Analysis Overview
SHA256: 4b358f051e3017a53a4c6f72dc065a1ecf6e86dcdd367e30625a575179c1174a
Threat Level: Known bad
The file 2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
XMRig Miner payload
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-06-08 16:55
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 16:54
Reported: 2024-06-08 17:04
Platform: win7-20240221-en
Max time kernel: 136s
Max time network: 150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WkdWMjO.exe | N/A |
| N/A | N/A | C:\Windows\System\ByUgkol.exe | N/A |
| N/A | N/A | C:\Windows\System\EvtgZpS.exe | N/A |
| N/A | N/A | C:\Windows\System\WvPtODh.exe | N/A |
| N/A | N/A | C:\Windows\System\FCeAmjI.exe | N/A |
| N/A | N/A | C:\Windows\System\CPvxWCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jQBREVA.exe | N/A |
| N/A | N/A | C:\Windows\System\RkJVgob.exe | N/A |
| N/A | N/A | C:\Windows\System\duYCpur.exe | N/A |
| N/A | N/A | C:\Windows\System\JYFbVVu.exe | N/A |
| N/A | N/A | C:\Windows\System\MdxjttG.exe | N/A |
| N/A | N/A | C:\Windows\System\NcHSNEx.exe | N/A |
| N/A | N/A | C:\Windows\System\SJLKuIe.exe | N/A |
| N/A | N/A | C:\Windows\System\YZLxLwc.exe | N/A |
| N/A | N/A | C:\Windows\System\hGCPkkM.exe | N/A |
| N/A | N/A | C:\Windows\System\hpUfSnK.exe | N/A |
| N/A | N/A | C:\Windows\System\SqnoudW.exe | N/A |
| N/A | N/A | C:\Windows\System\PQfZGcy.exe | N/A |
| N/A | N/A | C:\Windows\System\LpXLQVv.exe | N/A |
| N/A | N/A | C:\Windows\System\lOrTlGK.exe | N/A |
| N/A | N/A | C:\Windows\System\heUpzGF.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\WkdWMjO.exe | C:\Windows\System\WkdWMjO.exe |
| C:\Windows\System\ByUgkol.exe | C:\Windows\System\ByUgkol.exe |
| C:\Windows\System\EvtgZpS.exe | C:\Windows\System\EvtgZpS.exe |
| C:\Windows\System\WvPtODh.exe | C:\Windows\System\WvPtODh.exe |
| C:\Windows\System\FCeAmjI.exe | C:\Windows\System\FCeAmjI.exe |
| C:\Windows\System\CPvxWCZ.exe | C:\Windows\System\CPvxWCZ.exe |
| C:\Windows\System\jQBREVA.exe | C:\Windows\System\jQBREVA.exe |
| C:\Windows\System\RkJVgob.exe | C:\Windows\System\RkJVgob.exe |
| C:\Windows\System\duYCpur.exe | C:\Windows\System\duYCpur.exe |
| C:\Windows\System\JYFbVVu.exe | C:\Windows\System\JYFbVVu.exe |
| C:\Windows\System\NcHSNEx.exe | C:\Windows\System\NcHSNEx.exe |
| C:\Windows\System\MdxjttG.exe | C:\Windows\System\MdxjttG.exe |
| C:\Windows\System\YZLxLwc.exe | C:\Windows\System\YZLxLwc.exe |
| C:\Windows\System\SJLKuIe.exe | C:\Windows\System\SJLKuIe.exe |
| C:\Windows\System\hGCPkkM.exe | C:\Windows\System\hGCPkkM.exe |
| C:\Windows\System\hpUfSnK.exe | C:\Windows\System\hpUfSnK.exe |
| C:\Windows\System\SqnoudW.exe | C:\Windows\System\SqnoudW.exe |
| C:\Windows\System\PQfZGcy.exe | C:\Windows\System\PQfZGcy.exe |
| C:\Windows\System\LpXLQVv.exe | C:\Windows\System\LpXLQVv.exe |
| C:\Windows\System\lOrTlGK.exe | C:\Windows\System\lOrTlGK.exe |
