Analysis Overview
SHA256
e31ff57533b29c3ea3e3dad70c51aeed528c028fe59dc8d61d9e7f5f9f279bf7
Threat Level: Known bad
The file 2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
xmrig
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 05:03
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 05:03
Reported
2024-06-08 05:05
Platform
win7-20240220-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KFwVFtH.exe | N/A |
| N/A | N/A | C:\Windows\System\vIsrZHq.exe | N/A |
| N/A | N/A | C:\Windows\System\KCmefXz.exe | N/A |
| N/A | N/A | C:\Windows\System\uPhbUyx.exe | N/A |
| N/A | N/A | C:\Windows\System\oEnKdYB.exe | N/A |
| N/A | N/A | C:\Windows\System\hFbbHTK.exe | N/A |
| N/A | N/A | C:\Windows\System\zwUCWhW.exe | N/A |
| N/A | N/A | C:\Windows\System\GsdmqYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\CiUUbsu.exe | N/A |
| N/A | N/A | C:\Windows\System\YTPoPiW.exe | N/A |
| N/A | N/A | C:\Windows\System\XIqSvLQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kuNhWfP.exe | N/A |
| N/A | N/A | C:\Windows\System\tjRhCRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\sHBXZpr.exe | N/A |
| N/A | N/A | C:\Windows\System\NicUpbK.exe | N/A |
| N/A | N/A | C:\Windows\System\CQYdzKh.exe | N/A |
| N/A | N/A | C:\Windows\System\RkUUHlb.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNJimJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WuCZBqw.exe | N/A |
| N/A | N/A | C:\Windows\System\HXXMred.exe | N/A |
| N/A | N/A | C:\Windows\System\uKGjJSR.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KFwVFtH.exe
C:\Windows\System\KFwVFtH.exe
C:\Windows\System\vIsrZHq.exe
C:\Windows\System\vIsrZHq.exe
C:\Windows\System\KCmefXz.exe
C:\Windows\System\KCmefXz.exe
C:\Windows\System\uPhbUyx.exe
C:\Windows\System\uPhbUyx.exe
C:\Windows\System\oEnKdYB.exe
C:\Windows\System\oEnKdYB.exe
C:\Windows\System\hFbbHTK.exe
C:\Windows\System\hFbbHTK.exe
C:\Windows\System\zwUCWhW.exe
C:\Windows\System\zwUCWhW.exe
C:\Windows\System\GsdmqYJ.exe
C:\Windows\System\GsdmqYJ.exe
C:\Windows\System\CiUUbsu.exe
C:\Windows\System\CiUUbsu.exe
C:\Windows\System\YTPoPiW.exe
C:\Windows\System\YTPoPiW.exe
C:\Windows\System\XIqSvLQ.exe
C:\Windows\System\XIqSvLQ.exe
C:\Windows\System\kuNhWfP.exe
C:\Windows\System\kuNhWfP.exe
C:\Windows\System\tjRhCRZ.exe
C:\Windows\System\tjRhCRZ.exe
C:\Windows\System\sHBXZpr.exe
C:\Windows\System\sHBXZpr.exe
C:\Windows\System\NicUpbK.exe
C:\Windows\System\NicUpbK.exe
C:\Windows\System\RkUUHlb.exe
C:\Windows\System\RkUUHlb.exe
C:\Windows\System\CQYdzKh.exe
C:\Windows\System\CQYdzKh.exe
C:\Windows\System\ZNJimJJ.exe
C:\Windows\System\ZNJimJJ.exe
C:\Windows\System\WuCZBqw.exe
C:\Windows\System\WuCZBqw.exe
C:\Windows\System\uKGjJSR.exe
C:\Windows\System\uKGjJSR.exe
C:\Windows\System\HXXMred.exe
C:\Windows\System\HXXMred.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1948-0-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/1948-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\KFwVFtH.exe
| MD5 | 62d08b52138d7a1be8c078d69eef6f36 |
| SHA1 | c54d57a854c372b577a66d82f094ef51de8be75c |
| SHA256 | 7898324a848e574e995feadc7bdbdbe9efee5a7db09f333374ac2238bd357a06 |
| SHA512 | 594bf2bb987d9576d43f922618e759bb1b63818d5e2820b9828f9f8fa3b4549067bacd219cf1f30172fc99f6e71be0af135244aeb95242c60aec48c16f5c6abb |
