:\Windows\system\WLMrujy.exe
| MD5 | aee8bea1a57c1680fdb13eef68ea2b6b |
| SHA1 | 1bcad438ecb551a1022b0dd8b7213bca1b873d5c |
| SHA256 | b778fc76774c8810a5f92f6cd457f9c750bdbb4b71fafdd9de236bc9513d71d4 |
| SHA512 | 55bfe910d42ce3e110b5197dc0b2a8f2cc6f0a7f52d8adf665488683a0531a819d7f070f09afc04efbc9afd1a235895e0935d317b8998c2d88623c5d9aa7ccf5 |
\Windows\system\ATVUtml.exe
| MD5 | f41120e7855529bf7187180ca7258450 |
| SHA1 | b0c059df0d6beba5a3be7a777722bdf7cb8f6782 |
| SHA256 | 9919a83b02042755054406f3aa7696c4956d2572b28197f57c0884592d8ca9d6 |
| SHA512 | d37d8f7a0be58d93bc8089c89a121eb95b0112454faee747b0fcd8563799e0cfe93fa09c3375a04897e33045ddf699fa15568a303cf0b304e933d2cbf8aa4a6a |
C:\Windows\system\MRhoyzF.exe
| MD5 | d508fc6ef0abe87595c87fc8740c7ef5 |
| SHA1 | 19d2a7f0dd3a9f5871204c1d98c8e2976bee6038 |
| SHA256 | f806a25721142375e31b3638fa47889fb3ed82e6d04ee462f2554cd569dc8508 |
| SHA512 | e5b926f6a23e4893f1d0707458b01a3c6bb3fba808d3ff3642427c51af8eaab0527af962af90fefc2ffc5242cd0b5a0e592b70b3fce0b8cf8f54a9d5abe43685 |
\Windows\system\WyhxHlU.exe
| MD5 | f849ead9a7c3f3e0e8990dda29297ea6 |
| SHA1 | dd0643263bcf900cea6a355c19bcd0e794f5b36c |
| SHA256 | 54c829e879085b5b41747d84b104e5d24874466d4bcec49812de8274d061346b |
| SHA512 | 6122145f63621fec7c8350877bab0dbd3acc8bf867f4755052c0b246f69b1216f56287737796d6623e29575feb0e5be3765d75ef75450122290d14136e5921b1 |
memory/2280-100-0x000000013F620000-0x000000013F974000-memory.dmp
memory/3032-99-0x000000013F620000-0x000000013F974000-memory.dmp
memory/1444-98-0x000000013FE10000-0x0000000140164000-memory.dmp
\Windows\system\MRhoyzF.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/1360-89-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/3032-88-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/3032-86-0x000000013FEE0000-0x0000000140234000-memory.dmp
C:\Windows\system\quyKhbi.exe
| MD5 | 301ae3a5d2393e71a0e708a0d8de146e |
| SHA1 | 354c8bf0f69bd0a7adecefeacb5a3a5c0c8a0acc |
| SHA256 | 98b33fa7a1a64b0d19c5acaac4bb9494350bf32cb35115bb206dadd39ad5ea1f |
| SHA512 | 47330907074f98f2edee570816dd3187ba1836ae319e307a434d17cab158b90256e064dcd8320fd26a60c4b5929404fc709fc0c1e69a5c3e4b218656f0e50338 |
memory/2296-79-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/3032-78-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\rHnGGLj.exe
| MD5 | 634a8970cc8994fb2801952aeea456fa |
| SHA1 | f9dae053f5c8164c42a78233704932cece2ac007 |
| SHA256 | c51b87e0d12d40667505657e0ddfe50300fe849cae1b4dae84cf3a85ac5a97ae |
| SHA512 | 2119e3d6e3c43f185a9c9f3cbe28a303bf2388bdf3eda1e23593b9e140e6a82e634a23dbd669939779f94398bda780572e41a390d43fd350005d5953bcfef4aa |
memory/3032-71-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\ODCtmVo.exe
