Analysis Overview
SHA256
17d6e5fdab9e62b0414a84da6962fdf0555d6ee468e790f9a03bd05e3b67fa20
Threat Level: Known bad
The file 2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike family
XMRig Miner payload
xmrig
Xmrig family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 19:42
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 19:42
Reported
2024-06-09 19:45
Platform
win7-20240221-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XOpoUFJ.exe | N/A |
| N/A | N/A | C:\Windows\System\eHFfyAt.exe | N/A |
| N/A | N/A | C:\Windows\System\pgsaBWQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fbJedGS.exe | N/A |
| N/A | N/A | C:\Windows\System\nTHpOBE.exe | N/A |
| N/A | N/A | C:\Windows\System\oyaeula.exe | N/A |
| N/A | N/A | C:\Windows\System\dJEqfJA.exe | N/A |
| N/A | N/A | C:\Windows\System\XPOGFSV.exe | N/A |
| N/A | N/A | C:\Windows\System\Qtujcbq.exe | N/A |
| N/A | N/A | C:\Windows\System\LILXVyr.exe | N/A |
| N/A | N/A | C:\Windows\System\hhNROGS.exe | N/A |
| N/A | N/A | C:\Windows\System\LnDdOPP.exe | N/A |
| N/A | N/A | C:\Windows\System\lCEopTG.exe | N/A |
| N/A | N/A | C:\Windows\System\XuZncel.exe | N/A |
| N/A | N/A | C:\Windows\System\JtUIjnd.exe | N/A |
| N/A | N/A | C:\Windows\System\xOlOLCM.exe | N/A |
| N/A | N/A | C:\Windows\System\WDHNaoV.exe | N/A |
| N/A | N/A | C:\Windows\System\OMvqlIh.exe | N/A |
| N/A | N/A | C:\Windows\System\oMywRUt.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBpyBUu.exe | N/A |
| N/A | N/A | C:\Windows\System\ORgagom.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XOpoUFJ.exe
C:\Windows\System\XOpoUFJ.exe
C:\Windows\System\eHFfyAt.exe
C:\Windows\System\eHFfyAt.exe
C:\Windows\System\pgsaBWQ.exe
C:\Windows\System\pgsaBWQ.exe
C:\Windows\System\fbJedGS.exe
C:\Windows\System\fbJedGS.exe
C:\Windows\System\nTHpOBE.exe
C:\Windows\System\nTHpOBE.exe
C:\Windows\System\oyaeula.exe
C:\Windows\System\oyaeula.exe
C:\Windows\System\dJEqfJA.exe
C:\Windows\System\dJEqfJA.exe
C:\Windows\System\XPOGFSV.exe
C:\Windows\System\XPOGFSV.exe
C:\Windows\System\Qtujcbq.exe
C:\Windows\System\Qtujcbq.exe
C:\Windows\System\LILXVyr.exe
C:\Windows\System\LILXVyr.exe
C:\Windows\System\hhNROGS.exe
C:\Windows\System\hhNROGS.exe
C:\Windows\System\WDHNaoV.exe
C:\Windows\System\WDHNaoV.exe
C:\Windows\System\LnDdOPP.exe
C:\Windows\System\LnDdOPP.exe
C:\Windows\System\OMvqlIh.exe
C:\Windows\System\OMvqlIh.exe
C:\Windows\System\lCEopTG.exe
C:\Windows\System\lCEopTG.exe
C:\Windows\System\oMywRUt.exe
C:\Windows\System\oMywRUt.exe
C:\Windows\System\XuZncel.exe
C:\Windows\System\XuZncel.exe
C:\Windows\System\ZBpyBUu.exe
C:\Windows\System\ZBpyBUu.exe
C:\Windows\System\JtUIjnd.exe
C:\Windows\System\JtUIjnd.exe
C:\Windows\System\ORgagom.exe
C:\Windows\System\ORgagom.exe
C:\Windows\System\xOlOLCM.exe
C:\Windows\System\xOlOLCM.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2068-0-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2068-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\XOpoUFJ.exe
| MD5 | 3ad9584563f4e762c465e03e83fdb69d |
| SHA1 | e05495adb1f7c7442d7029187f2de144143fdc6f |
| SHA256 | 5125fc9aa297513a05ce1f5b6c87b89b7095a07e86c9dc7d704ac7a0b442ae49 |