memory/1948-8-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/1508-9-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\vIsrZHq.exe
| MD5 | 449dda502f038af81fbeac994278751e |
| SHA1 | 19b439eafa8fdb7970c7064913e8ea174d8daed1 |
| SHA256 | 4c3b910849f291962588d5b461b73b3837aa80c8c70a42fb81406b7977f534e0 |
| SHA512 | ee1091a62082e736544b1a64b27656dd6ca0c11a95c65b1aedaab22b16651082cedeea78feec7fadf1e9430194e8dafa0f1c8bbb15968a4a62121c58551d15db |
memory/1948-22-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/3064-23-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2628-16-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1948-14-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\KCmefXz.exe
| MD5 | d6603ead6d2833d4507b4291a05ee847 |
| SHA1 | 8f713947779349303b96da979531982699c02309 |
| SHA256 | bee4febbb6eea952ba63e1ecd1a9064b47168a6f7fbf15c66cae06722358e300 |
| SHA512 | 0a5494b5782827fbcd0b3399956596eab26c2d5865ca7514e0dd6248583289b6247870f809955b92ceb566e9159a474f995278f7fdd9c584edb4a5a2d494975a |
C:\Windows\system\uPhbUyx.exe
| MD5 | d9ea2174430941c118b7123173dd55fa |
| SHA1 | a4c238a9b6ea962ef00b322a3ac0d02e928946b8 |
| SHA256 | dce438a84a9bbdb8ebc2a6d44b368d247ace6e81e237b489e37a111c82f6a1c5 |
| SHA512 | b6977732f0a79f1c4d7a25bc6475c958fc2636b3006028dc62dd1a49c8c34166faaf9a323fcaca3ae883a939253fb2935c1565b8715aaec1b9e5dabd9beba058 |
memory/1948-28-0x0000000002450000-0x00000000027A4000-memory.dmp
C:\Windows\system\oEnKdYB.exe
| MD5 | 4830f7ec4b5a87dba30a939fdb38cdc8 |
| SHA1 | 4a60c4b1a02baf4873ab47582d20b6bdcd74a846 |
| SHA256 | eeae9db7e9bf1b31fd6945d425f33d8ab1f5b9619831dafbe4cdf7c2b5f9aabb |
| SHA512 | e81b655198ed92537312a80cff6ac38cd336a422c64a641ac9a41ad56731eb6a873c62d06797b584d0303e3b50c28d59f4442aa1afd74b9aa40392f53bd3d593 |
memory/2728-37-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1948-34-0x000000013F950000-0x000000013FCA4000-memory.dmp
\Windows\system\hFbbHTK.exe
| MD5 | 89cdaf9cb41f7c078483a8440e856f2f |
| SHA1 | f36e2eb021428ac65a91d0b79a8d6db649fb2fe6 |
| SHA256 | a4c88c5efcc9db5fb70bb7ba6c576df3882664670dc1d4010453bfdf299fc7b2 |
| SHA512 | 9dd5d9eed81f8d1b18ccecf4028a6ff0cb8cd9a6a21c0afa17f458c489774981ea2d775a1f2cb08d1f66a1c69e48815d9fe6cb1c8f735c5f8744e1cec54c177b |
\Windows\system\zwUCWhW.exe
| MD5 | 9339cb4d49cf96cf65e0f46569288f4c |
| SHA1 | 0ba4230e848d04144be0f7f29c1fd1c0f014cb6e |
| SHA256 | e384c50f4968ab2ea80a0607607a9eb2d82625113925b3be336357243cf0a77c |
| SHA512 | c8b70cb106d3f0688d1b444bd1d828a2de5c0397ddfd71e39c7cf93994bc830be948f20a7b2f2affa0651e9700124c46b45693d785caf6e35000c331d4d42950 |
memory/1948-48-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2580-49-0x000000013FA40000-0x000000013FD94000-memory.dmp
C:\Windows\system\GsdmqYJ.exe
| MD5 | db75d62f23c192e7563bdc1dab4354f6 |
| SHA1 | 7f960eb60e85f05a144504661ba3251fcb2ee6ad |
| SHA256 | 31ab0bec2b2301d06c6d1fcf5cae20e9f996ab263e6ae8b9413eab9fce867429 |
| SHA512 | 1023e842f5376ea2479ad9aca91ed94a035eaa97ca1b420009308c18542b971efc36eb289db5e774dbce631147d71608da2a3693315f26a77fab37761c89b8af |
memory/2816-54-0x000000013FCE0000-0x0000000140034000-memory.dmp
C:\Windows\system\CiUUbsu.exe
| MD5 | b2c82a44b76f6d2d35c8cc62fb3423e4 |
| SHA1 | 10891a88ee1bf573bd5ddbe3ce02b2eb240be245 |
| SHA256 | a1e89fc6bdde99185bab21f60da901f31bdbad7e46b398179ea51e9d23d7a976 |
