Analysis Overview
SHA256
a9f4f0aaa2b9dada4882da30859d2da372ccd7d5633a195b0b94333e72e85c0d
Threat Level: Known bad
The file 2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:05
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:05
Reported
2024-05-22 21:08
Platform
win7-20240419-en
Max time kernel
145s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\DNIDYCT.exe |
| C:\Windows\System\uZXvvHS.exe |
| C:\Windows\System\SPiUxVI.exe |
| C:\Windows\System\aYABSRl.exe |
| C:\Windows\System\sCPXniY.exe |
| C:\Windows\System\QWDqrqm.exe |
| C:\Windows\System\rYzVUXI.exe |
| C:\Windows\System\kfVoYGH.exe |
| C:\Windows\System\prnJqjv.exe |
| C:\Windows\System\ndbsVPN.exe |
| C:\Windows\System\tjBgRhp.exe |
| C:\Windows\System\MHvoCHf.exe |
| C:\Windows\System\fPTwpoi.exe |
| C:\Windows\System\RJWZWVT.exe |
| C:\Windows\System\IqNxFzn.exe |
| C:\Windows\System\MVBcHTS.exe |
| C:\Windows\System\fsjdSkC.exe |
| C:\Windows\System\UUstWaY.exe |
| C:\Windows\System\WhDrcBV.exe |
| C:\Windows\System\GuYbRdY.exe |
| C:\Windows\System\gfRoYtJ.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\DNIDYCT.exe | C:\Windows\System\DNIDYCT.exe |
| C:\Windows\System\uZXvvHS.exe | C:\Windows\System\uZXvvHS.exe |
| C:\Windows\System\SPiUxVI.exe | C:\Windows\System\SPiUxVI.exe |
| C:\Windows\System\aYABSRl.exe | C:\Windows\System\aYABSRl.exe |
| C:\Windows\System\QWDqrqm.exe | C:\Windows\System\QWDqrqm.exe |
| C:\Windows\System\sCPXniY.exe | C:\Windows\System\sCPXniY.exe |
| C:\Windows\System\rYzVUXI.exe | C:\Windows\System\rYzVUXI.exe |
| C:\Windows\System\kfVoYGH.exe | C:\Windows\System\kfVoYGH.exe |
| C:\Windows\System\prnJqjv.exe | C:\Windows\System\prnJqjv.exe |
| C:\Windows\System\ndbsVPN.exe | C:\Windows\System\ndbsVPN.exe |
| C:\Windows\System\tjBgRhp.exe | C:\Windows\System\tjBgRhp.exe |
| C:\Windows\System\MHvoCHf.exe | C:\Windows\System\MHvoCHf.exe |
| C:\Windows\System\fPTwpoi.exe | C:\Windows\System\fPTwpoi.exe |
| C:\Windows\System\RJWZWVT.exe | C:\Windows\System\RJWZWVT.exe |
| C:\Windows\System\IqNxFzn.exe | C:\Windows\System\IqNxFzn.exe |
| C:\Windows\System\MVBcHTS.exe | C:\Windows\System\MVBcHTS.exe |
| C:\Windows\System\fsjdSkC.exe | C:\Windows\System\fsjdSkC.exe |
| C:\Windows\System\UUstWaY.exe | C:\Windows\System\UUstWaY.exe |
| C:\Windows\System\WhDrcBV.exe | C:\Windows\System\WhDrcBV.exe |
| C:\Windows\System\GuYbRdY.exe | C:\Windows\System\GuYbRdY.exe |
| C:\Windows\System\gfRoYtJ.exe | C:\Windows\System\gfRoYtJ.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:05
Reported
2024-05-22 21:08
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
161s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\KwTayzX.exe |
| C:\Windows\System\wCLriVk.exe |
| C:\Windows\System\aOQOEad.exe |
| C:\Windows\System\gJofWMp.exe |
| C:\Windows\System\SAdvvJq.exe |
| C:\Windows\System\NktLLrA.exe |
| C:\Windows\System\FtkJRyO.exe |
| C:\Windows\System\YIwHDWh.exe |
| C:\Windows\System\tZhCXyr.exe |
| C:\Windows\System\FduWFuF.exe |
| C:\Windows\System\CtOGfju.exe |
| C:\Windows\System\neNjBMR.exe |
| C:\Windows\System\bumIaHt.exe |
| C:\Windows\System\hyiFsme.exe |
| C:\Windows\System\IeTZjNw.exe |
| C:\Windows\System\jsFWlzM.exe |
| C:\Windows\System\LlfoscR.exe |
| C:\Windows\System\uXmelZL.exe |
| C:\Windows\System\vKaEZyO.exe |
| C:\Windows\System\uVJkThk.exe |
| C:\Windows\System\NblqKCw.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\KwTayzX.exe | C:\Windows\System\KwTayzX.exe |
| C:\Windows\System\wCLriVk.exe | C:\Windows\System\wCLriVk.exe |
| C:\Windows\System\aOQOEad.exe | C:\Windows\System\aOQOEad.exe |
| C:\Windows\System\gJofWMp.exe | C:\Windows\System\gJofWMp.exe |
| C:\Windows\System\SAdvvJq.exe | C:\Windows\System\SAdvvJq.exe |
| C:\Windows\System\NktLLrA.exe | C:\Windows\System\NktLLrA.exe |
| C:\Windows\System\FtkJRyO.exe | C:\Windows\System\FtkJRyO.exe |
| C:\Windows\System\YIwHDWh.exe | C:\Windows\System\YIwHDWh.exe |
| C:\Windows\System\tZhCXyr.exe | C:\Windows\System\tZhCXyr.exe |
| C:\Windows\System\FduWFuF.exe | C:\Windows\System\FduWFuF.exe |
| C:\Windows\System\CtOGfju.exe | C:\Windows\System\CtOGfju.exe |
| C:\Windows\System\neNjBMR.exe | C:\Windows\System\neNjBMR.exe |
| C:\Windows\System\bumIaHt.exe | C:\Windows\System\bumIaHt.exe |
| C:\Windows\System\hyiFsme.exe | C:\Windows\System\hyiFsme.exe |
| C:\Windows\System\IeTZjNw.exe | C:\Windows\System\IeTZjNw.exe |
| C:\Windows\System\jsFWlzM.exe | C:\Windows\System\jsFWlzM.exe |
| C:\Windows\System\LlfoscR.exe | C:\Windows\System\LlfoscR.exe |
| C:\Windows\System\uXmelZL.exe | C:\Windows\System\uXmelZL.exe |
| C:\Windows\System\vKaEZyO.exe | C:\Windows\System\vKaEZyO.exe |
| C:\Windows\System\uVJkThk.exe | C:\Windows\System\uVJkThk.exe |
| C:\Windows\System\NblqKCw.exe | C:\Windows\System\NblqKCw.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/4380-0-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp
memory/4380-1-0x000001D3CD6D0000-0x000001D3CD6E0000-memory.dmp
C:\Windows\System\KwTayzX.exe
| MD5 | d81dfbdfebf5ddf7da1d343b0d902f0a |
| SHA1 | 20d6fd309cc1c6ba8631efe89c47e143d5807c40 |
| SHA256 | 8ecee6c19b69c7c9e7a16c3768c2e912edb4923b8e69b1fe9f75e9cf3cb77951 |
| SHA512 | 06d3af01435b241e96a8efc2c6c43108084ac51161675c94c17aa0e889e20ca9676e38b3efa073d0efa41b1b4b9e09d10fa31d0e49089c62594f3d6a2856d231 |
memory/2728-7-0x00007FF7AC020000-0x00007FF7AC371000-memory.dmp
C:\Windows\System\wCLriVk.exe
| MD5 | 194afdcbccf03c189e58521f4aa1fe9e |
| SHA1 | c5c0295ea833e6fdc81d1cf21bf84e7d4bf6e403 |
| SHA256 | efcf12f3a47c64fea93682268f582e8ed8531e278eb8da2527af10abce1dfe9b |
| SHA512 | 5cfb30657e87bf2718835840e6e57ff81d454e164e6aec375e8b97f6beca4c0fe3a842e25a74514232d26597a3d2a4d6075cd5f6fde664a6b68320c16dde789d |
C:\Windows\System\aOQOEad.exe
| MD5 | 953613e387ce95f2f3a9776412f23387 |
| SHA1 | 80041387a96ba61955e584c5ad3406097f8b32ff |
| SHA256 | 3786f991f29a40cbbc6767a8d5b3e16e15b254b2e93b8598fb06ee0360e83ffb |
| SHA512 | 73948dea703d5cf9457c47eb3c829d6e9b76410cf4b3391840be1a1bfd23f325131e23784c084c6216c9fb96b275c05ba0799773a15d0c876f5062df283c08e0 |
memory/4984-14-0x00007FF7AAB60000-0x00007FF7AAEB1000-memory.dmp
memory/4024-20-0x00007FF6A22F0000-0x00007FF6A2641000-memory.dmp
C:\Windows\System\gJofWMp.exe
| MD5 | 79afe3e45fc8c0e96c0aef99da926441 |
| SHA1 | 55a7f2bc6f9afa46bb307ef9dae28fa5a54eb6d1 |
| SHA256 | b0527a729d3919e6046b31e3fbc7c400a4814755e7fb383327a78ce980fa51b6 |
| SHA512 | 5e3218c26522d9e07308a10e878a84275a2aacc60b8669702f5c51c50b159345b92ce6b0583651b69b0f28d255ca47653f6ad2b8349a7a23ff69002600b77ae1 |
memory/1284-26-0x00007FF7030C0000-0x00007FF703411000-memory.dmp
C:\Windows\System\SAdvvJq.exe
| MD5 | 2d4cedce6a4dc482b9428fc606acc727 |
| SHA1 | efb2c760f0bdcbd459cad7b52cb38a014002aecf |
| SHA256 | b3c94f0862e99bfd02dee8f485257b849d533d5193b43deb77b673fa69817202 |
| SHA512 | cbe81c2762680447fdcf75f6e139e70a00910831d0b3a382a940d34e7263cb22e2570176463e38d3aea921b6e260633ab03cfdd8f5e881eca9458ead987c6da4 |
memory/1212-32-0x00007FF79A310000-0x00007FF79A661000-memory.dmp
C:\Windows\System\NktLLrA.exe
| MD5 | cf95643e96284076743d56d66b6a911f |
| SHA1 | 82f39bc436a9eb189982ff7d1c6e793f524f7c40 |
| SHA256 | f8d24599ac76caa47d4447352a266c07d4814be06ddc5d4372d54fa376764e1f |
| SHA512 | 6a9c986379720bb935d31a822a57863696e486bde6851f9b1a194bfe6288b45a65220a749f72f30b7d30bc695fcdd409c7f09c84f5cd43c30a8d693c7a97cda5 |
memory/3012-38-0x00007FF60FE60000-0x00007FF6101B1000-memory.dmp
C:\Windows\System\FtkJRyO.exe
| MD5 | a65dc02bbb2eab6cbe60eb9c2fa3c92c |
| SHA1 | e01d8c16395fe879ba089e3030fbc59d40cbae62 |
| SHA256 | 90e76881216360e607f2104fdfb280b9f87be0e91f52d55f861d99cbe27b8b30 |
| SHA512 | c6f49e7f541367d705ffa553702b4bc57edd7d5a2579220cd85f5eb7b6b8dd8a8acc96c4e47df6a58385eebdb3354b9e2ad1e7a2bd9ffbb9b8c1ced989ebcbbc |
memory/2820-44-0x00007FF7C9050000-0x00007FF7C93A1000-memory.dmp
C:\Windows\System\YIwHDWh.exe
| MD5 | 262f2d44f78bfd9b8154dd1a3191a34f |
| SHA1 | c490faed448b3fa52c3114740f9e301bbb05f3dc |
| SHA256 | 4233ba3b8eb7d594904c83a3f8f3a92427b2a90f44e3f5ea2add5f3f73f2bd04 |
| SHA512 | 2ea6646d476b31d44b938fb953c7bfe2380bcd735b1aed26917bb6cc62425736512c35bd77e60fafe851fe114ebe26d29eadbd39a2f982692b89f0935a293cb3 |
memory/1776-50-0x00007FF71A640000-0x00007FF71A991000-memory.dmp
C:\Windows\System\tZhCXyr.exe
| MD5 | dfbe4c989296e92005f9bc5d49ff1f78 |
| SHA1 | ff391838ada30a14632849ecb6fb7375e9b3607a |
| SHA256 | 811981cc23e5feea03c8dd99dd4dbb16af617fbffa36db1540f3c0b9a31787c2 |
| SHA512 | ec984d89de10550e19ad7a48fea29a0eaeaec764d31da612f0bd6b2e227d2d51ae01ad7ea50edceeb078468ee456daf73bc8f950f2b2844cfc961ff87ce70633 |
memory/4380-55-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp
memory/4572-57-0x00007FF792C20000-0x00007FF792F71000-memory.dmp
C:\Windows\System\FduWFuF.exe
| MD5 | 284bd7ca385967563d2597a0e602ff51 |
| SHA1 | 77fbdf0003d3f9b42c3a834a61b4af55edae1a4a |
| SHA256 | 29b265981412f811b0b1b253e76303ca86053dc7dc7224347688fa370f1206dd |
| SHA512 | 6b3340196dc084f62e69f842b50b69bf69b5eec2418b61423ba1155798c51b39cfe882059fc982bbf09e54e766d7f5a5630ed1bd167c7b715ef4543a55bf23e3 |
C:\Windows\System\CtOGfju.exe
| MD5 | a25491ccc9263b8dcd74f803e4f0c42d |
| SHA1 | 67a2d8c1cbfaf31ae4721f86151384779c007a72 |
| SHA256 | 9c5e41967236d259655dc0785f1bd3f765eff8f3fd394d1f32b1803d91cd1464 |
| SHA512 | 59afdc9391582e9931e0228e47194f1f94d708cabb333bbdbb8b3d08b91b8e3cc65cfcc6cff82aa72027da0f2d4c40aecdb71013b0e0659e0d855a18dffcf4f8 |
memory/2728-69-0x00007FF7AC020000-0x00007FF7AC371000-memory.dmp
memory/776-70-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp
memory/680-63-0x00007FF7820F0000-0x00007FF782441000-memory.dmp
C:\Windows\System\neNjBMR.exe
| MD5 | 112237c3f4d7c20ce2d8635ad4d7546e |
| SHA1 | 91198b7a33b347d9229649c7c3fff93c989cc49e |
| SHA256 | 0d1f07fcad8a2c947e2124b3252a70017684cd7ca4a5ccec834da94985c97e4d |
| SHA512 | 40cb345d2c6b201ba15cf7f409ecef0d39846814c5285eda8881c568bccbb40721e2c3afb4721654a8c36f6d10798870277aab2b893dbe1fb2fafe41f14173ba |
memory/4984-75-0x00007FF7AAB60000-0x00007FF7AAEB1000-memory.dmp
C:\Windows\System\bumIaHt.exe
| MD5 | 597790784c7461bf3f2bf1384358f32b |
| SHA1 | f783b6900b82ab636f03b32a1a0948897a5aa1d4 |
| SHA256 | 656cb72abe8bd3691c14c7bf5b620156e26b37ec223245ad36cd728510521b8b |
| SHA512 | ddd0516976a745b9c96395f5233c944e5bfb7625e3b931f2c819c6c17b40c3a9b24766aba0b0411317e3bc8f772fa636ad5c33a3664b6b646127767b030485d0 |
C:\Windows\System\hyiFsme.exe
| MD5 | 343f612152bdb5687f9fad1728902c74 |
| SHA1 | 59c8a408ef6bced660cc395f0d753096ce43bf04 |
| SHA256 | 07f8e2fe1cce8fd677f3142b3ad97dd0f132c4cef4897c44d37e077b48cccf88 |
| SHA512 | e128ef0f09e97a667ad11c559f50a13344c1b82e0ef1ec2974e8874fd0728966cf7edabe17935e2fe2a5e196e69f201ba8d645e5b7b4ce566383b40fd6e92794 |
C:\Windows\System\IeTZjNw.exe
| MD5 | 4165819c363e28f3e7f995363514f537 |
| SHA1 | cea118dae5c70e434e3aa1310ce3ce0fadde81dc |
| SHA256 | 202e09fbd4743a2b74d15addab29c8889ffae4acc5598a30f659b688303ed09a |
| SHA512 | 2f22a41cc2e2df9ad8c5d4e623956acee61f7dbe99e49dbfe4f656e0ceb8b7418a830ae008748ee61fef90a19581fddee8c73d7c5b6f0986f64ed433859d5d2d |
memory/4024-94-0x00007FF6A22F0000-0x00007FF6A2641000-memory.dmp
C:\Windows\System\jsFWlzM.exe
| MD5 | 37aab6796a60dbaece4a092f4c5e648c |
| SHA1 | 229c9a7941dd9f45411e05acd98e4b03b883ae06 |
| SHA256 | 058835f15462bba20556c2bcf8e667ea63c708a883e8b6ed1125c54df0a1aa30 |
| SHA512 | 3f73a0aa53415ee65c484a33b5a7b9bfd1795e3dc1f6c0b372c1e62de518be32606c2c0be03da788c714be9e2db4c5e92514d987817e76906d62d4aaaa43a5f2 |
memory/2492-98-0x00007FF6CE160000-0x00007FF6CE4B1000-memory.dmp
memory/1284-95-0x00007FF7030C0000-0x00007FF703411000-memory.dmp
C:\Windows\System\LlfoscR.exe
| MD5 | d0976774d1e9974681e5187d34dc1538 |
| SHA1 | d0bb1d762cd012c9b734dca7476da6bf50f4934f |
| SHA256 | 291effeb8681cbd606921a74c2e8cf155201d9663ce8d7a57951ac65b8f33656 |
| SHA512 | d16ee535f372aa279fd8189ab38b7b939bf76e3c954ec818b309ce5e434d7fb5010aa8c764464374369f8856cb3004ab36ce3dca4e849f964e508128982986f7 |
memory/1212-108-0x00007FF79A310000-0x00007FF79A661000-memory.dmp
memory/2792-109-0x00007FF7AEC10000-0x00007FF7AEF61000-memory.dmp
memory/3752-112-0x00007FF7F69A0000-0x00007FF7F6CF1000-memory.dmp
memory/524-118-0x00007FF79C210000-0x00007FF79C561000-memory.dmp
C:\Windows\System\uXmelZL.exe
| MD5 | 68085f3cdf22d129709d067fc2a64974 |
| SHA1 | 48879cb595c7ae5d035ad3a5f27e5d9167d5217d |
| SHA256 | 1d10c8a0639984ff10e98ae28493f958706925be52c6ec159c366b9f2f5e2a11 |
| SHA512 | 6cc22e5c54331ec6f5ba8e56fcd17037c3b0048999ca4cf0ec3285da5569da733652ab4b6e8202a0f5ed915a5b2ba043692ee643796ad41ee0c8b71b2e18da3a |
C:\Windows\System\vKaEZyO.exe
| MD5 | fb0291f12b975cb5c8dfdbcd0d7b50ca |
| SHA1 | 1d4ea853381c99b82e4e886a889548cb75f21bb7 |
| SHA256 | cf3a60e82cc20d5d72873981ac47a2ff69e7f57ab9a029079457d16f8d9301a9 |
| SHA512 | c44fcca403482c7a8a844b80ad3d31a0d83d596041f27f9eb0fa934192c39acaa630f9398ef1cdff86064dcb04ef816b36f19ad9aec5ab07604807e97847665c |
C:\Windows\System\uVJkThk.exe
| MD5 | 07b0740bb66cfabeede8317113ffe2db |
| SHA1 | f07d633ea2b57d6a07d4cfd286220c2c73a0482e |
| SHA256 | 5c1fe31ff53963f4cf5690962aab908d08ef6ac7f0d9d70853764eda98defd53 |
| SHA512 | c6256329d0494214a21b490a637545c9f854755812c8cced1e0c6cc05fa5ba0e1032a15b3a8cc310cfa45ec95bf3d2f3508f6dfcd23881b6070cce9dcd9e3479 |
C:\Windows\System\NblqKCw.exe
| MD5 | 642798002fe57cd2f09c23ff91b1250e |
| SHA1 | 8672f314d368f5bcd3fa518e5dd9d6922aeb69da |
| SHA256 | 2c5240b8f1d5f0fc2b4e39421b973d5c2d09004c190b0fd51fa3a9d26ac642a5 |
| SHA512 | 6872bcfef00cf6b0e3954047123185197aa341849996eef6829c144c82f47baf3e3df0549b7bed95630a4a9c824f966e5fa05eaece0fe2c93cf3bea036d1eb85 |
memory/3172-115-0x00007FF73FBA0000-0x00007FF73FEF1000-memory.dmp
memory/3380-114-0x00007FF6B1740000-0x00007FF6B1A91000-memory.dmp
memory/1060-107-0x00007FF7870D0000-0x00007FF787421000-memory.dmp
memory/1776-138-0x00007FF71A640000-0x00007FF71A991000-memory.dmp
memory/2820-137-0x00007FF7C9050000-0x00007FF7C93A1000-memory.dmp
memory/4380-134-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp
memory/4084-148-0x00007FF692D10000-0x00007FF693061000-memory.dmp
memory/4584-147-0x00007FF7A2020000-0x00007FF7A2371000-memory.dmp
memory/3640-149-0x00007FF6244A0000-0x00007FF6247F1000-memory.dmp
memory/4380-160-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp
memory/2728-190-0x00007FF7AC020000-0x00007FF7AC371000-memory.dmp
memory/4984-192-0x00007FF7AAB60000-0x00007FF7AAEB1000-memory.dmp
memory/4024-194-0x00007FF6A22F0000-0x00007FF6A2641000-memory.dmp
memory/1284-202-0x00007FF7030C0000-0x00007FF703411000-memory.dmp
memory/1212-204-0x00007FF79A310000-0x00007FF79A661000-memory.dmp
memory/3012-206-0x00007FF60FE60000-0x00007FF6101B1000-memory.dmp
memory/2820-212-0x00007FF7C9050000-0x00007FF7C93A1000-memory.dmp
memory/1776-214-0x00007FF71A640000-0x00007FF71A991000-memory.dmp
memory/4572-220-0x00007FF792C20000-0x00007FF792F71000-memory.dmp
memory/680-222-0x00007FF7820F0000-0x00007FF782441000-memory.dmp
memory/776-224-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp
memory/2492-226-0x00007FF6CE160000-0x00007FF6CE4B1000-memory.dmp
memory/3752-228-0x00007FF7F69A0000-0x00007FF7F6CF1000-memory.dmp
memory/1060-230-0x00007FF7870D0000-0x00007FF787421000-memory.dmp
memory/2792-235-0x00007FF7AEC10000-0x00007FF7AEF61000-memory.dmp
memory/3380-237-0x00007FF6B1740000-0x00007FF6B1A91000-memory.dmp
memory/3172-239-0x00007FF73FBA0000-0x00007FF73FEF1000-memory.dmp
memory/524-241-0x00007FF79C210000-0x00007FF79C561000-memory.dmp
memory/4584-243-0x00007FF7A2020000-0x00007FF7A2371000-memory.dmp
memory/4084-245-0x00007FF692D10000-0x00007FF693061000-memory.dmp
memory/3640-247-0x00007FF6244A0000-0x00007FF6247F1000-memory.dmp
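The Processes, Network and Files sections above are raw indicators. The Python helper below is an added example, not part of this report or of the Triage sandbox: it parses lines in exactly the shapes those three sections use and turns them into hunt-ready data. It also makes explicit two points the listing only implies: every dropped payload is written to C:\Windows\System (the legacy directory, not System32) under a seven-letter random name, and the large region dumped from each PID has the same size (0x351000 bytes) at a different ASLR base every time, consistent with one and the same image being mapped in every dropped process. REPORT_EXCERPT is a constructed subset of the report's own lines, and the function names are this example's own.

```python
"""Pull hunt-ready indicators out of a Triage-style text report.

Added example, not part of the sandbox report or of Triage. REPORT_EXCERPT is a
constructed sample: a handful of lines copied from the report above, in the same
layout, so the script runs offline.
"""
import re
from collections import Counter

REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\2024-05-22_ec28623da4216e6f416d36004dd3a650_cobalt-strike_cobaltstrike.exe
C:\Windows\System\KwTayzX.exe
C:\Windows\System\wCLriVk.exe
C:\Windows\System\aOQOEad.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | tcp | |
memory/4380-0-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp
memory/4380-1-0x000001D3CD6D0000-0x000001D3CD6E0000-memory.dmp
memory/2728-7-0x00007FF7AC020000-0x00007FF7AC371000-memory.dmp
memory/4984-14-0x00007FF7AAB60000-0x00007FF7AAEB1000-memory.dmp
memory/4380-55-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp
| MD5 | d81dfbdfebf5ddf7da1d343b0d902f0a |
| SHA256 | 8ecee6c19b69c7c9e7a16c3768c2e912edb4923b8e69b1fe9f75e9cf3cb77951 |
"""

# C:\Windows\System (not System32) plus seven random letters and .exe is the
# naming the dropper above uses for every payload copy it executes.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, as in the Files section.
MEMORY_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
ENDPOINT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")
HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}


def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def _cells(line):
    return [c.strip() for c in line.strip("|").split("|")]


def dropped_system_exes(text):
    """Sorted, de-duplicated process paths matching the dropper's naming pattern."""
    return sorted({ln for ln in _lines(text) if DROPPED_EXE.match(ln)})


def memory_regions(text):
    """(pid, start, end, size) for every memory dump name; size is end - start."""
    out = []
    for ln in _lines(text):
        m = MEMORY_DUMP.match(ln)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            out.append((int(m["pid"]), start, end, end - start))
    return out


def shared_image_size(regions):
    """Most common region size and the distinct PIDs that map a region of that size.

    The same size at a different base in many PIDs means the same image was
    dumped from each process, not many different payloads."""
    sizes = Counter(size for _, _, _, size in regions)
    size, _ = sizes.most_common(1)[0]
    pids = sorted({pid for pid, _, _, s in regions if s == size})
    return size, pids


def network_endpoints(text):
    """Counter of (destination, proto) from table rows.

    Tolerates rows where the proto landed in the Domain column, which is how the
    tcp rows are laid out in the report."""
    counts = Counter()
    for ln in _lines(text):
        if not ln.startswith("|"):
            continue
        cells = _cells(ln)
        if len(cells) != 4 or not ENDPOINT.match(cells[1]):
            continue
        proto = next((c for c in cells[2:] if c in ("tcp", "udp")), "?")
        counts[(cells[1], proto)] += 1
    return counts


def non_dns_endpoints(counts):
    """Drop resolver traffic (port 53) so what remains is worth blocking or hunting."""
    return {k: v for k, v in counts.items() if not k[0].endswith(":53")}


def file_hashes(text):
    """algo -> list of lower-case hashes, in report order."""
    out = {}
    for ln in _lines(text):
        if ln.startswith("|"):
            cells = _cells(ln)
            if len(cells) == 2 and cells[0] in HASH_ALGOS:
                out.setdefault(cells[0], []).append(cells[1].lower())
    return out


if __name__ == "__main__":
    regions = memory_regions(REPORT_EXCERPT)
    size, pids = shared_image_size(regions)
    print("dropped payload paths:", dropped_system_exes(REPORT_EXCERPT))
    print(f"shared region size 0x{size:X} seen in {len(pids)} PIDs: {pids}")
    print("non-DNS endpoints:", non_dns_endpoints(network_endpoints(REPORT_EXCERPT)))
    print("hashes:", file_hashes(REPORT_EXCERPT))
```

Run against the full report text rather than the excerpt and the shared size comes out as 0x351000 for all 21 dropped PIDs plus the parent; the 0x10000 region for PID 4380 is the one outlier. Anything running from C:\Windows\System with a seven-letter random name is a strong host indicator on its own, and 3.120.209.58:8080 over tcp is the only non-resolver endpoint in the capture.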