| SHA512 | c10e45361814ae69e7056126674f4e57e1be01d9412d629f59d3b81acbf04b505f2dcdcc7847172048a944d75f0a53d82a9baaffda4325254fc082920b3d7869 |
\Windows\system\eHFfyAt.exe
| MD5 | 571548b27ed11eeac995dff6adbcde95 |
| SHA1 | ece126c0127e1ca6b051144619d3fce1f0d36e79 |
| SHA256 | eadfca0161c228f912fc46d204e11058d2995e184ee361adc02ade1c0c6a29f6 |
| SHA512 | fa31e5eb0643d2fb5320c346439d42aa5b521ae0e5ba3258e666edda05ecedf81f03cde11bd54785db3dc167ad6a3eaee0ef666b8fc20fadf4e529602a009ca4 |
\Windows\system\pgsaBWQ.exe
| MD5 | 61308d4debae2aa381e77aa51e4a2363 |
| SHA1 | 2356844cac62d06c837c87a9c31638a41e9d933e |
| SHA256 | 1b1b9ac7358c978d1ad4877e96f7009591c9a8c7dae920462605c3bcd1ef08b5 |
| SHA512 | 9dba7d53511efb2e7f7dd73ca4a4c97adce73a751fa64c63555d65296f35f13427a9f332a544dc1a315e5265483f6e2a476911b15c3130defca9839a4577b19c |
\Windows\system\fbJedGS.exe
| MD5 | 73146390c47e1c7349aacfefe3eec6aa |
| SHA1 | 1ace3922d6f8bb17813fb1bb389d5bcb8e506a13 |
| SHA256 | 1d7c20da4ad2e8900009a321cb8e70b6ad3e0bbdbacc1f6bdce83b7b94512ad7 |
| SHA512 | 4c45639d275fa753ef1d3758f0a535550c9614582311bc5f2557daab10f49c5ef528b912ccd794204d290f1d8f16e4198abaf1096fded3aecdf569ebd42bdc2e |
\Windows\system\dJEqfJA.exe
| MD5 | 3ac08ff7e682c93f282932d9ad0a8fc0 |
| SHA1 | 2de7c59c6d383e9ef4263d1535bedfbbefc6ae4f |
| SHA256 | 01c5cc5c92a189345d6aa0ee8897537ef8ea58bea257228359b85b80262ef7cb |
| SHA512 | 1785dc26e8eccdcf176a29bef4c718e071549231c2aa18a89017344cdc98b9e6d014a6913f107c4af89c3122a04dc8602d9551f32a9a4741dcf8bab80771992a |
C:\Windows\system\Qtujcbq.exe
| MD5 | 3ee7480db7024173281938b193326e18 |
| SHA1 | 590e3ae67f79050bcb55740e3b01375cd55cf60e |
| SHA256 | 082d5c3123e851e5e288987ef3066219c7ff664360b8f995d35c999349168497 |
| SHA512 | fab8d33bb61d1f678718d73c60c0e7b0a821c2fb304f42d767a594e0d2b79e9f44e300dd34cf698f6ef4f9ff19298c174a9f027a7b022e0bd5a8a85d6bd28d30 |
C:\Windows\system\XPOGFSV.exe
| MD5 | a95a84399abdc71c9a439f1c26990d3a |
| SHA1 | 4cbd1e6d0e41b4a4282ca1bfe4789f98fdfcd14c |
| SHA256 | 50ac10a32328cc9bb7ff94da745b88c8fa915a5e3185a4fa44a4504183f673d5 |
| SHA512 | 30c346bc697b067a857ad724f8b4d6dddedafd2a62362e04645d5d2c289e6c7249e8eff9e9d2a0e9bfb530a0975b710b10c28d2c1500501d2a210b21c1894841 |
C:\Windows\system\LILXVyr.exe
| MD5 | 0ee1110a22e4443ea306bf951fd17368 |
| SHA1 | 431ed5c361137e7bcca48c297ef9f440b6e9c373 |
| SHA256 | ec24b5785c35d475af8212e65e12bd7fb3aba741f38fd3a94c244b8d8a6fef48 |
| SHA512 | adc91bf786643a01633ae9f018074309283ce9c5496a26de46c54b0f084e8fd9fa9a54b579c70e583f0f91375896c81b5ac0fd1d2ee1cf35a6f3fc340368a52a |
\Windows\system\OMvqlIh.exe
| MD5 | 9f6fb4ab447e5bd19b3bd00dc0bc5afe |
| SHA1 | 4168aea12dc6a0d8b3ff5b30cfe5f31297641401 |
| SHA256 | 2c20c00537f2272a150c823833b9c69c3d9038c7b3eab8e57dc455deafe0de59 |
| SHA512 | 1c8359025354a61becdf49e2608b78fe2702b8e251e21cf62421c7440be7453e3d4a66f4247ced9ec5c041cf0bff3735dd88f6fe92ea75f6276438c609f1c34e |
memory/2536-91-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2068-90-0x00000000022F0000-0x0000000002644000-memory.dmp
\Windows\system\ORgagom.exe
| MD5 | cea0c4921821527b18f84be889a50184 |
