Analysis Overview
SHA256
d725205e3d6765bc50db32dd189a745832cae07733055187fd5a8ea075c6c877
Threat Level: Known bad
The file 2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Xmrig family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 10:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 10:09
Reported
2024-05-30 10:11
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\yNUDeHc.exe | N/A |
| N/A | N/A | C:\Windows\System\CJKonhh.exe | N/A |
| N/A | N/A | C:\Windows\System\HHvfAZj.exe | N/A |
| N/A | N/A | C:\Windows\System\bGaMdwP.exe | N/A |
| N/A | N/A | C:\Windows\System\chNadLB.exe | N/A |
| N/A | N/A | C:\Windows\System\bmZhzVT.exe | N/A |
| N/A | N/A | C:\Windows\System\NJkImYx.exe | N/A |
| N/A | N/A | C:\Windows\System\ZlfEQTO.exe | N/A |
| N/A | N/A | C:\Windows\System\vUhlVVq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZShHjdm.exe | N/A |
| N/A | N/A | C:\Windows\System\aHSPhjy.exe | N/A |
| N/A | N/A | C:\Windows\System\FaTpToB.exe | N/A |
| N/A | N/A | C:\Windows\System\kmASGIz.exe | N/A |
| N/A | N/A | C:\Windows\System\YGeDcBB.exe | N/A |
| N/A | N/A | C:\Windows\System\XhbuoOi.exe | N/A |
| N/A | N/A | C:\Windows\System\aMHbMOc.exe | N/A |
| N/A | N/A | C:\Windows\System\dBIVhFt.exe | N/A |
| N/A | N/A | C:\Windows\System\lzophDD.exe | N/A |
| N/A | N/A | C:\Windows\System\iJwwNlu.exe | N/A |
| N/A | N/A | C:\Windows\System\PwfdURE.exe | N/A |
| N/A | N/A | C:\Windows\System\QFLwidW.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\yNUDeHc.exe
C:\Windows\System\CJKonhh.exe
C:\Windows\System\HHvfAZj.exe
C:\Windows\System\bGaMdwP.exe
C:\Windows\System\chNadLB.exe
C:\Windows\System\bmZhzVT.exe
C:\Windows\System\NJkImYx.exe
C:\Windows\System\ZlfEQTO.exe
C:\Windows\System\vUhlVVq.exe
C:\Windows\System\ZShHjdm.exe
C:\Windows\System\aHSPhjy.exe
C:\Windows\System\FaTpToB.exe
C:\Windows\System\kmASGIz.exe
C:\Windows\System\YGeDcBB.exe
C:\Windows\System\XhbuoOi.exe
C:\Windows\System\aMHbMOc.exe
C:\Windows\System\dBIVhFt.exe
C:\Windows\System\lzophDD.exe
C:\Windows\System\iJwwNlu.exe
C:\Windows\System\PwfdURE.exe
C:\Windows\System\QFLwidW.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 10:09
Reported
2024-05-30 10:11
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\CyoipiN.exe | N/A |
| N/A | N/A | C:\Windows\System\WsEopIW.exe | N/A |
| N/A | N/A | C:\Windows\System\qrfKRju.exe | N/A |
| N/A | N/A | C:\Windows\System\KGEXyXA.exe | N/A |
| N/A | N/A | C:\Windows\System\sIKUytw.exe | N/A |
| N/A | N/A | C:\Windows\System\dDEUNvf.exe | N/A |
| N/A | N/A | C:\Windows\System\XuhseOG.exe | N/A |
| N/A | N/A | C:\Windows\System\sAQAVVk.exe | N/A |
| N/A | N/A | C:\Windows\System\xwZAJvk.exe | N/A |
| N/A | N/A | C:\Windows\System\tAyQshP.exe | N/A |
| N/A | N/A | C:\Windows\System\EbyfUet.exe | N/A |
| N/A | N/A | C:\Windows\System\FAOfzWk.exe | N/A |
| N/A | N/A | C:\Windows\System\ruReaOl.exe | N/A |
| N/A | N/A | C:\Windows\System\BLjiigX.exe | N/A |
| N/A | N/A | C:\Windows\System\WNMkrVK.exe | N/A |
| N/A | N/A | C:\Windows\System\jswfTye.exe | N/A |
| N/A | N/A | C:\Windows\System\tKOEDbY.exe | N/A |
| N/A | N/A | C:\Windows\System\ivTopcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\TrwJDEL.exe | N/A |
| N/A | N/A | C:\Windows\System\egMHQNJ.exe | N/A |
| N/A | N/A | C:\Windows\System\cyTLhou.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_ac21948565285d29adf9cbc157cbeb02_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CyoipiN.exe
C:\Windows\System\WsEopIW.exe
C:\Windows\System\qrfKRju.exe
C:\Windows\System\KGEXyXA.exe
C:\Windows\System\sIKUytw.exe
C:\Windows\System\dDEUNvf.exe
C:\Windows\System\XuhseOG.exe
C:\Windows\System\sAQAVVk.exe
C:\Windows\System\xwZAJvk.exe
C:\Windows\System\tAyQshP.exe
C:\Windows\System\EbyfUet.exe
C:\Windows\System\FAOfzWk.exe
C:\Windows\System\ruReaOl.exe
C:\Windows\System\BLjiigX.exe
C:\Windows\System\WNMkrVK.exe
C:\Windows\System\jswfTye.exe
C:\Windows\System\tKOEDbY.exe
C:\Windows\System\ivTopcJ.exe
C:\Windows\System\TrwJDEL.exe
C:\Windows\System\egMHQNJ.exe
C:\Windows\System\cyTLhou.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files