| MD5 | d136830d8ce90557b1b526169d1cabfd |
| SHA1 | 7fd5f909c612ab93da363e62378f1b6f380cae96 |
| SHA256 | 84e30ea5727b7fbc13b6954f360d7f1c5940610ee3c7552a51ef0bbd0c6b3494 |
| SHA512 | f96394adc2ad6147f614aa15a9e0f895db95a614d61e39eeee72e551220f5550b5ece6869332e69c2ba44f2e33c2852c892a63ff161ca6156231a25ef48ca0e3 |
memory/3032-64-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2376-58-0x000000013F250000-0x000000013F5A4000-memory.dmp
\Windows\system\mtIhYIi.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/3032-50-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2412-43-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/3032-42-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/3032-35-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2748-33-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2528-31-0x000000013F8D0000-0x000000013FC24000-memory.dmp
C:\Windows\system\yRyFKoD.exe
| MD5 | 2b8cae360cdfab11275d90e941613ec4 |
| SHA1 | a24a8627b3ccfc3487303e6a217c5fab0174fc08 |
| SHA256 | 6052926a61463e7426232e7d459057f91b843dc0adcb8166618bef7f8838729d |
| SHA512 | dec466e315e6cad6fc5148c2b2c5705bf2723f15ec60340dc023b266298168bd39b87057b93c57d429b55792e57727e357938d625b393a0f1ac4039cc6d9f7f1 |
memory/3032-28-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2660-19-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/3032-15-0x000000013F920000-0x000000013FC74000-memory.dmp
C:\Windows\system\mIvqfQt.exe
| MD5 | 45304447aacdce0bd2e9fabfca54ccc3 |
| SHA1 | 018798cd2e7166d5125f27320797d87dffa8a887 |
| SHA256 | a8ff630fcdc75f609702eacebc40461caf668cfbf3968040c0ab8c3eda54dc8c |
| SHA512 | d03282f078784170e4fded04796b0e51ac038ee3977511a1fa5872966bbef0913de517633160c734acf6c24cefa2cf743f2e41f1924440fdfd8e81e8d28725df |
memory/2412-136-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/3032-2-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/3032-137-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1360-139-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/3032-138-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2280-141-0x000000013F620000-0x000000013F974000-memory.dmp
memory/1444-140-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2528-144-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2740-146-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2748-145-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2904-143-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2100-148-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2412-147-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2376-149-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2440-150-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2644-151-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2296-152-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2660-142-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/1444-155-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2280-154-0x000000013F620000-0x000000013F974000-memory.dmp