| C:\Windows\System\heUpzGF.exe | C:\Windows\System\heUpzGF.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-08 16:54
Reported: 2024-06-08 17:04
Platform: win10v2004-20240226-en
Max time kernel: 155s
Max time network: 165s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tPmpOGN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZrawzLM.exe | N/A |
| N/A | N/A | C:\Windows\System\YhApZTw.exe | N/A |
| N/A | N/A | C:\Windows\System\VKffFxA.exe | N/A |
| N/A | N/A | C:\Windows\System\WHCJXmn.exe | N/A |
| N/A | N/A | C:\Windows\System\bBBQgVP.exe | N/A |
| N/A | N/A | C:\Windows\System\trZvslp.exe | N/A |
| N/A | N/A | C:\Windows\System\AGSBbkt.exe | N/A |
| N/A | N/A | C:\Windows\System\jYiUPop.exe | N/A |
| N/A | N/A | C:\Windows\System\UTGzhzg.exe | N/A |
| N/A | N/A | C:\Windows\System\dfXLqxO.exe | N/A |
| N/A | N/A | C:\Windows\System\EwTEZJE.exe | N/A |
| N/A | N/A | C:\Windows\System\JYkbMrF.exe | N/A |
| N/A | N/A | C:\Windows\System\ALxRsKz.exe | N/A |
| N/A | N/A | C:\Windows\System\JrjraSf.exe | N/A |
| N/A | N/A | C:\Windows\System\BXbQpTN.exe | N/A |
| N/A | N/A | C:\Windows\System\fLzyHep.exe | N/A |
| N/A | N/A | C:\Windows\System\ErWoTeC.exe | N/A |
| N/A | N/A | C:\Windows\System\btQwaEb.exe | N/A |
| N/A | N/A | C:\Windows\System\eYTTxhd.exe | N/A |
| N/A | N/A | C:\Windows\System\BlXWlPj.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_27a5a2395602672f765c43c520f83df6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\tPmpOGN.exe | C:\Windows\System\tPmpOGN.exe |
| C:\Windows\System\ZrawzLM.exe | C:\Windows\System\ZrawzLM.exe |
| C:\Windows\System\YhApZTw.exe | C:\Windows\System\YhApZTw.exe |
| C:\Windows\System\VKffFxA.exe | C:\Windows\System\VKffFxA.exe |
| C:\Windows\System\WHCJXmn.exe | C:\Windows\System\WHCJXmn.exe |
| C:\Windows\System\bBBQgVP.exe | C:\Windows\System\bBBQgVP.exe |
| C:\Windows\System\trZvslp.exe | C:\Windows\System\trZvslp.exe |
| C:\Windows\System\AGSBbkt.exe | C:\Windows\System\AGSBbkt.exe |
| C:\Windows\System\jYiUPop.exe | C:\Windows\System\jYiUPop.exe |
| C:\Windows\System\UTGzhzg.exe | C:\Windows\System\UTGzhzg.exe |
| C:\Windows\System\dfXLqxO.exe | C:\Windows\System\dfXLqxO.exe |
| C:\Windows\System\EwTEZJE.exe | C:\Windows\System\EwTEZJE.exe |
| C:\Windows\System\JYkbMrF.exe | C:\Windows\System\JYkbMrF.exe |
| C:\Windows\System\ALxRsKz.exe | C:\Windows\System\ALxRsKz.exe |
| C:\Windows\System\JrjraSf.exe | C:\Windows\System\JrjraSf.exe |
| C:\Windows\System\BXbQpTN.exe | C:\Windows\System\BXbQpTN.exe |
| C:\Windows\System\fLzyHep.exe | C:\Windows\System\fLzyHep.exe |
| C:\Windows\System\ErWoTeC.exe | C:\Windows\System\ErWoTeC.exe |
| C:\Windows\System\btQwaEb.exe | C:\Windows\System\btQwaEb.exe |
| C:\Windows\System\eYTTxhd.exe | C:\Windows\System\eYTTxhd.exe |
| C:\Windows\System\BlXWlPj.exe | C:\Windows\System\BlXWlPj.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files