| SHA512 | 368ff2ec2f91720c24a885f1a9fa9a84e424910baea2a163aceded21f43d06efd75c168a47819e08538cc304d97f9865ca23793ef1952e4de8c6773eb1cdf3db |
memory/2792-45-0x000000013F950000-0x000000013FCA4000-memory.dmp
C:\Windows\system\YTPoPiW.exe
| MD5 | c613d5640d32c0e9282971901a4dff34 |
| SHA1 | 8b0dc543c20d4afbdae9de127ae415c2e5479b3d |
| SHA256 | 76b2e3c0bc342738cd41f4552d619c141ea11a34d24ab3013c6b5eeb2a8c09a1 |
| SHA512 | c65194f30c38bba12b3c45a57f38a5c6be3b543b6f975ecaeaba782b779b971ea3094796a94bf0280eaded00fae60268859bf135d944d67f73d8b89045bc791e |
memory/1948-67-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2500-74-0x000000013F1F0000-0x000000013F544000-memory.dmp
\Windows\system\tjRhCRZ.exe
| MD5 | 2d30a28ce126420098e7319f5c8d4678 |
| SHA1 | da06cb28eabebee5acd8e0ade89eadbebe59a643 |
| SHA256 | 21d2eba129b5e627b4f2699832e9965bdf0c57ca595bc5a587360aa1059d840d |
| SHA512 | 9c116436c937874bb5a991de582c813b5c336495f5528f6b707ad8a5726d3916bd3b4b799fc61ba969e553f5cd7e766980e3397048eaab5c81e1899d3b25e57c |
C:\Windows\system\sHBXZpr.exe
| MD5 | 47fb3169b4cb9cf1a07f6acbede78739 |
| SHA1 | 854c8b2059259b5025331e1f7a0d3e05f1a6e79a |
| SHA256 | 7f85a86ddeca683e6d6c63441a15d606e4dd236282b97b82e1446537013c8ec2 |
| SHA512 | 921e0145ad5ee2ee6af45c6763e819c9bee860d721e66575bae16052609cddedb6f3465f9c442b4cc7d1a68124e17c770375320c27d60a6a15a1765d7271e8f8 |
memory/1948-99-0x000000013F890000-0x000000013FBE4000-memory.dmp
C:\Windows\system\HXXMred.exe
| MD5 | 8c0ad0fe4deaf38bf34a2bf7e46e493b |
| SHA1 | c630c0a09e82d13283077ccb43720eb8c5cca096 |
| SHA256 | 1f0d143a6de74b26fc2af1ed92371738715d37678038ede2b60dbf29ed0a288e |
| SHA512 | f8c3d24e843b9fc6e58e74539bd288d39a114b9533a589332813e80fdbc4131eecff7cc62c857db56f3b438ab62b6757dd60d146724a4d35f14f6d41f47e7fcf |
\Windows\system\uKGjJSR.exe
| MD5 | 20d54a872b7d6584638fbdddd81f87b5 |
| SHA1 | 7a2e79780c400c157ef0150a9014b0c70a166ba1 |
| SHA256 | 6ff36578bdf89a6232a253f63571ab26da32c64507b5b6b0642ca1ce5f4ec085 |
| SHA512 | b972dbf6be3d45dd08d7ebecfbea5513b4ed02b5824fe8f22f599b84ea10e0d5bd6b5773b9862ac3541e1713da4dcb7e102cbeeabb276f73c4bc8b662fbc19c2 |
C:\Windows\system\ZNJimJJ.exe
| MD5 | 8b357f517e7ad1c6185ea214c1d0f6cf |
| SHA1 | 14e065b03458eb4b4e345de385c05e31f69ac7d3 |
| SHA256 | 5dc393cbb03970be9447376257af503accebb84b44edbb8c4b2f7710c26f1939 |
| SHA512 | 1a2cce1589b6de8bf0a9c7bafbefb80f63de9a878adb8297880257c76724b57b66783d71c5f31e83f0a012cee0273b81ae02b8935275b6ed1621f2325175551a |
C:\Windows\system\RkUUHlb.exe
| MD5 | 1aad7f8c7123c4b67520b3d0b99bcb18 |
| SHA1 | 460c460981f2ad273a3ab2661c94b4f309fa4e0c |
| SHA256 | c97686c8d28550f27a93315c6417fdcb741f26a1f13815cd48515e1d00aebbad |
| SHA512 | ad2df33acc455a4cafe417da50ac9ee62197d9bb707f4dac021de71f85035112827739edaf39fbdd6d9e7c0ce0858d29bcc3d6190775e827abb1cd6baed9214c |
C:\Windows\system\CQYdzKh.exe
| MD5 | 4f7321ab8e29f6ea37aea34701b4cdf7 |
| SHA1 | 1dc32fdeab741dea273a9ce512c0e2100af320c5 |
| SHA256 | 2005cd596f6aeb52e423bb13958382d8904040ceda16e3031a4fdcb1fdc44e89 |
| SHA512 | 4f573eb4759bc120ca0c8184ef8f6b9aab55c9527d4fd53b550abab304a0db9a18ceb544ee22e255426c687e13ad543c40b832d93a5e6e49c3837508322c8b97 |
memory/1948-114-0x000000013F6F0000-0x000000013FA44000-memory.dmp
C:\Windows\system\WuCZBqw.exe
| MD5 | f6de2d3ef5689c50bd70515725435df8 |
| SHA1 | 8ff8877fa933efac7cc40d11376488105cad6876 |