memory/1360-153-0x000000013F6C0000-0x000000013FA14000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:17
Reported
2024-06-08 04:20
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oohPfwM.exe | N/A |
| N/A | N/A | C:\Windows\System\mIvqfQt.exe | N/A |
| N/A | N/A | C:\Windows\System\hgpoXMx.exe | N/A |
| N/A | N/A | C:\Windows\System\yGakBKA.exe | N/A |
| N/A | N/A | C:\Windows\System\yRyFKoD.exe | N/A |
| N/A | N/A | C:\Windows\System\ACOuamW.exe | N/A |
| N/A | N/A | C:\Windows\System\wxSwBWi.exe | N/A |
| N/A | N/A | C:\Windows\System\QReWhNC.exe | N/A |
| N/A | N/A | C:\Windows\System\mtIhYIi.exe | N/A |
| N/A | N/A | C:\Windows\System\ODCtmVo.exe | N/A |
| N/A | N/A | C:\Windows\System\rHnGGLj.exe | N/A |
| N/A | N/A | C:\Windows\System\MRhoyzF.exe | N/A |
| N/A | N/A | C:\Windows\System\quyKhbi.exe | N/A |
| N/A | N/A | C:\Windows\System\WyhxHlU.exe | N/A |
| N/A | N/A | C:\Windows\System\QGgtStS.exe | N/A |
| N/A | N/A | C:\Windows\System\ATVUtml.exe | N/A |
| N/A | N/A | C:\Windows\System\rqXDMbZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WLMrujy.exe | N/A |
| N/A | N/A | C:\Windows\System\OxMSLwl.exe | N/A |
| N/A | N/A | C:\Windows\System\BzylbDj.exe | N/A |
| N/A | N/A | C:\Windows\System\BCCXJTA.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\oohPfwM.exe
C:\Windows\System\oohPfwM.exe
C:\Windows\System\mIvqfQt.exe
C:\Windows\System\mIvqfQt.exe
C:\Windows\System\hgpoXMx.exe
C:\Windows\System\hgpoXMx.exe
C:\Windows\System\yGakBKA.exe
C:\Windows\System\yGakBKA.exe
C:\Windows\System\yRyFKoD.exe
C:\Windows\System\yRyFKoD.exe
C:\Windows\System\ACOuamW.exe
C:\Windows\System\ACOuamW.exe
C:\Windows\System\wxSwBWi.exe
C:\Windows\System\wxSwBWi.exe
C:\Windows\System\QReWhNC.exe
C:\Windows\System\QReWhNC.exe
C:\Windows\System\mtIhYIi.exe
C:\Windows\System\mtIhYIi.exe
C:\Windows\System\ODCtmVo.exe
C:\Windows\System\ODCtmVo.exe
C:\Windows\System\rHnGGLj.exe
C:\Windows\System\rHnGGLj.exe
C:\Windows\System\MRhoyzF.exe
C:\Windows\System\MRhoyzF.exe
C:\Windows\System\quyKhbi.exe
C:\Windows\System\quyKhbi.exe
C:\Windows\System\WyhxHlU.exe
C:\Windows\System\WyhxHlU.exe
C:\Windows\System\QGgtStS.exe
C:\Windows\System\QGgtStS.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\ATVUtml.exe
C:\Windows\System\rqXDMbZ.exe
C:\Windows\System\rqXDMbZ.exe
C:\Windows\System\WLMrujy.exe
C:\Windows\System\WLMrujy.exe
C:\Windows\System\OxMSLwl.exe
