Analysis Overview
SHA256
40510a75a9cb01b2cf72a4ec4bc437dc455f7fa67fb534cc011975241840e02e
Threat Level: Known bad
The file 2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 12:08
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 12:08
Reported
2024-06-01 12:11
Platform
win7-20240215-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| (21 matches, details not populated) | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| (21 matches, details not populated) | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| (60 matches, details not populated) | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| (63 matches, details not populated) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qKMhHjP.exe | N/A |
| N/A | N/A | C:\Windows\System\avxWIFS.exe | N/A |
| N/A | N/A | C:\Windows\System\idFLJlY.exe | N/A |
| N/A | N/A | C:\Windows\System\itvHcOO.exe | N/A |
| N/A | N/A | C:\Windows\System\rkPWgyN.exe | N/A |
| N/A | N/A | C:\Windows\System\JLsKKnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PCeFmvM.exe | N/A |
| N/A | N/A | C:\Windows\System\UyqApMd.exe | N/A |
| N/A | N/A | C:\Windows\System\XMxEEvT.exe | N/A |
| N/A | N/A | C:\Windows\System\bjNoXBQ.exe | N/A |
| N/A | N/A | C:\Windows\System\DelGpqv.exe | N/A |
| N/A | N/A | C:\Windows\System\HTdPfks.exe | N/A |
| N/A | N/A | C:\Windows\System\pUcciAt.exe | N/A |
| N/A | N/A | C:\Windows\System\xNsNXUX.exe | N/A |
| N/A | N/A | C:\Windows\System\AizYGnN.exe | N/A |
| N/A | N/A | C:\Windows\System\gZsRrqd.exe | N/A |
| N/A | N/A | C:\Windows\System\wGUNhqK.exe | N/A |
| N/A | N/A | C:\Windows\System\OEvGSKS.exe | N/A |
| N/A | N/A | C:\Windows\System\KlveNKr.exe | N/A |
| N/A | N/A | C:\Windows\System\zGIfmDV.exe | N/A |
| N/A | N/A | C:\Windows\System\MsOPVTE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| (60 matches, details not populated) | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qKMhHjP.exe
C:\Windows\System\qKMhHjP.exe
C:\Windows\System\avxWIFS.exe
C:\Windows\System\avxWIFS.exe
C:\Windows\System\idFLJlY.exe
C:\Windows\System\idFLJlY.exe
C:\Windows\System\itvHcOO.exe
C:\Windows\System\itvHcOO.exe
C:\Windows\System\XMxEEvT.exe
C:\Windows\System\XMxEEvT.exe
C:\Windows\System\rkPWgyN.exe
C:\Windows\System\rkPWgyN.exe
C:\Windows\System\bjNoXBQ.exe
C:\Windows\System\bjNoXBQ.exe
C:\Windows\System\JLsKKnQ.exe
C:\Windows\System\JLsKKnQ.exe
C:\Windows\System\DelGpqv.exe
C:\Windows\System\DelGpqv.exe
C:\Windows\System\PCeFmvM.exe
C:\Windows\System\PCeFmvM.exe
C:\Windows\System\HTdPfks.exe
C:\Windows\System\HTdPfks.exe
C:\Windows\System\UyqApMd.exe
C:\Windows\System\UyqApMd.exe
C:\Windows\System\xNsNXUX.exe
C:\Windows\System\xNsNXUX.exe
C:\Windows\System\pUcciAt.exe
C:\Windows\System\pUcciAt.exe
C:\Windows\System\gZsRrqd.exe
C:\Windows\System\gZsRrqd.exe
C:\Windows\System\AizYGnN.exe
C:\Windows\System\AizYGnN.exe
C:\Windows\System\OEvGSKS.exe
C:\Windows\System\OEvGSKS.exe
C:\Windows\System\wGUNhqK.exe
C:\Windows\System\wGUNhqK.exe
C:\Windows\System\KlveNKr.exe
C:\Windows\System\KlveNKr.exe
C:\Windows\System\zGIfmDV.exe
C:\Windows\System\zGIfmDV.exe
C:\Windows\System\MsOPVTE.exe
C:\Windows\System\MsOPVTE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2740-0-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2740-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\qKMhHjP.exe
| MD5 | 53ab52e941c6b3612e2a22cf1c82182d |
| SHA1 | c2f4596988dac356ebc33c9db8036b5d1cc84f6c |
| SHA256 | d857ed5b6c581560b12d94b17ef61b1591c2841aa16d7d341445c1972a99d444 |
| SHA512 | 801153158fb7a176da56fa1450f04ff106c2466983a18b10eec5df29fd5a7dbe2bc495581b78e5f9c95507a47b66e451a1dbfd3762559202cd413055fbbfcf68 |
memory/2204-9-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2740-7-0x000000013FE80000-0x00000001401D4000-memory.dmp
\Windows\system\avxWIFS.exe
| MD5 | cc0450ccae7c8310a7bd9f47bbc5c07d |
| SHA1 | 964cda55cffed8ca8cec5c27c11eccb8cdcf9c75 |
| SHA256 | 8c56a4836d74624ea418170398fa26b349e120b57250fc6a8b7d473f2daafac1 |
| SHA512 | f3e40fcfec9e06e495711b341ea6ad4501212dc2241225eb41f619d9ce02c1b60c7739858209ba9286e6eab8ae9c870a9d4f8086cc3979c2d4fd947eb6398720 |
\Windows\system\itvHcOO.exe
| MD5 | 63387ccd32b6f59dcaa5edc431faba6e |
| SHA1 | f5c7b3eaf256751ee5d4f172dcb2e4a1330f5733 |
| SHA256 | e4be1179bd6385c6c1594d5dcf0fe374be0b5b05ea11404f75afbb2debbfb64f |
| SHA512 | f49989426052934e49f27f1fa0ba7bb7a105071a6b4b243130c78d647508bdb72b80e3bcb6b402945f505ef208f95446f6db6e55ddb42375115ec723d9f7c481 |
C:\Windows\system\rkPWgyN.exe
| MD5 | 8a80506278bd1b39925a867e157fdeda |
| SHA1 | ecdb4fb8e7060fec68f32f495842464761224629 |
| SHA256 | bad291ef3ed6c5bc820b3a99a283f4504d837f8769e911d23235aa73d30e5fe5 |
| SHA512 | 42cc396d4242130591a8ccd36cdb22733b4ed3f6d347e0ffd282e773b65fca44081ea6255b864ee7d9773d139a876b8a7fe94bcfe10d672ede5a5518a5da67f2 |
memory/2580-52-0x000000013F350000-0x000000013F6A4000-memory.dmp
C:\Windows\system\UyqApMd.exe
| MD5 | 7fa6d198c297044fce74f852d2e957b8 |
| SHA1 | 466c6709c1a5825d7ef96a8803853ec6be962cdc |
| SHA256 | da586be30639819ae285cc84a0d0a9e4ec6994bd11265e66b75bd62f6b2c891d |
| SHA512 | 5c068be094230ae2c4e451f34fdb8d71b879296ec25406236da301b3e59d3c307b82f13cddeb521181ce98e674c4d10dd13a7b30f579eff7353679e498ba6f0e |
memory/2740-68-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2492-70-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2740-69-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2740-67-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2740-66-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2740-64-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2640-93-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\AizYGnN.exe
| MD5 | a4cd4160ac3f10cbce58faa81190b078 |
| SHA1 | 7f228847deb24ebc55f6f8439a50c9b1b52c388d |
| SHA256 | 2732dce179cff590f03331e9dc91dd126d8ada21950a42754cbf06d3e36ed721 |
| SHA512 | 9022e65f01f3d8f8a86f586b3a7f8a9c49da88d70b96dfb57ad8e994e8105b25cff5088082c4848601f321e197ca6c9c62c058725f2745999812c160405a4482 |
memory/2740-48-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2704-85-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\gZsRrqd.exe
| MD5 | ccb4ce8829d785665844ea5251d21a42 |
| SHA1 | e8e66b2efb2063dd9bc29ff64b68b69a10ddf830 |
| SHA256 | 02faccfb060e65cd42d8a6c0fe741ebb91d4afff9026d6eb3e655b649f158c70 |
| SHA512 | bd9d87529d6b6132da92aafa945afa032580491f7ebaf08e1e9f274a4c8edcd101a659d3a901ab91e18905ad4c990b02eefa2cf3e31f6aa86aa6ec0e1ecc919b |
C:\Windows\system\KlveNKr.exe
| MD5 | aa7e2f827422712012dea5b0bdbd12f2 |
| SHA1 | 30186a37cf23f119d425b174106d0524146d11fa |
| SHA256 | b37c83e2c70ce5b282bff46991ef75779d6564d2ee6cf4659dba302dd6611f1c |
| SHA512 | 0889ffc4cbac45932ff8adbdc49b4ce1eeb861610cffef6508b98e9c66f47d91d957b4a95c4cce0eb196304817078d49706e5ceedf6fe4b8e5d8f4876af6383b |
C:\Windows\system\zGIfmDV.exe
| MD5 | 24be2d113308028f4ac9b6ad73ffe203 |
| SHA1 | db0fa63e20605b3efa593950c1176fa1197e0525 |
| SHA256 | 89ee71246ad7f886c30c6640872ec578e762fda753e58a07cb89cc2a1c6da703 |
| SHA512 | 5d73221f905571a37bd72f11aaed7b9d255b70618437c4d52a075ba4a2a5b63c67653a355ee7b84a039fa19f0a454ad03bdbef2945b1a2ac0cea3b2d4dfb824c |
C:\Windows\system\MsOPVTE.exe
| MD5 | ede06f255b77566129fd6aeca6bab77a |
| SHA1 | 0cc177998d9c552b12de60f2d7d0366bb8075e5f |
| SHA256 | e3d90ec284f405c624bb248c7ca487af95eab628bea5c8f83457a24d67869bab |
| SHA512 | 5905cd5840c3831b086f1f3cecbc61257ae104408ac0c0eb617e49e878e2637509618e8d23ed3f7f69a2307a7a138bb30a911ef9a8ce8da292831f1952dea419 |
\Windows\system\OEvGSKS.exe
| MD5 | 1cf58a9f299bf72c6a31e99d35c8f30f |
| SHA1 | e57190e0b0e24368892a211017858756de5aed47 |
| SHA256 | 489084b42f647571c52f33ea6366a690b6c0a1d212b652511dc6522c0d90f8fe |
| SHA512 | 5bf06ba45e77efec2d7a730b408e562f564582ceb6ae6ce021db72a00c78dbfa01e34183cb6c670f4ec6cf807a05919bcabb615ca81609fad508053a8eaa0db7 |
C:\Windows\system\xNsNXUX.exe
| MD5 | 69dbaedcbf6f3e5a6a6a61e1b01216e1 |
| SHA1 | b09030e4846b39a259e780eab29f15dfe44ff2b4 |
| SHA256 | 5efd6302eb45d01da4e6e9c921d2e1526d982560fbe5cc0e0331a21aa1a81b5d |
| SHA512 | c9d01400ecfcf9864641c57afac1a412d976bbfe77571ecdf0118506db34c29ffe6fb8523d0cb34bf98a1cf41d12fe845fcb4de1aaa925625fecd6ab579f9e94 |
memory/2740-98-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2940-97-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2736-96-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\wGUNhqK.exe
| MD5 | 4fe09193f9134427c8b9f7478621e1ce |
| SHA1 | 7999afa6dabea86f401a6b0eac3607997e5cc939 |
| SHA256 | e34803ee24f6155295113ed8bad1540b119253be4df75b4495d0ff5016272f7b |
| SHA512 | b94eb1055316deeeb69d67dbccee25eae50e68558e2ccd1346062b4e981de9163e2fe88ae9fbb438a890fa784420d2af308ccd3f2fc4c48a46963f053515d510 |
memory/2764-84-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\HTdPfks.exe
| MD5 | 11c2c931972dac404ccd369a1a202ec9 |
| SHA1 | 82d6770fb9142019314d7739c0acfc7fe8f3ef74 |
| SHA256 | 040bc3e0d3886a9991c4b01c30c5b350073bbf6d3c10276089ca5401be54def3 |
| SHA512 | fdde9241f51cd54d6bf74a4f7e118c4da7a6044366a00dead6b85884efe7b39b9682f12201c818bdfbc4e05a08a67c541fc9e602bf44ab1bd71ce8309c4f3216 |
C:\Windows\system\DelGpqv.exe
| MD5 | cb2799ef36242b20728130a860c895e9 |
| SHA1 | 5220d6148e523d122d3b6f397f6b147812848ca9 |
| SHA256 | 68be2423a4d28addc077222166bc5b63ba545e4b0875866c9ef79962e4976128 |
| SHA512 | b3ae97ed2cccc8ff568968a178df93cab880ba0295a6eb3dd7c13f72fa98455e3d3a3cd4b366a22c6c602a2fe6a3b66af23d71f86eddb8b5c451aa5f8b2e7a4a |
memory/2728-80-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2740-79-0x000000013F6F0000-0x000000013FA44000-memory.dmp
C:\Windows\system\bjNoXBQ.exe
| MD5 | 2b2c6147ec409fd4bf057c1fda624d1b |
| SHA1 | be4ef1a15828f4bbfa45ec970d9f7d74fd53716f |
| SHA256 | 7f1339971a4fed9c7d1a9a8cda21361b8f096aa8cfb89e76d69969679dbc6020 |
| SHA512 | d2f2443d756b187f0eff2ec972271ebddf7c456530766aa2b2be4a86cd99b1437d6a59d54338d25bcf9bc23903ff1a7033f1913c38ec7150055918c5c1121f7a |
memory/2700-75-0x000000013F1E0000-0x000000013F534000-memory.dmp
C:\Windows\system\XMxEEvT.exe
| MD5 | d4d921857da6fa0c5a256e01e4919f43 |
| SHA1 | fa5de811c4b8173a4ba379b1c072771c28743d78 |
| SHA256 | 5519ea79bcec4e7f4d3eef4d7ef68e07920c9022726a26a0f992c6fe2947592c |
| SHA512 | e1514c0a31d21768ec6fc32cc5c2e36611f12a223a5d21f00ed36898ecf4647a4827deb6aa176ae32929d67970b7aaaddd3bc3151707473b9a0322288487bb5f |
memory/2740-72-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2720-56-0x000000013F170000-0x000000013F4C4000-memory.dmp
C:\Windows\system\PCeFmvM.exe
| MD5 | b3cea6430c73846eaaed6567bc7ec7a9 |
| SHA1 | 722bac165f77f93f5c8d38916ef3d21aa7887907 |
| SHA256 | da46dfd2a67a7f8918492a1f14dbd70197958844d170d3df841f1c451a2a854e |
| SHA512 | 2c474fe501f10deb00b2f43abb7a11ebac69497fc31f6846a903977ecaf953e1c5405ab99e6b57766185b1e618d318ffaf4c27b5aab3c95d0cfb768f4289b85d |
memory/2168-108-0x000000013FD90000-0x00000001400E4000-memory.dmp
C:\Windows\system\JLsKKnQ.exe
| MD5 | 2586085d410e4fc3ad6501de89792f70 |
| SHA1 | 8a25250bd2a0d18f1d2a883c936bfb76bcee11a9 |
| SHA256 | 3299a983347e005061cd3a54bdda7d81d82386168e4f8b3ba420c1d07873e90f |
| SHA512 | 3888fbfb487447c9c07729ea75c3ef749ee2aa0ce2eace4b4f3ebe51e715e88a4850ddfad68a17cac7bffedff48b0bc1d2c1e67a18b2dcbd7a261e72e6782242 |
memory/2736-27-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\idFLJlY.exe
| MD5 | f010df9c2dbe8aebf4d0baa051ba3681 |
| SHA1 | 5d3e1a405b8eb6798ea8ba5585db4339d10a83a6 |
| SHA256 | 246225456fff73e373b5ad92beb8e5775a9c493e910e55adec7db1648fe1ba07 |
| SHA512 | feba6348948ac1beb8c6db3024eb7456a9a9faacb6d0cd115722dce77afa1862d6d6b8cbef283a5ee033e169afe61784ea45d512b80f07d5de1bb0c7d1e486a8 |
memory/2624-106-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2740-92-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\pUcciAt.exe
| MD5 | b5667948f7075a92d855e4ac2aeac966 |
| SHA1 | 0a376c895dc19c2b4def34778405263fade9810d |
| SHA256 | fceb7ddc1644baca58ce70d3a85b02026c8b927230cab26d72c482e39ace7e2a |
| SHA512 | 8cb54c4276c22171df6a571cc72db63c807f8411393d6f22c664d369d9ce48e706677006f642f21bcdad7505f5190950363d33f6807792b4a28f35936d73c2b2 |
memory/2624-61-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2648-43-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2740-35-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2740-33-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2940-31-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2492-137-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2700-138-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2728-139-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2704-141-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2764-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2740-142-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2740-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2168-144-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2204-145-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2736-147-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2648-146-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2940-148-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2580-149-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2720-150-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2624-151-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2492-152-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2700-153-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2704-154-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2640-155-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2764-156-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2728-157-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2168-158-0x000000013FD90000-0x00000001400E4000-memory.dmp
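The memory dump names above encode the PID, a dump sequence number and the dumped address range. Read that way, they carry more than the per-file hashes do: every dumped image region in this run is exactly 0x354000 bytes (the win10 run's 0x00007FF6... regions are the same size), spread over 21 dropped executables that all carry different hashes, and the parent PID 2740 is dumped at the same address ranges as several of its children (for example 0x13FE80000 with PID 2204 and 0x13F350000 with PID 2580). The following added example, which is not part of this report or the sandbox's tooling, parses a constructed subset of these lines to pull those facts out automatically: a size histogram of dumped regions, the PIDs that map a region of a given size, ranges shared between PIDs, and a SHA256 blocklist. Only the line formats shown on this page are assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the "Files" lines above, in the format the
# report uses (memory dump names, dropped-file paths, hash rows).
FILES_SECTION = r"""
memory/2740-0-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2740-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\qKMhHjP.exe
| MD5 | 53ab52e941c6b3612e2a22cf1c82182d |
| SHA1 | c2f4596988dac356ebc33c9db8036b5d1cc84f6c |
| SHA256 | d857ed5b6c581560b12d94b17ef61b1591c2841aa16d7d341445c1972a99d444 |
memory/2204-9-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2740-7-0x000000013FE80000-0x00000001401D4000-memory.dmp
\Windows\system\avxWIFS.exe
| MD5 | cc0450ccae7c8310a7bd9f47bbc5c07d |
| SHA256 | 8c56a4836d74624ea418170398fa26b349e120b57250fc6a8b7d473f2daafac1 |
C:\Windows\system\rkPWgyN.exe
| SHA256 | bad291ef3ed6c5bc820b3a99a283f4504d837f8769e911d23235aa73d30e5fe5 |
memory/2580-52-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2740-68-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2740-48-0x000000013F350000-0x000000013F6A4000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMORY_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
# Dropped-file header line, with or without a drive letter.
FILE_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.exe$", re.IGNORECASE)
# "| SHA256 | <hex> |" rows that follow a file header.
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files_section(text):
    """Return (regions, files): dumped regions with sizes, and per-file hash dicts."""
    regions, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMORY_RE.match(line)
        if m:
            pid, seq = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": pid, "seq": seq, "start": start,
                            "end": end, "size": end - start})
            current = None  # a dump line ends any preceding hash table
            continue
        if FILE_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][h[1]] = h[2].lower()
    return regions, files


def size_histogram(regions):
    """How many dumped regions exist of each size in bytes."""
    return Counter(r["size"] for r in regions)


def pids_mapping(regions, size):
    """PIDs holding at least one dumped region of exactly this size."""
    return sorted({r["pid"] for r in regions if r["size"] == size})


def ranges_shared_across_pids(regions):
    """Address ranges that were dumped from more than one PID."""
    holders = defaultdict(set)
    for r in regions:
        holders[(r["start"], r["end"])].add(r["pid"])
    return {rng: sorted(pids) for rng, pids in holders.items() if len(pids) > 1}


def sha256_blocklist(files):
    """Sorted, de-duplicated SHA256 values of every dropped file that has one."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


if __name__ == "__main__":
    regions, files = parse_files_section(FILES_SECTION)
    for size, n in size_histogram(regions).most_common():
        print(f"{n:3d} regions of 0x{size:X} bytes in PIDs {pids_mapping(regions, size)}")
    for (start, end), pids in ranges_shared_across_pids(regions).items():
        print(f"0x{start:X}-0x{end:X} dumped from PIDs {pids}")
    print("\n".join(sha256_blocklist(files)))
```

The practical point is which pivots survive the dropper's variation. The 21 dropped files have 21 different hashes, so a per-hash blocklist built from this report will not match the next run of the same dropper; a fixed 0x354000-byte image written under a random 7-letter name into C:\Windows\System\ is a much more stable indicator. The parent appearing at the same address ranges as its children is consistent with the WriteProcessMemory signature above, but the report contains no API trace, so treat that as a lead rather than a conclusion.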
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 12:08
Reported
2024-06-01 12:11
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| (21 matches, details not populated) | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| (21 matches, details not populated) | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| (64 matches, details not populated) | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| (64 matches, details not populated) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qKMhHjP.exe | N/A |
| N/A | N/A | C:\Windows\System\avxWIFS.exe | N/A |
| N/A | N/A | C:\Windows\System\idFLJlY.exe | N/A |
| N/A | N/A | C:\Windows\System\itvHcOO.exe | N/A |
| N/A | N/A | C:\Windows\System\XMxEEvT.exe | N/A |
| N/A | N/A | C:\Windows\System\bjNoXBQ.exe | N/A |
| N/A | N/A | C:\Windows\System\rkPWgyN.exe | N/A |
| N/A | N/A | C:\Windows\System\JLsKKnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\DelGpqv.exe | N/A |
| N/A | N/A | C:\Windows\System\PCeFmvM.exe | N/A |
| N/A | N/A | C:\Windows\System\HTdPfks.exe | N/A |
| N/A | N/A | C:\Windows\System\UyqApMd.exe | N/A |
| N/A | N/A | C:\Windows\System\xNsNXUX.exe | N/A |
| N/A | N/A | C:\Windows\System\pUcciAt.exe | N/A |
| N/A | N/A | C:\Windows\System\gZsRrqd.exe | N/A |
| N/A | N/A | C:\Windows\System\AizYGnN.exe | N/A |
| N/A | N/A | C:\Windows\System\OEvGSKS.exe | N/A |
| N/A | N/A | C:\Windows\System\wGUNhqK.exe | N/A |
| N/A | N/A | C:\Windows\System\zGIfmDV.exe | N/A |
| N/A | N/A | C:\Windows\System\MsOPVTE.exe | N/A |
| N/A | N/A | C:\Windows\System\KlveNKr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| (64 matches, details not populated) | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe | N/A |
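In both detonations (behavioral1 and behavioral2) the only privilege the sample enables is SeLockMemoryPrivilege. That is the user right a process needs to allocate large pages, and XMRig enables it so its RandomX dataset can be backed by large pages, which lines up with the "XMRig Miner payload" hits; it is not a right an ordinary user-land program from %TEMP% should be turning on. The following added example, which is not part of this report or the sandbox's tooling, shows one way to turn that observation into a host detection: it evaluates Windows Security event 4703 ("A user right was adjusted") records and alerts when SeLockMemoryPrivilege is enabled by an image outside an allowlist, escalating when the image runs from a user-writable or otherwise unexpected path. The records are constructed (field names follow the 4703 EventData layout), and the allowlist and path prefixes are illustrative assumptions to be tuned per estate.

```python
# Constructed sample records modelled on the EventData fields of Windows Security
# event 4703 ("A user right was adjusted"). They are made up for this example; the
# first mirrors the process path in this report, the others are benign noise.
SAMPLE_EVENTS = [
    {
        "EventID": 4703,
        "SubjectUserName": "Admin",
        "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe",
        "EnabledPrivilegeList": "SeLockMemoryPrivilege",
        "DisabledPrivilegeList": "-",
    },
    {
        "EventID": 4703,
        "SubjectUserName": "MSSQLSERVER",
        "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
        "EnabledPrivilegeList": "SeLockMemoryPrivilege",
        "DisabledPrivilegeList": "-",
    },
    {
        "EventID": 4703,
        "SubjectUserName": "Admin",
        "ProcessName": r"C:\Windows\System32\svchost.exe",
        # Windows separates several privileges with CRLF plus tabs.
        "EnabledPrivilegeList": "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege",
        "DisabledPrivilegeList": "-",
    },
    {
        "EventID": 4703,
        "SubjectUserName": "Admin",
        "ProcessName": r"C:\Windows\System\qKMhHjP.exe",
        "EnabledPrivilegeList": "-",
        "DisabledPrivilegeList": "SeLockMemoryPrivilege",
    },
]

# Privileges worth alerting on when an unexpected image enables them.
WATCHED_PRIVILEGES = {"SeLockMemoryPrivilege"}

# Illustrative allowlist (assumption): images that legitimately enable large pages.
# Matched on the full lower-cased path; in production also verify the signer.
ALLOWED_IMAGES = {
    r"c:\program files\microsoft sql server\mssql16.mssqlserver\mssql\binn\sqlservr.exe",
}

# Locations from which no process should be enabling SeLockMemoryPrivilege.
# C:\Windows\System\ (not System32) is the drop directory used in this report.
HIGH_RISK_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\windows\\system\\")


def privileges(field):
    """Split a 4703 privilege-list field into a set; '-' means none."""
    field = field.strip()
    return set() if field == "-" else set(field.split())


def assess(event, allowed=ALLOWED_IMAGES):
    """Return an alert dict for a suspicious 4703 event, or None."""
    if event.get("EventID") != 4703:
        return None
    hit = privileges(event.get("EnabledPrivilegeList", "-")) & WATCHED_PRIVILEGES
    if not hit:
        return None  # nothing watched was enabled; disabling is not interesting here
    image = event["ProcessName"].lower()
    if image in allowed:
        return None
    severity = "high" if image.startswith(HIGH_RISK_PREFIXES) else "medium"
    return {
        "user": event.get("SubjectUserName"),
        "process": event["ProcessName"],
        "privileges": sorted(hit),
        "severity": severity,
    }


def detect(events):
    """Run assess() over a batch of events and keep the alerts."""
    return [alert for alert in (assess(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Event 4703 is only written when "Audit Token Right Adjusted" (Advanced Audit Policy, Policy Change) is enabled, so check that first; without it the AdjustTokenPrivileges call this signature describes leaves no security-log record at all. A path allowlist is deliberately weak on its own, which is why the example keeps the watched set small and escalates on location rather than trying to enumerate every legitimate large-page user.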
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9f5d5d9ab3e16962b42af5ffccce4d7d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qKMhHjP.exe
C:\Windows\System\qKMhHjP.exe
C:\Windows\System\avxWIFS.exe
C:\Windows\System\avxWIFS.exe
C:\Windows\System\idFLJlY.exe
C:\Windows\System\idFLJlY.exe
C:\Windows\System\itvHcOO.exe
C:\Windows\System\itvHcOO.exe
C:\Windows\System\XMxEEvT.exe
C:\Windows\System\XMxEEvT.exe
C:\Windows\System\rkPWgyN.exe
C:\Windows\System\rkPWgyN.exe
C:\Windows\System\bjNoXBQ.exe
C:\Windows\System\bjNoXBQ.exe
C:\Windows\System\JLsKKnQ.exe
C:\Windows\System\JLsKKnQ.exe
C:\Windows\System\DelGpqv.exe
C:\Windows\System\DelGpqv.exe
C:\Windows\System\PCeFmvM.exe
C:\Windows\System\PCeFmvM.exe
C:\Windows\System\HTdPfks.exe
C:\Windows\System\HTdPfks.exe
C:\Windows\System\UyqApMd.exe
C:\Windows\System\UyqApMd.exe
C:\Windows\System\xNsNXUX.exe
C:\Windows\System\xNsNXUX.exe
C:\Windows\System\pUcciAt.exe
C:\Windows\System\pUcciAt.exe
C:\Windows\System\gZsRrqd.exe
C:\Windows\System\gZsRrqd.exe
C:\Windows\System\AizYGnN.exe
C:\Windows\System\AizYGnN.exe
C:\Windows\System\OEvGSKS.exe
C:\Windows\System\OEvGSKS.exe
C:\Windows\System\wGUNhqK.exe
C:\Windows\System\wGUNhqK.exe
C:\Windows\System\KlveNKr.exe
C:\Windows\System\KlveNKr.exe
C:\Windows\System\zGIfmDV.exe
C:\Windows\System\zGIfmDV.exe
C:\Windows\System\MsOPVTE.exe
C:\Windows\System\MsOPVTE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 108.116.69.13.in-addr.arpa | udp |
Files
memory/644-0-0x00007FF663C70000-0x00007FF663FC4000-memory.dmp
memory/644-1-0x000001F9E14C0000-0x000001F9E14D0000-memory.dmp
C:\Windows\System\qKMhHjP.exe
| MD5 | 53ab52e941c6b3612e2a22cf1c82182d |
| SHA1 | c2f4596988dac356ebc33c9db8036b5d1cc84f6c |
| SHA256 | d857ed5b6c581560b12d94b17ef61b1591c2841aa16d7d341445c1972a99d444 |
| SHA512 | 801153158fb7a176da56fa1450f04ff106c2466983a18b10eec5df29fd5a7dbe2bc495581b78e5f9c95507a47b66e451a1dbfd3762559202cd413055fbbfcf68 |
memory/1572-8-0x00007FF748160000-0x00007FF7484B4000-memory.dmp
C:\Windows\System\avxWIFS.exe
| MD5 | cc0450ccae7c8310a7bd9f47bbc5c07d |
| SHA1 | 964cda55cffed8ca8cec5c27c11eccb8cdcf9c75 |
| SHA256 | 8c56a4836d74624ea418170398fa26b349e120b57250fc6a8b7d473f2daafac1 |
| SHA512 | f3e40fcfec9e06e495711b341ea6ad4501212dc2241225eb41f619d9ce02c1b60c7739858209ba9286e6eab8ae9c870a9d4f8086cc3979c2d4fd947eb6398720 |
C:\Windows\System\idFLJlY.exe
| MD5 | f010df9c2dbe8aebf4d0baa051ba3681 |
| SHA1 | 5d3e1a405b8eb6798ea8ba5585db4339d10a83a6 |
| SHA256 | 246225456fff73e373b5ad92beb8e5775a9c493e910e55adec7db1648fe1ba07 |
| SHA512 | feba6348948ac1beb8c6db3024eb7456a9a9faacb6d0cd115722dce77afa1862d6d6b8cbef283a5ee033e169afe61784ea45d512b80f07d5de1bb0c7d1e486a8 |
C:\Windows\System\itvHcOO.exe
| MD5 | 63387ccd32b6f59dcaa5edc431faba6e |
| SHA1 | f5c7b3eaf256751ee5d4f172dcb2e4a1330f5733 |
| SHA256 | e4be1179bd6385c6c1594d5dcf0fe374be0b5b05ea11404f75afbb2debbfb64f |
| SHA512 | f49989426052934e49f27f1fa0ba7bb7a105071a6b4b243130c78d647508bdb72b80e3bcb6b402945f505ef208f95446f6db6e55ddb42375115ec723d9f7c481 |
C:\Windows\System\XMxEEvT.exe
| MD5 | d4d921857da6fa0c5a256e01e4919f43 |
| SHA1 | fa5de811c4b8173a4ba379b1c072771c28743d78 |
| SHA256 | 5519ea79bcec4e7f4d3eef4d7ef68e07920c9022726a26a0f992c6fe2947592c |
| SHA512 | e1514c0a31d21768ec6fc32cc5c2e36611f12a223a5d21f00ed36898ecf4647a4827deb6aa176ae32929d67970b7aaaddd3bc3151707473b9a0322288487bb5f |
C:\Windows\System\bjNoXBQ.exe
| MD5 | 2b2c6147ec409fd4bf057c1fda624d1b |
| SHA1 | be4ef1a15828f4bbfa45ec970d9f7d74fd53716f |
| SHA256 | 7f1339971a4fed9c7d1a9a8cda21361b8f096aa8cfb89e76d69969679dbc6020 |
| SHA512 | d2f2443d756b187f0eff2ec972271ebddf7c456530766aa2b2be4a86cd99b1437d6a59d54338d25bcf9bc23903ff1a7033f1913c38ec7150055918c5c1121f7a |
C:\Windows\System\DelGpqv.exe
| MD5 | cb2799ef36242b20728130a860c895e9 |
| SHA1 | 5220d6148e523d122d3b6f397f6b147812848ca9 |
| SHA256 | 68be2423a4d28addc077222166bc5b63ba545e4b0875866c9ef79962e4976128 |
| SHA512 | b3ae97ed2cccc8ff568968a178df93cab880ba0295a6eb3dd7c13f72fa98455e3d3a3cd4b366a22c6c602a2fe6a3b66af23d71f86eddb8b5c451aa5f8b2e7a4a |
memory/4952-54-0x00007FF73F160000-0x00007FF73F4B4000-memory.dmp
C:\Windows\System\rkPWgyN.exe
| MD5 | 8a80506278bd1b39925a867e157fdeda |
| SHA1 | ecdb4fb8e7060fec68f32f495842464761224629 |
| SHA256 | bad291ef3ed6c5bc820b3a99a283f4504d837f8769e911d23235aa73d30e5fe5 |
| SHA512 | 42cc396d4242130591a8ccd36cdb22733b4ed3f6d347e0ffd282e773b65fca44081ea6255b864ee7d9773d139a876b8a7fe94bcfe10d672ede5a5518a5da67f2 |
C:\Windows\System\JLsKKnQ.exe
| MD5 | 2586085d410e4fc3ad6501de89792f70 |
| SHA1 | 8a25250bd2a0d18f1d2a883c936bfb76bcee11a9 |
| SHA256 | 3299a983347e005061cd3a54bdda7d81d82386168e4f8b3ba420c1d07873e90f |
| SHA512 | 3888fbfb487447c9c07729ea75c3ef749ee2aa0ce2eace4b4f3ebe51e715e88a4850ddfad68a17cac7bffedff48b0bc1d2c1e67a18b2dcbd7a261e72e6782242 |
memory/2332-49-0x00007FF6826B0000-0x00007FF682A04000-memory.dmp
memory/992-47-0x00007FF6C99F0000-0x00007FF6C9D44000-memory.dmp
memory/2920-41-0x00007FF7BFCB0000-0x00007FF7C0004000-memory.dmp
memory/3240-33-0x00007FF651BA0000-0x00007FF651EF4000-memory.dmp
memory/2408-27-0x00007FF7FB700000-0x00007FF7FBA54000-memory.dmp
memory/3528-19-0x00007FF7932F0000-0x00007FF793644000-memory.dmp
C:\Windows\System\PCeFmvM.exe
| MD5 | b3cea6430c73846eaaed6567bc7ec7a9 |
| SHA1 | 722bac165f77f93f5c8d38916ef3d21aa7887907 |
| SHA256 | da46dfd2a67a7f8918492a1f14dbd70197958844d170d3df841f1c451a2a854e |
| SHA512 | 2c474fe501f10deb00b2f43abb7a11ebac69497fc31f6846a903977ecaf953e1c5405ab99e6b57766185b1e618d318ffaf4c27b5aab3c95d0cfb768f4289b85d |
memory/3396-18-0x00007FF7740A0000-0x00007FF7743F4000-memory.dmp
C:\Windows\System\HTdPfks.exe
| MD5 | 11c2c931972dac404ccd369a1a202ec9 |
| SHA1 | 82d6770fb9142019314d7739c0acfc7fe8f3ef74 |
| SHA256 | 040bc3e0d3886a9991c4b01c30c5b350073bbf6d3c10276089ca5401be54def3 |
| SHA512 | fdde9241f51cd54d6bf74a4f7e118c4da7a6044366a00dead6b85884efe7b39b9682f12201c818bdfbc4e05a08a67c541fc9e602bf44ab1bd71ce8309c4f3216 |
memory/4416-69-0x00007FF7229C0000-0x00007FF722D14000-memory.dmp
C:\Windows\System\UyqApMd.exe
| MD5 | 7fa6d198c297044fce74f852d2e957b8 |
| SHA1 | 466c6709c1a5825d7ef96a8803853ec6be962cdc |
| SHA256 | da586be30639819ae285cc84a0d0a9e4ec6994bd11265e66b75bd62f6b2c891d |
| SHA512 | 5c068be094230ae2c4e451f34fdb8d71b879296ec25406236da301b3e59d3c307b82f13cddeb521181ce98e674c4d10dd13a7b30f579eff7353679e498ba6f0e |
memory/1572-75-0x00007FF748160000-0x00007FF7484B4000-memory.dmp
memory/2964-81-0x00007FF658720000-0x00007FF658A74000-memory.dmp
C:\Windows\System\xNsNXUX.exe
| MD5 | 69dbaedcbf6f3e5a6a6a61e1b01216e1 |
| SHA1 | b09030e4846b39a259e780eab29f15dfe44ff2b4 |
| SHA256 | 5efd6302eb45d01da4e6e9c921d2e1526d982560fbe5cc0e0331a21aa1a81b5d |
| SHA512 | c9d01400ecfcf9864641c57afac1a412d976bbfe77571ecdf0118506db34c29ffe6fb8523d0cb34bf98a1cf41d12fe845fcb4de1aaa925625fecd6ab579f9e94 |
C:\Windows\System\pUcciAt.exe
| MD5 | b5667948f7075a92d855e4ac2aeac966 |
| SHA1 | 0a376c895dc19c2b4def34778405263fade9810d |
| SHA256 | fceb7ddc1644baca58ce70d3a85b02026c8b927230cab26d72c482e39ace7e2a |
| SHA512 | 8cb54c4276c22171df6a571cc72db63c807f8411393d6f22c664d369d9ce48e706677006f642f21bcdad7505f5190950363d33f6807792b4a28f35936d73c2b2 |
C:\Windows\System\gZsRrqd.exe
| MD5 | ccb4ce8829d785665844ea5251d21a42 |
| SHA1 | e8e66b2efb2063dd9bc29ff64b68b69a10ddf830 |
| SHA256 | 02faccfb060e65cd42d8a6c0fe741ebb91d4afff9026d6eb3e655b649f158c70 |
| SHA512 | bd9d87529d6b6132da92aafa945afa032580491f7ebaf08e1e9f274a4c8edcd101a659d3a901ab91e18905ad4c990b02eefa2cf3e31f6aa86aa6ec0e1ecc919b |
memory/3964-86-0x00007FF619FF0000-0x00007FF61A344000-memory.dmp
memory/3528-85-0x00007FF7932F0000-0x00007FF793644000-memory.dmp
memory/4392-84-0x00007FF66B920000-0x00007FF66BC74000-memory.dmp
memory/3224-62-0x00007FF62AD00000-0x00007FF62B054000-memory.dmp
memory/644-61-0x00007FF663C70000-0x00007FF663FC4000-memory.dmp
memory/4776-96-0x00007FF7C3D60000-0x00007FF7C40B4000-memory.dmp
memory/3240-95-0x00007FF651BA0000-0x00007FF651EF4000-memory.dmp
memory/2408-94-0x00007FF7FB700000-0x00007FF7FBA54000-memory.dmp
C:\Windows\System\OEvGSKS.exe
| MD5 | 1cf58a9f299bf72c6a31e99d35c8f30f |
| SHA1 | e57190e0b0e24368892a211017858756de5aed47 |
| SHA256 | 489084b42f647571c52f33ea6366a690b6c0a1d212b652511dc6522c0d90f8fe |
| SHA512 | 5bf06ba45e77efec2d7a730b408e562f564582ceb6ae6ce021db72a00c78dbfa01e34183cb6c670f4ec6cf807a05919bcabb615ca81609fad508053a8eaa0db7 |
C:\Windows\System\AizYGnN.exe
| MD5 | a4cd4160ac3f10cbce58faa81190b078 |
| SHA1 | 7f228847deb24ebc55f6f8439a50c9b1b52c388d |
| SHA256 | 2732dce179cff590f03331e9dc91dd126d8ada21950a42754cbf06d3e36ed721 |
| SHA512 | 9022e65f01f3d8f8a86f586b3a7f8a9c49da88d70b96dfb57ad8e994e8105b25cff5088082c4848601f321e197ca6c9c62c058725f2745999812c160405a4482 |
memory/2376-113-0x00007FF65D550000-0x00007FF65D8A4000-memory.dmp
C:\Windows\System\wGUNhqK.exe
| MD5 | 4fe09193f9134427c8b9f7478621e1ce |
| SHA1 | 7999afa6dabea86f401a6b0eac3607997e5cc939 |
| SHA256 | e34803ee24f6155295113ed8bad1540b119253be4df75b4495d0ff5016272f7b |
| SHA512 | b94eb1055316deeeb69d67dbccee25eae50e68558e2ccd1346062b4e981de9163e2fe88ae9fbb438a890fa784420d2af308ccd3f2fc4c48a46963f053515d510 |
C:\Windows\System\KlveNKr.exe
| MD5 | aa7e2f827422712012dea5b0bdbd12f2 |
| SHA1 | 30186a37cf23f119d425b174106d0524146d11fa |
| SHA256 | b37c83e2c70ce5b282bff46991ef75779d6564d2ee6cf4659dba302dd6611f1c |
| SHA512 | 0889ffc4cbac45932ff8adbdc49b4ce1eeb861610cffef6508b98e9c66f47d91d957b4a95c4cce0eb196304817078d49706e5ceedf6fe4b8e5d8f4876af6383b |
memory/4100-133-0x00007FF60E360000-0x00007FF60E6B4000-memory.dmp
memory/2288-135-0x00007FF62BA50000-0x00007FF62BDA4000-memory.dmp
memory/3224-134-0x00007FF62AD00000-0x00007FF62B054000-memory.dmp
memory/2472-128-0x00007FF6BE7F0000-0x00007FF6BEB44000-memory.dmp
memory/4952-127-0x00007FF73F160000-0x00007FF73F4B4000-memory.dmp
C:\Windows\System\MsOPVTE.exe
| MD5 | ede06f255b77566129fd6aeca6bab77a |
| SHA1 | 0cc177998d9c552b12de60f2d7d0366bb8075e5f |
| SHA256 | e3d90ec284f405c624bb248c7ca487af95eab628bea5c8f83457a24d67869bab |
| SHA512 | 5905cd5840c3831b086f1f3cecbc61257ae104408ac0c0eb617e49e878e2637509618e8d23ed3f7f69a2307a7a138bb30a911ef9a8ce8da292831f1952dea419 |
C:\Windows\System\zGIfmDV.exe
| MD5 | 24be2d113308028f4ac9b6ad73ffe203 |
| SHA1 | db0fa63e20605b3efa593950c1176fa1197e0525 |
| SHA256 | 89ee71246ad7f886c30c6640872ec578e762fda753e58a07cb89cc2a1c6da703 |
| SHA512 | 5d73221f905571a37bd72f11aaed7b9d255b70618437c4d52a075ba4a2a5b63c67653a355ee7b84a039fa19f0a454ad03bdbef2945b1a2ac0cea3b2d4dfb824c |
memory/1028-119-0x00007FF7171B0000-0x00007FF717504000-memory.dmp
memory/2332-110-0x00007FF6826B0000-0x00007FF682A04000-memory.dmp
memory/4948-104-0x00007FF76FED0000-0x00007FF770224000-memory.dmp
memory/2920-101-0x00007FF7BFCB0000-0x00007FF7C0004000-memory.dmp
memory/4416-137-0x00007FF7229C0000-0x00007FF722D14000-memory.dmp
memory/2964-138-0x00007FF658720000-0x00007FF658A74000-memory.dmp
memory/4392-139-0x00007FF66B920000-0x00007FF66BC74000-memory.dmp
memory/3964-140-0x00007FF619FF0000-0x00007FF61A344000-memory.dmp
memory/4948-141-0x00007FF76FED0000-0x00007FF770224000-memory.dmp
memory/1028-142-0x00007FF7171B0000-0x00007FF717504000-memory.dmp
memory/2288-143-0x00007FF62BA50000-0x00007FF62BDA4000-memory.dmp
memory/1572-144-0x00007FF748160000-0x00007FF7484B4000-memory.dmp
memory/3396-145-0x00007FF7740A0000-0x00007FF7743F4000-memory.dmp
memory/3528-146-0x00007FF7932F0000-0x00007FF793644000-memory.dmp
memory/3240-148-0x00007FF651BA0000-0x00007FF651EF4000-memory.dmp
memory/2408-147-0x00007FF7FB700000-0x00007FF7FBA54000-memory.dmp
memory/4952-149-0x00007FF73F160000-0x00007FF73F4B4000-memory.dmp
memory/2332-151-0x00007FF6826B0000-0x00007FF682A04000-memory.dmp
memory/992-152-0x00007FF6C99F0000-0x00007FF6C9D44000-memory.dmp
memory/2920-150-0x00007FF7BFCB0000-0x00007FF7C0004000-memory.dmp
memory/3224-153-0x00007FF62AD00000-0x00007FF62B054000-memory.dmp
memory/4416-154-0x00007FF7229C0000-0x00007FF722D14000-memory.dmp
memory/2964-155-0x00007FF658720000-0x00007FF658A74000-memory.dmp
memory/4392-156-0x00007FF66B920000-0x00007FF66BC74000-memory.dmp
memory/3964-157-0x00007FF619FF0000-0x00007FF61A344000-memory.dmp
memory/4776-158-0x00007FF7C3D60000-0x00007FF7C40B4000-memory.dmp
memory/4948-159-0x00007FF76FED0000-0x00007FF770224000-memory.dmp
memory/2376-160-0x00007FF65D550000-0x00007FF65D8A4000-memory.dmp
memory/1028-162-0x00007FF7171B0000-0x00007FF717504000-memory.dmp
memory/2472-161-0x00007FF6BE7F0000-0x00007FF6BEB44000-memory.dmp
memory/4100-163-0x00007FF60E360000-0x00007FF60E6B4000-memory.dmp
memory/2288-164-0x00007FF62BA50000-0x00007FF62BDA4000-memory.dmp