| SHA256 | e7bfaa445f5747aa76559ff60dd45a134cb78aafe68e6ebba6b17c620f18622d |
| SHA512 | 605fb2fd567d58afe2f1fe93e2feaf10e4e9b61515ddd56c5cf19a5569aebb7e976dd82f4b75321316f46b876b06f25218fbbafad0f67fb64f2371d1ac09d581 |
memory/2632-100-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2792-111-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2728-98-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2576-97-0x000000013F0C0000-0x000000013F414000-memory.dmp
C:\Windows\system\NicUpbK.exe
| MD5 | 4e200b73d4b84bab831ebcab94c787d7 |
| SHA1 | 3698e0e72dee3e81823775462af5103faf28aeae |
| SHA256 | c86c3451c78338a005f2bd630fbfb87358548b529b3867bdf7b8d375e3889035 |
| SHA512 | 72f5e81eaaaf02db48fe450f5aa9b68a82a4a3caaba83636f962e02b9b6fe68b4b968c315de2fd4f4862af12d97cc532f444457262866639cdad10cc44b0d817 |
memory/1944-90-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/1948-89-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2184-83-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1948-82-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2628-81-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\kuNhWfP.exe
| MD5 | d5f835492242b7935dbbbc36a382cdf9 |
| SHA1 | f91a718d2683686ba6977e7cd80d9a0ae762fa0e |
| SHA256 | d83e3ee5d2ad892ff38c31ae4d4588225e3335a6baeb39a6540a2dc06ced7fa6 |
| SHA512 | 635d9999625a3d8c60737b792e74928d4712204f84d7bf9f5c51aef078ac3a025c7428da7927c240e180fe68e8dd88c8dbd221825323398a9a3a1065754237cb |
memory/2444-69-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/1948-68-0x000000013FE50000-0x00000001401A4000-memory.dmp
C:\Windows\system\XIqSvLQ.exe
| MD5 | f1cb60b091c35c2ad89ed92325ef8ff0 |
| SHA1 | 2e28dea42c1db88930e6b4e8b1483812c23a9388 |
| SHA256 | 72c33de6a48ce4d57eea859e42e3e5f3fa19e35f3e1065e5fc755166a8275167 |
| SHA512 | ab1992cc00606aa0d5764c510e5e9ca02afda13d3607927ec3ff4ff2c8bab04f8ca132610d132e371ca0f751471f83ded1c12b20037d02921064c3ae40fa02fe |
memory/2584-62-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1948-61-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2816-137-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/1948-138-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2444-139-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2500-141-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1948-140-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/1948-142-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1944-144-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/1948-143-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/1948-145-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/1948-146-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1508-147-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2628-148-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/3064-149-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2576-150-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2728-151-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2580-153-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2792-152-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2816-154-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2584-155-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2184-156-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2500-157-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2444-158-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/1944-159-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2632-160-0x000000013F890000-0x000000013FBE4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 05:03