| SHA1 | 3b6c8eb7e87930f62ce0d47c403ef10cf8d0c781 |
| SHA256 | 49e109d3efd7c94a2194da6b1e70f89ffc73e01467d792d754e3632ada8b291f |
| SHA512 | cb4484e32b9fe00bb9b3e09a933f830a927454c1d0964764e27b92d856998e981e6237dee111c93ad1ccc0310d2e66d50892dee2575b1aaf7f7c5623d4853af3 |
memory/2992-82-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\XuZncel.exe
| MD5 | 898428e8aa298f68bfc17c030a9adfa3 |
| SHA1 | eaffb1c8a410e09d905e8d4db5e8874b23347557 |
| SHA256 | 6368beff11764d3f192215f9cfd90b35ad4e47e1430f4bdad18c3b0277f6ff31 |
| SHA512 | 706f32fff7a2320ba13476d83eaa9959e749cdd6f7eafb36e271e4669fd734276367f88e9348308ab344882f8352996ac782013734f2b03d06fe234c24aa9ff3 |
\Windows\system\ZBpyBUu.exe
| MD5 | 572c8c94bdfd04bb4e16d73e6f993694 |
| SHA1 | 2f3bb2a0407964c4bc68c405dcb7d352f52b47f9 |
| SHA256 | 52cacaa05d9e41ccd7a47faa68296ffc86b9c6c8e2ddb08c2b95830a65eb443f |
| SHA512 | 2a6267336f1da58bbb373f6fcfc2b4755a5d9a43782dc62b3dfd2281ba16f14447cca23a0f853e83f3b9b9965e2729dd3f485cb7e2bbad79729e1d42c973ad50 |
\Windows\system\oMywRUt.exe
| MD5 | 9444e6827ac1bbbe28e9ff892a4d336f |
| SHA1 | f817eaa50618d893c0520251a123d494bbce062c |
| SHA256 | 681392a7e601304e766819a5256bd18c6a2a27bf9b23dfbad3dcf533d1f2f3a8 |
| SHA512 | 9a26f0c70755aa30af45b5f024497acc2ca5a3606a048f60b228134f4055c2f44bf04a4d026273c1169cf17cdf068b456ec01555b92618e9542edbcd9f35b8d4 |
\Windows\system\WDHNaoV.exe
| MD5 | fdee27c6d02696b41e90655fb928a606 |
| SHA1 | 1e9c2d6e4782363dbff98578a227c36938dcc048 |
| SHA256 | 5a70cf3ad1687822a54d7400f3e9b1ab82188ab50d80c654971d8180a6509552 |
| SHA512 | 4afd2f464365678b04800785bfdd3197edbedbc308208d6a549ca3f0bb1f98ca6989a707a9af4524f0adb9b08b0bca1cc509e2a7ec3177e9b93eb7fcb99ce10c |
memory/2948-118-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2068-117-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/592-116-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2068-115-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2068-114-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1424-113-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2068-112-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2068-111-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2448-110-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2068-109-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2416-108-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2068-107-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2432-106-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2068-105-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2728-104-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2068-103-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2752-102-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2068-101-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2412-100-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2068-99-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2532-98-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2068-97-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2640-96-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2068-95-0x000000013FCD0000-0x0000000140024000-memory.dmp