C:\Windows\System\OxMSLwl.exe
C:\Windows\System\BzylbDj.exe
C:\Windows\System\BzylbDj.exe
C:\Windows\System\BCCXJTA.exe
C:\Windows\System\BCCXJTA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3044-0-0x00007FF7F5D30000-0x00007FF7F6084000-memory.dmp
memory/3044-1-0x000001F093F40000-0x000001F093F50000-memory.dmp
C:\Windows\System\oohPfwM.exe
| MD5 | de4188a95ccb83c468381840ea2175ce |
| SHA1 | 973a17bd70670652e71ac5d69c2eb049b4ceb4df |
| SHA256 | 1f252e184577c781d401f0ee4dbafd9127f438240fdb6af9cd2ebb5e1eef831f |
| SHA512 | d85fa7bb664e4e767ea2f3bf11bb6bdc90b20d33a5e05be70213a71e1a24412c794dba707c360db0a9a3218955d115acf420209d5b67f6fb5d4432262082f778 |
memory/5780-8-0x00007FF681AB0000-0x00007FF681E04000-memory.dmp
C:\Windows\System\mIvqfQt.exe
| MD5 | 45304447aacdce0bd2e9fabfca54ccc3 |
| SHA1 | 018798cd2e7166d5125f27320797d87dffa8a887 |
| SHA256 | a8ff630fcdc75f609702eacebc40461caf668cfbf3968040c0ab8c3eda54dc8c |
| SHA512 | d03282f078784170e4fded04796b0e51ac038ee3977511a1fa5872966bbef0913de517633160c734acf6c24cefa2cf743f2e41f1924440fdfd8e81e8d28725df |
C:\Windows\System\hgpoXMx.exe
| MD5 | 4a0024539b99a59438a507f6c3124cd6 |
| SHA1 | 877c1303e82457a4e776b0f86c8e082d1d4d8e4a |
| SHA256 | c73c5af55d8558fae3bc10df3309d6891a0212b6cc77f8f60263eea16930c988 |
| SHA512 | 3b279a46b07e7c314348be15b07cf10748659f2b93331097fb9a30822ccaff634bca815ca120aa6aa52112a92da488c6020b66dee0b444dd0725fdd96bd4af7f |
memory/2928-14-0x00007FF7B78C0000-0x00007FF7B7C14000-memory.dmp
memory/5496-20-0x00007FF6542C0000-0x00007FF654614000-memory.dmp
C:\Windows\System\yGakBKA.exe
| MD5 | 7bc007a1fd8c59f828c5b44786c55255 |
| SHA1 | ae4b119d6962d6821368ef5b7a7b6b6bce91ecd2 |
| SHA256 | d403a0d263b51b057d16c0f462a000813b5a68c6a3bd16245556afbdec6ab170 |
| SHA512 | 81f26bd02c69e173e1e40604c57888ae49ba7f7fbcff098d4b33a68b26dd1b84c811148a477eebac53616e949bb2aacaafc7af365e64d01cd4b19922106c91e1 |
memory/1020-26-0x00007FF7292A0000-0x00007FF7295F4000-memory.dmp
C:\Windows\System\yRyFKoD.exe
| MD5 | 2b8cae360cdfab11275d90e941613ec4 |
| SHA1 | a24a8627b3ccfc3487303e6a217c5fab0174fc08 |
| SHA256 | 6052926a61463e7426232e7d459057f91b843dc0adcb8166618bef7f8838729d |
| SHA512 | dec466e315e6cad6fc5148c2b2c5705bf2723f15ec60340dc023b266298168bd39b87057b93c57d429b55792e57727e357938d625b393a0f1ac4039cc6d9f7f1 |
C:\Windows\System\ACOuamW.exe
| MD5 | a8e2ae278bbfacc7346ccbc52f51fa12 |
| SHA1 | 048d25b065309deff91282af48609d2225e6b69f |
| SHA256 | 4fd53dcfa5ae4df57a0128d31b92bb1db14d457ca127d8cf694ae2fd96833450 |
| SHA512 | 0f4925dc9841724091757bcfdedba3a358f7942743dd3913b8043e0e12464a5c03434dad5a5405f60639673177fa1fb5d8770fb62b2a46ddb7a4a597266ac83e |
C:\Windows\System\wxSwBWi.exe