Reported
2024-06-08 05:06
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XmpyUwd.exe | N/A |
| N/A | N/A | C:\Windows\System\JASHhky.exe | N/A |
| N/A | N/A | C:\Windows\System\eNHynOM.exe | N/A |
| N/A | N/A | C:\Windows\System\DXEhrFz.exe | N/A |
| N/A | N/A | C:\Windows\System\AYbpKmw.exe | N/A |
| N/A | N/A | C:\Windows\System\yHtfTxH.exe | N/A |
| N/A | N/A | C:\Windows\System\mYBjqkr.exe | N/A |
| N/A | N/A | C:\Windows\System\dlWenxH.exe | N/A |
| N/A | N/A | C:\Windows\System\CQulAct.exe | N/A |
| N/A | N/A | C:\Windows\System\kmZerzi.exe | N/A |
| N/A | N/A | C:\Windows\System\QTWxDjw.exe | N/A |
| N/A | N/A | C:\Windows\System\TIlcmvl.exe | N/A |
| N/A | N/A | C:\Windows\System\jnwmBEF.exe | N/A |
| N/A | N/A | C:\Windows\System\BqLClZi.exe | N/A |
| N/A | N/A | C:\Windows\System\tlXqxBN.exe | N/A |
| N/A | N/A | C:\Windows\System\BiStsPe.exe | N/A |
| N/A | N/A | C:\Windows\System\QbLdyzK.exe | N/A |
| N/A | N/A | C:\Windows\System\WzUpawo.exe | N/A |
| N/A | N/A | C:\Windows\System\XRvQfVd.exe | N/A |
| N/A | N/A | C:\Windows\System\CPlqnEc.exe | N/A |
| N/A | N/A | C:\Windows\System\BxukOOJ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ab9197e65464ff7f43260c03219fddc9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XmpyUwd.exe
C:\Windows\System\XmpyUwd.exe
C:\Windows\System\JASHhky.exe
C:\Windows\System\JASHhky.exe
C:\Windows\System\eNHynOM.exe
C:\Windows\System\eNHynOM.exe
C:\Windows\System\DXEhrFz.exe
C:\Windows\System\DXEhrFz.exe
C:\Windows\System\AYbpKmw.exe
C:\Windows\System\AYbpKmw.exe
C:\Windows\System\yHtfTxH.exe
C:\Windows\System\yHtfTxH.exe
C:\Windows\System\mYBjqkr.exe
C:\Windows\System\mYBjqkr.exe
C:\Windows\System\dlWenxH.exe
C:\Windows\System\dlWenxH.exe
C:\Windows\System\CQulAct.exe
C:\Windows\System\CQulAct.exe
C:\Windows\System\kmZerzi.exe
C:\Windows\System\kmZerzi.exe
C:\Windows\System\QTWxDjw.exe
C:\Windows\System\QTWxDjw.exe
C:\Windows\System\jnwmBEF.exe
C:\Windows\System\jnwmBEF.exe
C:\Windows\System\TIlcmvl.exe
C:\Windows\System\TIlcmvl.exe
C:\Windows\System\tlXqxBN.exe
C:\Windows\System\tlXqxBN.exe
C:\Windows\System\BqLClZi.exe
C:\Windows\System\BqLClZi.exe
C:\Windows\System\BiStsPe.exe
C:\Windows\System\BiStsPe.exe
C:\Windows\System\QbLdyzK.exe
C:\Windows\System\QbLdyzK.exe
C:\Windows\System\WzUpawo.exe
C:\Windows\System\WzUpawo.exe
C:\Windows\System\XRvQfVd.exe
C:\Windows\System\XRvQfVd.exe
C:\Windows\System\CPlqnEc.exe
C:\Windows\System\CPlqnEc.exe
C:\Windows\System\BxukOOJ.exe
C:\Windows\System\BxukOOJ.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1836-0-0x00007FF7F0FA0000-0x00007FF7F12F4000-memory.dmp
memory/1836-1-0x000001AE613E0000-0x000001AE613F0000-memory.dmp
C:\Windows\System\XmpyUwd.exe
| MD5 | 6edaa4cce3935f24642ade3e2cea0044 |
| SHA1 | 3abf9bb75cb655e13752e5a04a34a68226612abc |
| SHA256 | 373986a8282321ab41632be903d7ecdfd652b7c7e18c6593f7bd813a817a9baf |
| SHA512 | 2430c927b6bc79d79f805ba1970c297ac9c3afcf3f6b77029de9f88dc52af5c9e166f7148896140c1b207a223dacb9b8a65c0486c201bc4f2fcfb1118d77347a |
memory/1116-8-0x00007FF707140000-0x00007FF707494000-memory.dmp