C:\Windows\system\xOlOLCM.exe
| MD5 | ad76343e91cf63192679b7fb21a9c8f1 |
| SHA1 | df0974ed0e7545a7e61c5f1e63842f1cc6c07f4e |
| SHA256 | 6d2131acc536b3af2dac6ab9c7a8392963f0d11db34218406b5799eb129337da |
| SHA512 | 31a3797569861c1843461954a6671ff934655a393095849148b83c2a9d0900ce9f5d3234a0597c2609686419a97c33a430966ad2a4752b2bf408b7c4e59330f3 |
C:\Windows\system\JtUIjnd.exe
| MD5 | da600060987de66274bf49519aa76b6a |
| SHA1 | cc4c0e2a9596b73575906b6d0f5853f948db6893 |
| SHA256 | 4efdebe16578e25a16697da16803963632689b49ad7da5a04ae35b32e1a7b2d9 |
| SHA512 | 7de135122f4ae055a2cd4214a4b73332db5f3c26bb4dc00cf982f3ccaca90f4e7dd0291c73f7f4dd871a8d82340bc73701298c66affb10f6edb39c7015521c52 |
memory/2068-77-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\lCEopTG.exe
| MD5 | e3d9fdc855150834017bcc52af4d4482 |
| SHA1 | 2b3f281570d08a3f8f45b1505ad03cab4b171a26 |
| SHA256 | 34d384c5801c898c995faebe55fcef8445b9374752252ea467f1cb863b71c361 |
| SHA512 | 74e7b0a0b9fa4ddaef320c7a20c4d1cfb1356f425aad30f66c331d5ee054491b54bf5be86d41ed2b26fcdeb92ebb587b05e6132edcd12a44ffa5e49a3f0b3b7c |
C:\Windows\system\LnDdOPP.exe
| MD5 | 8fa7a3d7675c76087abaad13bd56c058 |
| SHA1 | eeb266449f4d0c6bf7ad02258969d8554a0b9aa1 |
| SHA256 | 6d4d3c21ec2d78e668b0d1a95eb31f962fc8f96d69109689d0ede09ae192f523 |
| SHA512 | fab5f961094dda75c00bc47002e9f2ff829016724eafb2c6af142a045d0e8d5cf060a590c1e604b7a0568a04a8f96851777a65b43768fcad0066cc809b7a6dbb |
C:\Windows\system\hhNROGS.exe
| MD5 | d85926b22380d729ce3e805fb47b8382 |
| SHA1 | 2384d227a0b9a0ef96dae4f56600ea8269dc13ed |
| SHA256 | 1129728f04f20d9a225ee435a40a9fb591efe9faaa15fb424b84bf6bc5c21800 |
| SHA512 | 2742a54e1b81c338f74b200fa27cca1ac9f68bd86dff77af9c27618ddc3c14b7d1d5fcb9d7ed8aa346342caa407a33cccd26c37844a98077e2880d3b11092ded |
C:\Windows\system\oyaeula.exe
| MD5 | d7f9737330c226fa7abc5032a1791dcd |
| SHA1 | 082a038bbde4493d737a5810395c0a7ee4fce2f4 |
| SHA256 | 4bb3e104b5ac0637416fbbe4a0a8ccff28bf89c166b1f91bd23fd2bbee926e93 |
| SHA512 | 6fbce4fbdf5a3df32983e4a1b56ad755bbf9483a4eef770d07a48df4100172320946cbea8ded878159b3f16f03e02edabfcef51ac878bae1f7f6c12feae9c95b |
C:\Windows\system\nTHpOBE.exe
| MD5 | 107f990ab121ac4976f8f656c20c9177 |
| SHA1 | ac17dba28b3da2b1db00bc5f4a979a8945faa923 |
| SHA256 | 0343c6c538f288b854e05aea7c45a492596fbcded25611a6c8976707602f6617 |
| SHA512 | 0c9da956376f373a68d30e27c4c877a585bd208fc9e5d2f51998f6760a834823190effff9defde181336f199eed0dcc8189fc6bf1f2ddca02da0dd00f0c37037 |
memory/2068-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2068-136-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2448-137-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1424-138-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/592-139-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2948-140-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2536-141-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2992-142-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2640-143-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2532-144-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2752-145-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2412-146-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2432-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2416-149-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2728-148-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2448-151-0x000000013F630000-0x000000013F984000-memory.dmp