| MD5 | 578b0515bb2b5f73fad4ad646ded421b |
| SHA1 | a7b413ab5787f746240a20602b169b01d13ac7e9 |
| SHA256 | 3106efbc931ece3fc33acbd55028dd2aa8364d498d572f28b38fdd66104af7c0 |
| SHA512 | 0378a564e02ee2906de263bfd3579891ebd4e9f2b4ab932d5f38db3a9169d1e78fe5456520cde280f97f57f4be41c406a63aa5a31f559b92df9c0d0eec87993f |
memory/5324-41-0x00007FF7E4B20000-0x00007FF7E4E74000-memory.dmp
memory/5344-42-0x00007FF730CC0000-0x00007FF731014000-memory.dmp
memory/6040-36-0x00007FF74AA30000-0x00007FF74AD84000-memory.dmp
C:\Windows\System\QReWhNC.exe
| MD5 | ab4ce29dacb94b24c0cc2dfefe43519f |
| SHA1 | 8fd573017e42a631d15ed5d8a20400841b9588e3 |
| SHA256 | 22fb352c9f3203d8598de258f3aaded99f2204a4981634d94c2bab5c2877311e |
| SHA512 | 8fc27a7d69f1b37d5a194f24b65ceb94fef6741ae58f620f185cb9fd30b20cfe8f7de386c003bc674363c10fa5484eb4dd82b91f260235515eaf7d333a1eceef |
memory/4984-50-0x00007FF67AEA0000-0x00007FF67B1F4000-memory.dmp
C:\Windows\System\mtIhYIi.exe
| MD5 | f4fd662d3e597cf165ae77ab4eda44e0 |
| SHA1 | abf1bf45f87d3d40277f525c7b1125dc31a96bce |
| SHA256 | a9c7b3d26b259094dcf0fb4a7afe074ea9138db114a09aaf723d9d96785f57b8 |
| SHA512 | 2b30e406ca44527dbb92b134feb7fa9aaeda2dbf8f761224950b2bb021879b9621b51c16e7515fd7134f63169c40ff67630ca1e0a81b6da3e39f0d3362374014 |
memory/1832-56-0x00007FF77E830000-0x00007FF77EB84000-memory.dmp
memory/3044-62-0x00007FF7F5D30000-0x00007FF7F6084000-memory.dmp
memory/1520-66-0x00007FF64C0B0000-0x00007FF64C404000-memory.dmp
C:\Windows\System\rHnGGLj.exe
| MD5 | 634a8970cc8994fb2801952aeea456fa |
| SHA1 | f9dae053f5c8164c42a78233704932cece2ac007 |
| SHA256 | c51b87e0d12d40667505657e0ddfe50300fe849cae1b4dae84cf3a85ac5a97ae |
| SHA512 | 2119e3d6e3c43f185a9c9f3cbe28a303bf2388bdf3eda1e23593b9e140e6a82e634a23dbd669939779f94398bda780572e41a390d43fd350005d5953bcfef4aa |
memory/1076-69-0x00007FF614990000-0x00007FF614CE4000-memory.dmp
C:\Windows\System\ODCtmVo.exe
| MD5 | d136830d8ce90557b1b526169d1cabfd |
| SHA1 | 7fd5f909c612ab93da363e62378f1b6f380cae96 |
| SHA256 | 84e30ea5727b7fbc13b6954f360d7f1c5940610ee3c7552a51ef0bbd0c6b3494 |
| SHA512 | f96394adc2ad6147f614aa15a9e0f895db95a614d61e39eeee72e551220f5550b5ece6869332e69c2ba44f2e33c2852c892a63ff161ca6156231a25ef48ca0e3 |
C:\Windows\System\MRhoyzF.exe
| MD5 | d508fc6ef0abe87595c87fc8740c7ef5 |
| SHA1 | 19d2a7f0dd3a9f5871204c1d98c8e2976bee6038 |
| SHA256 | f806a25721142375e31b3638fa47889fb3ed82e6d04ee462f2554cd569dc8508 |
| SHA512 | e5b926f6a23e4893f1d0707458b01a3c6bb3fba808d3ff3642427c51af8eaab0527af962af90fefc2ffc5242cd0b5a0e592b70b3fce0b8cf8f54a9d5abe43685 |
memory/3632-76-0x00007FF769D30000-0x00007FF76A084000-memory.dmp
memory/2928-75-0x00007FF7B78C0000-0x00007FF7B7C14000-memory.dmp
C:\Windows\System\quyKhbi.exe
