Analysis Overview
SHA256
20147b9edc885c96895744428ed52da490e918d709be6c29d730fe000b3ff64e
Threat Level: Known bad
The file 2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Cobalt Strike reflective loader (Cobaltstrike family)
Detects Reflective DLL injection artifacts
XMRig Miner payload (Xmrig family)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 07:46
Signatures
Cobalt Strike reflective loader (Cobaltstrike family)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (Xmrig family)
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 07:46
Reported
2024-06-08 07:48
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rWxRKAw.exe | N/A |
| N/A | N/A | C:\Windows\System\KtDNMKV.exe | N/A |
| N/A | N/A | C:\Windows\System\WrOrdBj.exe | N/A |
| N/A | N/A | C:\Windows\System\xxSTrVe.exe | N/A |
| N/A | N/A | C:\Windows\System\WdjGgGF.exe | N/A |
| N/A | N/A | C:\Windows\System\EqYwwRD.exe | N/A |
| N/A | N/A | C:\Windows\System\hmeMWem.exe | N/A |
| N/A | N/A | C:\Windows\System\UqwPaha.exe | N/A |
| N/A | N/A | C:\Windows\System\JSmPjmL.exe | N/A |
| N/A | N/A | C:\Windows\System\DeVlfsU.exe | N/A |
| N/A | N/A | C:\Windows\System\FYncfZM.exe | N/A |
| N/A | N/A | C:\Windows\System\TPrucFI.exe | N/A |
| N/A | N/A | C:\Windows\System\yodmDdV.exe | N/A |
| N/A | N/A | C:\Windows\System\vnkVKcD.exe | N/A |
| N/A | N/A | C:\Windows\System\BTWhqkI.exe | N/A |
| N/A | N/A | C:\Windows\System\NllkwpZ.exe | N/A |
| N/A | N/A | C:\Windows\System\KpEYgfR.exe | N/A |
| N/A | N/A | C:\Windows\System\HVQylBI.exe | N/A |
| N/A | N/A | C:\Windows\System\HiQnGVo.exe | N/A |
| N/A | N/A | C:\Windows\System\iYGKDJA.exe | N/A |
| N/A | N/A | C:\Windows\System\GGWCyOd.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\rWxRKAw.exe | C:\Windows\System\rWxRKAw.exe |
| C:\Windows\System\KtDNMKV.exe | C:\Windows\System\KtDNMKV.exe |
| C:\Windows\System\WrOrdBj.exe | C:\Windows\System\WrOrdBj.exe |
| C:\Windows\System\xxSTrVe.exe | C:\Windows\System\xxSTrVe.exe |
| C:\Windows\System\WdjGgGF.exe | C:\Windows\System\WdjGgGF.exe |
| C:\Windows\System\EqYwwRD.exe | C:\Windows\System\EqYwwRD.exe |
| C:\Windows\System\hmeMWem.exe | C:\Windows\System\hmeMWem.exe |
| C:\Windows\System\UqwPaha.exe | C:\Windows\System\UqwPaha.exe |
| C:\Windows\System\JSmPjmL.exe | C:\Windows\System\JSmPjmL.exe |
| C:\Windows\System\DeVlfsU.exe | C:\Windows\System\DeVlfsU.exe |
| C:\Windows\System\FYncfZM.exe | C:\Windows\System\FYncfZM.exe |
| C:\Windows\System\TPrucFI.exe | C:\Windows\System\TPrucFI.exe |
| C:\Windows\System\BTWhqkI.exe | C:\Windows\System\BTWhqkI.exe |
| C:\Windows\System\yodmDdV.exe | C:\Windows\System\yodmDdV.exe |
| C:\Windows\System\NllkwpZ.exe | C:\Windows\System\NllkwpZ.exe |
| C:\Windows\System\vnkVKcD.exe | C:\Windows\System\vnkVKcD.exe |
| C:\Windows\System\KpEYgfR.exe | C:\Windows\System\KpEYgfR.exe |
| C:\Windows\System\HVQylBI.exe | C:\Windows\System\HVQylBI.exe |
| C:\Windows\System\HiQnGVo.exe | C:\Windows\System\HiQnGVo.exe |
| C:\Windows\System\iYGKDJA.exe | C:\Windows\System\iYGKDJA.exe |
| C:\Windows\System\GGWCyOd.exe | C:\Windows\System\GGWCyOd.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
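The behaviours recorded for this detonation (seven-letter executables dropped under C:\Windows\System and run without arguments, SeLockMemoryPrivilege enabled by the sample process, repeated TCP connections to 3.120.209.58:8080) map directly onto host and network hunting logic. The Python below is an example added by the editor, not part of the sandbox report. It runs three checks over constructed Sysmon-style Event ID 1 (process create) and Event ID 3 (network connect) records and Security Event ID 4703 (token right adjusted) records modelled on this run; the event dicts are constructed, not captured. SeLockMemoryPrivilege is the right XMRig requests in order to use large pages, which is why a miner trips the AdjustPrivilegeToken signature; that context, and the SQL Server allow-list entry, are the editor's additions rather than statements from the report.

```python
"""Hunting checks derived from the sandbox signatures above.
Example code added by the editor; all events below are constructed."""
import re
from dataclasses import dataclass

# Dropped payload naming seen in both detonations: exactly seven letters,
# mixed case, directly under C:\Windows\System (not System32).
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Command-and-control endpoint recorded under "Network".
C2_ENDPOINTS = {("3.120.209.58", 8080)}
# XMRig enables this right to back its scratchpad with large pages.
LOCK_MEMORY = "SeLockMemoryPrivilege"
# Legitimate large-page users on a server; allow-list is an assumption for the example.
KNOWN_LOCK_MEMORY_IMAGES = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def check_process_create(ev):
    """Sysmon Event ID 1: flag images matching the dropper's naming scheme."""
    if DROPPED_EXE.match(ev["Image"]):
        return [Finding("dropped_exe_in_windows_system", ev["Image"],
                        f"parent={ev['ParentImage']}")]
    return []


def check_privilege(ev):
    """Security Event ID 4703: SeLockMemoryPrivilege enabled by an unexpected image."""
    if LOCK_MEMORY in ev["EnabledPrivilegeList"] \
            and ev["ProcessName"].lower() not in KNOWN_LOCK_MEMORY_IMAGES:
        return [Finding("selockmemory_enabled", ev["ProcessName"], LOCK_MEMORY)]
    return []


def check_network(ev):
    """Sysmon Event ID 3: connection to the recorded C2 endpoint."""
    if (ev["DestinationIp"], int(ev["DestinationPort"])) in C2_ENDPOINTS:
        return [Finding("known_c2_endpoint", ev["Image"],
                        f"{ev['DestinationIp']}:{ev['DestinationPort']}/{ev['Protocol']}")]
    return []


HANDLERS = {1: check_process_create, 3: check_network, 4703: check_privilege}


def hunt(events):
    """Apply every handler whose EventID matches; return findings in event order."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["EventID"])
        if handler:
            findings.extend(handler(ev))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe"

# Constructed events modelled on the behavioral1 detonation, with two benign
# negatives (svchost.exe, a SQL Server large-page request, Edge TLS traffic).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System\rWxRKAw.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 3, "Image": r"C:\Windows\System\rWxRKAw.exe", "DestinationIp": "3.120.209.58",
     "DestinationPort": "8080", "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "DestinationIp": "142.250.179.106", "DestinationPort": "443", "Protocol": "tcp"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}  ({f.detail})")
```

The name pattern alone is the weakest of the three checks (any seven-letter binary in that directory would match), so in production it should be combined with the parent-process relationship or the privilege and network checks rather than alerted on in isolation.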
Files
memory/1948-0-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1948-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\rWxRKAw.exe
| MD5 | 5e49779baf21837c08fbd76484afb099 |
| SHA1 | 96e10fd8d3b56ec2922ac8d2231395d0b48081ec |
| SHA256 | 69077fa990fcdcaf82af965fc9402c1d44cb2ac0e6abb2edb46ee179f2e04316 |
| SHA512 | 0a0c9a8f35f6d364ac622b9324fb45c978a48959042cf94db6088754689ff0818901d2b8ca31092a55f3fbc4a2c2ad1820ab7aca79a060b326750f8173522cfc |
memory/1948-8-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2228-13-0x000000013F870000-0x000000013FBC4000-memory.dmp
C:\Windows\system\KtDNMKV.exe
| MD5 | 96832980caf732ff1e18483722d20c45 |
| SHA1 | 9e88d7032568ab723b568572424afdb6b1bece45 |
| SHA256 | c1fc017ff99941913423caf6fd19bc2ead08a9aacdce7e189d8a891cd34eb6dd |
| SHA512 | ecbfc88881afb60d7653e2ff7703ab37760dc9aa705f2f11f6f42b3d53afa7a6cf7c41e8cc695fba0aad73ceb6587d44e6ff99de26c456f5425046f900835085 |
memory/1624-16-0x000000013F440000-0x000000013F794000-memory.dmp
memory/1948-15-0x000000013F440000-0x000000013F794000-memory.dmp
\Windows\system\WrOrdBj.exe
| MD5 | fbd48157202acbf21d516a05b5195101 |
| SHA1 | 635ba96d8a56f8bb06287136e2fda620870dc4d0 |
| SHA256 | 0cd8357098d17444821dc047033dce833b4b8de50e7118b672854c70020b7e3b |
| SHA512 | 866691d9d5c8ec3d2b9c97f07ceaed6cfe88a07575525c4dc0a7acf22d2ab432e54da4465b05d5e673d316355a06fcd7ca63971538943c569191efd427f49934 |
memory/1948-21-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2532-26-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\xxSTrVe.exe
| MD5 | e46a51c1f211cd9aa7c9dea0e3e5daa3 |
| SHA1 | c01779a8bcdde0f8624bab3a146d69468a0535fd |
| SHA256 | 60759699729e66a7d5b6e62a9c5ad01a31b5c15aef2f063a787f80c4a89951a6 |
| SHA512 | d6c029430e9617f8b6674aad510aa7da17839c13b8ec65913d7ac67e60a38b7d2830d52981b11e61252eea47ef65f18cdbe0bcaaec384f12e980c879051eca0f |
memory/1948-27-0x000000013F180000-0x000000013F4D4000-memory.dmp
\Windows\system\WdjGgGF.exe
| MD5 | 369676845f8724cedff74cb6f1537cb9 |
| SHA1 | cd999d58c8a047f1acbedc9574d55d7dab74c66e |
| SHA256 | 23a157ed4fcafa6ba874c5c235485574fdabd06b284f7f41b6fe554d961588f7 |
| SHA512 | 7e885c1982a50f65fd4acbab6ddce4365c6a513a8d542eb9614f851f7ec65fc082a5efb62164ab5f54784705500aa80806c1f70fd6b614ba6990072406a0d190 |
memory/2952-48-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2508-39-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\EqYwwRD.exe
| MD5 | af55767918cfa19f741ec9ffe74e606a |
| SHA1 | c9770cc061d0bb7321fb4f80c419f17965c98e64 |
| SHA256 | b2b4e83d7513aa6b1ff50634b7d89e96a2b7a60a09c862e446f76846d91108e8 |
| SHA512 | a50d95b5e12e9c4eba773a0db41ddcdf2c81a560a77e71b56b25d571fbcbc0fc8a632a0a14622b05a90fb9b59d3ded8313396f63a308389f42c873519b084b4c |
memory/2424-51-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1948-50-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1948-47-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\hmeMWem.exe
| MD5 | cc920f8789a677cc2b067ac06cd7e1a4 |
| SHA1 | 1a13b38c882fdad2c8c0d9a8c8d3765f4e886ef2 |
| SHA256 | f7b4503944ecb280728f6698f25c6ad82cc046d080d0db7a2cb7803cf307274c |
| SHA512 | 7f0a53c5fd0b156e8a058c4d70d200b241a66f069f35a4013a3cfe11fa28109612c57307a283e7da56f80675068c27f2274f64b8889a130939ba57681aa42651 |
memory/1948-44-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2616-34-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\UqwPaha.exe
| MD5 | 0ec41b183d7a352b6b4b1ffbbb26946b |
| SHA1 | c86373b51871219b5fb9a4368808482823a1e8ee |
| SHA256 | 78cb913f00181b65cbad49628110c2f3f6e0f8a4263262d9e3e4724fb62d5d64 |
| SHA512 | 1081b0bd8dc12aab85ca35a242d5317671373b964eebefd9394e07164d2429422ee45062a2743b69360365060f5ef2f0a277579bf50d673737eeeba96c6d26d3 |
memory/1948-62-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2384-64-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\JSmPjmL.exe
| MD5 | 4083c1a8275015f054982fbf6c97096b |
| SHA1 | 75698177ec5b826b20f23d787631d66212451f94 |
| SHA256 | c79d77f73b62b9581fedd485eab524b227c6a10e593706083f60ad920be44fa9 |
| SHA512 | 41b5a916e77dbf7559a2e804cbda35c554177a9ea9a51aef42a0067d45f60920972a5084cc3bf80a281e4dbc41deef4be0da8a90f28186c60b2814d6cca962af |
memory/2436-57-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2312-69-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1948-68-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\DeVlfsU.exe
| MD5 | aec86cead20784e99b1efe9ae113af22 |
| SHA1 | 1bfc4743de1c6a037e5805157b279bcf776189ad |
| SHA256 | 739cbd6bd170089bdcf145ddba399b6301985c43a75af84a97aeefe9856a02de |
| SHA512 | a61145ea439e54b71ecc92d4856b716328c15740aee84bb4e5a06cf84a6ae04aa82fc868fc72f7a82398650d77496be9dd9b86dfc5b7c9812debec27a73e9ffd |
memory/2532-87-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2564-104-0x000000013F7F0000-0x000000013FB44000-memory.dmp
C:\Windows\system\NllkwpZ.exe
| MD5 | 175407f9571d11c200b758f9815fa12b |
| SHA1 | 33ea63978d87c59b5f9705332f029d03bf2ea8e7 |
| SHA256 | fe2e0660e041201d42c05c8db98f9517ec25d69409d73c4471a8287410f44158 |
| SHA512 | cac8a6079b257c7018cce90422c481cbd7de6e8523f05df7c764506750a884b41bfb266e51fa19c384993d85fa658023cbd11ba4d58025b6a7d9c0cf74c002af |
C:\Windows\system\KpEYgfR.exe
| MD5 | 1a54c7b772e42f4ef13f4c40b876ce59 |
| SHA1 | 09d1f64f792649b733080960c82a23d8161a29de |
| SHA256 | 5cef326f303ec1b36057920963c118bee523019367d6282841a64a6930a13a69 |
| SHA512 | a8c3971269a509d68fef5ce4f0ebf401d41f90840960639c82c18e83285860ef6aa5bcb914d2acc41a7ebac028dee2420af2dd5ba1f7b519019f69da9736f535 |
C:\Windows\system\HVQylBI.exe
| MD5 | 00670ab04c6f20e219aeb309a2f58100 |
| SHA1 | 44b46e291983218fd99417d5c80fcbef9fef1be2 |
| SHA256 | bc6949a2fd4192b8adbd50417cbdc30693951b27f00f64d83824655f50f9efab |
| SHA512 | d044311af214ab8419f8b8cb17fe6b68ad594216e1a80571200c00b894b407a5247fcd4dacf3e0998b1dbc60fcf255f014f6e21e4f26848bee372f7c0ff33a3a |
\Windows\system\GGWCyOd.exe
| MD5 | a2088c845cac8f4056a728341b3da73a |
| SHA1 | 8f3bc5b866b259adea7dd98bee28990ea7e379f2 |
| SHA256 | 1f21608c386e0b48e389d44546f71b52d6f0e05e203cdc8669e5d2559424539b |
| SHA512 | 086f547a8df96385c7a3833b1e6aeb45ae06e8c1fbb86c035abec47eaeaac8a09c1230e5338ce1143863cc8d57dc4f97983262ff6920daec6d1c767ee8884b6d |
C:\Windows\system\iYGKDJA.exe
| MD5 | 003ba33ca81217b0771bc83d53f7d4b5 |
| SHA1 | 2e403e2a5ba1cb85dd12658e848a09baf6f3304f |
| SHA256 | 088b3b41c672275fbbef77777b6c341f86399a7bbc6584ec5e70868099b73fa1 |
| SHA512 | 3d1c472ce9de37f6d68d716907d69fb3da23273c8dda64a26564da9bc546bf2e88b70c1df0e98a48ce4819a06e3b3176417954086942de3ff842d6d2cfc4620a |
C:\Windows\system\HiQnGVo.exe
| MD5 | 211a57d460290deab06d87994edc0b3e |
| SHA1 | 46647209a7088ddcc81e321ea05e5a43dfdc3b29 |
| SHA256 | 80477adb23f70c81f318f865c7b67601be1dab0a8f43eb673cabd25d4194fb4a |
| SHA512 | b739ecc5ec3e82627f56fc929c2c7f49efae780ef233aeaf45832b9a5caae122266ceab8a264704d2e4ee51f39639aa2c6b0f68fe952dbb5cd1c7d7ca2b63215 |
memory/1948-94-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\BTWhqkI.exe
| MD5 | c3ed1e9aca2a7d36f6d30736f4606a29 |
| SHA1 | 02dad6c6b68fca0c4e734b27cdc29c75c7123a97 |
| SHA256 | de0956edb2e13e53dbff8878122e00580bfeb488a07bb8662dfeed0f3ce90476 |
| SHA512 | bfefe422254e924b48fd2a84e29fd7cb6efb28d01f8b90a0c7ac461256dbe6d544cbc014703cf086c53264fc4c6bdcf48b9217a2fd14826f6f4b12888afa2504 |
memory/1948-109-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1948-107-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2508-106-0x000000013F040000-0x000000013F394000-memory.dmp
memory/1948-105-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1276-103-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/1948-100-0x000000013F7F0000-0x000000013FB44000-memory.dmp
C:\Windows\system\vnkVKcD.exe
| MD5 | 64a1cf77385c9dab45370a7ddc2ca7ca |
| SHA1 | 911e36e562aea12ab927a6301cf63b37a244bcd9 |
| SHA256 | 069633201129dcca577e71d93a773692ed3d9c717be24267c32cafac06bbd9b5 |
| SHA512 | dceab33879ed54245f5b702d75ae0ec74996d167f02f7ec1a5e89edcdcd785e5841f0a9cb09ae808d0d8bb9d2a776522c86d39d7d52dee51ddf962b5379ba879 |
C:\Windows\system\yodmDdV.exe
| MD5 | 8932516c7a0ca556565b94ebb53f0680 |
| SHA1 | 3d4e67ed71320b96a211cd34e5fc5c6c79735cf9 |
| SHA256 | dc0c25e4e10633160ab7ec222fc30c9b3d6d3e147f376a3408fe20d83096e6c8 |
| SHA512 | 70579d52df6bdd5a0cb2fc5c851b52c4e66ac273f36b0d29add8339f5f44864781cf945b4fbf1535413040ff478d76fe7eb4b3aed33f84ba535e034f1fc5a6d0 |
memory/1948-77-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\TPrucFI.exe
| MD5 | ce6ae57c970f4cc6b067ec0e0f4c0825 |
| SHA1 | a9bd152b2df06a8726003cf0cc33b94cdc9cc48d |
| SHA256 | c877ac9c7560c63af28a64bd4bd23c124e1b8c0c1075d2f9a265187e4e187d3e |
| SHA512 | 93d33424069099363512ed8ae782a9fe984acd84ad2153268e81418da6d32ef918badab36df3ac522f0863e6e2f6bda04bd620e3df0c8859b5fd88e22d7af9a3 |
memory/1256-81-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2616-136-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\FYncfZM.exe
| MD5 | beb41b68511b01413f4ebb6ccde7b41d |
| SHA1 | 60085748a8a15159eb07c6ffe84acf8dd456ab41 |
| SHA256 | b0d38e6747f62b4111a1d56cdc1f38f263bab676854d3cc28dbed9960441aee6 |
| SHA512 | 6ee8d6c510fb4d83bab84e0a615f2f395bc7485585aaf06f1edfdeeee9a84f6822916f84399d8ac0d0c4f940bf4b38f96fabef9e1c94de00b6309a7294da8f57 |
memory/2952-138-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/1948-139-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2384-140-0x000000013F540000-0x000000013F894000-memory.dmp
memory/1948-141-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2312-142-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1948-143-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1948-144-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1948-145-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2228-146-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/1624-147-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2532-148-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2616-149-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2508-150-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2424-151-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2952-152-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2436-153-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2384-154-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2312-155-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1256-156-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1276-157-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2564-158-0x000000013F7F0000-0x000000013FB44000-memory.dmp
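Two facts stand out in the listing above: every one of the 21 dropped files carries a different hash, yet all but one of the dumped memory regions span exactly 0x354000 bytes (for example 0x13FEF0000 to 0x140244000). The payload is therefore re-emitted with varying bytes on each drop, and a hash blocklist built from this report will not catch the next run; the naming pattern, the C:\Windows\System directory, the image size and the C2 endpoint are the more durable pivots. The parser below is example code added by the editor, not part of the report: it reads a Files section in the layout used on this page (a path line followed by `| MD5 | <hex> |` style rows, interleaved with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` lines) into structured records, validates digest lengths, and reports hash diversity and dump-region sizes. The embedded excerpt is copied from the behavioral1 listing above; raising ValueError on malformed rows is the editor's choice.

```python
"""Parse the 'Files' section of this sandbox report into IOC records.
Example code added by the editor, not part of the report."""
import re
from collections import Counter

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMORY_DUMP = re.compile(
    r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return ({path: {algo: hexdigest}}, [dump records]) for one Files section."""
    files, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None          # hash rows never follow a dump line
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != HEX_LEN[algo]:   # reject truncated or padded digests
                raise ValueError(f"{algo} for {current} has {len(value)} hex digits")
            files[current][algo] = value
            continue
        # Anything else is a dropped-file path; the report omits the drive
        # letter on some of them, so the path is kept verbatim.
        current = line
        files.setdefault(current, {})
    return files, dumps


def hash_blocklist(files, algo="SHA256"):
    """Set of digests for the chosen algorithm, ready for a blocklist feed."""
    return {hashes[algo] for hashes in files.values() if algo in hashes}


def distinct_hash_ratio(files, algo="SHA256"):
    """1.0 means every dropped file hashed differently (per-drop polymorphism)."""
    values = [h[algo] for h in files.values() if algo in h]
    return len(set(values)) / len(values) if values else 0.0


def region_sizes(dumps):
    """How many dumped regions share each size; one dominant size = one image."""
    return Counter(d["end"] - d["start"] for d in dumps)


# Excerpt copied from the behavioral1 Files listing in this report.
REPORT_EXCERPT = r"""
memory/1948-0-0x000000013FEF0000-0x0000000140244000-memory.dmp
C:\Windows\system\rWxRKAw.exe
| MD5 | 5e49779baf21837c08fbd76484afb099 |
| SHA1 | 96e10fd8d3b56ec2922ac8d2231395d0b48081ec |
| SHA256 | 69077fa990fcdcaf82af965fc9402c1d44cb2ac0e6abb2edb46ee179f2e04316 |
memory/1948-8-0x000000013F870000-0x000000013FBC4000-memory.dmp
C:\Windows\system\KtDNMKV.exe
| MD5 | 96832980caf732ff1e18483722d20c45 |
| SHA256 | c1fc017ff99941913423caf6fd19bc2ead08a9aacdce7e189d8a891cd34eb6dd |
\Windows\system\WrOrdBj.exe
| SHA256 | 0cd8357098d17444821dc047033dce833b4b8de50e7118b672854c70020b7e3b |
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(REPORT_EXCERPT)
    print(f"{len(files)} dropped files, {len(hash_blocklist(files))} distinct SHA256")
    print(f"distinct-hash ratio: {distinct_hash_ratio(files):.2f}")
    for size, n in region_sizes(dumps).items():
        print(f"{n} dumped region(s) of {size:#x} bytes")
```

Feeding the full listing through `parse_files_section` gives a ratio of 1.0 and a single dominant region size, which is the quantitative form of the observation in the lead-in; a ratio well below 1.0 would instead indicate a dropper that reuses one static payload and is worth blocking by hash.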
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 07:46
Reported
2024-06-08 07:48
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BTOPGUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MukVSEo.exe | N/A |
| N/A | N/A | C:\Windows\System\PSIgdpt.exe | N/A |
| N/A | N/A | C:\Windows\System\fELHCAv.exe | N/A |
| N/A | N/A | C:\Windows\System\TOarsvx.exe | N/A |
| N/A | N/A | C:\Windows\System\TbMMuGn.exe | N/A |
| N/A | N/A | C:\Windows\System\LkOJyrF.exe | N/A |
| N/A | N/A | C:\Windows\System\YUMLZwu.exe | N/A |
| N/A | N/A | C:\Windows\System\PPVRjwJ.exe | N/A |
| N/A | N/A | C:\Windows\System\DONLyFC.exe | N/A |
| N/A | N/A | C:\Windows\System\UQnqACx.exe | N/A |
| N/A | N/A | C:\Windows\System\LheJcvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MkaQGAa.exe | N/A |
| N/A | N/A | C:\Windows\System\fMBadLU.exe | N/A |
| N/A | N/A | C:\Windows\System\CVkUpZN.exe | N/A |
| N/A | N/A | C:\Windows\System\eOthoWD.exe | N/A |
| N/A | N/A | C:\Windows\System\IzdhCrP.exe | N/A |
| N/A | N/A | C:\Windows\System\yLEGKPh.exe | N/A |
| N/A | N/A | C:\Windows\System\XXQZlhw.exe | N/A |
| N/A | N/A | C:\Windows\System\TlMwlyG.exe | N/A |
| N/A | N/A | C:\Windows\System\ovtLNvj.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\BTOPGUZ.exe | C:\Windows\System\BTOPGUZ.exe |
| C:\Windows\System\MukVSEo.exe | C:\Windows\System\MukVSEo.exe |
| C:\Windows\System\PSIgdpt.exe | C:\Windows\System\PSIgdpt.exe |
| C:\Windows\System\fELHCAv.exe | C:\Windows\System\fELHCAv.exe |
| C:\Windows\System\TOarsvx.exe | C:\Windows\System\TOarsvx.exe |
| C:\Windows\System\TbMMuGn.exe | C:\Windows\System\TbMMuGn.exe |
| C:\Windows\System\LkOJyrF.exe | C:\Windows\System\LkOJyrF.exe |
| C:\Windows\System\YUMLZwu.exe | C:\Windows\System\YUMLZwu.exe |
| C:\Windows\System\PPVRjwJ.exe | C:\Windows\System\PPVRjwJ.exe |
| C:\Windows\System\DONLyFC.exe | C:\Windows\System\DONLyFC.exe |
| C:\Windows\System\UQnqACx.exe | C:\Windows\System\UQnqACx.exe |
| C:\Windows\System\LheJcvQ.exe | C:\Windows\System\LheJcvQ.exe |
| C:\Windows\System\MkaQGAa.exe | C:\Windows\System\MkaQGAa.exe |
| C:\Windows\System\fMBadLU.exe | C:\Windows\System\fMBadLU.exe |
| C:\Windows\System\CVkUpZN.exe | C:\Windows\System\CVkUpZN.exe |
| C:\Windows\System\eOthoWD.exe | C:\Windows\System\eOthoWD.exe |
| C:\Windows\System\IzdhCrP.exe | C:\Windows\System\IzdhCrP.exe |
| C:\Windows\System\yLEGKPh.exe | C:\Windows\System\yLEGKPh.exe |
| C:\Windows\System\XXQZlhw.exe | C:\Windows\System\XXQZlhw.exe |
| C:\Windows\System\TlMwlyG.exe | C:\Windows\System\TlMwlyG.exe |
| C:\Windows\System\ovtLNvj.exe | C:\Windows\System\ovtLNvj.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 106.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4076-0-0x00007FF7B3F40000-0x00007FF7B4294000-memory.dmp
memory/4076-1-0x000001A66D1F0000-0x000001A66D200000-memory.dmp
C:\Windows\System\BTOPGUZ.exe
| MD5 | 63891eea5cc1d7f5489f3048031beb87 |
| SHA1 | 57d57e629b54f8f7de5faebcb3b11c5688ecb09c |
| SHA256 | b9899b2fae148fe67f68798f5a0df6faed3746e029233a8ac65dd78be879a956 |
| SHA512 | df4d11ce52e6e1b22196aaf26e0e17cf9a3718410e91b46019946d6ef2ba8f660b1ae67cc23c00be4046177ef570f0637281a00ab2d0d0c113c271f0b7ee570c |
memory/3080-8-0x00007FF6103C0000-0x00007FF610714000-memory.dmp
C:\Windows\System\MukVSEo.exe
| MD5 | 74d2530b4d87b5454a29ca663f3aa0df |
| SHA1 | 6ee481ae7d063316de0fdcc6a0eea68a69b4b79d |
| SHA256 | 02c4dbb6b3b5d15318ccda9079ddb7e5c600abffb264d92d8a02707712e8c468 |
| SHA512 | 75ebc11ddf0543587b3f0f2fe74bf9ecd0a81c18689d66320f2875fb0cfe43cec0691f5818f34de578827a60c931f3098dc8d01e793bbda512a5a167522dac5f |
C:\Windows\System\PSIgdpt.exe
| MD5 | 85a52cd0cd0fcf3bb13448bdbfaad5dd |
| SHA1 | 37cec2fd6d38211a9a523c5b823560ed53cd8c7a |
| SHA256 | 2f564dfa9208f8b4b94423f568b936378acf76831c42805d943d300a01a82243 |
| SHA512 | 8d09bfceffc68a647c3fb2f867ba206500c050d9e580d7147bf395c3fc3f37b5fa30b83a20e1109d2aa08724d5bf0009064a3ca00c1add8afadc27bb60ac1fa3 |
memory/1616-14-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp
memory/1404-20-0x00007FF789C10000-0x00007FF789F64000-memory.dmp
C:\Windows\System\fELHCAv.exe
| MD5 | c1deb8afe3d299d82a2e63457bd19dc3 |
| SHA1 | 7ba69b1966c4bf49015891fae12b64ce1bc50ec7 |
| SHA256 | cbae21e505864f0bad59fc2e38dc9c154e77f94570fff4f51d9367fd79977f8e |
| SHA512 | 5415af2e5cd551c7307c811ce79c837939d0e5c995151ada902d4f16dff27bd94ab3fd5c5e90b45c2cff1a2ad2fb0d00b3f44e87461c7f61ca1d124c6ed0afad |
memory/3456-25-0x00007FF769A20000-0x00007FF769D74000-memory.dmp
C:\Windows\System\TOarsvx.exe
| MD5 | 8824b51e3c6b022563e40d26b44e7e35 |
| SHA1 | e71a7fd7a4d195110419493ae9bfc662c9dc17bf |
| SHA256 | 0834bb17e1291b516251b8519429245b66a2ed843fc7f49e2e8c7f78c751c56e |
| SHA512 | 1e6e7e28bbe3824522f735b1fb66dbbf8adc41ec29976529fb80d21a87d2ed5142418bc2ceb8a42544c868733fc241cfb9136585623702ace2f51154780957d0 |
memory/4536-33-0x00007FF65A030000-0x00007FF65A384000-memory.dmp
C:\Windows\System\TbMMuGn.exe
| MD5 | 644ed1c78c3c9fefd0e3f3f46d0265ae |
| SHA1 | c71571f833c11b6005f1ed6c87e78871c9b28645 |
| SHA256 | 087f2b16908ce042fbfe919a7cd82ab134fa4f22a760477189fe0a4f0f6f0a2e |
| SHA512 | 80b836fc36c6953a21d1e146bf8774d5fb882c95f34e1f5f0654cd80476972fcf9f7e45b4474d1747c9b7313a967508145c83040325d03849e6a84c5addbbe41 |
memory/232-44-0x00007FF7714F0000-0x00007FF771844000-memory.dmp
C:\Windows\System\YUMLZwu.exe
| MD5 | b9d446c86370d852ba1eb3f25996a705 |
| SHA1 | f3f062c80668e9cc9007b2f22b4cbf154ffb7ca6 |
| SHA256 | 74509fa6d6a161791e6368489b7825db4b4a1d9c68890782d0d5dd4cc1785bad |
| SHA512 | 06e165e6bf768faa32ea3596eed78e87201eb821b2c32a81ef5124fe56133b0e18346624a5c915794987dbc503d906b3de485c5b0c3143c3689ac4cb01fc9b96 |
memory/4476-50-0x00007FF7FC900000-0x00007FF7FCC54000-memory.dmp
C:\Windows\System\PPVRjwJ.exe
| MD5 | cc4913a42fc7172ee9741bc5bb56faef |
| SHA1 | c31af3fe1fd13c6f46dda02a5641773aec1dabf6 |
| SHA256 | c1acf2f0a6f047af4a65a348f8f8a1b4ac0a8b677859e9d07093163b75f3d255 |
| SHA512 | 6dac796aa4adb8a40e1ea4f2550df52ee80bc2ae6d5d8b9cf4ea8feaa353784cec93279eea52cbcd9445e3c7da2dc47cc4d6087971618499f49e071aad709905 |
C:\Windows\System\DONLyFC.exe
| MD5 | f29ba56f07c0690759785127abaf5b9a |
| SHA1 | 6a3e81137e924c92d31cae33ae223918e7f285e7 |
| SHA256 | 818dc5c84ab04e991a4a29e31ace8ba277e630845ec999c7cc26301b3371c0ed |
| SHA512 | 0ca5ecd995c29f54ad82178ad0890375501642823c668436694ba1775cbfa10ca72ca699c89f23588445bdef9b2499407609225bba8011d28293dcb46bf3ed79 |
C:\Windows\System\UQnqACx.exe
| MD5 | 9638de3c8ef40e850a0f3915f525ddb6 |
| SHA1 | 2b1f8933df2a16284fb5b5a4d2b49c7a0eeff627 |
| SHA256 | 870a81c896d246b45c559dfcf48fd7a628b019f5778860f809537081ce3ee007 |
| SHA512 | b328b4fabb8ba7a055bc7ce9ac4bf7a078b09fb6ee450fc614a487e106ad1aee70df76783c37968d22c9ec3e45873e78a82bcb295b5af19b710827685d611b8b |
C:\Windows\System\LheJcvQ.exe
| MD5 | f9542c862b314acb4c6fde7a15606f1f |
| SHA1 | 6b35a695460507ac8476f984e6886781bf37e3cf |
| SHA256 | a48bde4e9c3ea2d283b78d9d77676ddba9d6856339649bbf19572c6d6b3c55ce |
| SHA512 | 732020e397816903a3fa0700455091503f0d4d91d443f29f169af425cb39c8f41dcf521f5b9c2741e8d1fc55f5aeb43b07e1be08395c133f8675cccb072c9df3 |
C:\Windows\System\MkaQGAa.exe
| MD5 | 671bde84eb49c280fbee140e137a0bf6 |
| SHA1 | 5e5686b93bb9b29ed231e792c79825afcf641056 |
| SHA256 | e82dbfa487d9b7aacab5bd66176d5164a660e177b1440487abf2cc9cf3783840 |
| SHA512 | 676ae49b236cd41dff736cfcec121cf65758a70742369aa34a606c4dd5dbb5dd24acfad1208477a4dd735c430fb18920702463b44d8b68842055a6ca9467cbd6 |
memory/2108-78-0x00007FF7A7530000-0x00007FF7A7884000-memory.dmp
memory/2516-81-0x00007FF67F910000-0x00007FF67FC64000-memory.dmp
memory/3992-82-0x00007FF639540000-0x00007FF639894000-memory.dmp
memory/412-80-0x00007FF7B6A30000-0x00007FF7B6D84000-memory.dmp
memory/4724-79-0x00007FF77F390000-0x00007FF77F6E4000-memory.dmp
C:\Windows\System\CVkUpZN.exe
| MD5 | 6583ed2a50e3b66d3075f760bda83088 |
| SHA1 | d6fc949d1deb3ce0adef87a96983d42e42cdc2f9 |
| SHA256 | 02b7658248d60df741e769119c957d24870ea3619eeab2a38d167f3f373d3dff |
| SHA512 | 059b6e1e39af29d09dc94602dabc403d62dc80a29459a6ee7a083d35ef51973b293a2506819df514d0184fdbae21433fcc065824b85b92818a5d4ac5226e01da |
memory/4076-89-0x00007FF7B3F40000-0x00007FF7B4294000-memory.dmp
memory/2740-93-0x00007FF7FC2C0000-0x00007FF7FC614000-memory.dmp
memory/1812-92-0x00007FF7659D0000-0x00007FF765D24000-memory.dmp
C:\Windows\System\fMBadLU.exe
| MD5 | ae8e06fd7ecafac1a19f87455d1ee8f7 |
| SHA1 | e6e6d1b6dad05a9588c0be1e5c7eec5ced5912e8 |
| SHA256 | 8da7a95cf85d5bff75e4a2706aeb509ca01187fa299b8dd6f48ac9f17e21b503 |
| SHA512 | 046cc3c428d0a0b00f09226bcc7af2100512be394e1f66ced2c7ca3bcf6b52b5541cc76898ce7d20dc7e6904c2b8a77c28e636f0d783584287e7d3dfe42508d8 |
C:\Windows\System\LkOJyrF.exe
| MD5 | ab0e5edb1ce2fb9a80f68cd6a57e1883 |
| SHA1 | e0eda5d50c3e9f59074bb7769a5d5bd7806aee95 |
| SHA256 | 07616fa220bdec225f7bbb657fcde0615fb41e0f5cbea1ed615e0805bff3e28a |
| SHA512 | d3c506acf66fa84ab1329d6dfef8b3a8757f6e458485feff42729c2c2adf051f0295e6a7aaf4699b9aa5a06cc8143c635c65566969eb7c0fc89f3e83c4b540b8 |
memory/3616-41-0x00007FF6C1770000-0x00007FF6C1AC4000-memory.dmp
C:\Windows\System\eOthoWD.exe
| MD5 | 3be80e0e91d2097578d1011a351f4a9d |
| SHA1 | 532ec93dc1e2dffb9db01d799032e3b252f4155a |
| SHA256 | 80556424c17c15cfa3db7e058a41adb97d897e7b55294417ebf6a323b400996e |
| SHA512 | 1adef89ef56c2f6f8acc9cecd822801b6158cb5c2ced56e19757cd95a036b91ff718983c76e1cb75ca4e4d42df9eeefb63618aa5b758c682caca77b3152de00e |
memory/3080-97-0x00007FF6103C0000-0x00007FF610714000-memory.dmp
C:\Windows\System\IzdhCrP.exe
| MD5 | b06348697272af35da46ccc85bfb92a0 |
| SHA1 | c8532aa2d5e4dae4c116922d879266f2210cccb2 |
| SHA256 | 4767543904f5164459d4a6c6f68b750a5207619e294e4ea7c0e7a1865f6381e4 |
| SHA512 | adea3a3cab4fcfdb9dc5b5f4bca562af2f6d42323c2d40cdb9bf8a717a25b86999b429cf240fd22a88f0e5b789dfe312aa3286b2ddc40af37bf40379fd2fdbfb |
memory/3808-102-0x00007FF665AF0000-0x00007FF665E44000-memory.dmp
C:\Windows\System\yLEGKPh.exe
| MD5 | bde0ed23f738141454aa8eb827b74b6e |
| SHA1 | 8d42502e91e0c632cfb816707332e48d1976d943 |
| SHA256 | 1021bad96dcdcf677d7adf94f25a4a5b9c4ff8ce05b758a8ff60a883081256b0 |
| SHA512 | 7e0abe1970f1907f1d99cb0cde0cbeb8b4bb983bb560b5f564b4150f77bd518b73dbc8a23a1494725483061a07152f323de0872ff3a4b8bebb19faab1ce37962 |
memory/1616-105-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp
memory/612-110-0x00007FF787810000-0x00007FF787B64000-memory.dmp
memory/452-119-0x00007FF6DED20000-0x00007FF6DF074000-memory.dmp
C:\Windows\System\TlMwlyG.exe
| MD5 | 1782d9ba8419a8dcb101e948454fd661 |
| SHA1 | 7bb806270a6ae749951ea6f69ccb37b0d0841d49 |
| SHA256 | 05e5136611c759ff75837bc03b6e0b01547ec739495788aba96083c92af0a364 |
| SHA512 | 8263b9d5020e05772cb33f01217296db4e2090a75b7353d27e9b1e53d24ce1cfa9fdae1a44d8a358d6f60033d598410365e21c6362b7b6ca2c9ddb597605b1c2 |
C:\Windows\System\ovtLNvj.exe
| MD5 | 99c992c02a96105f91de728f2ca4f913 |
| SHA1 | 83a0490576cd7ab734b7e2b7aa49c12431c9b020 |
| SHA256 | e6b8f7bab79110b2f55c72d5701fd97996968d1be26a652bdf5c07d1e3df8e25 |
| SHA512 | 47f0283cf085c36d52e0c2e41855f7e15d6fb2bfaec7dbefcade422299ff8cc368d63a1db33012a9bb63b03502b281a314c51ba78bfac3ca7f1b771708be9b6b |
C:\Windows\System\XXQZlhw.exe
| MD5 | db4f27a7553e70ef96bb5c14b866164b |
| SHA1 | 72fe075cdd08e0ccf61c93a633033a7d1af57de4 |
| SHA256 | 803078490b2e6ccec184ff7263b77a05063972c0b98f9a67a0668a3f70b65905 |
| SHA512 | 6e4db30e96a6e8877f634f1e20289dd8672a97b43cc9fba323062dd1e95194e07b8fe77c4b38e4c0b13cba8e013bd5dec088d2d03010e50488a5bc0d0bee1b6d |