C:\Windows\System\JASHhky.exe
| MD5 | 5d0e1d62b5de6c46b9b096efc942f0b7 |
| SHA1 | 69ac381d0fa00de4f36543ed54f309ae723dcff0 |
| SHA256 | 60e27c7fa05a8b58d9f97a0e7107311cbea440cc704f1980099da083a36b709a |
| SHA512 | 2362d42a1ecc02bd11ad8c0b792b83e5005dd0ad18b2a52e41a3c9430747f8cef9158fb5bee473e680dabdc62c08db7dfa1154562e5a6ece74602dcde33a8e5f |
memory/716-14-0x00007FF7040B0000-0x00007FF704404000-memory.dmp
C:\Windows\System\eNHynOM.exe
| MD5 | d9c1af64d54a3ec39298379b165b892b |
| SHA1 | 9b97d160fb5f01d80ba044db1456604bcd9b87f2 |
| SHA256 | c788034dca53c6117788691d06838d158d8931626b9de408c73946c2a3ae7f28 |
| SHA512 | 1dcded2ab525804ea4dc7e4a479652764202ea3fc1ff6f4354cbe2e4f883d842092beb49e5bff4594097550a01616dcbd475f8c4f58234d8b959bdeb3a93b1ff |
memory/2628-20-0x00007FF7B1BE0000-0x00007FF7B1F34000-memory.dmp
C:\Windows\System\DXEhrFz.exe
| MD5 | 739c40cd832dc3bb0acbbb8639e9b42d |
| SHA1 | 43cb3e1dd840c03272bd47c0d8ea66b35e1c1d65 |
| SHA256 | ada8aa38cb81cbdfaa5f060fdb8a9f4d6dba498c534ec813572af3c1f432663d |
| SHA512 | d53f16defc1a14b20c9879a621c991311b3705363798e8db6d75c07199fc7fba1d2be5d9132b204ddf99a7b4a4c2c9c4f767b9ed283387b0a45ec8d367598471 |
memory/2576-26-0x00007FF696E00000-0x00007FF697154000-memory.dmp
C:\Windows\System\AYbpKmw.exe
| MD5 | 11b6a2ed21739c93a393ca2344c199ea |
| SHA1 | bfcb3b0fc79c8cf202fd92755ce6377355628a84 |
| SHA256 | b017b4870e0912b38071356b292c5aa1ad1b85c2527ff1e38cd626d58fbc44a5 |
| SHA512 | 2fe7004b4a32bab6e33721d3d383a1d389cf3ba9b4e90065ae98d023ba583bfa8e4c3edbfbb2fbd467655a66f59a6fabdd3860320ccf8bd16840ba2f0a922f01 |
memory/1352-32-0x00007FF6B35C0000-0x00007FF6B3914000-memory.dmp
C:\Windows\System\yHtfTxH.exe
| MD5 | d35709df7457d5c1e47cb5eae6ea2f14 |
| SHA1 | f51f69ad52222d1e3892fd147c50d8db84a42c5e |
| SHA256 | 13de509e03e3981ffcac6fecaf87f55327290373807d162769aef2a99b122d26 |
| SHA512 | ddae6c2c94c10b4ad81054cf1a154135b8f9f799fa9bd15acde344df0a70ee9f2cbd9dca4fb5b189f3a542527d908c1285a5ff3ec30cd1ee18e7255e625ec64d |
memory/2872-37-0x00007FF76E4A0000-0x00007FF76E7F4000-memory.dmp
C:\Windows\System\mYBjqkr.exe
| MD5 | 69d91d086785605c37d6596df2df2a31 |
| SHA1 | 7caa7f4f18ae82ea2ba556a877128e652d96687a |
| SHA256 | 8aeb8de17b768a5cd182cc1b83ae685bb44b280b48bfbc92f9407b330fb9da07 |
| SHA512 | 06bd51760a20d8152baf4af1e9df46eb813a1533f9ea0724e287e32c4196017cb29b93a80dea8dd5da5be96e12b61d2944b62bcd9881f6d5d4fd65cea839dd65 |
C:\Windows\System\dlWenxH.exe
| MD5 | a3fc2a01fd487740ee8befd525cbe74b |
| SHA1 | b4f940195ab8ac023f6ff5fece66a133550dfc78 |
| SHA256 | 2dad0d81f990dca2ffa678a66287cdf43ff3c1a09f86bdadd8165b09ed43a4b2 |
| SHA512 | 9fb42542fd4b709955675a3f57f5b5a03da50a4fcf636257bd8c8bf93f8fc6b3e9d08a0ca01106bbd2a135660f626224584a055169681bc9164302d842459808 |
memory/220-49-0x00007FF7E5DD0000-0x00007FF7E6124000-memory.dmp
C:\Windows\System\CQulAct.exe
| MD5 | ac1f4c9d24544a407e7e53f4dd2b1321 |
| SHA1 | 9d4cd6373421db3a2c67399ec33e9ea4305ca28b |
| SHA256 | bffa6a67457243433a2c63b7a9d22b7a164e73c076a435847155f6bb58b2c267 |
| SHA512 | a9b37a9082779c1783777a6c9c6afdc845f06268fa168bb54501be6909ef283d77ff50c9d84afb15c08e2dd83df89f098bcd013958c036f0356327cf43de6d92 |
C:\Windows\System\kmZerzi.exe
| MD5 | 5203b65178aca044cede25dd05c64b7a |
| SHA1 | c80c1c3ce180c7db5bfc6002853fb29c54891d74 |
| SHA256 | d7b484f186965b6b6e8e18acc10efb485bf8bf9e84af8b818cc314d97e1fd42b |