| MD5 | 301ae3a5d2393e71a0e708a0d8de146e |
| SHA1 | 354c8bf0f69bd0a7adecefeacb5a3a5c0c8a0acc |
| SHA256 | 98b33fa7a1a64b0d19c5acaac4bb9494350bf32cb35115bb206dadd39ad5ea1f |
| SHA512 | 47330907074f98f2edee570816dd3187ba1836ae319e307a434d17cab158b90256e064dcd8320fd26a60c4b5929404fc709fc0c1e69a5c3e4b218656f0e50338 |
memory/1020-88-0x00007FF7292A0000-0x00007FF7295F4000-memory.dmp
memory/5324-92-0x00007FF7E4B20000-0x00007FF7E4E74000-memory.dmp
C:\Windows\System\QGgtStS.exe
| MD5 | 1d0dcc832e92ba7757e897f588e1d605 |
| SHA1 | f081f606fa9befa2ef7040372a319bd3eab98003 |
| SHA256 | d96b8e065341adea1d1732a257655faf6b0770cdec8bd40edffe6723bc2e6fa6 |
| SHA512 | c74d9c7a35497193c0e7a522c5d11be13f6a26784af9c1baa884fd7a64aac47eb49c0be0634953f59619724dffd67d951b6ff85a7abd12bf396dd8ff5c9a4ea4 |
memory/3624-91-0x00007FF756D60000-0x00007FF7570B4000-memory.dmp
C:\Windows\System\WyhxHlU.exe
| MD5 | f849ead9a7c3f3e0e8990dda29297ea6 |
| SHA1 | dd0643263bcf900cea6a355c19bcd0e794f5b36c |
| SHA256 | 54c829e879085b5b41747d84b104e5d24874466d4bcec49812de8274d061346b |
| SHA512 | 6122145f63621fec7c8350877bab0dbd3acc8bf867f4755052c0b246f69b1216f56287737796d6623e29575feb0e5be3765d75ef75450122290d14136e5921b1 |
memory/4436-82-0x00007FF7C5C00000-0x00007FF7C5F54000-memory.dmp
C:\Windows\System\ATVUtml.exe
| MD5 | f41120e7855529bf7187180ca7258450 |
| SHA1 | b0c059df0d6beba5a3be7a777722bdf7cb8f6782 |
| SHA256 | 9919a83b02042755054406f3aa7696c4956d2572b28197f57c0884592d8ca9d6 |
| SHA512 | d37d8f7a0be58d93bc8089c89a121eb95b0112454faee747b0fcd8563799e0cfe93fa09c3375a04897e33045ddf699fa15568a303cf0b304e933d2cbf8aa4a6a |
C:\Windows\System\WLMrujy.exe
| MD5 | aee8bea1a57c1680fdb13eef68ea2b6b |
| SHA1 | 1bcad438ecb551a1022b0dd8b7213bca1b873d5c |
| SHA256 | b778fc76774c8810a5f92f6cd457f9c750bdbb4b71fafdd9de236bc9513d71d4 |
| SHA512 | 55bfe910d42ce3e110b5197dc0b2a8f2cc6f0a7f52d8adf665488683a0531a819d7f070f09afc04efbc9afd1a235895e0935d317b8998c2d88623c5d9aa7ccf5 |
C:\Windows\System\BCCXJTA.exe
| MD5 | cc0380066effda914afbab438c22d480 |
| SHA1 | 0e8eb6a8e9b8758f6c338dea2c7933a0bd72456c |
| SHA256 | 3ccbd4f1a85b93cb653d666520ff9cc943d783ede4517e1b472f2dfbe2be4074 |
| SHA512 | 4fc1ab1b6e8660dc5b4503c20600afd46b531ff82c6042335307a51a030e7400b91f1ca10e52fd8756b9a688718c838a09e45d50ad03bbbf0b2d7424e9475c20 |
C:\Windows\System\BzylbDj.exe
| MD5 | 00a98a63f508a862cfd818e2ace050a9 |
| SHA1 | 5241ec292bf24661f2a944553c0e81db06bfb181 |
| SHA256 | 8d3e1df975c2c06c1359ac2c4b851c624dbb7f82df5ad18f7327ca93d2d6790d |
| SHA512 | 3ba11183932c4a698786f27bf53dcfc9d1dc372cfefb5e83aaa52c09d0b267837cb24c811b43b442f94ad04b59777b393396d7aa26fc9f335c2cf85c056c57b6 |
C:\Windows\System\OxMSLwl.exe
| MD5 | cea85dfe9434f81e707c8a170713c18c |
