Analysis Overview
SHA256
40c4c891d39ae7918c0dc45a87e6fa6a5c3fa6732c0412305492c8f69e59ec8b
Threat Level: Known bad
The file 2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
xmrig
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:02
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:02
Reported
2024-06-01 02:04
Platform
win7-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\IKorwrz.exe | N/A |
| N/A | N/A | C:\Windows\System\lZJkyNK.exe | N/A |
| N/A | N/A | C:\Windows\System\KyyCNPO.exe | N/A |
| N/A | N/A | C:\Windows\System\MpPhThE.exe | N/A |
| N/A | N/A | C:\Windows\System\AIyVwsb.exe | N/A |
| N/A | N/A | C:\Windows\System\TsCjdxH.exe | N/A |
| N/A | N/A | C:\Windows\System\hyvMWwp.exe | N/A |
| N/A | N/A | C:\Windows\System\VUliqBI.exe | N/A |
| N/A | N/A | C:\Windows\System\WDKIIHn.exe | N/A |
| N/A | N/A | C:\Windows\System\KkIsjcp.exe | N/A |
| N/A | N/A | C:\Windows\System\vhsvcRm.exe | N/A |
| N/A | N/A | C:\Windows\System\QtXMBgo.exe | N/A |
| N/A | N/A | C:\Windows\System\iAccrVq.exe | N/A |
| N/A | N/A | C:\Windows\System\wxLVXGn.exe | N/A |
| N/A | N/A | C:\Windows\System\iKXPWaE.exe | N/A |
| N/A | N/A | C:\Windows\System\lgkBFnd.exe | N/A |
| N/A | N/A | C:\Windows\System\hJQDzEC.exe | N/A |
| N/A | N/A | C:\Windows\System\dqEwAOP.exe | N/A |
| N/A | N/A | C:\Windows\System\HLtcwXS.exe | N/A |
| N/A | N/A | C:\Windows\System\lLMEohh.exe | N/A |
| N/A | N/A | C:\Windows\System\seVpbNI.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\IKorwrz.exe
C:\Windows\System\IKorwrz.exe
C:\Windows\System\lZJkyNK.exe
C:\Windows\System\lZJkyNK.exe
C:\Windows\System\KyyCNPO.exe
C:\Windows\System\KyyCNPO.exe
C:\Windows\System\MpPhThE.exe
C:\Windows\System\MpPhThE.exe
C:\Windows\System\AIyVwsb.exe
C:\Windows\System\AIyVwsb.exe
C:\Windows\System\TsCjdxH.exe
C:\Windows\System\TsCjdxH.exe
C:\Windows\System\hyvMWwp.exe
C:\Windows\System\hyvMWwp.exe
C:\Windows\System\VUliqBI.exe
C:\Windows\System\VUliqBI.exe
C:\Windows\System\WDKIIHn.exe
C:\Windows\System\WDKIIHn.exe
C:\Windows\System\KkIsjcp.exe
C:\Windows\System\KkIsjcp.exe
C:\Windows\System\vhsvcRm.exe
C:\Windows\System\vhsvcRm.exe
C:\Windows\System\hJQDzEC.exe
C:\Windows\System\hJQDzEC.exe
C:\Windows\System\QtXMBgo.exe
C:\Windows\System\QtXMBgo.exe
C:\Windows\System\dqEwAOP.exe
C:\Windows\System\dqEwAOP.exe
C:\Windows\System\iAccrVq.exe
C:\Windows\System\iAccrVq.exe
C:\Windows\System\HLtcwXS.exe
C:\Windows\System\HLtcwXS.exe
C:\Windows\System\wxLVXGn.exe
C:\Windows\System\wxLVXGn.exe
C:\Windows\System\lLMEohh.exe
C:\Windows\System\lLMEohh.exe
C:\Windows\System\iKXPWaE.exe
C:\Windows\System\iKXPWaE.exe
C:\Windows\System\seVpbNI.exe
C:\Windows\System\seVpbNI.exe
C:\Windows\System\lgkBFnd.exe
C:\Windows\System\lgkBFnd.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1612-0-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1612-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\lZJkyNK.exe
| MD5 | e56a1f455a70d76ff508773240533193 |
| SHA1 | a31eda506098c7ed31eec0c9595bbf419c19a426 |
| SHA256 | 2305277347365f42158c58f966199053e7180c288ebb7ff60caef83a175f82aa |
| SHA512 | e8a9df76de0edb0f5bc7a4f4bb2791523a7c9f0388e36a9735792b103d9a1da9f383cbccf86d4a7c6a9fae03e75fc9b956f4135b6a8289d583c8712d4a2dddfc |
memory/1612-9-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2604-16-0x000000013F230000-0x000000013F584000-memory.dmp
memory/1964-14-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/1612-11-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\IKorwrz.exe
| MD5 | dfafcb1c0e1fc9776b5916c59bb0838d |
| SHA1 | 85b02a0ba2766aee140774524e57ad6fe16145ab |
| SHA256 | fb0c5cbfa7cc312a7a00d8f676d21e6ed9f5a1e2d41805a3eb9cc71682eabda7 |
| SHA512 | 78b759cf27994529b4809861774bb83e39059a796bef59470c2d6fc64e435879a44d7975a843651632252f591c64fcc03ad6b17fa9af8ef0b432c6ecaab96076 |
C:\Windows\system\KyyCNPO.exe
| MD5 | 699d07407c53ad8f45eca7c900fab4db |
| SHA1 | b3e04ba42b3e93e470426ef2972666828f671e89 |
| SHA256 | 241fa5f6e5c9073be7f5f76c3a91c9832999e02cc71998c3a3d0017bede856b4 |
| SHA512 | 2f1eddf8e3f12ef475c73ed5372467379cd56f8242c67b151f57e096b370bd4f72bf1353fc7cb6ca6a21a71ae96af478a964ff12ad233fd22f0902f886016527 |
memory/2736-23-0x000000013F300000-0x000000013F654000-memory.dmp
\Windows\system\MpPhThE.exe
| MD5 | a661cb3a72fe1f3a999bd1af5956a9c7 |
| SHA1 | d1f93bf015243edb620623c5af7685cbfbb4200e |
| SHA256 | 766211f68e60d1306eb0fdce71509bdbaf04bbacdde9dbad1100378729fb6726 |
| SHA512 | 7d0393a3cd48b5e0e65e94e5cad17d3121766659b80ad6c55c0ec58a141c98908b06e58419f1ace7174f79e5e952a7ad4e3401f704d7e060921fd78bc6ef7f04 |
memory/2592-29-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1612-47-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1612-50-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2580-61-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1304-67-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2448-77-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/1612-112-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\iKXPWaE.exe
| MD5 | d44cc9d86c9b57556fd048751566f4f7 |
| SHA1 | ae20ffbe03ccc111739a6ff2fcb748f7d4c1ed82 |
| SHA256 | 194c59a7381ad2a546534c0fd6b80b7c560747f03bcca721423c989d1cee5376 |
| SHA512 | 38a990d4b7ce55ef083710e9cfcd91fb09b787d50f944af6d6c730e6b821603dc3c01ab64e310e13081c79ce1dfb80d4faf5dd0901c365a21f720a99411d5e24 |
\Windows\system\seVpbNI.exe
| MD5 | 5eab763cf8c54b138ded264c982db625 |
| SHA1 | 80a2c7a937a5a4f79de3e5d3c503d62d8285cdc3 |
| SHA256 | 35b0e5908b565b9b2346e6493727189cbef6a91df95c312ab060d4113416e2b9 |
| SHA512 | f1da92ee3bf240e6ac52b6fa2b0791cddd1600d257b9a329e0e8e210aac13cb9d221285fb2881eb6543f4c6ef8b2cda44573292d1508ca358496d09ec920849b |
C:\Windows\system\wxLVXGn.exe
| MD5 | e64d65b8a0ee0404d2e6439d20240938 |
| SHA1 | bb2ebe4e88253468f6cafd71f815f7d7368bcad1 |
| SHA256 | 9d54a8dcec3940f8b5fce6b484a7439f8d4b856b2845d98e4b5ba553784768f9 |
| SHA512 | 941298c7206b7d363e1a14b1bc08b07d313783a7c3142ab5f9b8a90acadf629aab783071b6c10b1bac369cb387fb684efb831f5894475fc37a18db553d559f5e |
\Windows\system\lLMEohh.exe
| MD5 | cb3db2871bbe6d7cd2c7abe6c3bd2606 |
| SHA1 | f47c70f49982424802a0d9d9b5525d8741f0292f |
| SHA256 | 3ecd944d7ad9610b8182e5b1ee15c76afe583da3e13f76eeedfe247aad39255e |
| SHA512 | a3528f2d46512b76a01d638658156d5a6eaf3762745faf534172c8ae678e08a1ee844057e9729bf35991806f035d7b6e34ba2c166ca8170d42e0026ffd5d94a8 |
C:\Windows\system\iAccrVq.exe
| MD5 | 3dd7c1c7cedf32acf7c775163c61b126 |
| SHA1 | bb1c5473a3db84999402f69f06adebca913ba207 |
| SHA256 | 80f2fa1bfda1a560a4a9fa35155d8e7901cda3250ab223448812b60c6adc657f |
| SHA512 | 489a98be0ff47f3e6011dbb3aae22b0e8a2d866cee2ee0d34be64def0e3e68123745ba92987accfa0652d3fffc8b9e0b1edcd246fdabfe44066ae3a91d4babf7 |
\Windows\system\HLtcwXS.exe
| MD5 | 82542f4158fa3fec66ec3adf1c6ffabb |
| SHA1 | 8e15c222142d2618f70fdf6fabc177c3e0686ea9 |
| SHA256 | 0d7aa8c94681a786f5d3b3428b623d91dbf86b9c5c191bb69f8d2d0ca3b80833 |
| SHA512 | 08186503e0151b330e1d3412e22f582bbd85e3c50c47928b6f568e68e0bc86d2c7a78e000c1a3457213f800a40ecb45a526ee9b0891ddf6786879035941c7265 |
memory/2592-87-0x000000013F400000-0x000000013F754000-memory.dmp
\Windows\system\dqEwAOP.exe
| MD5 | 10b6b72ca9bbccdb823ad2f8910c60e6 |
| SHA1 | 1c98054f14509fe3d53b2d1e71e0303cd9286baa |
| SHA256 | ce26da75172a21e570a4c45109097c90399602db93132bc8ffca067ebc1852e4 |
| SHA512 | 112a0534d80a846068673b59e65308398a1f651d9ddd50fb83e5ff0ad7e46997a3c9f0e8670e2362889e485b6471f2f1dde9a11348fef1765ac441578c1d3365 |
\Windows\system\hJQDzEC.exe
| MD5 | e45d246c2a48b13d57ad1c6d9f427c9f |
| SHA1 | 0a3c07d460881ae92c201acfb61c83c55299df8f |
| SHA256 | e6c1d52e1fc74e19bf745971c7a62c0c1ed7b54edcabda52b490eabb74ee28a8 |
| SHA512 | 358e237f5e0b7b814536c642f180d547667b6abd2d29fc07f6592bac2d4f252f87e705b540912655b253cf7033b9f241e496a813efa90a41b6c05c9ea55bdf78 |
C:\Windows\system\lgkBFnd.exe
| MD5 | 0d7dd44d495791a27a7699de55fb5089 |
| SHA1 | c74014e77daa48742f0a7dd318d13b597bdb81fe |
| SHA256 | 8d5cd2ea9b19a5c82b5c0ccd1d9ba86931a3154b2e109b095ab874e57dc534da |
| SHA512 | 9965e677a6a74ef3d7643ee066bcecda53ddbf565c1c9c76e8b1d0d686b7c7afde4c27f7bbd9668b39a802566e9d4e85238bea11f32dd49ce736ba8a3363cac4 |
memory/1552-116-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1612-115-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\KkIsjcp.exe
| MD5 | e2c0d34778231fd676a113106091585f |
| SHA1 | 586b40980fb75dbc129d37a78e97b56cdc65a87f |
| SHA256 | ba0c31598bba81fc15c89379676edc96ed6694592b1a2b9d7ddd8a675495f600 |
| SHA512 | 0d7e4c55d4e80b2bf4d22710e6c96afa9e6d7ebac8eda3922c336e24d6a37e59cb6fa58fe5c051186970915bf8f8ecff04604a2f29d47691e5404552ab805249 |
memory/1612-65-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2576-106-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1612-99-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2772-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1612-83-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1612-82-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\QtXMBgo.exe
| MD5 | d74175ca51e76b1d4ee886b46b6d78f7 |
| SHA1 | b23f9cfb4f9c0ce2f4287d1abfd124814c9d65ad |
| SHA256 | 1bc6a50fea313efcdff7a45dd5137997ef4e854a6441344674460f91335f882f |
| SHA512 | a7d70b842d51e4a34477f6ad1209860149cc645caeedadbb0be96b792c3ef4664b1acbee5bb106ee4b32fda38e21b86d7f66404ed2026eb6ac63a6b7a99b18c1 |
memory/1612-73-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2604-72-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\vhsvcRm.exe
| MD5 | ea60dce58def41ec7d2f2e7fa6f4efb6 |
| SHA1 | a06b744aa98161dc5dc75ebc4d50c5dadd0443ce |
| SHA256 | d7af169ef1a10f55e2750e2ede6380f95184bc95bda8978ea6f1e580499a7521 |
| SHA512 | e062c7a08229376a0f0a0a5a2e57b64e4caac9aec7ac852d9bca94f856d1a14c4292c73c652980df03e39d92e1b11c0f2de686554ff25cc341c3fbde4f901d2e |
memory/2480-56-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1612-55-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2580-138-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\WDKIIHn.exe
| MD5 | 3e9f829a0e09c7f72f656bf7a15061df |
| SHA1 | 99acc53deaa189144d41db0f0a45663adbfa40b3 |
| SHA256 | f3d10267cefe7d5ece7e323be4657562909e0aed04707c96dd33e77b72ecdd83 |
| SHA512 | 21e57ddbea49ec2eac44e4cd1aab1b8b5c1e815d151524a3ef0ee3fe6078e4ee6e628baff820872668c38857f074d8ea2fd889f622fa2ca2aa7e004dfb719bf8 |
C:\Windows\system\VUliqBI.exe
| MD5 | e1e0ceb966bf8cb0b84e29d554c7b6c5 |
| SHA1 | 4dbe82cb7bc8081d7e91931cd19a433a245d9b92 |
| SHA256 | f32bbef5c6fea6dedc79096c8e733a4eea134ef1e860dd2fd6202403a61ed601 |
| SHA512 | 325f28e2f57d211837d9f2c7f6eeccb3338c42a5afba6ef6f3c18dfff32d67fdbfd78e29ee91c7ed4b854739bc469e86179d3efd9fe939dc2e4caf6a727dff41 |
memory/2632-49-0x000000013F1F0000-0x000000013F544000-memory.dmp
C:\Windows\system\TsCjdxH.exe
| MD5 | 0a01cf8465475a0a3b2c41b9b749f532 |
| SHA1 | 67ec5499165075e805656ea76f501701b38d987b |
| SHA256 | 7eddbc43e4e7642e290e3548aab9e8dc8100f33a249749077f8b2a5253c8fff5 |
| SHA512 | 7feb366311ff85e1f5dd52ba751e62a3c7b7e04aa599b74926c2255bc4c9c2cd2bce42d1827f2108260358c1f3fbd7ddcd15c7524120395649fb60ea4f0bc25c |
memory/2816-46-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\hyvMWwp.exe
| MD5 | 23b054a682c7ff47cc978ccdcebc8825 |
| SHA1 | c84d67df0495d953e845f0e7a9726fa3a6844ab4 |
| SHA256 | 05db73667fed9763dc6ae9c821522ce88bcd60d152198a091eda944edec63dfc |
| SHA512 | 640f104da3924c7cfe0b56bf92fff212b01d52b08dc3eff7adc6aca10396ce204ab092192cd9fe8c195841e3a42026f17e43b43f752a2547f1ef075f17bb4a64 |
memory/2576-35-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1612-34-0x000000013F600000-0x000000013F954000-memory.dmp
C:\Windows\system\AIyVwsb.exe
| MD5 | 1eba42fba73e29040490bed1f992706a |
| SHA1 | 855a0f085cd5b0f424ae602b0e18e7dd84e0be8a |
| SHA256 | e00df38a01110be4a7989aa1c50c563314ccd25ee0f861eae8a58bb4ae3a398c |
| SHA512 | 2562efeae299d50d08fddb057758c2792ac390fa78257ece79692918f417e2b703033db27fdd245949677eb50bdc41c3a6ecbf40db3da83c84e210dfb3dc9941 |
memory/1612-28-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1612-22-0x000000013F300000-0x000000013F654000-memory.dmp
memory/1304-140-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1612-139-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2448-141-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/1612-142-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2772-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1612-144-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/1552-145-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1964-146-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2604-147-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2736-148-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2816-149-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2576-150-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2592-151-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2772-153-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2448-154-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2632-152-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1552-156-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2580-155-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1304-158-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2480-157-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:02
Reported
2024-06-01 02:04
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\YUJzdNG.exe | N/A |
| N/A | N/A | C:\Windows\System\UAdsQZH.exe | N/A |
| N/A | N/A | C:\Windows\System\NJuBeYe.exe | N/A |
| N/A | N/A | C:\Windows\System\CEQqUYA.exe | N/A |
| N/A | N/A | C:\Windows\System\kDbwrgQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mLzaDBR.exe | N/A |
| N/A | N/A | C:\Windows\System\XLheihT.exe | N/A |
| N/A | N/A | C:\Windows\System\KTXWrkb.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNcwVJp.exe | N/A |
| N/A | N/A | C:\Windows\System\qeiqUxe.exe | N/A |
| N/A | N/A | C:\Windows\System\LFwzXcM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbuALEb.exe | N/A |
| N/A | N/A | C:\Windows\System\ojIbGQl.exe | N/A |
| N/A | N/A | C:\Windows\System\GggunFz.exe | N/A |
| N/A | N/A | C:\Windows\System\UpwIjay.exe | N/A |
| N/A | N/A | C:\Windows\System\IxfwwjP.exe | N/A |
| N/A | N/A | C:\Windows\System\UJEElQv.exe | N/A |
| N/A | N/A | C:\Windows\System\ftCTltS.exe | N/A |
| N/A | N/A | C:\Windows\System\TGQaqPt.exe | N/A |
| N/A | N/A | C:\Windows\System\IUiiCEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\qAPwcha.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_85b069a8a846539b611fc33a5a8753a4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YUJzdNG.exe
C:\Windows\System\YUJzdNG.exe
C:\Windows\System\UAdsQZH.exe
C:\Windows\System\UAdsQZH.exe
C:\Windows\System\NJuBeYe.exe
C:\Windows\System\NJuBeYe.exe
C:\Windows\System\CEQqUYA.exe
C:\Windows\System\CEQqUYA.exe
C:\Windows\System\kDbwrgQ.exe
C:\Windows\System\kDbwrgQ.exe
C:\Windows\System\mLzaDBR.exe
C:\Windows\System\mLzaDBR.exe
C:\Windows\System\XLheihT.exe
C:\Windows\System\XLheihT.exe
C:\Windows\System\KTXWrkb.exe
C:\Windows\System\KTXWrkb.exe
C:\Windows\System\ZNcwVJp.exe
C:\Windows\System\ZNcwVJp.exe
C:\Windows\System\qeiqUxe.exe
C:\Windows\System\qeiqUxe.exe
C:\Windows\System\LFwzXcM.exe
C:\Windows\System\LFwzXcM.exe
C:\Windows\System\ZbuALEb.exe
C:\Windows\System\ZbuALEb.exe
C:\Windows\System\ojIbGQl.exe
C:\Windows\System\ojIbGQl.exe
C:\Windows\System\GggunFz.exe
C:\Windows\System\GggunFz.exe
C:\Windows\System\UpwIjay.exe
C:\Windows\System\UpwIjay.exe
C:\Windows\System\IxfwwjP.exe
C:\Windows\System\IxfwwjP.exe
C:\Windows\System\UJEElQv.exe
C:\Windows\System\UJEElQv.exe
C:\Windows\System\ftCTltS.exe
C:\Windows\System\ftCTltS.exe
C:\Windows\System\TGQaqPt.exe
C:\Windows\System\TGQaqPt.exe
C:\Windows\System\IUiiCEZ.exe
C:\Windows\System\IUiiCEZ.exe
C:\Windows\System\qAPwcha.exe
C:\Windows\System\qAPwcha.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4368,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
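Most rows in the Network table are UDP queries to 8.8.8.8:53 for in-addr.arpa names, that is, reverse lookups of IPs the host touched (the 23.62.61.97 connection is followed by a lookup of 97.61.62.23.in-addr.arpa). The rows that matter for triage are the six TCP connections to 3.120.209.58:8080 with no domain attached. The following added example, not part of the sandbox report, parses rows in the table's own format, separates PTR lookups and forward DNS queries from real connections, and flags a host:port that is contacted repeatedly without any domain name as a beacon candidate. The embedded rows are copied from the table above; the repeat threshold and the "no domain" heuristic are assumptions of this example.

```python
from collections import Counter

# Rows copied from the Network table in the report, in its own
# "| Country | Destination | Domain | Proto |" layout (header omitted). The
# 3.120.209.58 rows carry an empty Domain cell: the IP was contacted directly.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""


def parse_rows(text):
    """Parse pipe-delimited rows into dicts; rows without a numeric port are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(domain):
    """For a reverse-DNS query name (a.b.c.d.in-addr.arpa) return 'd.c.b.a', else None."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows, min_repeats=3):
    """Split rows into PTR lookups, forward lookups and connections, then flag
    (host, port) pairs seen at least `min_repeats` times with no domain name.

    Heuristic, assumed for this example: repeated direct-to-IP connections on the
    same port, never preceded by a name resolution, are the shape of a beacon.
    """
    ptr, forward, conns = [], [], []
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_target(r["domain"])
            (ptr if ip else forward).append(ip or r["domain"])
            continue
        conns.append(r)
    counts = Counter((r["host"], r["port"]) for r in conns)
    named = {r["host"] for r in conns if r["domain"]}
    candidates = [(host, port, n) for (host, port), n in counts.items()
                  if n >= min_repeats and host not in named]
    return {"ptr_lookups": ptr, "forward_lookups": forward,
            "connections": conns, "beacon_candidates": candidates}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    print("reverse lookups of:", ", ".join(result["ptr_lookups"]))
    for host, port, n in result["beacon_candidates"]:
        print(f"beacon candidate: {host}:{port} ({n} connections, no domain)")
```

The reverse lookups are useful context rather than indicators: they tell you which addresses the machine touched, but a block list built from them would mostly contain CDN and update infrastructure. Only the direct, repeated connections are worth promoting to a network IOC, and the report itself shows no payload for them, so the candidate should be confirmed against the captured traffic before use.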
Files
memory/1056-0-0x00007FF64DE10000-0x00007FF64E164000-memory.dmp
memory/1056-1-0x000001F914140000-0x000001F914150000-memory.dmp
C:\Windows\System\YUJzdNG.exe
| MD5 | 8892e44fe6ab70fc2842464d37575a25 |
| SHA1 | 09b084ac3708d326176b8f13954d415f572d14f9 |
| SHA256 | 40071567e0341480785a786a8633365cc5b64577ff3b646dcf4b347a2a0fcd10 |
| SHA512 | 687a884fd954872d766da6031c2dbadf70d0d4b55eefdadaf2e33995a9e349c83e9d96963395ef7b6fb0785e6f6a5bc6d5cbb3abcd920f386387a815682649de |
memory/1392-9-0x00007FF615830000-0x00007FF615B84000-memory.dmp
C:\Windows\System\NJuBeYe.exe
| MD5 | 69296b3219b65bb562e4ab32443c3b35 |
| SHA1 | 3e1233bd276362c6e691aaf5ecaf0e7331d43bfe |
| SHA256 | c19f53445d8477c8aee5b24400f1b7efae8a06ead3d1eab54b245b4b354e8182 |
| SHA512 | 679c95e34418ea1a6e8da3b74cbbdfed650e7e9eb3aa78b498e661e3102450d1f624cd1a5ca1bb2f6e03104a9e3ad0576a7b4c0d7284a903a32e7ec5dee0e977 |
C:\Windows\System\UAdsQZH.exe
| MD5 | 5cc82687166c9649cd5987522105f08b |
| SHA1 | 83fd3384a625fc22dc07441f9e8868addcc60412 |
| SHA256 | 3a8ca49cca4f3263125238efc88cb143bff1e6017e9fae169a851813569f1701 |
| SHA512 | e81d8b4b09e4169474b5a2816241d7b29846c12516830cb3dffad5d476bd3f9687efa65a56395e4e8dbcc07770ff0a224729731e8934008a027f6f4ae6c2fd13 |
memory/4608-14-0x00007FF7AA080000-0x00007FF7AA3D4000-memory.dmp
memory/3016-18-0x00007FF690400000-0x00007FF690754000-memory.dmp
memory/4800-24-0x00007FF7BB850000-0x00007FF7BBBA4000-memory.dmp
C:\Windows\System\CEQqUYA.exe
| MD5 | af75cb98acfd713e6b9c17845faad0dd |
| SHA1 | ac85d9336c523dd5e2f3536bd5df7ef7f4a91e24 |
| SHA256 | fae504aaa78732311e4513b9c82ec0542ef57aa3fa3aab5cb5d61bf5d5061f10 |
| SHA512 | f121721e46ab7c3e36be451a78922ace0981c5a5df1ac112d8fafc309cefd1a9ac5482bf7edab9e1e97ec71e3a9464862f0a641476fc336a0c0e51373b413ccc |
C:\Windows\System\kDbwrgQ.exe
| MD5 | a7526aa1e52b2c49e4b185625bcba069 |
| SHA1 | 27e4b39d9f41937c686bfc5fe8a3633c5d7d17b1 |
| SHA256 | 105eb1d4c20af4ca5d9ea5ce4bcdb2df0948b907b88bc4aabde66d2c3df7a0da |
| SHA512 | 28e4f40944af43adc598b9b3d7d252e25b39709f4d1ae7c2815bb7dd578d3da1b6239670e347f221fe9c80d98c0cfc04dab467bd82228a2db68612bc05c215d1 |
C:\Windows\System\mLzaDBR.exe
| MD5 | f10f6b314f918d0b791ede9ad737d6f4 |
| SHA1 | 6921dad9ffe622dd42bf670d3b9102706ab8d8ea |
| SHA256 | 16c5fea36568290a5bc89294fde5c337d9cdc16863bf8603d990cd5c9233964c |
| SHA512 | 94722b0617090a1c510f0481dcf32a28f20b3bb4e4fb925d7abe74754daefa3589546a4f4e41d038666256f68279d580e23f31969804382bbea7b0dba83f76fb |
memory/1728-40-0x00007FF6D8BD0000-0x00007FF6D8F24000-memory.dmp
C:\Windows\System\ZNcwVJp.exe
| MD5 | f017c4b7b7b8ea52fde0588d7a6d0dce |
| SHA1 | cc3f9d98e234d3ed4baf009b7d87008bd2ec2723 |
| SHA256 | e34ecfb36bb4a3be3cfe2a7320663342b369303eaa09283758ef10998f2855ff |
| SHA512 | ab603ef4e7e103abc4a17c831bafd4ff8c1cba08dac2ef70e5ea308feba86e4e8ddcbc608357a0784c4640ec10947e6d05d035a594e64c583c093fbd6b14fb21 |
C:\Windows\System\qeiqUxe.exe
| MD5 | 299863641b428e69457b68f23336ae34 |
| SHA1 | fd5c4797050cd17a4bedee78a11811aaae30de2f |
| SHA256 | 4aa475cdf8dc6cbabb7a6e21b32f4802367adf41f973e8a8a7531e34058e3a42 |
| SHA512 | 1b595b822dbf20a494413c782ed8fc46106c40f65c4149b8ab5ee0a3e2eaafe8c01f812a2b6bc039dc14385cd939c80f077b3925f69538ba75a8638e641a441c |
C:\Windows\System\ZbuALEb.exe
| MD5 | 63d55f8c34177dbec900623bbec89a19 |
| SHA1 | 969f0b88eae93017f1d793740c06bb40d6cb5692 |
| SHA256 | e3aa202a4061991b370aac57d745e25aaa76d033c4d2d498e66b6e97dbd08404 |
| SHA512 | a16730cd1c65b711acba538785be2ff2b4d524bc00106b5a2283110a429c00a6839bf5bb74697d99fedde335f173b13c2fa795a92e3d63b096391baecd2e00ed |
C:\Windows\System\ojIbGQl.exe
| MD5 | 90e88bb272696da52f5bc64ce64cf78f |
| SHA1 | cb94029d4757f0102245c4389c41be7b25341b7c |
| SHA256 | 765740b27e2f10b10c7dd7a3812cb35bfaf18ecdb3ecc9728e4d1de5149fbacc |
| SHA512 | c3c57a479b4f5da94cf2e3d4f4e7344ca64847a6467a5885c0658be2ad327634ac239f0e43939b9498e3ebb7cd5329214ad248db5fdffaf69b86241fb4f9ee9c |
C:\Windows\System\GggunFz.exe
| MD5 | a021b34379a51f9942df11538ab91175 |
| SHA1 | 7ff551646a2d70b58a3028ea4c07ecbc495b29f8 |
| SHA256 | 54977d4bdfcd85b2c8c5fd3036a5af69c7b92a14c098630a92b4502834f4e68a |
| SHA512 | cdc03480783b314ab067e0b5a0482b1bc923cfe8dd698b387e5c644f8b59619623a72c44715805decf6bdc87b782e06a14c0d2ebe92c20a6b4758146dbd47856 |
C:\Windows\System\UJEElQv.exe
| MD5 | 497c616158e836b89713dd0b707fba74 |
| SHA1 | 1bdb4f3c1068e542c11c6adc336d7da1c3b26ec5 |
| SHA256 | 4ddc5fe14021c1920aa582b8d4ab6a812e217c9f8c93fe8a32b666388fa487bf |
| SHA512 | b417da55d8575f9d8ea815106fcf3c273ec067504fc760819460b3b18d63621e001df7dc652cd1efd05cd89d7a338a7220ef1ddb3d379b939bf1ffa7dd87f648 |
memory/4056-92-0x00007FF688F30000-0x00007FF689284000-memory.dmp
memory/4952-99-0x00007FF7C2E60000-0x00007FF7C31B4000-memory.dmp
memory/384-105-0x00007FF63AF80000-0x00007FF63B2D4000-memory.dmp
C:\Windows\System\IUiiCEZ.exe
| MD5 | 3a0fcf7abcd811869ba54e2eeae8e661 |
| SHA1 | d2f1b1e226760623ee9ee9272896dfa89f768c37 |
| SHA256 | 3ff525748e5cab554777d2250112cf718a33bdbea038986b871c93744796e18d |
| SHA512 | e05c756dd5c742f1d993f1cd018653c30f2f7d1228429f9a234ed3bd668404b58b025bc73e7ff4ca5c5a1897bb7f4e30072b8fd87b0f66d599be0e31fee1c43c |
memory/1616-126-0x00007FF66DA60000-0x00007FF66DDB4000-memory.dmp
memory/536-127-0x00007FF759580000-0x00007FF7598D4000-memory.dmp
memory/3520-125-0x00007FF7649A0000-0x00007FF764CF4000-memory.dmp
C:\Windows\System\qAPwcha.exe
| MD5 | 21a2f42f2102356e0613d861ee8b846c |
| SHA1 | 3fa69d83c8290588a429b7910d17150c43f97fa4 |
| SHA256 | 209c73d852e93aa951fe153e65ddb952350730691f11354d5fc44044cd28561f |
| SHA512 | 4526e7442249cc6cc4239dd0d444c547c4b61d5e4ac5720fd452ee9054b3d2dbf923b2d92a23706a12c1059d08495c352ce1c82b83adae8fdac7b9b9c5774a70 |
memory/4372-122-0x00007FF7ACCE0000-0x00007FF7AD034000-memory.dmp
memory/1932-119-0x00007FF72A380000-0x00007FF72A6D4000-memory.dmp
C:\Windows\System\TGQaqPt.exe
| MD5 | e3657e1286f4a3851b5252fa73a43cbd |
| SHA1 | b75895d49654588099091cac2ffaa1632efdee94 |
| SHA256 | af93a5ccbeac9a170d21cea643c1f6e8488943adbe9da90c7ea96e955d75a90a |
| SHA512 | d7ad3ecc5b9335dd7d9b3d07a041c404f25ab296c314ca9511a6c3805686c37bd039ce0e23441602e6696b3b8f110629c8d030915b406a09e6b65bb0f0adcbdc |
memory/908-115-0x00007FF73BFB0000-0x00007FF73C304000-memory.dmp
memory/4048-112-0x00007FF7C0F10000-0x00007FF7C1264000-memory.dmp
memory/3472-111-0x00007FF6ED740000-0x00007FF6EDA94000-memory.dmp
memory/1356-104-0x00007FF6BAF50000-0x00007FF6BB2A4000-memory.dmp
memory/1408-103-0x00007FF64E910000-0x00007FF64EC64000-memory.dmp
C:\Windows\System\ftCTltS.exe
| MD5 | aed2a8c59e1998d8453d2bd43e4e75c5 |
| SHA1 | 9d58110c282347679498bacd8474c032028aa287 |
| SHA256 | 81e675f98140b2d825b3776e529b6f1202066b6f3e6c28d67854757ce4d0df2a |
| SHA512 | 291604507bf230b2a8125b9036b322c1dc86a6f477edb11ef3c6dba664630c2bf093d5454967f43b595a3c9b1f2dd5cd2997a8585241e3177c08a90139eaf88f |
memory/2068-100-0x00007FF74AE70000-0x00007FF74B1C4000-memory.dmp
memory/3716-95-0x00007FF6CDD40000-0x00007FF6CE094000-memory.dmp
C:\Windows\System\IxfwwjP.exe
| MD5 | da1faf2d4fb90103484038eb8a54b30d |
| SHA1 | 68e2d77c27692992ee36f75dc0db6588b11db4ab |
| SHA256 | 62559116b0b573d9053b529b90944074e24a74a10601e882e77caf7bbaa824d4 |
| SHA512 | eea6dc11866993d6e37109df25ad54d76669e0bc55e076afd5fe57ae8ebac6d5d18927f5b6e4b17f45122a05368b78e230946dd41479f43e64fa8ccab35a81e5 |
C:\Windows\System\UpwIjay.exe
| MD5 | 21b56a0f91017896a951f411ec76373a |
| SHA1 | a5e25c3cb7ecf8518479d171d5f50eb8b1d91330 |
| SHA256 | 97d86fd71e76be2dd8a3451b077d3a24a63b202d0a9999bdf6d317a47fc73d09 |
| SHA512 | 581e2c77d06fb640e6e2ee7a299d29ec3f91692fec59d2cf8072b047cd3240dac41d9d3c91c656ee5a503b26952b658a91efe6972ded0ecd6ca901654e3c8ed9 |
C:\Windows\System\LFwzXcM.exe
| MD5 | 2f5991a1a816ccffc85ccb1aa04b6e3a |
| SHA1 | f6e50b7273125131a3a2458027156512d7344d9e |
| SHA256 | da6ce075fadd70604bbd83da12d63593e850d010578da7b5e70ff0fb353fd1a5 |
| SHA512 | 28ee9d102d9529191c373f646506c5c191dc971bfb3c056284a4430f5c86695debb4bb8dddbd16071c928d0a5df98b3d02d84bd767a88ab3c9b105939810c42a |
C:\Windows\System\KTXWrkb.exe
| MD5 | 4f8ded73c5da2310fc886231c59d86fb |
| SHA1 | 6e46bed317fc556206a1fd1e392ff981a0a736cc |
| SHA256 | 10f369ee28f82f4c22864a8d3a440ae50e6992c457604f93ee5bd3a9398ab064 |
| SHA512 | f630384bd07e9b83d399cd17f73dd5049812ce6d05803e89bdcaf44b5002e7822cdacd76f38f38a91cd05ec209af6527257f7fdda262538851d8e707be4ddd8c |
C:\Windows\System\XLheihT.exe
| MD5 | 962c11ddcb905f2904a6247385907e76 |
| SHA1 | b88f3dbf7fef1fb4d097aaf44acb2e02b7d2db50 |
| SHA256 | 6b7429c1c111f25673a3c2659f142c2c6a59d3ad7d7f0730bc4217c60b7b5e1d |
| SHA512 | cf1241ed2f21937cd117c16ffbe2c693abc4a54ea32eb3007d7af69c510da24a4bd7903784319c582acf1d611ebe127dbaa61e05d8e7ead8ac945fc1d46bb08d |
memory/2340-38-0x00007FF6FF910000-0x00007FF6FFC64000-memory.dmp
memory/1056-128-0x00007FF64DE10000-0x00007FF64E164000-memory.dmp
memory/1392-129-0x00007FF615830000-0x00007FF615B84000-memory.dmp
memory/4608-130-0x00007FF7AA080000-0x00007FF7AA3D4000-memory.dmp
memory/3016-131-0x00007FF690400000-0x00007FF690754000-memory.dmp
memory/4800-132-0x00007FF7BB850000-0x00007FF7BBBA4000-memory.dmp
memory/1392-133-0x00007FF615830000-0x00007FF615B84000-memory.dmp
memory/4608-134-0x00007FF7AA080000-0x00007FF7AA3D4000-memory.dmp
memory/3016-135-0x00007FF690400000-0x00007FF690754000-memory.dmp
memory/2340-137-0x00007FF6FF910000-0x00007FF6FFC64000-memory.dmp
memory/4800-136-0x00007FF7BB850000-0x00007FF7BBBA4000-memory.dmp
memory/3716-139-0x00007FF6CDD40000-0x00007FF6CE094000-memory.dmp
memory/4056-141-0x00007FF688F30000-0x00007FF689284000-memory.dmp
memory/4952-140-0x00007FF7C2E60000-0x00007FF7C31B4000-memory.dmp
memory/1728-138-0x00007FF6D8BD0000-0x00007FF6D8F24000-memory.dmp
memory/2068-142-0x00007FF74AE70000-0x00007FF74B1C4000-memory.dmp
memory/1356-145-0x00007FF6BAF50000-0x00007FF6BB2A4000-memory.dmp
memory/4048-147-0x00007FF7C0F10000-0x00007FF7C1264000-memory.dmp
memory/908-148-0x00007FF73BFB0000-0x00007FF73C304000-memory.dmp
memory/1408-146-0x00007FF64E910000-0x00007FF64EC64000-memory.dmp
memory/384-144-0x00007FF63AF80000-0x00007FF63B2D4000-memory.dmp
memory/3472-143-0x00007FF6ED740000-0x00007FF6EDA94000-memory.dmp
memory/1932-149-0x00007FF72A380000-0x00007FF72A6D4000-memory.dmp
memory/3520-152-0x00007FF7649A0000-0x00007FF764CF4000-memory.dmp
memory/4372-153-0x00007FF7ACCE0000-0x00007FF7AD034000-memory.dmp
memory/536-151-0x00007FF759580000-0x00007FF7598D4000-memory.dmp
memory/1616-150-0x00007FF66DA60000-0x00007FF66DDB4000-memory.dmp
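Each memory/ entry above encodes a PID, a dump sequence number and a virtual address range. Subtracting the bounds shows that every one of the 22 PIDs (the sample plus the 21 dropped executables) has a 0x354000-byte region at a 0x00007FF6...-style base, the shape of a 64-bit PE image mapped under ASLR, while the single 0x10000 region in PID 1056 is a small separate allocation. The dropped files' hashes differ, so they are not byte-identical, but they all map an image of the same size. The following added example, not part of the sandbox report, parses a subset of the dump names copied from the list above and groups the regions by size so that shared image size stands out; the embedded subset is what it operates on, not the full list.

```python
import re
from collections import defaultdict

# Subset of the memory dump names copied verbatim from the Files list in the
# report; the full list has one 0x354000 region for each of 22 PIDs.
DUMPS = [
    "memory/1056-0-0x00007FF64DE10000-0x00007FF64E164000-memory.dmp",
    "memory/1056-1-0x000001F914140000-0x000001F914150000-memory.dmp",
    "memory/1392-9-0x00007FF615830000-0x00007FF615B84000-memory.dmp",
    "memory/4608-14-0x00007FF7AA080000-0x00007FF7AA3D4000-memory.dmp",
    "memory/3016-18-0x00007FF690400000-0x00007FF690754000-memory.dmp",
    "memory/1056-128-0x00007FF64DE10000-0x00007FF64E164000-memory.dmp",
    "memory/1392-129-0x00007FF615830000-0x00007FF615B84000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Decode one dump name into pid, sequence number, base address and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(pid), "seq": int(seq), "base": start, "size": end - start}


def regions_by_size(names):
    """Map region size -> set of PIDs with a dumped region of that size.

    The same region is often dumped more than once (e.g. 1056-0 and 1056-128
    cover identical bounds), so PIDs are collected in a set and counted once.
    """
    out = defaultdict(set)
    for name in names:
        r = parse_dump(name)
        out[r["size"]].add(r["pid"])
    return dict(out)


def shared_image_size(names):
    """Return the region size present in the largest number of processes."""
    sizes = regions_by_size(names)
    return max(sizes, key=lambda s: len(sizes[s]))


if __name__ == "__main__":
    for size, pids in sorted(regions_by_size(DUMPS).items(), reverse=True):
        print(f"0x{size:X} ({size} bytes): {len(pids)} process(es) -> {sorted(pids)}")
    print(f"shared image size: 0x{shared_image_size(DUMPS):X}")
```

When you pull the dumps themselves, the 0x354000 regions are the ones to compare: a region dumped at the same sequence number before and after unpacking is what the "UPX dump on OEP" signature in the summary refers to, and it is the dump of that region, not the on-disk file, that the reflective-loader and miner signatures would be expected to match.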