Analysis Overview
SHA256
b3953cc7e1333ac902b2d55c8048299ce8d983a97ebce0279cd9a9e705515ce8
Threat Level: Known bad
The file 2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 17:04
Signatures
Cobalt Strike reflective loader
1 hit (indicator details not captured in this export)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit (indicator details not captured in this export)
UPX dump on OEP (original entry point)
1 hit (indicator details not captured in this export)
XMRig Miner payload
1 hit (indicator details not captured in this export)
Xmrig family
UPX packed file
1 hit (indicator details not captured in this export)
Unsigned PE
1 hit (indicator details not captured in this export)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 17:04
Reported
2024-06-08 17:07
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (indicator details not captured in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (indicator details not captured in this export)
UPX dump on OEP (original entry point)
61 hits (indicator details not captured in this export)
XMRig Miner payload
64 hits (indicator details not captured in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MaPwKss.exe | N/A |
| N/A | N/A | C:\Windows\System\iEMqbQu.exe | N/A |
| N/A | N/A | C:\Windows\System\qzunQdK.exe | N/A |
| N/A | N/A | C:\Windows\System\NKalQDf.exe | N/A |
| N/A | N/A | C:\Windows\System\cuEdKmX.exe | N/A |
| N/A | N/A | C:\Windows\System\qckOjdm.exe | N/A |
| N/A | N/A | C:\Windows\System\FyhCLSH.exe | N/A |
| N/A | N/A | C:\Windows\System\fFgIfaA.exe | N/A |
| N/A | N/A | C:\Windows\System\wPhkDGB.exe | N/A |
| N/A | N/A | C:\Windows\System\DzDiItT.exe | N/A |
| N/A | N/A | C:\Windows\System\vNZbakg.exe | N/A |
| N/A | N/A | C:\Windows\System\VyIVBck.exe | N/A |
| N/A | N/A | C:\Windows\System\hNsIMna.exe | N/A |
| N/A | N/A | C:\Windows\System\sGUXola.exe | N/A |
| N/A | N/A | C:\Windows\System\kApBdiu.exe | N/A |
| N/A | N/A | C:\Windows\System\hszmZZE.exe | N/A |
| N/A | N/A | C:\Windows\System\hoaQyfY.exe | N/A |
| N/A | N/A | C:\Windows\System\fIYFDwp.exe | N/A |
| N/A | N/A | C:\Windows\System\bttFvvY.exe | N/A |
| N/A | N/A | C:\Windows\System\lnRGNyf.exe | N/A |
| N/A | N/A | C:\Windows\System\yjSiAuy.exe | N/A |
Loads dropped DLL
UPX packed file
61 hits (indicator details not captured in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\MaPwKss.exe | C:\Windows\System\MaPwKss.exe |
| C:\Windows\System\iEMqbQu.exe | C:\Windows\System\iEMqbQu.exe |
| C:\Windows\System\qzunQdK.exe | C:\Windows\System\qzunQdK.exe |
| C:\Windows\System\NKalQDf.exe | C:\Windows\System\NKalQDf.exe |
| C:\Windows\System\cuEdKmX.exe | C:\Windows\System\cuEdKmX.exe |
| C:\Windows\System\qckOjdm.exe | C:\Windows\System\qckOjdm.exe |
| C:\Windows\System\FyhCLSH.exe | C:\Windows\System\FyhCLSH.exe |
| C:\Windows\System\fFgIfaA.exe | C:\Windows\System\fFgIfaA.exe |
| C:\Windows\System\wPhkDGB.exe | C:\Windows\System\wPhkDGB.exe |
| C:\Windows\System\DzDiItT.exe | C:\Windows\System\DzDiItT.exe |
| C:\Windows\System\vNZbakg.exe | C:\Windows\System\vNZbakg.exe |
| C:\Windows\System\VyIVBck.exe | C:\Windows\System\VyIVBck.exe |
| C:\Windows\System\hNsIMna.exe | C:\Windows\System\hNsIMna.exe |
| C:\Windows\System\sGUXola.exe | C:\Windows\System\sGUXola.exe |
| C:\Windows\System\kApBdiu.exe | C:\Windows\System\kApBdiu.exe |
| C:\Windows\System\hszmZZE.exe | C:\Windows\System\hszmZZE.exe |
| C:\Windows\System\hoaQyfY.exe | C:\Windows\System\hoaQyfY.exe |
| C:\Windows\System\fIYFDwp.exe | C:\Windows\System\fIYFDwp.exe |
| C:\Windows\System\bttFvvY.exe | C:\Windows\System\bttFvvY.exe |
| C:\Windows\System\lnRGNyf.exe | C:\Windows\System\lnRGNyf.exe |
| C:\Windows\System\yjSiAuy.exe | C:\Windows\System\yjSiAuy.exe |
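Two host-side observations in this detonation are cheap to hunt for on an endpoint telemetry feed: the sample writes 21 executables with seven-letter random names directly under C:\Windows\System\ (not System32) and runs them, and it enables SeLockMemoryPrivilege, which XMRig requests for large-page allocations. The following Python is an added example, not code from the sandbox vendor or from the report; the event shape is a constructed Sysmon-style record, and the LOCK_MEMORY_ALLOWLIST is a hypothetical starting point that has to be tuned to the estate being monitored.

```python
import re
from pathlib import PureWindowsPath

# Naming pattern observed for the dropped executables in both detonations:
# seven mixed-case letters, directly under C:\Windows\System\ (not System32).
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")
DROP_DIR = PureWindowsPath(r"C:\Windows\System")
TEMP_MARKER = PureWindowsPath(r"AppData\Local\Temp")

# Hypothetical allowlist of images that legitimately hold SeLockMemoryPrivilege
# (large pages), e.g. SQL Server with "lock pages in memory". Tune per environment.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}

# Constructed Sysmon-style events (not sandbox output); event 1 and 3 mirror the
# report's "Executes dropped EXE" and "AdjustPrivilegeToken" observations.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Windows\System\MaPwKss.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 3, "type": "privilege_adjust",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe",
     "privilege": "SeLockMemoryPrivilege"},
    {"id": 4, "type": "privilege_adjust",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "privilege": "SeLockMemoryPrivilege"},
]


def is_dropped_system_exe(image):
    """True for <7 letters>.exe located directly in C:\\Windows\\System."""
    p = PureWindowsPath(image)          # PureWindowsPath compares case-insensitively
    return p.parent == DROP_DIR and bool(DROPPED_NAME_RE.match(p.name))


def parent_in_temp(parent_image):
    """True if the parent image path contains ...\\AppData\\Local\\Temp\\..."""
    parts = [s.lower() for s in PureWindowsPath(parent_image).parts]
    marker = [s.lower() for s in TEMP_MARKER.parts]
    return any(parts[i:i + len(marker)] == marker for i in range(len(parts)))


def evaluate(event):
    """Return the list of findings for one event (empty list = nothing suspicious)."""
    findings = []
    if event["type"] == "process_create":
        if is_dropped_system_exe(event["image"]):
            findings.append("random 7-letter exe under C:\\Windows\\System")
            if parent_in_temp(event["parent_image"]):
                findings.append("spawned by a process running from %TEMP%")
    elif event["type"] == "privilege_adjust":
        image_name = PureWindowsPath(event["image"]).name.lower()
        if event["privilege"] == "SeLockMemoryPrivilege" and image_name not in LOCK_MEMORY_ALLOWLIST:
            findings.append("SeLockMemoryPrivilege enabled by non-allowlisted image (miner large-page pattern)")
    return findings


def triage(events):
    """Map event id -> findings, keeping only events that produced at least one."""
    results = {}
    for e in events:
        found = evaluate(e)
        if found:
            results[e["id"]] = found
    return results


if __name__ == "__main__":
    for event_id, found in triage(SAMPLE_EVENTS).items():
        print(event_id, found)
```

The two rules are deliberately independent: the drop-directory rule fires on the file-system pattern alone, and the parent-in-%TEMP% check only adds confidence. SeLockMemoryPrivilege is rare enough outside database and virtualisation workloads that an allowlist is a workable filter; the privilege name is exactly what the report shows in the AdjustPrivilegeToken rows above.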
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2220-0-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2220-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\MaPwKss.exe
| MD5 | 9343617b97089dcd03de729b818e1a00 |
| SHA1 | b2c496be591b7e09346bc1891ee60ca48e7395e2 |
| SHA256 | d5604c08861a1a8ea433a6d3e003317cfef8c2fba3b5e5cff8808e2e5ef6875c |
| SHA512 | eeb2c3f4dbaf55abcc50504513a45b04d7644b8dcc3e2260dd2bfa6497c1bbbbc70a7a63e18950ab58102bcb5b6fca054f9431e96d7f8e571912d8f8fb6223d8 |
memory/1044-8-0x000000013F3C0000-0x000000013F714000-memory.dmp
C:\Windows\system\iEMqbQu.exe
| MD5 | b59bb966258daeed785223f7ab66d7a6 |
| SHA1 | 19551b4b249360281c9e5aebd42fa4d13225f331 |
| SHA256 | 3b98a4090a899ea68f49ed6a152ed2d9cb86b59829c5e30d5b5a264ccbbef5e9 |
| SHA512 | cd43dd78bab06281c8a44ce8b8efa7fadaa2afc19ee671f6cc0610a60b555555210351febba603c7ce43a209f62695c9f32b428b69366500c23da50d5c14999d |
memory/1196-15-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2220-13-0x000000013FDC0000-0x0000000140114000-memory.dmp
C:\Windows\system\qzunQdK.exe
| MD5 | 80f5fc9000c230d674752b2d2caf44d0 |
| SHA1 | 09f7464a0ca4300035d1a975f971722dc86575c7 |
| SHA256 | 0047d5ee624546377d1a8f81573bca9d5dd3ace18ce1b987e3ac1faa37a53d54 |
| SHA512 | 1dd4511b4e57acc7f2b5267d950edb106f4f8edd2b38ce612c7070f197007b99b7ed21cf5bd9b989aa8bbf7db6a893a676fdf52bbf77c5d221dde845dd904a19 |
memory/2248-21-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2220-20-0x000000013F1E0000-0x000000013F534000-memory.dmp
\Windows\system\NKalQDf.exe
| MD5 | cfe5451890e90bc8b23028d7c10e0c6b |
| SHA1 | 19f6aa8313badf27182693cbe9944bd43dec2f76 |
| SHA256 | acca2560f4647d84440425112515d4a465132fd61e91933d6f9c80a046c861a9 |
| SHA512 | d21b61f28fecd142549086bf2fb5db3b2c3861db91b4c8d36120ea89b758549bdae3b0f86602d2e0d08a1ea0a7d5aa7d42e45e1be2ad764565c604922b32ae6d |
memory/2220-27-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2652-28-0x000000013F150000-0x000000013F4A4000-memory.dmp
C:\Windows\system\qckOjdm.exe
| MD5 | 2996f1167b52537c01032acff6df573f |
| SHA1 | 87355deaf6874160534a87bd3f05543c7dc55d7a |
| SHA256 | 23c117e1dc12bb613c0e21b8af375fbbbc4150048a9aa20fa52b0be33232e42b |
| SHA512 | 176400d1581bacd6d456369626a3ba944fe10c67d8c5e77d70edcf3728fcd2e92b97c0e55d88839fe884807c40e5ae9f2180e17ee20e5b52ad68f1696301cff5 |
memory/2708-38-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\cuEdKmX.exe
| MD5 | 34a686f78feeb341f11879789c61f5e3 |
| SHA1 | abb8ef6f6d1dfd347a2aab43dadcfbae878fd0cf |
| SHA256 | 0b346c5ab8571196a6502701f3b117cfe052f628d878e860e53d32aa096d785f |
| SHA512 | 9fe009f2ba6c5cceb9b44cbeeecacd868674a1a50aaf0cfb5696cfe356dd1c12f5fed62925ca51c19dc60476f63a6c97a7411be68710b33b7fc1717d8074e035 |
memory/3008-40-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2564-55-0x000000013FF50000-0x00000001402A4000-memory.dmp
\Windows\system\FyhCLSH.exe
| MD5 | ae40a887a56e937620cc4619e046c0a2 |
| SHA1 | 02827093079bd645299a6c29907dc720bd131294 |
| SHA256 | 8a274b9bbdca3064c7e079d1b6a3d2f65bccfcf3e413797976be39816d62161a |
| SHA512 | 246906f5d5ecda62bfb16c546638b8ed1ed9517a41dad807c2dbe626b86bb9c5d4846585bd995db64581948535997cd16c6e86d897c9d523e314312c410e34c4 |
memory/1044-68-0x000000013F3C0000-0x000000013F714000-memory.dmp
C:\Windows\system\VyIVBck.exe
| MD5 | 8a1f85ebe6f724cca3818e6b8f243a5b |
| SHA1 | be2b456627c4ca41f7e5645c082afbe8452fb0f4 |
| SHA256 | fb55daac88ed2acf330a7749c3e9604bb2ee2c65d4fb4a4f55bf9e9f5179e0a8 |
| SHA512 | b64888f61062785269792905673e3bc5e2617617f972863e1bf03211d0f52706605b96793849693b55c84492c3bac0be8e01fef4d20d33b4c74015047452355f |
memory/2220-86-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2948-87-0x000000013FF80000-0x00000001402D4000-memory.dmp
C:\Windows\system\kApBdiu.exe
| MD5 | 1c92b711a717ae80c8d5160e5985132c |
| SHA1 | ec28c339d416f895fcbb8ad7bc01bae3965c4f93 |
| SHA256 | 4af50aa61eb918e8eac30aff604d80b99941dde1ed57b2d19243376a1941cad2 |
| SHA512 | 4c36961692657cd376ab1609f58d671cea91c8b3b9e817b4eba752797fc2e30140df05faabe66157d70bc9ce090b845e16381d63fae72f8001810cd9ee6be219 |
C:\Windows\system\bttFvvY.exe
| MD5 | 9e323df89aa0523801298bbb206fa718 |
| SHA1 | 74b9923ce2fe138d603219d1e45bcec0dc39b942 |
| SHA256 | 1247d2b1472b16ce6862c773da6b8e742324001a6488678f4772e5831406bad1 |
| SHA512 | 6ac5c9179307ea31c24d8d11d578726b4b7afb0d8b3e65a72ddcc5afbb2bd1ece930311989706657d2e683f7d7c0ebe11bad0d9b5e1f4d3fdb2c5b230678a6f1 |
\Windows\system\yjSiAuy.exe
| MD5 | 27f603f6183a85cd4a07b11b9c667dbf |
| SHA1 | 01416973ceba8600346e220ed4625b291178f65c |
| SHA256 | 9691741fd192012b36382c651b69c719d621a099e8fa014aa9a24ba4a33dd9d9 |
| SHA512 | 515b96cd71cbc6744c1fcdd393b24bb3a03dfc3c008c50b7b13b280c410d4884c6221a4417b5459709ed33b701dd8ffae4a85f23a198d2ca21d7d2232a04523e |
C:\Windows\system\lnRGNyf.exe
| MD5 | 1153c0f377b72331bb9374adb764c243 |
| SHA1 | fc8ed1e6eceda09ead108548aad69b42841a1230 |
| SHA256 | 37ae6f126f205e1e378fd6e661f45eaf8fb2e75392606308965ea9e6aa58ac5b |
| SHA512 | 374aa387950a8701d891035b357632f75db2252f9e09c552fa46d8399975c9549a3ff01e2ebbd02cc8b5437162a1425ae2278640913d3dc94cc13bbd9a44745a |
C:\Windows\system\fIYFDwp.exe
| MD5 | b60feeeb45ce0acfa5c2749259018f69 |
| SHA1 | 35334aab258aff3575974699a914f9e2606150b6 |
| SHA256 | e6e263df58e88754fa4a9b60405472851e5e9cbe8e3d1d33e491d6ee1aa05478 |
| SHA512 | 74437b40209c42d84a3149df9a86d15722d8f5a151b7caab6fa3c4f9db848f529a21a1cf6c24f3553d0f3d33e117207b5861519d5c4c1fc1ac0418d2067c8e43 |
C:\Windows\system\hoaQyfY.exe
| MD5 | c5cda98cbe547e1a7dae1d4cd39e7b63 |
| SHA1 | dd9ae070372236d1c5e7fccb686170d87b6bfbec |
| SHA256 | b031a55384b142a93e58870ee40d12178c5d4a1cd7d62a1d55959791934c2000 |
| SHA512 | 42e413f3d11b1ede6344c6d852751003cdaeb6b5c08af760f74d209b4d27a733aafa90f786931e72155a11910c60f1140e47e156674bf2afec19f75a19948d94 |
C:\Windows\system\hszmZZE.exe
| MD5 | 745a50f35efab208a1974c9d94d6c294 |
| SHA1 | 6d3a0231da6ea65a15bf7630b0288de86a71a0e5 |
| SHA256 | 4b9e374254d419ea65fa3c6ab1ce675203b44c8bee72737205f3328ad78434bc |
| SHA512 | 20f7cf6f062aac67433351896150bb61bb9f2b074f3ed7bf578b29fa89a1d30c73406786f130345ea0b39bfe712ee2c463ead6bc5a99c5b1a8937343ef1fbbb3 |
memory/2220-109-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1552-108-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2564-140-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2960-94-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\hNsIMna.exe
| MD5 | f13777056bba0e1598d40ee0ec8a9cb1 |
| SHA1 | 8faa5a464e8c16bd69315dd6dd42795e6dd720b0 |
| SHA256 | 213e8ff25f416ba90cd0303c4a76a72a721e9db19ccff392d5b25b85bdb57e74 |
| SHA512 | cf54a2d7c11a7eea2eb5f5daed9ffa3fcee9341ec7b121bdddbb7df0355d5c936d7da7545fe7066e364927aeceebe255b76fc8b67282c33abbd2e4e0829d228b |
memory/2220-92-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/3068-103-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2220-102-0x0000000002410000-0x0000000002764000-memory.dmp
memory/3008-101-0x000000013F650000-0x000000013F9A4000-memory.dmp
C:\Windows\system\vNZbakg.exe
| MD5 | 26fecaec38ed280d4a88246a145a9120 |
| SHA1 | 0f71e67b5e9f90d1eb8facef2b5482185bc858c0 |
| SHA256 | 5c1eac64ea5a1fbb4fb89359ecb248c7fd07695d0c4f75594d6ad7b52c763f1c |
| SHA512 | 203b1f0b27bf1bd47b05217ca517add661b7f38626390e054a75aed630ced6d12df032638ef950ef680cb84be625b769f73af9765b6b19352582806b0a626817 |
memory/2220-76-0x0000000002410000-0x0000000002764000-memory.dmp
memory/1196-75-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2220-74-0x000000013FDC0000-0x0000000140114000-memory.dmp
C:\Windows\system\sGUXola.exe
| MD5 | 2d9e1be113e6b8798988e2217d6e8291 |
| SHA1 | 8198930b3991d36812204e3d769398d43dee4608 |
| SHA256 | adf4424818f2e62798cdd6c23e0d99238426041b5cab01f90563edc4c2a7a77f |
| SHA512 | c9ca2f6697aa8c5aec235e228cbda2a6de3bd9b2cb0a1190b259222c5fb505a10f0f65ed219e78ef7d64d9e0559cbf6000e65e228a3a25f6feb0a0a334f6f459 |
memory/2528-63-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2220-62-0x000000013F9F0000-0x000000013FD44000-memory.dmp
C:\Windows\system\wPhkDGB.exe
| MD5 | 52dc3eef2952f3f770054907bd812a09 |
| SHA1 | 35b4f1c42fc64a6f059b2c88afb7c4589f7f5c50 |
| SHA256 | eb479fd0841f139ce7df4061a9fd66598d455a08054c05e1deb25ed1299f1c2b |
| SHA512 | f05d9a8aba0c87d73c2bda23e04ffebac4bf65cc6239df15b1253ee18396561d0fd8d8b30ce1a1ae186026f532e8386f961f035f5702d3960d0063a746708332 |
memory/2228-85-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2248-84-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2220-60-0x000000013F540000-0x000000013F894000-memory.dmp
memory/1552-48-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2220-47-0x0000000002410000-0x0000000002764000-memory.dmp
memory/1992-69-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\DzDiItT.exe
| MD5 | 78efc3ff29874d87b57654ede3454008 |
| SHA1 | 4635529125e8eb261d7aa9eb8d53cb86b0f62fac |
| SHA256 | 67398771d106923d48203858d7f7c3149cf5c68ecbfcd0bfb4a7804e2eb1e7fa |
| SHA512 | 8f59545d60f20188cd9e2a230eb985a6a870981f0b3373c5f5d275bd35147962633a941143e436315b05727e1fe4052eccc02f0f5fabd18d39a07ee980ca9b19 |
memory/2220-54-0x000000013FF50000-0x00000001402A4000-memory.dmp
C:\Windows\system\fFgIfaA.exe
| MD5 | a5d472c6cd2d8b85a80421f7289ad700 |
| SHA1 | 4562068e639a4a959bf5ced0ab9eb0d42cb4c3cb |
| SHA256 | 52bab2e2f24d0e08c591a6b3856798510451b75c35cadfd17d19db9dabfa71ad |
| SHA512 | 0008c4c5ead09250ea86294d26e6027d8e207d067d61c92ee027d3de31327024ede499c9f9769e1d83d6571da1803c46c2d69ed00a768c577379a712cd2e81b1 |
memory/2220-39-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2528-141-0x000000013F540000-0x000000013F894000-memory.dmp
memory/1992-142-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2220-143-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2948-144-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2220-145-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2960-146-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2220-147-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2220-148-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1044-149-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/1196-150-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2652-151-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2248-152-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2708-153-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/3008-154-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/1552-155-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2564-156-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2528-158-0x000000013F540000-0x000000013F894000-memory.dmp
memory/1992-157-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2228-159-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2948-160-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/3068-161-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2960-162-0x000000013F280000-0x000000013F5D4000-memory.dmp
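The memory dump names listed above encode the process id, a sequence number and the dumped address range (memory/<pid>-<seq>-<start>-<end>-memory.dmp). Parsing them shows two things worth knowing before opening any dump: almost every dumped image region is exactly 0x354000 bytes regardless of PID, and the sample's own PID (2220) carries dumps of the same ranges that later appear under its children, which is consistent with the WriteProcessMemory signature (one reading, not something the report states). The Python below is an added example, not part of the report; SAMPLE_DUMPS is a subset copied from the behavioral1 listing.

```python
import re
from collections import defaultdict

# Layout of the dump names in the "Files" section: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of the behavioral1 dump names listed above (copied, not invented).
SAMPLE_DUMPS = [
    "memory/2220-0-0x000000013F9F0000-0x000000013FD44000-memory.dmp",
    "memory/2220-1-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/1044-8-0x000000013F3C0000-0x000000013F714000-memory.dmp",
    "memory/1196-15-0x000000013FDC0000-0x0000000140114000-memory.dmp",
    "memory/2220-13-0x000000013FDC0000-0x0000000140114000-memory.dmp",
    "memory/2220-102-0x0000000002410000-0x0000000002764000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Group parsed regions by the process they were dumped from."""
    by_pid = defaultdict(list)
    for n in names:
        r = parse_dump(n)
        by_pid[r["pid"]].append(r)
    return dict(by_pid)


def shared_region_sizes(names, min_pids=2):
    """Region sizes that occur in at least `min_pids` distinct processes.
    Identical sizes across 20+ PIDs point at one unpacked image being reused."""
    pids_per_size = defaultdict(set)
    for n in names:
        r = parse_dump(n)
        pids_per_size[r["size"]].add(r["pid"])
    return {size: sorted(p) for size, p in pids_per_size.items() if len(p) >= min_pids}


def shared_ranges(names):
    """Exact [start, end) ranges dumped under more than one PID; the writer/target
    pairs to look at when following up on the WriteProcessMemory signature."""
    owners = defaultdict(set)
    for n in names:
        r = parse_dump(n)
        owners[(r["start"], r["end"])].add(r["pid"])
    return {rng: sorted(p) for rng, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    for size, pids in shared_region_sizes(SAMPLE_DUMPS).items():
        print(f"size 0x{size:X} seen in PIDs {pids}")
    for (start, end), pids in shared_ranges(SAMPLE_DUMPS).items():
        print(f"range 0x{start:X}-0x{end:X} dumped under PIDs {pids}")
```

Run against the full list, the 0x354000 bucket collects the 21 child PIDs plus 2220, and the 0x10000 region at 0xF0000 belongs only to the sample itself. Those are the dumps to feed to a Cobalt Strike configuration parser or to string-search for an XMRig pool URL; the packed files on disk will not yield either.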
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 17:04
Reported
2024-06-08 17:07
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (indicator details not captured in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (indicator details not captured in this export)
UPX dump on OEP (original entry point)
64 hits (indicator details not captured in this export)
XMRig Miner payload
64 hits (indicator details not captured in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PCjjdTk.exe | N/A |
| N/A | N/A | C:\Windows\System\DnFqdzj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZrVShwO.exe | N/A |
| N/A | N/A | C:\Windows\System\nSEDlfY.exe | N/A |
| N/A | N/A | C:\Windows\System\sdBXfUS.exe | N/A |
| N/A | N/A | C:\Windows\System\slPBxKy.exe | N/A |
| N/A | N/A | C:\Windows\System\PbemDII.exe | N/A |
| N/A | N/A | C:\Windows\System\xMREccW.exe | N/A |
| N/A | N/A | C:\Windows\System\yAhzjYv.exe | N/A |
| N/A | N/A | C:\Windows\System\PaVzRyo.exe | N/A |
| N/A | N/A | C:\Windows\System\RZFAVfb.exe | N/A |
| N/A | N/A | C:\Windows\System\VQELhDT.exe | N/A |
| N/A | N/A | C:\Windows\System\nWQUgtM.exe | N/A |
| N/A | N/A | C:\Windows\System\ULZCuQx.exe | N/A |
| N/A | N/A | C:\Windows\System\jYayYwW.exe | N/A |
| N/A | N/A | C:\Windows\System\qPoqoJG.exe | N/A |
| N/A | N/A | C:\Windows\System\xxgHUAD.exe | N/A |
| N/A | N/A | C:\Windows\System\cEDFLVv.exe | N/A |
| N/A | N/A | C:\Windows\System\MStRuNp.exe | N/A |
| N/A | N/A | C:\Windows\System\AXzkJub.exe | N/A |
| N/A | N/A | C:\Windows\System\JcSFHFX.exe | N/A |
UPX packed file
64 hits (indicator details not captured in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\PCjjdTk.exe | C:\Windows\System\PCjjdTk.exe |
| C:\Windows\System\DnFqdzj.exe | C:\Windows\System\DnFqdzj.exe |
| C:\Windows\System\ZrVShwO.exe | C:\Windows\System\ZrVShwO.exe |
| C:\Windows\System\nSEDlfY.exe | C:\Windows\System\nSEDlfY.exe |
| C:\Windows\System\sdBXfUS.exe | C:\Windows\System\sdBXfUS.exe |
| C:\Windows\System\slPBxKy.exe | C:\Windows\System\slPBxKy.exe |
| C:\Windows\System\PbemDII.exe | C:\Windows\System\PbemDII.exe |
| C:\Windows\System\xMREccW.exe | C:\Windows\System\xMREccW.exe |
| C:\Windows\System\yAhzjYv.exe | C:\Windows\System\yAhzjYv.exe |
| C:\Windows\System\PaVzRyo.exe | C:\Windows\System\PaVzRyo.exe |
| C:\Windows\System\RZFAVfb.exe | C:\Windows\System\RZFAVfb.exe |
| C:\Windows\System\VQELhDT.exe | C:\Windows\System\VQELhDT.exe |
| C:\Windows\System\nWQUgtM.exe | C:\Windows\System\nWQUgtM.exe |
| C:\Windows\System\ULZCuQx.exe | C:\Windows\System\ULZCuQx.exe |
| C:\Windows\System\jYayYwW.exe | C:\Windows\System\jYayYwW.exe |
| C:\Windows\System\qPoqoJG.exe | C:\Windows\System\qPoqoJG.exe |
| C:\Windows\System\xxgHUAD.exe | C:\Windows\System\xxgHUAD.exe |
| C:\Windows\System\cEDFLVv.exe | C:\Windows\System\cEDFLVv.exe |
| C:\Windows\System\MStRuNp.exe | C:\Windows\System\MStRuNp.exe |
| C:\Windows\System\AXzkJub.exe | C:\Windows\System\AXzkJub.exe |
| C:\Windows\System\JcSFHFX.exe | C:\Windows\System\JcSFHFX.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1328-0-0x00007FF7AB790000-0x00007FF7ABAE4000-memory.dmp
memory/1328-1-0x000001D5DE510000-0x000001D5DE520000-memory.dmp
C:\Windows\System\PCjjdTk.exe
| MD5 | c4bf539a6a4117db677bc5edc738144d |
| SHA1 | a08fb8a7f6716c7fe8a30aaf5ab9423cefe2676f |
| SHA256 | 5533a4f9b021cb88c4f1c9d46314d7458c06e278e0e802f9e349fd195365211f |
| SHA512 | e8d78f6c845898e10bfb29839e09dee8626bc92acde64b0b3306bb03413ba2817f543b4820e57ac6aa0439f2e8b7f3c62c5cc542e4b4a130224e700118cfabff |
memory/2008-6-0x00007FF73C0F0000-0x00007FF73C444000-memory.dmp
C:\Windows\System\DnFqdzj.exe
| MD5 | 2b330e7d579f711a333181846c466521 |
| SHA1 | 658bcf5ce12d6c01ef21e781314af41100ccf4d8 |
| SHA256 | 51cc7a57f4600556c55ea9a56214c1aa85ef88de174a6e4ec19b27b292eab8e4 |
| SHA512 | 8c6b8b54ea29ea4c5476eaae2e418451989b1578466810b4400568d7670f8641395460090ffcfabf2ee20a6cc6697f8fb97920cc05a19afc65e12c9f88ef1f20 |
C:\Windows\System\ZrVShwO.exe
| MD5 | 31c7589858bc654fe1be1e532377d39b |
| SHA1 | 8bfe7431b579b32ee359626f268a80152204d120 |
| SHA256 | ece416b3cabd36f5bdbec347fcac5f381f758a0c44e2b41cf03138bb39cc26d7 |
| SHA512 | 653118e13ae5748fb9b7445c4aa5d2a64736e225584cadd6beb26a2240811fc86be8696c9d66751cc26b0f2370c89da385626d72449d46c6a07c960732075bb4 |
memory/1812-12-0x00007FF7CD880000-0x00007FF7CDBD4000-memory.dmp
memory/3892-20-0x00007FF778700000-0x00007FF778A54000-memory.dmp
C:\Windows\System\nSEDlfY.exe
| MD5 | 5716f3fe1fe9785affc7e53aba10252c |
| SHA1 | c42b167876c3f737846232315f867d7941b0018d |
| SHA256 | 7981de677421352c88e200d34a25a8991f7c359b948c97d6680c6ee38b93323d |
| SHA512 | 63b0c6cc62ca2f2c941d7854a5132c5601f8cde73df6492d74e893a93c45606f8718f8218306525bd8951753080d3b903f98ef9934a653020d83f7d911b397d9 |
memory/2060-26-0x00007FF788490000-0x00007FF7887E4000-memory.dmp
C:\Windows\System\sdBXfUS.exe
| MD5 | 14625531295703146d74a5117850aa39 |
| SHA1 | 73fb6237f9a98232934a8fdb0bb08865df37deb5 |
| SHA256 | 9c27b5d93526f58e53b2783c344d3169a62e0d01d3c723be11fc170f52187758 |
| SHA512 | 5a598526a175e9db12efadd19e93110eab768e21809e88fcb567a9f997e94cf6e10d0387dfd62a313f8bf45132ddc1e20e39bcd98908f8bd7ee80d6cfd132592 |
C:\Windows\System\slPBxKy.exe
| MD5 | 00cc18f0cf9c7bfb893bcea89edb5084 |
| SHA1 | 9a549fd26d169eb490aca91efca5bd9c4199731b |
| SHA256 | 3bd9d69aa2969a46c6003b86d8cd53a462d8ef28da1d8f6fb36b2c3c8d9e3fb0 |
| SHA512 | 5f324d26a041526daa91eda9ce95a30a59b379c74877da960f8f90a0790ae19ca19ab0cbd458896e487c7f4f60afa88a7c1fa36db84755f34892cb10d049b3c1 |
memory/1716-33-0x00007FF6F98F0000-0x00007FF6F9C44000-memory.dmp
memory/2320-43-0x00007FF615660000-0x00007FF6159B4000-memory.dmp
C:\Windows\System\xMREccW.exe
| MD5 | 33b94fd03c0d46355e8f88ab15c00599 |
| SHA1 | f59e14a075d9ecb4cd658a9291b8c23520e9f393 |
| SHA256 | 529212099f90ddaf227c13f9d3a9873455fdaafd63686f0839b327167c2b5cab |
| SHA512 | f222d3d5ee1b4a98efec33d7ca5939db3a653392b8bf62bc7cbaa49d1fefa83a3e4fd8dd7cc8a37f23f40fd7534954e3c97e82991744c5c8a98f8b6193eec9b0 |
C:\Windows\System\PbemDII.exe
| MD5 | d16413edcdf43867e421e55e79abff29 |
| SHA1 | 5378dad5a98e27d8ecf4008d8da38c7dce5c101e |
| SHA256 | ef8e00b8f0c3dd3f68971d886f2fe5fe6fa29599c3ffe2d0950cbab2797f53ab |
| SHA512 | 96c780f8d728dc4337ee3ad4fe596d4797cb2d5747b7e23bbe09299e6bcf0922f25de4de14bdeb47923478da2d340fa8bfe660e9a243d42d61b073a6994c3aa2 |
memory/1460-38-0x00007FF7461A0000-0x00007FF7464F4000-memory.dmp
memory/2292-50-0x00007FF723140000-0x00007FF723494000-memory.dmp
C:\Windows\System\yAhzjYv.exe
| MD5 | d4434158a31cae59d08e8175a36a8879 |
| SHA1 | dc3e62e4a292d553ae8ffc039fdf401b8a88552e |
| SHA256 | db69ac70c1973b6abc9139be696f4677708011a2e78fb61ef65f4ffb0ce273fd |
| SHA512 | c1e389ecad0b6445edb8a00215326184911ae4330cb2b34261d6a23cc044e79f805de14f08ba790fdabb2ab162e9d8272056e3d212dc81500a8013bfb651cc11 |
memory/4472-54-0x00007FF7B3530000-0x00007FF7B3884000-memory.dmp
C:\Windows\System\PaVzRyo.exe
| MD5 | e5965f0229acc641d54fd43cd0777ad4 |
| SHA1 | e67f7d0712153b35072e832f309b474eaf3dbf23 |
| SHA256 | 0b7c2e27e57443e4751738ed343bab8ad847b86ba466c1569b1849d2b0049864 |
| SHA512 | 6d37b7d3f7c68fc2430ded9a7a423e9a1590dc33577707a07fbdb4b7bf4610a75897bb43f5cacf9bdac0c1e60cdf12e0e676531def46fa1cc9223a94b1cd3bae |
memory/2132-61-0x00007FF776600000-0x00007FF776954000-memory.dmp
C:\Windows\System\RZFAVfb.exe
| MD5 | e07a423ee011e7fef7d7d4e63b41f5cf |
| SHA1 | 2016f06b2c80b8e2f10c8fde48ce49221c8e36d1 |
| SHA256 | af462e3194e4658fecd5232ba99ccaef465905304c0b7806f52706400a54fd32 |
| SHA512 | 25b7fcd1fa218e9edba70647947cb7d0bf488e4caa11a7ba1eccd4bf9bce28e9928e32a945a0bf78f096fe93a1afcea9fb1e34d0dd38d6c5786985bec479880a |
memory/1328-60-0x00007FF7AB790000-0x00007FF7ABAE4000-memory.dmp
C:\Windows\System\VQELhDT.exe
| MD5 | 324fc62c6f2615fca0320f7dd7f57339 |
| SHA1 | 8ef61443cad7ddcf1d8815da87cf2d7d36634f44 |
| SHA256 | 58104c2198abe0c5be55e7a178e2a11d5748edbc6a81e1f4c24a3b748d0ea23e |
| SHA512 | 44d7b53c16279aee9fd83f2fc2340da74b2ba06bbe23fd2a166abf03a2d966abaf2f6ce031fea070d7892b97aa681751e52ac14e9d5c8b7c9042f9ddef8f8e93 |
memory/1812-74-0x00007FF7CD880000-0x00007FF7CDBD4000-memory.dmp
memory/4112-75-0x00007FF710490000-0x00007FF7107E4000-memory.dmp
memory/1736-73-0x00007FF629D80000-0x00007FF62A0D4000-memory.dmp
memory/2008-69-0x00007FF73C0F0000-0x00007FF73C444000-memory.dmp
C:\Windows\System\nWQUgtM.exe
| MD5 | 8caa31e22ac0236b6e51d311f878ab00 |
| SHA1 | 12b18563ba8b709db8f9343068b56c7c60beb7c6 |
| SHA256 | f180c0afc025a081cf2c598f5dfabffd69aaed2f4b81e52bf619dad189075326 |
| SHA512 | 62c8a8702aa627bdb10eb5eeeed3971afb1a7db97a49dcda762d5b448d768c568a290b779699d14720f90a580f12f19eb46979d768df06ea751e40222ee8d791 |
C:\Windows\System\ULZCuQx.exe
| MD5 | 65c805e678cd6512bf29a22b8c497829 |
| SHA1 | b548da8f4025cf81625742149f5e6386aeacf333 |
| SHA256 | d48a10fd40fe8dc1428520e3d65c07d9eee9b51dd0e92ff4c6686ae58377a44c |
| SHA512 | 28278dbddb702ea74660309771853205a0fe6cd0de0f88abc53c745928a2ae9a2fd06530d04c4ae3232d445c07d52171d3ed0800717a035d9f103588855ce5a8 |
C:\Windows\System\jYayYwW.exe
| MD5 | 7ce462ccc61e3344232b763b8e03acac |
| SHA1 | 1581fb6a3200fb7d96db73e7427db758f49b5bf4 |
| SHA256 | 2d31a8d8985561900c135ec071324f383f60c3358549d0e1ff741501734393c4 |
| SHA512 | 944888bf9f0989eadcfcc30de3391f10a87802f0b7dda96b6c46f92af290a749eb99c298cf40c4d20c69049c08b5be742c7fa1a43c5751d0cb000506b0cb088d |
C:\Windows\System\qPoqoJG.exe
| MD5 | f3f0238fcd79b58ad6376eaea8778bae |
| SHA1 | 6d4e3c1f1a7dd64cbbc4c4185cf6065f7c489391 |
| SHA256 | 511aa0574a54b7d68a51ad94021e0a209fac890f8b1ae3b604d17190d642c79c |
| SHA512 | 16dac02e2b900481803138033f3eb3f0dcb896f5deb44d103140c99f77d455d787df253b3b5d6d1c8d74a09cb6447e9e938d63aa134b29d2b7ab9bbbaff75258 |
C:\Windows\System\xxgHUAD.exe
| MD5 | cae5e082c360fc54ab523c99a8c97762 |
| SHA1 | eaef17bedd1f732b23fa5aaf4b178f44c771928a |
| SHA256 | d15732ff7275c747064bfe2f45f4b8f25404cd00bbad34e5ffc811f3083cb1e4 |
| SHA512 | 08418c50e3dc497d45e488147892c5948c6b43361d03764335193136c13c592ad8fc954a1fe0a08381634e1fd1590931ef5931480cfce7d584075dd5d2eba0fb |
C:\Windows\System\cEDFLVv.exe
| MD5 | 9b12342727fb174b6aa2b2086fbce5fd |
| SHA1 | be0c6eb10f463e8cd9a7ee1f0a44e38ee273ecf8 |
| SHA256 | 948f232297ab280d78b48b7579d801c89ed86114e4340716fe5d1e6b11428b59 |
| SHA512 | 63cebb4a85f0713b9b32260e14811979bdabe22645c99fc8e29160437bba346d8d13c323af227645c1b6ec1f032940b4b89e3dc28b397f06b25d34c9fdc980d3 |
memory/452-111-0x00007FF6FB4F0000-0x00007FF6FB844000-memory.dmp
memory/2320-110-0x00007FF615660000-0x00007FF6159B4000-memory.dmp
memory/4640-104-0x00007FF6FCE80000-0x00007FF6FD1D4000-memory.dmp
memory/1568-95-0x00007FF693120000-0x00007FF693474000-memory.dmp
memory/1716-93-0x00007FF6F98F0000-0x00007FF6F9C44000-memory.dmp
memory/2452-88-0x00007FF7DEBF0000-0x00007FF7DEF44000-memory.dmp
memory/1484-81-0x00007FF7C08A0000-0x00007FF7C0BF4000-memory.dmp
C:\Windows\System\MStRuNp.exe
| MD5 | 91c6a2a176fbe3230a7f4d640be360de |
| SHA1 | 80bf97c5e07021ac18c5ac7f0a081cd9c2a69507 |
| SHA256 | 5214b078d35773dcf1434dc4f4bc1c089009accdc58c8701fff9ac31c29150a1 |
| SHA512 | becb51026b376393a1b2b15fe0bcf13201882e5d2a336ec9ab951a4bce79f466af179f4fdaea87f54ede4166ab672a4d4c54ac3bc9530e19d7448aa026a714ca |
C:\Windows\System\AXzkJub.exe
| MD5 | 9c16c8e160aa08ebc978cf612f1b3605 |
| SHA1 | 90cefb758c8a716d5c3b788b7000cd90dc6e6c4e |
| SHA256 | 09eddec40dcc10c1289596fbe32e8c80564c2c54989e5f653adc435ed31deff9 |
| SHA512 | b359c23b3e632ed14be43f3bc250b5e53dbcb16663f161ef02f7cfba8e3078a3313f1569f4fd28f8531592f775fb0110849355526f38075a83978eda648dc362 |
C:\Windows\System\JcSFHFX.exe
| MD5 | f512f90b4a35ec20290a7721267cbdb0 |
| SHA1 | 5d58ebf37efe5c34e25907209f579a4af143d0c1 |
| SHA256 | 2115c4781d9ebf374bcf990f07b77a6ee58d1d505432f55e194929170224c273 |
| SHA512 | 24edb32ed4acb6e7ba9a720ca09394d979d867d67a0bd759793ddef8d344c512ac55aeb28611fd123add2da8d8c9e3daa5ea4f1c52abb8a6d2450bba1798bd39 |
memory/4472-120-0x00007FF7B3530000-0x00007FF7B3884000-memory.dmp
memory/1392-116-0x00007FF6F9DB0000-0x00007FF6FA104000-memory.dmp
memory/4036-131-0x00007FF763E80000-0x00007FF7641D4000-memory.dmp
memory/4588-133-0x00007FF7B7920000-0x00007FF7B7C74000-memory.dmp
memory/4380-132-0x00007FF6F07C0000-0x00007FF6F0B14000-memory.dmp
memory/2132-134-0x00007FF776600000-0x00007FF776954000-memory.dmp
memory/4112-135-0x00007FF710490000-0x00007FF7107E4000-memory.dmp
memory/1484-136-0x00007FF7C08A0000-0x00007FF7C0BF4000-memory.dmp
memory/2452-137-0x00007FF7DEBF0000-0x00007FF7DEF44000-memory.dmp
memory/1568-138-0x00007FF693120000-0x00007FF693474000-memory.dmp
memory/2008-139-0x00007FF73C0F0000-0x00007FF73C444000-memory.dmp
memory/1812-140-0x00007FF7CD880000-0x00007FF7CDBD4000-memory.dmp
memory/3892-141-0x00007FF778700000-0x00007FF778A54000-memory.dmp
memory/2060-142-0x00007FF788490000-0x00007FF7887E4000-memory.dmp
memory/1716-143-0x00007FF6F98F0000-0x00007FF6F9C44000-memory.dmp
memory/1460-144-0x00007FF7461A0000-0x00007FF7464F4000-memory.dmp
memory/2320-145-0x00007FF615660000-0x00007FF6159B4000-memory.dmp
memory/2292-146-0x00007FF723140000-0x00007FF723494000-memory.dmp
memory/4472-147-0x00007FF7B3530000-0x00007FF7B3884000-memory.dmp
memory/2132-148-0x00007FF776600000-0x00007FF776954000-memory.dmp
memory/1736-149-0x00007FF629D80000-0x00007FF62A0D4000-memory.dmp
memory/4112-150-0x00007FF710490000-0x00007FF7107E4000-memory.dmp
memory/1484-151-0x00007FF7C08A0000-0x00007FF7C0BF4000-memory.dmp
memory/4640-153-0x00007FF6FCE80000-0x00007FF6FD1D4000-memory.dmp
memory/1568-154-0x00007FF693120000-0x00007FF693474000-memory.dmp
memory/2452-152-0x00007FF7DEBF0000-0x00007FF7DEF44000-memory.dmp
memory/452-155-0x00007FF6FB4F0000-0x00007FF6FB844000-memory.dmp
memory/1392-156-0x00007FF6F9DB0000-0x00007FF6FA104000-memory.dmp
memory/4036-157-0x00007FF763E80000-0x00007FF7641D4000-memory.dmp
memory/4380-158-0x00007FF6F07C0000-0x00007FF6F0B14000-memory.dmp
memory/4588-159-0x00007FF7B7920000-0x00007FF7B7C74000-memory.dmp