memory/592-150-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1424-152-0x000000013F4B0000-0x000000013F804000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 19:42
Reported
2024-06-09 19:45
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dblzxHu.exe | N/A |
| N/A | N/A | C:\Windows\System\ThsnDKf.exe | N/A |
| N/A | N/A | C:\Windows\System\HQCkkrf.exe | N/A |
| N/A | N/A | C:\Windows\System\njRHTKp.exe | N/A |
| N/A | N/A | C:\Windows\System\TdBfFQB.exe | N/A |
| N/A | N/A | C:\Windows\System\tYkGesG.exe | N/A |
| N/A | N/A | C:\Windows\System\xXyDPgL.exe | N/A |
| N/A | N/A | C:\Windows\System\JmkGAnU.exe | N/A |
| N/A | N/A | C:\Windows\System\UFdWoTu.exe | N/A |
| N/A | N/A | C:\Windows\System\rSmwfHp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZEZHowI.exe | N/A |
| N/A | N/A | C:\Windows\System\WDytuFu.exe | N/A |
| N/A | N/A | C:\Windows\System\QvrAKav.exe | N/A |
| N/A | N/A | C:\Windows\System\SXGAyKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jHajnoR.exe | N/A |
| N/A | N/A | C:\Windows\System\GPbEger.exe | N/A |
| N/A | N/A | C:\Windows\System\EwtNcdE.exe | N/A |
| N/A | N/A | C:\Windows\System\TtyyRKN.exe | N/A |
| N/A | N/A | C:\Windows\System\fAUhYZU.exe | N/A |
| N/A | N/A | C:\Windows\System\klwiRho.exe | N/A |
| N/A | N/A | C:\Windows\System\UBsISQC.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_9df1383c7dd6be7fb31da5775d9b34bd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dblzxHu.exe
C:\Windows\System\dblzxHu.exe
C:\Windows\System\ThsnDKf.exe
C:\Windows\System\ThsnDKf.exe
C:\Windows\System\HQCkkrf.exe
C:\Windows\System\HQCkkrf.exe
C:\Windows\System\njRHTKp.exe
C:\Windows\System\njRHTKp.exe
C:\Windows\System\TdBfFQB.exe
C:\Windows\System\TdBfFQB.exe
C:\Windows\System\tYkGesG.exe
C:\Windows\System\tYkGesG.exe
C:\Windows\System\xXyDPgL.exe
C:\Windows\System\xXyDPgL.exe
C:\Windows\System\JmkGAnU.exe
C:\Windows\System\JmkGAnU.exe
C:\Windows\System\UFdWoTu.exe
C:\Windows\System\UFdWoTu.exe
C:\Windows\System\rSmwfHp.exe
C:\Windows\System\rSmwfHp.exe
C:\Windows\System\ZEZHowI.exe
C:\Windows\System\ZEZHowI.exe
C:\Windows\System\WDytuFu.exe
C:\Windows\System\WDytuFu.exe
C:\Windows\System\QvrAKav.exe
C:\Windows\System\QvrAKav.exe
C:\Windows\System\SXGAyKJ.exe
C:\Windows\System\SXGAyKJ.exe
C:\Windows\System\jHajnoR.exe
C:\Windows\System\jHajnoR.exe
C:\Windows\System\GPbEger.exe
C:\Windows\System\GPbEger.exe
C:\Windows\System\EwtNcdE.exe
C:\Windows\System\EwtNcdE.exe
C:\Windows\System\TtyyRKN.exe
C:\Windows\System\TtyyRKN.exe
C:\Windows\System\fAUhYZU.exe
C:\Windows\System\fAUhYZU.exe
C:\Windows\System\klwiRho.exe
C:\Windows\System\klwiRho.exe
C:\Windows\System\UBsISQC.exe
C:\Windows\System\UBsISQC.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files