| SHA512 | 962dd298f9347224601d126d4da199411f6a9258bddd715c129112ee66b1ec9403b7b72689f183cb5a552695c67d1bcdde830495907637a998ca65f2f319cfb7 |
memory/2500-64-0x00007FF74A790000-0x00007FF74AAE4000-memory.dmp
C:\Windows\System\QTWxDjw.exe
| MD5 | a7f1d6e18304f5ca971f0bb65112c68a |
| SHA1 | 4f3f8cfac3c9934fb8368c0ebcd4cfcd7e6851bb |
| SHA256 | 131cb3eb0d20da7b2206c7b220e5945bd74fc303ba4e865303c4cc6b4cea6410 |
| SHA512 | 2e90499e05c34b092aded54939f6ad053dea3d177ba3f6fd0d5242812351070ea3de394dee35228b7be2e397cfca164b7d36115d9d4085c29ee002b37912ab45 |
C:\Windows\System\TIlcmvl.exe
| MD5 | 85cad1b2864e633d25e863ba151e2ff3 |
| SHA1 | 022e7f5b1659c14ce6cd21ad3a420dbf3517931e |
| SHA256 | 64b4aa20eb3866934ba4b256d8f3e2306265145944f22b42e422d37113ea794f |
| SHA512 | 033b53bae6fb6d19dc73fb9ecadd7974f5c7800435d12e8d1c9fda4aaa22ea05ad5a8638abebc527b1b2ba7a407d6e0bca987822f0e0102f48b3eb93bb530aa6 |
C:\Windows\System\BqLClZi.exe
| MD5 | 5fd71a02fa139c192d3baa67fb1d9f43 |
| SHA1 | 6949254ec37824ba4447194f2ba4df90af879ead |
| SHA256 | e4b28ba0fd9da1921d367bf3695433138fc3ebc234b2eece7a143ff49d39080c |
| SHA512 | 90bf962c5c107ae31db4144b00e600f7ef660ff3ed7899a4d0761d984a5c3ac22da45f12ca52a92514efcd94383add20ef42240cfb46bd502a99d1b710cb13c9 |
C:\Windows\System\tlXqxBN.exe
| MD5 | 38b5c2c6046cdd36c373a05535c54b6d |
| SHA1 | 2d800c60d57a1a15f7e417175e7ee3014312025f |
| SHA256 | da034d15401b40067e52ce910134f2d7b1bcb7ef0e919b62ba84fd2b528fb35e |
| SHA512 | c50209c4e6b3678da3237acb5088f5090dc4bc0c70fd2be246bc8a4de87b29ba12ebd70ba454ac0f6fc5c277e61463b9668748bdc27a13d04437bf8948da4723 |
C:\Windows\System\BiStsPe.exe
| MD5 | 6c20c0d559b94b124e60e91cf9f2e34e |
| SHA1 | 2c541a07063f2a864b4ef881e9186b8e24c6aa2a |
| SHA256 | cb9e076eb8374ba7e3931a4bb36752e587327cf267d80b5aeb4b809d2b4920d7 |
| SHA512 | f41a77ad4d8d938fa94e9948ff4e3cc69339b08ec2f73db6d8eec9eb3e8c5a99b95e9b1ac8635b5199fd0e7d4771177fd71e27822e27633d7132f6b72f6ba3e9 |
C:\Windows\System\QbLdyzK.exe
| MD5 | d629bda16eb55164d2002e76a4aa0822 |
| SHA1 | 8638b10be33033b123f8be9e9126e4ef72f8519e |
| SHA256 | 1e3e5ce0db6eddbb77d8d69441fa079ec59dc8a72aba09c3697cf1bafac611c6 |
| SHA512 | 70652f4dc8343b39c7f1e1fba6b1a7e85ca66bfac975c39a1ffa4231254aa9b0fb74113c7d7b2f90a54f47b006cc8bcdd57364e953a8688d8acd11ffb3da1a5f |
C:\Windows\System\WzUpawo.exe
| MD5 | c85269773858022bce8818cce2e986cf |
| SHA1 | 2a0414f73474f7df2890abc8ea271ec9f2109ff3 |
| SHA256 | 1c842a4443cdf621d69d70e2075ba3cdbf9c28ec74ef41a441a59b8c1fcaa306 |
| SHA512 | ffdcffbdd33037e554a660382f4836659c9be13629e670ff9b3b95ca27bb53c768e4ef632e885faefab5f72b4ca9dae7fa136418af0a84091531f13512185313 |
C:\Windows\System\CPlqnEc.exe
| MD5 | 1852121619fbac8c05b758bc7cbab567 |
| SHA1 | 5b88af4910883917de63c37efeb622219953d11f |
| SHA256 | 642a6d7bb34e60bef6eeb2e883a0972f86e529c31eeffb33d3b4a4b244a91e97 |
| SHA512 | ecf7d211b7da134f79b5bad58e59cbe9a6cfb45b57ff8966d3daba65d8ae01fd5bfc75c29cc57d7c4b9cebb076408726e04cffb2f502f8da32254963b82114de |
C:\Windows\System\BxukOOJ.exe
| MD5 | 1553e01bf94aa7714034fbdb0ab227cf |
| SHA1 | b793bbf49f145b325cec7b4062f33524ce6d7f53 |
| SHA256 | 018542340ed3e300c6c4f55bc890ed7dc9013e7fc3a56c6f73796f63cd1ad99b |
| SHA512 | 725393e497854596afe839ed73afd6a9723612b228883d3eadff022fe818a7a89e5a9abb82c9f9dbfc12d92fb21af637eb20d0bb579a3d40d082f85eff401705 |
