Analysis Overview
SHA256
e4c685e90a69095e7f8923bb50560619dc8fa05adecae632863ba89b0e218e84
Threat Level: Known bad
The file 2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
XMRig Miner payload
Xmrig family
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-01 01:42
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 01:42
Reported
2024-06-01 01:45
Platform
win7-20240220-en
Max time kernel
135s
Max time network
145s
Signatures
Cobalt Strike reflective loader
Hits: 21
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Hits: 21
UPX dump on OEP (original entry point)
Hits: 54
XMRig Miner payload
Hits: 58
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MyJPbWY.exe | N/A |
| N/A | N/A | C:\Windows\System\piVPthd.exe | N/A |
| N/A | N/A | C:\Windows\System\comBKvq.exe | N/A |
| N/A | N/A | C:\Windows\System\HqelNXz.exe | N/A |
| N/A | N/A | C:\Windows\System\uFkjWmh.exe | N/A |
| N/A | N/A | C:\Windows\System\BLmdEuB.exe | N/A |
| N/A | N/A | C:\Windows\System\tKNNkND.exe | N/A |
| N/A | N/A | C:\Windows\System\ZSoGenT.exe | N/A |
| N/A | N/A | C:\Windows\System\beeXyha.exe | N/A |
| N/A | N/A | C:\Windows\System\prmmqnx.exe | N/A |
| N/A | N/A | C:\Windows\System\VPfgvQb.exe | N/A |
| N/A | N/A | C:\Windows\System\yeFnTdv.exe | N/A |
| N/A | N/A | C:\Windows\System\AMVCqnu.exe | N/A |
| N/A | N/A | C:\Windows\System\kjkaPnR.exe | N/A |
| N/A | N/A | C:\Windows\System\xhtzaIR.exe | N/A |
| N/A | N/A | C:\Windows\System\iTlCKEo.exe | N/A |
| N/A | N/A | C:\Windows\System\svcZbJq.exe | N/A |
| N/A | N/A | C:\Windows\System\hSpAojB.exe | N/A |
| N/A | N/A | C:\Windows\System\WonbujW.exe | N/A |
| N/A | N/A | C:\Windows\System\oETpEzU.exe | N/A |
| N/A | N/A | C:\Windows\System\ANfpkYS.exe | N/A |
Loads dropped DLL
UPX packed file
Hits: 55
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MyJPbWY.exe
C:\Windows\System\MyJPbWY.exe
C:\Windows\System\piVPthd.exe
C:\Windows\System\piVPthd.exe
C:\Windows\System\comBKvq.exe
C:\Windows\System\comBKvq.exe
C:\Windows\System\HqelNXz.exe
C:\Windows\System\HqelNXz.exe
C:\Windows\System\uFkjWmh.exe
C:\Windows\System\uFkjWmh.exe
C:\Windows\System\BLmdEuB.exe
C:\Windows\System\BLmdEuB.exe
C:\Windows\System\tKNNkND.exe
C:\Windows\System\tKNNkND.exe
C:\Windows\System\ZSoGenT.exe
C:\Windows\System\ZSoGenT.exe
C:\Windows\System\beeXyha.exe
C:\Windows\System\beeXyha.exe
C:\Windows\System\prmmqnx.exe
C:\Windows\System\prmmqnx.exe
C:\Windows\System\VPfgvQb.exe
C:\Windows\System\VPfgvQb.exe
C:\Windows\System\yeFnTdv.exe
C:\Windows\System\yeFnTdv.exe
C:\Windows\System\AMVCqnu.exe
C:\Windows\System\AMVCqnu.exe
C:\Windows\System\kjkaPnR.exe
C:\Windows\System\kjkaPnR.exe
C:\Windows\System\svcZbJq.exe
C:\Windows\System\svcZbJq.exe
C:\Windows\System\xhtzaIR.exe
C:\Windows\System\xhtzaIR.exe
C:\Windows\System\hSpAojB.exe
C:\Windows\System\hSpAojB.exe
C:\Windows\System\iTlCKEo.exe
C:\Windows\System\iTlCKEo.exe
C:\Windows\System\oETpEzU.exe
C:\Windows\System\oETpEzU.exe
C:\Windows\System\WonbujW.exe
C:\Windows\System\WonbujW.exe
C:\Windows\System\ANfpkYS.exe
C:\Windows\System\ANfpkYS.exe
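The process list above is the host-side pattern worth hunting for: the sample in the user's Temp directory writes 7-letter randomly named copies into C:\Windows\System (the legacy 16-bit directory, not System32; writing there needs the administrative rights the sandbox's Admin account has) and launches each one. The two SeLockMemoryPrivilege rows under "Suspicious use of AdjustPrivilegeToken" fit the XMRig verdict: XMRig enables that privilege on Windows so it can back its RandomX dataset with large pages. The following is an added example by the editor, not code from the report or from the sandbox vendor. The event lines are constructed in a Sysmon Event ID 1 style (field names borrowed from Sysmon, layout is the editor's); the child PIDs 2920, 2976 and 2596 and the dropper PID 2868 are assumed from the memory-dump names in the Files section, and the parent/child links are assumed because the report does not list them.

```python
"""Flag the dropped-executable chain from the report's Processes list:
7-letter alphabetic .exe names run directly out of C:\Windows\System.

Editor's added example, not part of the original report. SAMPLE_EVENTS is
constructed in a Sysmon Event ID 1 style; parent/child links and PID
assignments are assumptions, the image paths are taken from the page.
"""
import re
from collections import Counter

LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"      # not System32
DROPPED_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")  # MyJPbWY.exe, piVPthd.exe, ...

# Constructed sample log: one process-creation record per line.
SAMPLE_EVENTS = r"""
ProcessId: 2868 | ParentProcessId: 1234 | Image: C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe | ParentImage: C:\Windows\explorer.exe
ProcessId: 2920 | ParentProcessId: 2868 | Image: C:\Windows\System\MyJPbWY.exe | ParentImage: C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe
ProcessId: 2976 | ParentProcessId: 2868 | Image: C:\Windows\System\piVPthd.exe | ParentImage: C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe
ProcessId: 2596 | ParentProcessId: 2868 | Image: C:\Windows\System\comBKvq.exe | ParentImage: C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe
ProcessId: 3104 | ParentProcessId: 1234 | Image: C:\Windows\System32\notepad.exe | ParentImage: C:\Windows\explorer.exe
ProcessId: 3188 | ParentProcessId: 1234 | Image: C:\Windows\System\abc1234.exe | ParentImage: C:\Windows\explorer.exe
ProcessId: 3220 | ParentProcessId: 1234 | Image: C:\Windows\System\sub\MyJPbWY.exe | ParentImage: C:\Windows\explorer.exe
"""


def parse_events(text):
    """Turn 'Key: Value | Key: Value' lines into dicts with integer PIDs."""
    events = []
    for line in text.strip().splitlines():
        fields = {}
        for part in line.split(" | "):
            key, value = part.split(": ", 1)   # paths contain ':' but not ': '
            fields[key] = value
        events.append({
            "pid": int(fields["ProcessId"]),
            "ppid": int(fields["ParentProcessId"]),
            "image": fields["Image"],
            "parent_image": fields["ParentImage"],
        })
    return events


def is_dropped_chain_image(path):
    """True only for <7 letters>.exe sitting directly in C:\Windows\System.
    Subdirectories, digits in the name, and System32 all fail the test."""
    low = path.lower()
    if not low.startswith(LEGACY_SYSTEM_DIR):
        return False
    name = path[len(LEGACY_SYSTEM_DIR):]
    return "\\" not in name and DROPPED_NAME.match(name) is not None


def find_chain(events):
    """Events whose image matches the dropped-chain naming pattern."""
    return [ev for ev in events if is_dropped_chain_image(ev["image"])]


def fan_out(hits):
    """Chain members per parent PID: one parent with many children is the
    dropper writing and launching copies in a loop."""
    return dict(Counter(ev["ppid"] for ev in hits))


def parents_in_user_temp(hits):
    """Were all chain members launched from a user's Temp directory?"""
    return all("\\appdata\\local\\temp\\" in ev["parent_image"].lower() for ev in hits)


if __name__ == "__main__":
    hits = find_chain(parse_events(SAMPLE_EVENTS))
    for ev in hits:
        print(f"pid {ev['pid']} <- ppid {ev['ppid']}: {ev['image']}")
    print("fan-out:", fan_out(hits), "from Temp:", parents_in_user_temp(hits))
```

The seven-letter regex alone is too loose (notepad.exe is seven letters); restricting it to C:\Windows\System, which holds almost no executables on a healthy system, is what gives the rule its precision. Pair the process hits with the per-file hashes from the Files section when confirming a match.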
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2868-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\MyJPbWY.exe
| MD5 | 4f58da3f049500048c9a39f6f863c98c |
| SHA1 | 326212f86dab7f5344166007300e92e1440f4431 |
| SHA256 | c63f63ffb786bdf7a33de59fa1e7e0e3bc1ba350caf609c5e4d709bd179806f2 |
| SHA512 | 0a1c984cbe403fe6634fa5aba5fd9b03d861cfff1258cb27932db329edeea6d855b87c214b4a1a2ebfcff8fa5e9aecfd3acba51d86257db4406b75211bfa0b1d |
memory/2868-0-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2868-5-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2920-8-0x000000013F610000-0x000000013F964000-memory.dmp
C:\Windows\system\piVPthd.exe
| MD5 | 2be7baad57ae9f129ac4183c7a09b685 |
| SHA1 | e647b66c19b7ae583ec9c276e0c74f5351565399 |
| SHA256 | a646f8ef55265fbe7bdc65ff70f9e0caef7893305572c84178e37f826ff2bd31 |
| SHA512 | 7abef1eef6c153776180ebea4a50f4a2e420a9252747b1c85234f8443cad5c635d6181d1f10772985de2325ae8f27cdf231ad119a8db6629871fa5d4609944cc |
memory/2976-16-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2868-14-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2868-21-0x000000013FBE0000-0x000000013FF34000-memory.dmp
C:\Windows\system\comBKvq.exe
| MD5 | 6b30763627998dd3eff89ae74607775b |
| SHA1 | 71bd78a7de20ebb7e8d0831ef67f3a361fd1dbbc |
| SHA256 | 64df11cad4bdbe045c7fac02fa7f66f3bc0ecad7bad99cebe64a7a835ec5fd8e |
| SHA512 | 18f1b05471f737ef707b7e9c4eeae0d9b859a17b3e58c7db60967d5cff48505bb929acdca75bd0b8f3abccca871f1585123240a7bf5a3c9d868d564d4b192259 |
memory/2596-23-0x000000013FBE0000-0x000000013FF34000-memory.dmp
C:\Windows\system\HqelNXz.exe
| MD5 | cbd09102edc0a3a663dc42b306db49d2 |
| SHA1 | 9df16875248b71129f9218a0ebc174471580065e |
| SHA256 | 446f1d862079831cec859baa7ce038640d97e1756b423434954ea1a88e432a8f |
| SHA512 | bcfcde183490e15ab8cba8a1a81beca6f673a08b73a4ae98d21d02c6855231167e456bf9181317bdeabde48f0213c247b20c2635ec450d997a14fdd822999c59 |
memory/2868-28-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2592-29-0x000000013F4F0000-0x000000013F844000-memory.dmp
\Windows\system\BLmdEuB.exe
| MD5 | 2437a6ec041a3f2035a30a2e34018be8 |
| SHA1 | 316573fb2bcb1fde1d1b37f129c3181f386f3160 |
| SHA256 | 3c8c8a79126b493018a17e72f56a2140f3cc7703a7abfc606f13326e715ee971 |
| SHA512 | 7c9c0e71ad90cd44e15088909630008eb06a3787d15d10934036a74c4259779b8bacbcaddafd01bdca2c9fe39b7051c404c070cdf255e9f4ae74c2ed02fecec3 |
memory/2868-50-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2964-49-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1952-52-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2868-51-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2868-48-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\tKNNkND.exe
| MD5 | 2eeb894094162cee295305ed2e2e760e |
| SHA1 | 4e6afa6ad484d97b3e0e46cd8d1a81a82b19c3d3 |
| SHA256 | 4baafaa94c84f85b4c99051a525843a5efa5846022f98b88861b29df263cfb17 |
| SHA512 | 50ca8e05565f8ce3ff39bef351a868398a0223997fa86f93f736c2dd33f4736d0475371aa8dfebddba07720b5c988b94f8e4c2dfaab07ae9236150bbfa2d07c5 |
memory/2808-43-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\uFkjWmh.exe
| MD5 | 81c3ddf79e2e43eb36f6307b1788f41c |
| SHA1 | f9c0adfab2cb06ad3673d0a3f35ea92273d33390 |
| SHA256 | e8f03bbaad390295372244349f48a862ac8b9690b8314507e8e97bc35ae5a56a |
| SHA512 | 5219cd9024fadfb162938018542a59abbf480a9d7fbb3fb075ca1b71e2c5ab6032a3c31f666eafde9e3c176b8b1cf954ddd81e77e877763e13838337eef2d26d |
memory/2868-35-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\ZSoGenT.exe
| MD5 | f472cec67ff39c66489a84591fea3ae4 |
| SHA1 | 88c7b24636fc800f2d43ce8329ed292f7f240930 |
| SHA256 | 8205d71dc22fee6b83290b84e658aa989fb83e1c618abeaff2a0e48c2f8bccdc |
| SHA512 | a290678f14561c8d56246589c1e4c36617f6aa9e9b816a8ce151d1a94b322368534874fa782d32c7fe7065121caacffee4736f82a03c0503446f538d5733d772 |
memory/2440-58-0x000000013F450000-0x000000013F7A4000-memory.dmp
\Windows\system\beeXyha.exe
| MD5 | 85e55e2b40611884b02593841640b7bc |
| SHA1 | 9aa257fd4ae9ba94b86d8b28bc1a920bb17e9f65 |
| SHA256 | 4e691e6a7ba8007dd41425b8cc1ec742756c9ffc0e9c18f0f23685fbf960c658 |
| SHA512 | 3ac1fcd191f634a96a5612500fcff9a9dbe421fc66afdf460d8f2ac1404c2bbbfe5389fccd5c221a907e8b6eed06a9ead8bcf7585484b8c295d370c0998961e8 |
C:\Windows\system\prmmqnx.exe
| MD5 | f78e61890109871ae4f6425658458159 |
| SHA1 | 319f3463af9e4aa136576a81ebda8f0591fba45c |
| SHA256 | db5598bf6dabaad958b622837e58b4ce3b7fd016d2c9181dbf0f351769e5567d |
| SHA512 | c6ceeb61a5defee16f868cd3da9cfb8426bafed4ea9e8f16ac7b30a8479aa73d7eb61773f3a9e2e1907efae3acbec43e2dc078ab1171825b5380c7e1b88f187e |
memory/2976-71-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2900-73-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2868-75-0x000000013FC60000-0x000000013FFB4000-memory.dmp
\Windows\system\VPfgvQb.exe
| MD5 | 02c63682f8b452fca157a8af713f4ffb |
| SHA1 | 14191193cfd5dae7eaedd87f854b02ae93054ba2 |
| SHA256 | 9fab0813d7e4e5d808eeefa4a301679d8adbf18ce0b84755c1adb4dcfe608c51 |
| SHA512 | 57a0a5208e4b37b9df37c56dc942aca10d591527c5a8ccf2ed23c84da8feaf5fac5e9b6265e0fb6230cbfa028f7249ef3f5a537bddb11967afb581cd45cd6c30 |
memory/2868-72-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2920-64-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2868-62-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2868-80-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2668-81-0x000000013FC60000-0x000000013FFB4000-memory.dmp
\Windows\system\kjkaPnR.exe
| MD5 | 726b7e619600cb54c17316e398f34dd5 |
| SHA1 | 7b0a156005a53b81687e6d8c79c952a771c33a4d |
| SHA256 | 4c01626a71ed59aac913e8697bb4f8a168704c80c7572db3f002ebb376dd86db |
| SHA512 | 5caa789f94f108a88fadc31d0439afa6a56d24b5fa352111b806861dc7ea76cb4c47b169e60677a8831ccccc3420505a207ab4fe5b31a62fc2f85523b4966f6d |
memory/2868-105-0x000000013F0B0000-0x000000013F404000-memory.dmp
C:\Windows\system\iTlCKEo.exe
| MD5 | 9a6f8503ffb29a8b395f9958ddf4df01 |
| SHA1 | 82a87bf8fa3f129c7cf950edd8810859671569f6 |
| SHA256 | 712ce9a80f131352782d172e3859f16ad1f8f1c5ac6f42ff92b85567c37fbd3d |
| SHA512 | c7a90caebd747fc12900e9d5847dc0ec95ef54d1a3513860ef160a63a5b2f63e084fc099279f8e9992fe2e241080751d0aafd64362156d8eecb04a91803aa05a |
C:\Windows\system\WonbujW.exe
| MD5 | 95b87c877f5e0f2443d6c77e3727fc20 |
| SHA1 | 4f31439daa848a54c1e74483fd83e8e5deeb0e05 |
| SHA256 | a77b34e77309a14b5b91d7657d66a8f32b50e2db3cc924452f85f372817c4c81 |
| SHA512 | d4f076aa5c6e90c8ae02ded3285854760ebf1f3309ec7734b81e575775fa87bb1007ebcaff1ea26e9c5a0966d5a7f68bf1dd6e9493dc348f14f5ad577a579fee |
\Windows\system\oETpEzU.exe
| MD5 | 7401a41f2f64dfc72b8451149bd0e409 |
| SHA1 | 779de720966c397b1145ffd1299b8809b442f890 |
| SHA256 | bfd239ff2a33686c3e70b677c00090102e5b688f1f63455ff39dca7b3376ea3f |
| SHA512 | b7fa08522b3e6e90a1831108ad3f6f975685408ed341e15b47be275ca118394b6c6820a88e7046009ae350eec0ca0ad677e43da657a9b63e846d3e09371a428f |
\Windows\system\ANfpkYS.exe
| MD5 | a4afb7fa5b0086446545bd9101bfbde6 |
| SHA1 | bdbf94df5c934a6dddc85aad8fc729aa72169307 |
| SHA256 | f8c9d67f9022b87b1b369ef41b33ac8dd8e94a229f3b77b409c231a941d355aa |
| SHA512 | 616c3976e73bf52bb480a6a2b2e56d51262f2d3b8c00081ccffc64e79d454bb9c54b9348e09c7368e3c575ba3b89a582160681fdbba5493cc27953b82a7e68af |
memory/108-131-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2772-129-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\hSpAojB.exe
| MD5 | f41a1cec0ad8b59e3509e8f7271a6029 |
| SHA1 | f323c758ad3dc7f1523a711b6892caa5abd31f14 |
| SHA256 | b01dbe95191312e2cebdd771e261edbcfe90670dd044e0dacb69cd12eb59e1b1 |
| SHA512 | b37b3496c57fb2a5f33427f5e8ef93b6da4f593de68b86a4b242a304906f31cb2a2d2585f05719432d95abbf515a07fb5e2e39d93460b78e5d245b4742399819 |
C:\Windows\system\svcZbJq.exe
| MD5 | c866c324fb3b5a0583a83c4a1c6549c2 |
| SHA1 | 51b2cb86baf2079a9515ae04f4bb330dfbb85a38 |
| SHA256 | d5575f2b9d35665ad70395c6433ec4baf1c170d6cd5db775c4c6ee1ddc7fd58c |
| SHA512 | bf762e100ce08e0407c431eb3a2ab4801d4e5d7cbac99303f543b1cb37f7e80efd08aa286beec5f8e7b4abb02329d8cdb856c09ab7fc038e99795b64e805ffa2 |
C:\Windows\system\xhtzaIR.exe
| MD5 | c7fa5ecd53f7dbbdafea4aff3bddf3e3 |
| SHA1 | 8140a134b2cf68b78b6e196641e97d7e64a67bc9 |
| SHA256 | 7e8333f9cd916e259a2edb5c3f320428f50920634bb3d9107ebdda83aab685cb |
| SHA512 | b8c0ae740235ad49ed89a1440f9059543f8ef64f847760b3a2d8329e8b07fdc5b683d1598acad9648936b606eb730889acfc0c04c4778777e144f6ab9a0c424e |
memory/2732-102-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2868-98-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\AMVCqnu.exe
| MD5 | bc75f3306f2c0ca2e3dff5b71c5d3e40 |
| SHA1 | 6a0c22f051f26f223336915ae3c6822354ad7184 |
| SHA256 | 9521cd1746c7c1bd11748a41fbf7e961b2d487a739d16dba3ac02edae16ea51d |
| SHA512 | 48a0e09c87d973372e8a9ccf6e8c2e8aa2dbaaec18b8f59dfb0399f4e08c9ef2a9f311e0508279497705d9186650d161b8752ee68085f2ff16433f935591e097 |
memory/2592-94-0x000000013F4F0000-0x000000013F844000-memory.dmp
C:\Windows\system\yeFnTdv.exe
| MD5 | 2a89fd59a41517a3061c761a4e315721 |
| SHA1 | 54556c3db399ccc4602f784e7e83ca957e359ec3 |
| SHA256 | a74809eaa27c63a1f1a75deabd9c2d22f88f5a6f00e41c8499a250099d0779a7 |
| SHA512 | 6a8470fe31f59f5db769aca1a79fb8eeb6a081c122ff2aeb4f080f159b6a81e71e17bd09215cc2363911efaef89857109bd0f940e96c82b32915a640f4589587 |
memory/2868-137-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2868-139-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2520-138-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2868-140-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2920-141-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2976-142-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2596-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2592-144-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2808-145-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2964-147-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1952-146-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2440-148-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2520-149-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2900-150-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2668-151-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2732-152-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2772-153-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/108-154-0x000000013F0B0000-0x000000013F404000-memory.dmp
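The Files section interleaves two record types: per-file hash tables and memory-dump names of the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. Parsing the dump names shows something the flat list hides: every child PID holds exactly one 0x354000-byte region at a different 64-bit base, which is the same image mapped once per process, plus a few 0x10000-byte regions in the dropper. The following parser is an added example by the editor, not code from the report or the sandbox vendor. SAMPLE is a slice of the behavioral1 Files section above (two dropped files and eight dumps, copied verbatim); reading the recurring size as "the same image in every child" is the editor's interpretation, not a sandbox verdict.

```python
"""Parse the Files section of a sandbox report into file-hash records and
memory-dump regions, then size and group the regions by PID.

Editor's added example; not part of the original report. SAMPLE is a
verbatim slice of the behavioral1 Files section above.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the report's Files section.
SAMPLE = r"""
memory/2868-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\MyJPbWY.exe
| MD5 | 4f58da3f049500048c9a39f6f863c98c |
| SHA1 | 326212f86dab7f5344166007300e92e1440f4431 |
| SHA256 | c63f63ffb786bdf7a33de59fa1e7e0e3bc1ba350caf609c5e4d709bd179806f2 |
| SHA512 | 0a1c984cbe403fe6634fa5aba5fd9b03d861cfff1258cb27932db329edeea6d855b87c214b4a1a2ebfcff8fa5e9aecfd3acba51d86257db4406b75211bfa0b1d |
memory/2868-0-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2868-5-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2920-8-0x000000013F610000-0x000000013F964000-memory.dmp
C:\Windows\system\piVPthd.exe
| MD5 | 2be7baad57ae9f129ac4183c7a09b685 |
| SHA1 | e647b66c19b7ae583ec9c276e0c74f5351565399 |
| SHA256 | a646f8ef55265fbe7bdc65ff70f9e0caef7893305572c84178e37f826ff2bd31 |
| SHA512 | 7abef1eef6c153776180ebea4a50f4a2e420a9252747b1c85234f8443cad5c635d6181d1f10772985de2325ae8f27cdf231ad119a8db6629871fa5d4609944cc |
memory/2976-16-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2868-14-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2868-21-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2596-23-0x000000013FBE0000-0x000000013FF34000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Dropped-file path, with or without drive letter (the report uses both forms).
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.(?:exe|dll)$", re.IGNORECASE)
# One row of a per-file hash table.
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, regions). A file is {"path", "MD5", "SHA1", ...}; a
    region is {"pid", "seq", "start", "end", "size"} with integer fields."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            if end <= start:
                raise ValueError(f"inverted region: {line}")
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
            current = None           # hash rows never follow a dump name
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2)
            if current is None:
                raise ValueError(f"hash row with no file path before it: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} of {current['path']} has length {len(digest)}")
            current[algo] = digest
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        raise ValueError(f"unrecognised line: {line}")
    return files, regions


def regions_by_pid(regions):
    """Group regions under the PID that owned them."""
    grouped = defaultdict(list)
    for r in regions:
        grouped[r["pid"]].append(r)
    return dict(grouped)


def size_histogram(regions):
    """How many dumps share each size. One size recurring across many PIDs
    means the same image was mapped, at a fresh ASLR base, in each process."""
    return dict(Counter(r["size"] for r in regions))


def pids_mapping(regions, size):
    """Sorted PIDs holding at least one region of exactly `size` bytes."""
    return sorted({r["pid"] for r in regions if r["size"] == size})


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    for f in files:
        print(f["path"], f["SHA256"])
    for size, n in sorted(size_histogram(regions).items()):
        print(f"size 0x{size:x}: {n} dumps in PIDs {pids_mapping(regions, size)}")
```

The parser refuses hash rows that are not preceded by a file path and digests of the wrong length, so a mangled copy of the report fails loudly instead of producing a bad IOC list. The hash records can be fed straight into a blocklist; the region sizes are what tell you the 21 dropped binaries are one payload, not 21.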
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 01:42
Reported
2024-06-01 01:45
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Signatures
Cobalt Strike reflective loader
Hits: 21
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Hits: 21
UPX dump on OEP (original entry point)
Hits: 64
XMRig Miner payload
Hits: 64
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WvhFXyB.exe | N/A |
| N/A | N/A | C:\Windows\System\rrBXzjw.exe | N/A |
| N/A | N/A | C:\Windows\System\VQYqBiH.exe | N/A |
| N/A | N/A | C:\Windows\System\pxXZYCP.exe | N/A |
| N/A | N/A | C:\Windows\System\qyTMiTZ.exe | N/A |
| N/A | N/A | C:\Windows\System\IvaACjm.exe | N/A |
| N/A | N/A | C:\Windows\System\WJEJFaX.exe | N/A |
| N/A | N/A | C:\Windows\System\dvEBVKn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbNYrrY.exe | N/A |
| N/A | N/A | C:\Windows\System\gbeUSHf.exe | N/A |
| N/A | N/A | C:\Windows\System\sHXuQlM.exe | N/A |
| N/A | N/A | C:\Windows\System\qxsKTcD.exe | N/A |
| N/A | N/A | C:\Windows\System\TdatGEM.exe | N/A |
| N/A | N/A | C:\Windows\System\RHAOhdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\hXaJdte.exe | N/A |
| N/A | N/A | C:\Windows\System\YICMECR.exe | N/A |
| N/A | N/A | C:\Windows\System\fUPKKvr.exe | N/A |
| N/A | N/A | C:\Windows\System\aRRBjaN.exe | N/A |
| N/A | N/A | C:\Windows\System\DlLbsDb.exe | N/A |
| N/A | N/A | C:\Windows\System\HBkMbYd.exe | N/A |
| N/A | N/A | C:\Windows\System\jtDyzxY.exe | N/A |
UPX packed file
Hits: 64
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\WvhFXyB.exe
C:\Windows\System\WvhFXyB.exe
C:\Windows\System\rrBXzjw.exe
C:\Windows\System\rrBXzjw.exe
C:\Windows\System\VQYqBiH.exe
C:\Windows\System\VQYqBiH.exe
C:\Windows\System\pxXZYCP.exe
C:\Windows\System\pxXZYCP.exe
C:\Windows\System\qyTMiTZ.exe
C:\Windows\System\qyTMiTZ.exe
C:\Windows\System\IvaACjm.exe
C:\Windows\System\IvaACjm.exe
C:\Windows\System\WJEJFaX.exe
C:\Windows\System\WJEJFaX.exe
C:\Windows\System\dvEBVKn.exe
C:\Windows\System\dvEBVKn.exe
C:\Windows\System\ZbNYrrY.exe
C:\Windows\System\ZbNYrrY.exe
C:\Windows\System\gbeUSHf.exe
C:\Windows\System\gbeUSHf.exe
C:\Windows\System\sHXuQlM.exe
C:\Windows\System\sHXuQlM.exe
C:\Windows\System\qxsKTcD.exe
C:\Windows\System\qxsKTcD.exe
C:\Windows\System\TdatGEM.exe
C:\Windows\System\TdatGEM.exe
C:\Windows\System\RHAOhdQ.exe
C:\Windows\System\RHAOhdQ.exe
C:\Windows\System\hXaJdte.exe
C:\Windows\System\hXaJdte.exe
C:\Windows\System\YICMECR.exe
C:\Windows\System\YICMECR.exe
C:\Windows\System\fUPKKvr.exe
C:\Windows\System\fUPKKvr.exe
C:\Windows\System\aRRBjaN.exe
C:\Windows\System\aRRBjaN.exe
C:\Windows\System\DlLbsDb.exe
C:\Windows\System\DlLbsDb.exe
C:\Windows\System\HBkMbYd.exe
C:\Windows\System\HBkMbYd.exe
C:\Windows\System\jtDyzxY.exe
C:\Windows\System\jtDyzxY.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\WvhFXyB.exe
C:\Windows\System\rrBXzjw.exe
C:\Windows\System\VQYqBiH.exe
C:\Windows\System\pxXZYCP.exe
C:\Windows\System\WJEJFaX.exe
C:\Windows\System\gbeUSHf.exe
C:\Windows\System\sHXuQlM.exe
C:\Windows\System\RHAOhdQ.exe
C:\Windows\System\hXaJdte.exe
C:\Windows\System\DlLbsDb.exe
C:\Windows\System\HBkMbYd.exe
C:\Windows\System\jtDyzxY.exe
C:\Windows\System\aRRBjaN.exe
C:\Windows\System\fUPKKvr.exe
C:\Windows\System\YICMECR.exe
C:\Windows\System\TdatGEM.exe
C:\Windows\System\qxsKTcD.exe
C:\Windows\System\ZbNYrrY.exe
C:\Windows\System\dvEBVKn.exe
C:\Windows\System\IvaACjm.exe
C:\Windows\System\qyTMiTZ.exe