| SHA1 | 357f58e2c4d85b2476fd6e4dfc9925af05ff6fd5 |
| SHA256 | 788b184c7a0173d4ef3e3a2c6a7fff55b0b03719d2532527be48eba71ed3bbf9 |
| SHA512 | 9f812629ee05d1aaef58a8884dc08fd53eebb100ef540abab49e52b0cca3adb6bc76e90653728d0674f7e11ba3dbfea739947349b3df007602464355fed131df |
C:\Windows\System\rqXDMbZ.exe
| MD5 | fa23bf51a3e329edfa9788fba0aae01c |
| SHA1 | 72d094481e100b0ee13c4d0c0603249048385427 |
| SHA256 | e0d5c51ca279c1f41c4306c88cd026a2672829095533d255e9481db52e78ce70 |
| SHA512 | 2f51a0926f72863729037bd8b2e959693a8643a779cc753b8d0160a32193d0b95851d8a51ac0add0b3fa450edb1215d75850af4249ad73500dc85b184612cb4c |
memory/4348-126-0x00007FF64A4C0000-0x00007FF64A814000-memory.dmp
memory/1936-125-0x00007FF767400000-0x00007FF767754000-memory.dmp
memory/3116-127-0x00007FF65B4E0000-0x00007FF65B834000-memory.dmp
memory/5488-128-0x00007FF6C9570000-0x00007FF6C98C4000-memory.dmp
memory/2820-130-0x00007FF693790000-0x00007FF693AE4000-memory.dmp
memory/4052-129-0x00007FF78CB60000-0x00007FF78CEB4000-memory.dmp
memory/2596-131-0x00007FF7EC1A0000-0x00007FF7EC4F4000-memory.dmp
memory/5344-132-0x00007FF730CC0000-0x00007FF731014000-memory.dmp
memory/4984-133-0x00007FF67AEA0000-0x00007FF67B1F4000-memory.dmp
memory/1832-134-0x00007FF77E830000-0x00007FF77EB84000-memory.dmp
memory/1076-135-0x00007FF614990000-0x00007FF614CE4000-memory.dmp
memory/5780-136-0x00007FF681AB0000-0x00007FF681E04000-memory.dmp
memory/2928-137-0x00007FF7B78C0000-0x00007FF7B7C14000-memory.dmp
memory/5496-138-0x00007FF6542C0000-0x00007FF654614000-memory.dmp
memory/1020-139-0x00007FF7292A0000-0x00007FF7295F4000-memory.dmp
memory/6040-140-0x00007FF74AA30000-0x00007FF74AD84000-memory.dmp
memory/5324-141-0x00007FF7E4B20000-0x00007FF7E4E74000-memory.dmp
memory/4984-143-0x00007FF67AEA0000-0x00007FF67B1F4000-memory.dmp
memory/5344-142-0x00007FF730CC0000-0x00007FF731014000-memory.dmp
memory/1832-144-0x00007FF77E830000-0x00007FF77EB84000-memory.dmp
memory/1520-145-0x00007FF64C0B0000-0x00007FF64C404000-memory.dmp
memory/1076-146-0x00007FF614990000-0x00007FF614CE4000-memory.dmp
memory/3632-147-0x00007FF769D30000-0x00007FF76A084000-memory.dmp
memory/4436-148-0x00007FF7C5C00000-0x00007FF7C5F54000-memory.dmp
memory/3624-149-0x00007FF756D60000-0x00007FF7570B4000-memory.dmp
memory/1936-150-0x00007FF767400000-0x00007FF767754000-memory.dmp
memory/2596-151-0x00007FF7EC1A0000-0x00007FF7EC4F4000-memory.dmp
memory/4348-152-0x00007FF64A4C0000-0x00007FF64A814000-memory.dmp
memory/3116-153-0x00007FF65B4E0000-0x00007FF65B834000-memory.dmp
memory/5488-154-0x00007FF6C9570000-0x00007FF6C98C4000-memory.dmp
memory/2820-156-0x00007FF693790000-0x00007FF693AE4000-memory.dmp
memory/4052-155-0x00007FF78CB60000-0x00007FF78CEB4000-memory.dmp