C:\Windows\System\XRvQfVd.exe
| MD5 | 69c758edf30e341123b1bf783bf42eda |
| SHA1 | 61763f84f0307c120cb89de166dbaf18501f0ed2 |
| SHA256 | 1a14b2f2328b6d75287e630c4ad1e8e8eb6bf2bd18f5e90b0843382d67248641 |
| SHA512 | feee411c06aac5673886f3c7ba35d6887db5d6a625958f3fd085164d912da03ed502e97180dea8655345bcf641ee7b98511739901ba84a00d47338ffb1e76d45 |
C:\Windows\System\jnwmBEF.exe
| MD5 | d3d07ab8a4bda846a5e6ed1627a27acf |
| SHA1 | 94aba6de6cd5d5b1ac75b1201456fe8da3d71c85 |
| SHA256 | 0ae5a6411a10eac98b93837fb37f30145e0c49e752c41801b2e046d99c91b4b7 |
| SHA512 | 11bc74f81089439dd1a5e5732f503b0a94623fece9737ea84d8ee78f398d25f9b7fe64382acf5b06fce41bb4f870aa63709ba175eec157f0f856ba836d8434df |
memory/4648-79-0x00007FF7EFE10000-0x00007FF7F0164000-memory.dmp
memory/1836-71-0x00007FF7F0FA0000-0x00007FF7F12F4000-memory.dmp
memory/4808-67-0x00007FF67D980000-0x00007FF67DCD4000-memory.dmp
memory/3152-58-0x00007FF781130000-0x00007FF781484000-memory.dmp
memory/1340-119-0x00007FF6AE890000-0x00007FF6AEBE4000-memory.dmp
memory/1580-120-0x00007FF612DD0000-0x00007FF613124000-memory.dmp
memory/4624-121-0x00007FF785770000-0x00007FF785AC4000-memory.dmp
memory/1800-122-0x00007FF656440000-0x00007FF656794000-memory.dmp
memory/2024-123-0x00007FF7F0000000-0x00007FF7F0354000-memory.dmp
memory/4336-125-0x00007FF69A1B0000-0x00007FF69A504000-memory.dmp
memory/700-127-0x00007FF66BB50000-0x00007FF66BEA4000-memory.dmp
memory/1624-126-0x00007FF624F80000-0x00007FF6252D4000-memory.dmp
memory/440-129-0x00007FF700EF0000-0x00007FF701244000-memory.dmp
memory/1116-128-0x00007FF707140000-0x00007FF707494000-memory.dmp
memory/3300-124-0x00007FF7C44A0000-0x00007FF7C47F4000-memory.dmp
memory/2628-130-0x00007FF7B1BE0000-0x00007FF7B1F34000-memory.dmp
memory/1352-131-0x00007FF6B35C0000-0x00007FF6B3914000-memory.dmp
memory/2872-132-0x00007FF76E4A0000-0x00007FF76E7F4000-memory.dmp
memory/220-133-0x00007FF7E5DD0000-0x00007FF7E6124000-memory.dmp
memory/4648-134-0x00007FF7EFE10000-0x00007FF7F0164000-memory.dmp
memory/1116-135-0x00007FF707140000-0x00007FF707494000-memory.dmp
memory/716-136-0x00007FF7040B0000-0x00007FF704404000-memory.dmp
memory/2628-137-0x00007FF7B1BE0000-0x00007FF7B1F34000-memory.dmp
memory/2576-138-0x00007FF696E00000-0x00007FF697154000-memory.dmp
memory/1352-139-0x00007FF6B35C0000-0x00007FF6B3914000-memory.dmp
memory/2872-140-0x00007FF76E4A0000-0x00007FF76E7F4000-memory.dmp
memory/3152-141-0x00007FF781130000-0x00007FF781484000-memory.dmp
memory/220-142-0x00007FF7E5DD0000-0x00007FF7E6124000-memory.dmp
memory/2500-143-0x00007FF74A790000-0x00007FF74AAE4000-memory.dmp
memory/4808-144-0x00007FF67D980000-0x00007FF67DCD4000-memory.dmp
memory/4648-145-0x00007FF7EFE10000-0x00007FF7F0164000-memory.dmp
memory/1340-147-0x00007FF6AE890000-0x00007FF6AEBE4000-memory.dmp
memory/440-146-0x00007FF700EF0000-0x00007FF701244000-memory.dmp
memory/4624-149-0x00007FF785770000-0x00007FF785AC4000-memory.dmp
memory/1580-150-0x00007FF612DD0000-0x00007FF613124000-memory.dmp
memory/1800-148-0x00007FF656440000-0x00007FF656794000-memory.dmp
memory/2024-151-0x00007FF7F0000000-0x00007FF7F0354000-memory.dmp
memory/4336-154-0x00007FF69A1B0000-0x00007FF69A504000-memory.dmp
memory/1624-153-0x00007FF624F80000-0x00007FF6252D4000-memory.dmp
memory/3300-155-0x00007FF7C44A0000-0x00007FF7C47F4000-memory.dmp
memory/700-152-0x00007FF66BB50000-0x00007FF66BEA4000-memory.dmp