Analysis Overview
SHA256
2765d0eba83e7a68d373643b7712fdb1450b8960cef453f79d1d816cf5f6e4dd
Threat Level: Known bad
The file 2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
xmrig
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 16:10
Signatures
Cobalt Strike reflective loader
1 match recorded; the export carries no description, indicator, process or target for it.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match recorded; the export carries no description, indicator, process or target for it.
UPX dump on OEP (original entry point)
1 match recorded; the export carries no description, indicator, process or target for it.
XMRig Miner payload
1 match recorded; the export carries no description, indicator, process or target for it.
Xmrig family
UPX packed file
1 match recorded; the export carries no description, indicator, process or target for it.
Unsigned PE
1 match recorded; the export carries no description, indicator, process or target for it.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 16:10
Reported
2024-06-11 16:13
Platform
win7-20240220-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the export carries no per-match description, indicator, process or target.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; the export carries no per-match description, indicator, process or target.
UPX dump on OEP (original entry point)
54 matches recorded; the export carries no per-match description, indicator, process or target.
XMRig Miner payload
59 matches recorded; the export carries no per-match description, indicator, process or target.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kHUaelM.exe | N/A |
| N/A | N/A | C:\Windows\System\LTLBGXo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZoYCKvg.exe | N/A |
| N/A | N/A | C:\Windows\System\gUmUtvY.exe | N/A |
| N/A | N/A | C:\Windows\System\vLfhdPD.exe | N/A |
| N/A | N/A | C:\Windows\System\KzskRcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GfykEGK.exe | N/A |
| N/A | N/A | C:\Windows\System\vpcNkvh.exe | N/A |
| N/A | N/A | C:\Windows\System\AxaCLTC.exe | N/A |
| N/A | N/A | C:\Windows\System\QbEgmUl.exe | N/A |
| N/A | N/A | C:\Windows\System\GyRfPUU.exe | N/A |
| N/A | N/A | C:\Windows\System\XBkumdo.exe | N/A |
| N/A | N/A | C:\Windows\System\fJEklxx.exe | N/A |
| N/A | N/A | C:\Windows\System\oRqGrqR.exe | N/A |
| N/A | N/A | C:\Windows\System\dvsEMEq.exe | N/A |
| N/A | N/A | C:\Windows\System\SYZBvTt.exe | N/A |
| N/A | N/A | C:\Windows\System\yimJsGh.exe | N/A |
| N/A | N/A | C:\Windows\System\lVZvjzt.exe | N/A |
| N/A | N/A | C:\Windows\System\OuFSUsj.exe | N/A |
| N/A | N/A | C:\Windows\System\AqkPjiz.exe | N/A |
| N/A | N/A | C:\Windows\System\YTSgZyO.exe | N/A |
Loads dropped DLL
UPX packed file
54 matches recorded; the export carries no per-match description, indicator, process or target.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\kHUaelM.exe
C:\Windows\System\kHUaelM.exe
C:\Windows\System\LTLBGXo.exe
C:\Windows\System\LTLBGXo.exe
C:\Windows\System\ZoYCKvg.exe
C:\Windows\System\ZoYCKvg.exe
C:\Windows\System\gUmUtvY.exe
C:\Windows\System\gUmUtvY.exe
C:\Windows\System\vLfhdPD.exe
C:\Windows\System\vLfhdPD.exe
C:\Windows\System\KzskRcZ.exe
C:\Windows\System\KzskRcZ.exe
C:\Windows\System\GfykEGK.exe
C:\Windows\System\GfykEGK.exe
C:\Windows\System\vpcNkvh.exe
C:\Windows\System\vpcNkvh.exe
C:\Windows\System\AxaCLTC.exe
C:\Windows\System\AxaCLTC.exe
C:\Windows\System\QbEgmUl.exe
C:\Windows\System\QbEgmUl.exe
C:\Windows\System\GyRfPUU.exe
C:\Windows\System\GyRfPUU.exe
C:\Windows\System\XBkumdo.exe
C:\Windows\System\XBkumdo.exe
C:\Windows\System\fJEklxx.exe
C:\Windows\System\fJEklxx.exe
C:\Windows\System\oRqGrqR.exe
C:\Windows\System\oRqGrqR.exe
C:\Windows\System\SYZBvTt.exe
C:\Windows\System\SYZBvTt.exe
C:\Windows\System\dvsEMEq.exe
C:\Windows\System\dvsEMEq.exe
C:\Windows\System\yimJsGh.exe
C:\Windows\System\yimJsGh.exe
C:\Windows\System\lVZvjzt.exe
C:\Windows\System\lVZvjzt.exe
C:\Windows\System\OuFSUsj.exe
C:\Windows\System\OuFSUsj.exe
C:\Windows\System\AqkPjiz.exe
C:\Windows\System\AqkPjiz.exe
C:\Windows\System\YTSgZyO.exe
C:\Windows\System\YTSgZyO.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2192-1-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2192-0-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\kHUaelM.exe
| MD5 | c389efa24dacfb1e0ecf8e0a4a722241 |
| SHA1 | c00cd1b013424e8b994dbac78b750e0e0423f0b4 |
| SHA256 | e4d25b01bacd8f2309ddeb99cca4f6c35ae3480a120a6335840db9d8b1807c5e |
| SHA512 | 7c7ff19680475554fcfd3524125027d3dbb024e6b539a5fee59be5e8f286200ebf2c36a5ddcbaf1a59b136300823761bd87f62278d841d168e518a4f0f7d694e |
\Windows\system\ZoYCKvg.exe
| MD5 | 3ebfb668853e1f9197e5cfbb892edeed |
| SHA1 | b6f8ec4193a5e57eaa50d45e2c6e9b22497097dc |
| SHA256 | dd09e6eb0902cc9d645b5b2d43c21396952af30f580f916964a77d9726a47346 |
| SHA512 | cad083f17a63ce06a246541da903e9a116fda987315c0e05dd5d5787675aebd086e84e28db05363488828ddabb5913c33267ccbf3c9e495a2e4077965bfb5e75 |
memory/1692-12-0x000000013FE40000-0x0000000140194000-memory.dmp
\Windows\system\LTLBGXo.exe
| MD5 | 286ee6689fedaa070b97cd42b39855b6 |
| SHA1 | 988c19786a124b870fdb6d2ecfc21e79cd6fde2c |
| SHA256 | 948a3587872052814b5d6c7ab848edb97c404254080b19a32160108eee0dc65a |
| SHA512 | 449a311c3a7a3cd5b422c496e4d534506f0df381561e2ac4402e8536ef2c73cc400d5d4104747bb76ba8417f71736cf60b01e32d332737301c105263289bd7f8 |
memory/2920-21-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2656-20-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2192-16-0x000000013F450000-0x000000013F7A4000-memory.dmp
\Windows\system\gUmUtvY.exe
| MD5 | 2e68f5eac264f84bea28c3d549749f13 |
| SHA1 | ce471774e80a96447f202777d27b697728029197 |
| SHA256 | 24f96daed621a5320a051381cde634dfa00576a5d7f050c9ea9d7205d7b4aab3 |
| SHA512 | fbb53b5664f0cb27389800f5da58d5632e0a8c6bd24375857918d0dca0275c27f91de18ccdff7c5fc04a17dca9159d14d2163c8aa6abc87b80274c90a463e2b9 |
memory/2192-23-0x00000000024C0000-0x0000000002814000-memory.dmp
\Windows\system\vLfhdPD.exe
| MD5 | 75776704d201a9f731dade780530039d |
| SHA1 | 9f1fd6e962d301a3c2740f87569875184ba73454 |
| SHA256 | e83b22b7e4b8537b72fcc2b089f5ab1cfdb1457a9dc2cc547212feccca37ef3f |
| SHA512 | d01b22726cda59e1f229fc37d4d1580c890fbf01269f86b97d2fd74f5da083cf1fcb5293aa3555a05d9278bca84a612af932c53d647e06f812afe37114d15bcb |
C:\Windows\system\KzskRcZ.exe
| MD5 | 76f1281504d193e3f6d6a967487ffb43 |
| SHA1 | 0d8cac132d88355baf1033d11edc94307dcbc503 |
| SHA256 | 6fa1fdcb002d24c7ea08dcc9a34214a85cb1e580ab44ca911febe0d337faeb9b |
| SHA512 | c17c88cd9f8075cddd4efc88292c03e669451e0b9cd1909d05ef2a39aba531581b0ce2cd0271f0f06a242ef1fc0b3e2eb1aac3912ae7b630dbc1be03afe2630e |
memory/2192-39-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2520-37-0x000000013F740000-0x000000013FA94000-memory.dmp
\Windows\system\GfykEGK.exe
| MD5 | a6f8249833876a11b796fe96028711fc |
| SHA1 | 370a3c74fa1b4b78578895dfc86b2491051a72d5 |
| SHA256 | 17e8f33df9eb69e29899f3f1e6ceceec0d9adf3bb0446cac4d0d7141118b9d2f |
| SHA512 | fc75c6cb352b99facbd6b9975dd2e7cac35950c61bce9465cf3ff85d7b8757245da4b66cdd9837a0d9a649f411b7aed2136f24bdd5fe3c03b44227681a7521f3 |
memory/2732-48-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2192-46-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2192-44-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2504-43-0x000000013F0E0000-0x000000013F434000-memory.dmp
C:\Windows\system\vpcNkvh.exe
| MD5 | 285bc7144937a6a1a0b9607bb62cd234 |
| SHA1 | a7f64a965242ac9036ddb02d4c9318416f5a3287 |
| SHA256 | 8fffd11936dd2564cd3b9874c34333fc360a6188753ee55e0dd39f2e729058ea |
| SHA512 | 167467c2ef229422c1d8f8f358022a370ff0734bd7e28d040b847f0aca9ce4be63ffeb9179f3de2b90c8fb895a935967e616e7a24e756948cef3296e5aa90554 |
memory/2552-56-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2192-55-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1692-54-0x000000013FE40000-0x0000000140194000-memory.dmp
\Windows\system\AxaCLTC.exe
| MD5 | 58c310264b4ddabb472b6bb76908d1be |
| SHA1 | 5d82ef5856fa29974d61a2878668394267f375d1 |
| SHA256 | 93863689e1eaa4e79e8e2a0007c4bb78ff16a9facc2c4f418664d0150b5356d5 |
| SHA512 | 148681c57c0e7f2a706c0f94fa310cf82be66ac70d25e90e8532362b1f0071d1539b13a584273d537c48f23063eda6902b66a4eb1cc110c6e27f04c4bbc3e6c3 |
memory/2400-62-0x000000013F600000-0x000000013F954000-memory.dmp
C:\Windows\system\QbEgmUl.exe
| MD5 | a5bfec5c093e6ea8b73ef02f6d78840f |
| SHA1 | c4c1d8b39491d9749719344f8041d6fba1ec4925 |
| SHA256 | d4022819c70496cb716b3a98263eed4163650fd7aee91884af47eb2901cadfe7 |
| SHA512 | 1cf23af8bbac84ddd3a1d6a9daef22ca8fa7c9f41ae77bfba4cc68a9cfcb03dfb37c861a264b322dd3488d32184b6ba6011e29cbcf4abef8248b7c96ce6ef4e6 |
memory/2460-69-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2192-68-0x000000013F660000-0x000000013F9B4000-memory.dmp
\Windows\system\GyRfPUU.exe
| MD5 | 3228c117b46aad24800c27e6a4fee70a |
| SHA1 | 45f0887baef416534935eeb4a59f4a0fed27ef2c |
| SHA256 | df01b7f137093dafa090c5658937a44c4ed85922f8c02a04daed91295e84efeb |
| SHA512 | 4842fde95dd2a00bcac65a9e0b2ff7012fba468d775c587fbf11bd0cad06b71ad1c4f680adbe69036944db2eac4aadf59b1726d2f12a76625686c81c8d09eca3 |
memory/2428-76-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2192-74-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\XBkumdo.exe
| MD5 | bc5658d44a1fed914f3f9f756fcecbed |
| SHA1 | 7745dde2e6386d4558913cc966f8dae772f10e66 |
| SHA256 | d51d643e6b708d3fa7724b15d2cc7b85dd18ad84b306e65c264b1ea8affd6ca4 |
| SHA512 | 27a8fc1d0979a54a3ec00f314d97477ce19ddab8f54aaf474579fbcd83b206ee723d3217f11dd56979469872fcb6af27d4375b62eff41416b306f71e051e512a |
memory/344-83-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2192-82-0x000000013F040000-0x000000013F394000-memory.dmp
\Windows\system\fJEklxx.exe
| MD5 | 57d12abd1bde7c945535c5d0da0dbd5b |
| SHA1 | 6906d7135c1d003ee79a4a84b7cf1f827b65b806 |
| SHA256 | 3b0b420bb0d900cd2c4e7f8beb42a0d74575fa629ef63001dc216cf02b537dfe |
| SHA512 | d10370e019664760577bc20452fe877613b6d3b03e21746b0e4deae5a8a7f0253c3b83d1ad8d87cdeff064b8f05a08e8f2143f906d09e0f0b82cd69bd9d84df1 |
memory/2060-89-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2372-91-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2192-90-0x000000013F740000-0x000000013FA94000-memory.dmp
\Windows\system\oRqGrqR.exe
| MD5 | 995c6d6306458981efd244d25682c9e6 |
| SHA1 | c1a63ab83a60fe38b9f27dc24f874150baecea28 |
| SHA256 | 74154826d5f5aeff406c3d0bade66d4d38017d73ff56751160d7ed019683273d |
| SHA512 | d415ae97e606ed6e3a1acdefbfc7615bbe7476d0294a9c42892f4d7320bd27b0a5b06be38e0235b95b5755f9551da87370f0fd33272ad6197c01f5610ce267d8 |
memory/2192-97-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2708-101-0x000000013F3D0000-0x000000013F724000-memory.dmp
C:\Windows\system\SYZBvTt.exe
| MD5 | 657ae36129741a627307767a21403885 |
| SHA1 | 5a5ac8e91dbe3e0684bc4e24ad988345e64c0149 |
| SHA256 | 862fe9d108d7f15eef4137e7952314986258a3f562efdb808b3662da34dffd13 |
| SHA512 | e5fc3448e91093aa12f74ae1d1eef81fadb82b91d9a2b808b0691b06e087c67b4d5c860881cba02c8eb9ce4c2d88e059838f01748e132fb83b0c650f98c85654 |
C:\Windows\system\yimJsGh.exe
| MD5 | cf411f062bc96c076a4d38908c0ee8c4 |
| SHA1 | 843f4b8ab7d06170bc2f34897fc288070fddd191 |
| SHA256 | 95f02964ed04a8de5326f3477b81b79827c64f6a43a81c49b89470dd682f7689 |
| SHA512 | 287470a38322cdcafb7d50a5a62ddb5b238289e65276757fe1eb82d17a56c455e6a2e02d9a0ccb33558723ff98504d720653667acfcb7b004110adec9ba6587e |
memory/2732-114-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\dvsEMEq.exe
| MD5 | d0e121b3a8ab57cef63b6c482d8bc953 |
| SHA1 | 0868e1c6d7eb0801c607f4b089ca7a7d87c76940 |
| SHA256 | e70ed30e6b90927f04a7560b6fff104fde7f938fa10a66e03c0c50753d8f40e5 |
| SHA512 | e5bc8ac02dd29908e24c811ce9e32fc0b4e8d70927e3edd7bfe8ec26ff865dc4775b6d9a0e58c0347aba09c60e047b70916d5136412f90477d71d3999449e61e |
\Windows\system\lVZvjzt.exe
| MD5 | 75334efa3348513b880e493fd2bbaf04 |
| SHA1 | e6b2d1d81fda221b1cc9043b86ef93ef78c5cc0c |
| SHA256 | 34c6c77a025970629ef114d94d72472863a575179cd135d891f69e4f220f1ace |
| SHA512 | 71248bcfbc7f9bddf5dc5eebd9667307fc843b553430bd0a87d7aae4fa1656c481e1f08a64c3fc86d1e14ba758609e772aa56d2b89e1fccf6523f0eaf31eaa09 |
\Windows\system\OuFSUsj.exe
| MD5 | 8d3dc40a3c64331ea7c62831dd76df45 |
| SHA1 | 76d1758b60822d363df526e2a0d02d63873992fa |
| SHA256 | 2edf4464aed1fa5268ecb229b0ef005f759a4582de9a122a9442fba9cb2a5ee9 |
| SHA512 | 2907c7852c0b1c4ef6e3749c7ef208d9be21e552e2462d96e9c3a672e2d2a1d50d17bb83ee18a75d42dfb1239fdb81c5b9017396181a11605daa1a9ad293651b |
\Windows\system\AqkPjiz.exe
| MD5 | b71541e08b3b82134779d4ea5cb01893 |
| SHA1 | 8319b6426c62b6107ff259feb932880b961b68af |
| SHA256 | 95dbfea2d5bdd126baa0b9faa4eacfd6c13549c7792edfca5723cbc8d68ff8f8 |
| SHA512 | 74e6d2696e57fc7fe63d8d4cf070abe03f25eac7bdfe33dea343f0647b41aa2d7bc48de10c4de8b3e9a3e85a9f04bab7fed16527379786e6cf8e6d7d3813789c |
C:\Windows\system\YTSgZyO.exe
| MD5 | b918d5f386583a8e3fdfb8c361e1a8af |
| SHA1 | e5c653f31c443888ea7d6385cb479116f36c35a4 |
| SHA256 | f8b3db97911d4f57aa042f8ee2ba43a490eb68570b015101673ddcbe79c84f99 |
| SHA512 | e14beeff50f79332991afca6b6041308b41227e44576952d2ca3ac031acaaf1caa9cc7c369b368f73f699fa61d64ae51c1c1745d429d71a89b40e0b57cd28b6a |
memory/2192-134-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2192-135-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2192-136-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2192-137-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2192-138-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2192-139-0x00000000024C0000-0x0000000002814000-memory.dmp
memory/2192-140-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2192-141-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2656-143-0x000000013F300000-0x000000013F654000-memory.dmp
memory/1692-142-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2920-144-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2060-145-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2520-146-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2504-147-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2732-148-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2552-149-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2400-150-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2460-151-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2428-152-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/344-153-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2372-154-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2708-155-0x000000013F3D0000-0x000000013F724000-memory.dmp
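The Files and Network sections of each behavioural run are the part of this report a responder actually reuses: per-file hashes for blocking and hunting, and per-flow destinations for network controls. The following Python is an added example, not part of the report and not tooling from the sandbox vendor: it parses an excerpt of those sections into a hash list and a per-destination flow count. The excerpt is copied from the behavioral1 and behavioral2 output above (hash values are the report's own; SHA512 rows are omitted for brevity). The function names, the decision to skip memory-dump lines, and the decision to skip port-53 traffic to the resolver are the example's own assumptions; the parser locates the protocol and destination cells by content rather than by column position, so rows exported with a shifted or missing column parse the same as aligned ones.

```python
import re

HASH_ALGS = ("md5", "sha1", "sha256", "sha512")
# A dropped-file line: optional drive letter, backslash path, .exe/.dll suffix.
_PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.(?:exe|dll)$", re.IGNORECASE)
_DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed excerpt: lines copied from the Network and Files sections of the
# report above. Hash values are the report's own; SHA512 rows are left out.
REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/2192-1-0x000000013FE20000-0x0000000140174000-memory.dmp
\Windows\system\kHUaelM.exe
| MD5 | c389efa24dacfb1e0ecf8e0a4a722241 |
| SHA1 | c00cd1b013424e8b994dbac78b750e0e0423f0b4 |
| SHA256 | e4d25b01bacd8f2309ddeb99cca4f6c35ae3480a120a6335840db9d8b1807c5e |
C:\Windows\system\KzskRcZ.exe
| MD5 | 76f1281504d193e3f6d6a967487ffb43 |
| SHA1 | 0d8cac132d88355baf1033d11edc94307dcbc503 |
| SHA256 | 6fa1fdcb002d24c7ea08dcc9a34214a85cb1e580ab44ca911febe0d337faeb9b |
"""


def _cells(line):
    """Split a pipe-table row into stripped cells. Stripping the outer pipes
    first means a row with a missing trailing pipe parses like the others."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def extract_iocs(report_text):
    """Walk the report text and collect dropped files (with hashes) and
    network flows. Memory-dump lines are counted but not treated as files."""
    files, network, dumps = [], [], 0
    section, current = None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Network", "Files"):
            section, current = line, None
            continue
        if section == "Files":
            if line.startswith("memory/"):
                dumps += 1
                current = None            # hash rows after a dump belong to nothing
            elif _PATH_RE.match(line):
                current = {"path": line, "name": line.rsplit("\\", 1)[-1]}
                files.append(current)
            elif line.startswith("|") and current is not None:
                cells = _cells(line)
                if len(cells) == 2 and cells[0].lower() in HASH_ALGS:
                    current[cells[0].lower()] = cells[1].lower()
        elif section == "Network" and line.startswith("|"):
            cells = _cells(line)
            if not cells or cells[0] == "Country":
                continue                  # header row
            proto = next((c for c in cells if c.lower() in ("tcp", "udp")), None)
            dests = [m for m in map(_DEST_RE.match, cells) if m]
            if proto is None or not dests:
                continue
            # Whatever is left after country, destination and protocol is the domain.
            leftovers = [c for c in cells[1:] if c and c != proto and not _DEST_RE.match(c)]
            network.append({"country": cells[0], "ip": dests[0].group(1),
                            "port": int(dests[0].group(2)), "proto": proto.lower(),
                            "domain": leftovers[0] if leftovers else ""})
    return {"files": files, "network": network, "memory_dumps": dumps}


def sha256_set(iocs):
    """SHA256 values of every dropped file that has one: a blocklist input."""
    return {f["sha256"] for f in iocs["files"] if "sha256" in f}


def direct_connections(iocs, resolver_ports=(53,)):
    """Flow count per (ip, port, proto), ignoring DNS to the resolver: every
    port-53 row in the report is a reverse (in-addr.arpa) lookup, which says
    nothing about where the sample itself connects."""
    counts = {}
    for n in iocs["network"]:
        if n["port"] in resolver_ports:
            continue
        key = (n["ip"], n["port"], n["proto"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = extract_iocs(REPORT_EXCERPT)
    for h in sorted(sha256_set(found)):
        print(h)
    for (ip, port, proto), n in sorted(direct_connections(found).items()):
        print(f"{ip}:{port}/{proto} x{n}")
```

One caveat when turning the flow counts into indicators: the Win7 run has no browser process and contacts only 3.120.209.58:8080, while the Win10 run also launches msedge.exe and adds destinations such as 13.107.253.64:443 and 96.16.110.114:80. Only the destination common to both runs should be attributed to the sample without further evidence.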
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 16:10
Reported
2024-06-11 16:13
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the export carries no per-match description, indicator, process or target.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; the export carries no per-match description, indicator, process or target.
UPX dump on OEP (original entry point)
64 matches recorded; the export carries no per-match description, indicator, process or target.
XMRig Miner payload
64 matches recorded; the export carries no per-match description, indicator, process or target.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ARpqDOb.exe | N/A |
| N/A | N/A | C:\Windows\System\ttfJRbl.exe | N/A |
| N/A | N/A | C:\Windows\System\kqUBjED.exe | N/A |
| N/A | N/A | C:\Windows\System\WbmdmeU.exe | N/A |
| N/A | N/A | C:\Windows\System\gGIIYLt.exe | N/A |
| N/A | N/A | C:\Windows\System\dTpbzgi.exe | N/A |
| N/A | N/A | C:\Windows\System\EkjtIqo.exe | N/A |
| N/A | N/A | C:\Windows\System\tpOBdeA.exe | N/A |
| N/A | N/A | C:\Windows\System\DHsiYVE.exe | N/A |
| N/A | N/A | C:\Windows\System\nMeeYpZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WOWiKfu.exe | N/A |
| N/A | N/A | C:\Windows\System\OTOiGkN.exe | N/A |
| N/A | N/A | C:\Windows\System\Drprqhv.exe | N/A |
| N/A | N/A | C:\Windows\System\RARDVhB.exe | N/A |
| N/A | N/A | C:\Windows\System\wFthnYA.exe | N/A |
| N/A | N/A | C:\Windows\System\WhXZNRw.exe | N/A |
| N/A | N/A | C:\Windows\System\dtfsOQq.exe | N/A |
| N/A | N/A | C:\Windows\System\fDPKgLd.exe | N/A |
| N/A | N/A | C:\Windows\System\Aqydpph.exe | N/A |
| N/A | N/A | C:\Windows\System\PgxIKQP.exe | N/A |
| N/A | N/A | C:\Windows\System\VvFbDlC.exe | N/A |
UPX packed file
64 matches recorded; the export carries no per-match description, indicator, process or target.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_bde5652ad858c1dcdb9123f65df1aad4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ARpqDOb.exe
C:\Windows\System\ARpqDOb.exe
C:\Windows\System\ttfJRbl.exe
C:\Windows\System\ttfJRbl.exe
C:\Windows\System\kqUBjED.exe
C:\Windows\System\kqUBjED.exe
C:\Windows\System\WbmdmeU.exe
C:\Windows\System\WbmdmeU.exe
C:\Windows\System\gGIIYLt.exe
C:\Windows\System\gGIIYLt.exe
C:\Windows\System\dTpbzgi.exe
C:\Windows\System\dTpbzgi.exe
C:\Windows\System\EkjtIqo.exe
C:\Windows\System\EkjtIqo.exe
C:\Windows\System\tpOBdeA.exe
C:\Windows\System\tpOBdeA.exe
C:\Windows\System\DHsiYVE.exe
C:\Windows\System\DHsiYVE.exe
C:\Windows\System\nMeeYpZ.exe
C:\Windows\System\nMeeYpZ.exe
C:\Windows\System\WOWiKfu.exe
C:\Windows\System\WOWiKfu.exe
C:\Windows\System\OTOiGkN.exe
C:\Windows\System\OTOiGkN.exe
C:\Windows\System\Drprqhv.exe
C:\Windows\System\Drprqhv.exe
C:\Windows\System\RARDVhB.exe
C:\Windows\System\RARDVhB.exe
C:\Windows\System\wFthnYA.exe
C:\Windows\System\wFthnYA.exe
C:\Windows\System\WhXZNRw.exe
C:\Windows\System\WhXZNRw.exe
C:\Windows\System\dtfsOQq.exe
C:\Windows\System\dtfsOQq.exe
C:\Windows\System\fDPKgLd.exe
C:\Windows\System\fDPKgLd.exe
C:\Windows\System\Aqydpph.exe
C:\Windows\System\Aqydpph.exe
C:\Windows\System\PgxIKQP.exe
C:\Windows\System\PgxIKQP.exe
C:\Windows\System\VvFbDlC.exe
C:\Windows\System\VvFbDlC.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 160.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2252-0-0x00007FF7E1590000-0x00007FF7E18E4000-memory.dmp
memory/2252-1-0x000001D113960000-0x000001D113970000-memory.dmp
C:\Windows\System\ARpqDOb.exe
| MD5 | 7ed42f16d46b989d8ff793942e328c84 |
| SHA1 | 898281dffc5f0985884b8ee575eef031b426522c |
| SHA256 | 82fe1a213bd99af50c262335fb3b6aec2e388d81228fea883d8015c8a2e89dd8 |
| SHA512 | 7938ceac675656af61412c83e5a0b884eb5c70581bf367a7c893027b3ea0eb846ebcd09859ea36466bcb99006eb1f59347d6b4caf842746d0bd918e76cbed89a |
memory/1996-8-0x00007FF6E2580000-0x00007FF6E28D4000-memory.dmp
C:\Windows\System\ttfJRbl.exe
| MD5 | db5d30a15fa55e35f9eb07cd91111114 |
| SHA1 | f2be611c9ff37a890f0b10f552fb56b66a2f8c89 |
| SHA256 | 1b925daeae05caf59396bee8c89f75d43183bf3894c984ed9b384d11adea3de2 |
| SHA512 | 73cb7612cda953d6e83fb852c9198c36af035acbb281e9180c7db5b6c397964717c27d20c6b35cce69c292e9a980bb7f062ac737d7e366c91f1ff0e56e3228d6 |
C:\Windows\System\kqUBjED.exe
| MD5 | 0e98ac8b6bd0b6ee208f6f83f1e6eade |
| SHA1 | d6475e00dbabcd5367d93588754ac5b4db9f9035 |
| SHA256 | 6e128abc40bfa7dd06ba039c99f09ca3d8b87a41894dfd5c6e184aff45d96ff7 |
| SHA512 | 4fd066e98a43fa038d536b85fd160f2a785689d9c5aec477c1caedc2ab5936245ee428ac31b6c312df2bbfb78d637a062258d0310801e63d6e2e83a5aeed5223 |
memory/4212-14-0x00007FF75A0F0000-0x00007FF75A444000-memory.dmp
memory/4956-20-0x00007FF6E3DE0000-0x00007FF6E4134000-memory.dmp
C:\Windows\System\WbmdmeU.exe
| MD5 | 173009aa771ebe822625e13aa2309bf8 |
| SHA1 | 39fe7d05ad9c279cd315c85170fda8e23cd4becf |
| SHA256 | 91a6b8bfd5a55e937a6434e0f3ad0ed778e5617ab35a824b2e0a7d778127a447 |
| SHA512 | ae105a7e23bc5a24b729e7d020112d87cbc6660d952a6f0cf8245890b046c95d089c5998ce5f25d94d1dd9f8afb103235f618c529148277dd4ca70ef96180eae |
memory/5000-26-0x00007FF658060000-0x00007FF6583B4000-memory.dmp
C:\Windows\System\gGIIYLt.exe
| MD5 | fb4ce7acd3bf32cf1f9a7366abfd68aa |
| SHA1 | 59dcddac1356172cb6e268bba45dc52d4596881a |
| SHA256 | cc508d7f50518263dea35772c1f66f2c11593fa52f80553f9a288a0b0cf18930 |
| SHA512 | d2afa0d4b8e491c96351b7f282cae9b275cc7807da0c5d8dd677ca4973e2c58966e320a8c77ddd10db9a93a81097eb7d78cc5e7baa817fb24f4f09964ba418cb |
memory/3132-30-0x00007FF6EE500000-0x00007FF6EE854000-memory.dmp
C:\Windows\System\dTpbzgi.exe
| MD5 | 5503693faab9336bab2729fed74d56a6 |
| SHA1 | a3cd1cd58b1372c9a0e6daa8c6d679ace116aef2 |
| SHA256 | ee7aef16b2df23964ef402b3ddce54bf294358035292df98f387a7d51286603b |
| SHA512 | 797b048eeb16188847e2baa324f0d631d51a760306908019dcccb6ca01e9ee6478a1cd8bf807db4621e38f212a2ec130be2a39f288e1ad74134d28c5bee25c58 |
C:\Windows\System\EkjtIqo.exe
| MD5 | ae8eed42a26fb5b96176508e725165c5 |
| SHA1 | b979c4fb8aa91c04fa5f7ba34e013f84059e7430 |
| SHA256 | d233e4caf864a48d8a9db9373e08ffd9993251754dc7f20bcea66c9a7aa0f742 |
| SHA512 | 99704d596724afe8cbf6d2e423ddf746e63087b41c5a6ae2b8a2cd25d77cf228789bccc617a1e28346f039bf766af185b01f50b3d151a422631683c0b869e9c3 |
memory/5108-43-0x00007FF7550D0000-0x00007FF755424000-memory.dmp
C:\Windows\System\tpOBdeA.exe
| MD5 | 34b3637027494b771e0afaa3db60c8a1 |
| SHA1 | c1c2113ae7324d0a813be257691ac2c63b608efd |
| SHA256 | 6d1f369cb365c5f7d9cc0edfd71c19ff3ad7fae3c1085198a74fbe2b2d399fda |
| SHA512 | 3697fbbf642435914eab273f2a3f4cbe1e6240835d1efcc51918d542e996dcbb66824e32ec05f6ff6f85b11854d1a7049c054b00cabd9f608c1dc8d3070e7224 |
C:\Windows\System\DHsiYVE.exe
| MD5 | 5ea3d77497058815520eb69de7a16494 |
| SHA1 | dee57d6f49fc8e2827414aa3d82478f9e268d3cb |
| SHA256 | 0f8b0d78412050e55583d3c30c5f73baf0adea36751fd4fcadff1c6ea9e07ed9 |
| SHA512 | 9fcc3556b4bababe76c57b349f69e7a59d55c40de5e0bc21c020085eb106952cbe23769539f91e0596ba3d75b168c0f6ac4b2c9641edc391935de41da96fdec0 |
memory/404-52-0x00007FF7B8BF0000-0x00007FF7B8F44000-memory.dmp
C:\Windows\System\nMeeYpZ.exe
| MD5 | f26cd3bb83aa9d422c21549bdccac0c9 |
| SHA1 | 6ad548826f9444fd1ed752be7ad587a556582956 |
| SHA256 | bb6aed80156927d1a4dfb5123521790ea72a0b097e0c5d043d84410e45fe8dc1 |
| SHA512 | 73e30bfc834dbcedad9c68d72d760737aeaf17ca5c6758422dd32714d5f84bae3493a3de7a83d9beafb149881b3c7df2143ba9a98ba4a9f2c65251ea9669bc42 |
memory/4304-56-0x00007FF6DCFE0000-0x00007FF6DD334000-memory.dmp
memory/3796-47-0x00007FF6C9440000-0x00007FF6C9794000-memory.dmp
C:\Windows\System\WOWiKfu.exe
| MD5 | fa35a1ddcc50a12b713f598411fc2ac2 |
| SHA1 | 740c28b997deaefdb99982ba26a2a9e43ce23406 |
| SHA256 | d5c3f555923d0455fc097319c3d02cf251eb152d7a1d978d134247db9527fa51 |
| SHA512 | 55e558bbf3bcb6808d07b880b37408acd06b1ecff56868d4e0a2a1d7070e42230d4ea5631685cb87d144830dd3af00f2bddcab54ae55541e6e3c385dc075d1db |
C:\Windows\System\OTOiGkN.exe
| MD5 | 38072b3f24b14e633be32275ddaf481b |
| SHA1 | 8ea325640c37a900ad9a1b6c908be17d0211edb5 |
| SHA256 | 10f5698f7fc7b1d220feda7be8d2f191955de7d13848a618184da2610f0e62bb |
| SHA512 | 29be0df3f7e00c93c977bce3c7ccfb1f9b20f85d1352c5743df34997a503b048408f79571f88281babfbdb43735ea6b06a7d2bfb2b31249d1fb784fda53271ec |
C:\Windows\System\Drprqhv.exe
| MD5 | d7addd007ddc4e65f1774570218a8ac6 |
| SHA1 | 413088665d8868b65209d72388a820da1ed220bd |
| SHA256 | 9de56afbed34bb529773f9c58ab2d7b402ac7d4171b69fe5abf2b1eb6a5d856a |
| SHA512 | 36717d37d26d6f4940dac82b30c241eddf66717dbd219a8df73718a563b18559849f8eaec9a87b658592c3e490d40a7a41d8db5995b0268058361facc49acca4 |
C:\Windows\System\RARDVhB.exe
| MD5 | 97ff731939e06cfce2202953ec96277b |
| SHA1 | 1b29c2f0e7fecfc1916ede1a381151e2e4819471 |
| SHA256 | 2c29576194120c72426d43525e16292a827f9abf87abfe2545103632d04af955 |
| SHA512 | 420149f8eef4bff735a87b591a81c25024f7d671e3b67eb32494632d3c07ecb1a8362ac09cf3805fbdc3cf651013b80dfce7eb3129e09509b4ef5faa4ad98888 |
C:\Windows\System\wFthnYA.exe
| MD5 | 16dbf36286534b2734bf11ef8470235c |
| SHA1 | 821c20eee87f642fc274a7761bb4e948161de32d |
| SHA256 | e1f4d9f74ca51e9bf13210e575273f3fd94ba13e54d39cb231652200600976ed |
| SHA512 | 5348a0703050d5ca19342c8bfc5af80f49dbd61565cc8943dc4ca79fb372437cd728282046d657541865190b42d634390af1a62b609d835687d96330bb2bc323 |
C:\Windows\System\WhXZNRw.exe
| MD5 | b3a8be903ba2a7f47f95c39425588357 |
| SHA1 | 3f122e03abc1e39d3c4602bc3832ad0741c73f5b |
| SHA256 | f27dcabf2ffb3842fdd67b069986e47f4b58fa067cb8b5e725761e0cdf83223f |
| SHA512 | 4729fc84356e16d7589de7a332076e53d59206b7a762974fd1ca577bb24ab3d28c0b864f8d1b4ecc4271ae8c354e0de8162ea557068af7d94c5ff4b38c7159de |
C:\Windows\System\Aqydpph.exe
| MD5 | 3b5eb5fc433f20e2c2eb6e093818ee6c |
| SHA1 | 773d65486b8e9ac4be8c79347c19705fc0beb389 |
| SHA256 | fcec4ebb5433fd5504f3de6966fdc68376ca9bb849979d5621a12d539fe50a11 |
| SHA512 | f6cc4efc8e156515089e69bb8e684d4870557036c9d1528c5d664a3cf5d3f02665180ce8c37189da33ccb91d716e1c18d11164c773b6f73bed1be09e04d0f21c |
C:\Windows\System\PgxIKQP.exe
| MD5 | e4358876a4356296f1e9f71540354c78 |
| SHA1 | db3b73f9c2ad682d8b95833ea2b3408081071673 |
| SHA256 | 5e6d0690c6c1aad594a8cbff5b5339b1653f7aa18306c1d4d2f0f508f11f47c6 |
| SHA512 | 8a792f8bc24fdeaabdf5b5047cd4bad8c9dae5193fba8921af1a125c2f7a6cb3bc3bbaaddf0ff2384086467619b6f0fe62f05bc1d048500c9ac4deb9e459e881 |
C:\Windows\System\VvFbDlC.exe
| MD5 | 737fd806f8eacf65374c0821c2ef4fbb |
| SHA1 | 8e96838cfb3b01017c851f4b45f3cd0fe4a9025b |
| SHA256 | 2b61d9a2f025cb774a9e8abafc91e60822a20445d671eaafa9774f51464bbb5a |
| SHA512 | c8af71c97e7d39f89a79b9541c64e1701c44d389ecf960fc6f487ce8c57e9c5c38d5cec125f9af22839b7fccb1ad891ae2d243ba5281e4352b4134e8575450be |
C:\Windows\System\fDPKgLd.exe
| MD5 | 6881afdec9562cd1d255f8bfb7198e5f |
| SHA1 | a03364bacf0348013624f518919e012485153aad |
| SHA256 | df5bd64d334db90a2ce55975710c2c5ae84901a8915fb11bf5ce724e7db0276c |
| SHA512 | 5a45e6e17f2da52c6be47d8f8adceac0e5bc055a8b6c9369e1dedb561d8507197b294e7c40f33207c08a2f9d316afd37bfcb0b9819bb25a814db5c2fdf1e2dbf |
C:\Windows\System\dtfsOQq.exe
| MD5 | 0cf99168d7ac1f6daeb4dfe9bedd09c1 |
| SHA1 | ccd76963ce217c15ed4e73d3a261255fd1271e53 |
| SHA256 | 2ab71d990ba4af53af548a06536466145c28acb476a48551d87a17f87a2bc72b |
| SHA512 | 5b8de678b67ca53c14a88dfbf331511bf5737f46160cc57d71ac147b4a238f295ba8c63352f2ebd50b1314dc4885c2933bc7bb1adacf51797024eec9bb21318d |
memory/400-116-0x00007FF72E570000-0x00007FF72E8C4000-memory.dmp
memory/5076-117-0x00007FF6E2170000-0x00007FF6E24C4000-memory.dmp
memory/4344-118-0x00007FF7F6B40000-0x00007FF7F6E94000-memory.dmp
memory/3180-119-0x00007FF705D50000-0x00007FF7060A4000-memory.dmp
memory/396-120-0x00007FF64A560000-0x00007FF64A8B4000-memory.dmp
memory/1244-121-0x00007FF647BC0000-0x00007FF647F14000-memory.dmp
memory/4468-122-0x00007FF75D1F0000-0x00007FF75D544000-memory.dmp
memory/1016-123-0x00007FF6D0160000-0x00007FF6D04B4000-memory.dmp
memory/3940-124-0x00007FF73F9C0000-0x00007FF73FD14000-memory.dmp
memory/1688-125-0x00007FF60A160000-0x00007FF60A4B4000-memory.dmp
memory/3516-126-0x00007FF697EA0000-0x00007FF6981F4000-memory.dmp
memory/2908-127-0x00007FF739090000-0x00007FF7393E4000-memory.dmp
memory/2252-128-0x00007FF7E1590000-0x00007FF7E18E4000-memory.dmp
memory/1996-129-0x00007FF6E2580000-0x00007FF6E28D4000-memory.dmp
memory/4956-130-0x00007FF6E3DE0000-0x00007FF6E4134000-memory.dmp
memory/3132-131-0x00007FF6EE500000-0x00007FF6EE854000-memory.dmp
memory/3796-132-0x00007FF6C9440000-0x00007FF6C9794000-memory.dmp
memory/404-133-0x00007FF7B8BF0000-0x00007FF7B8F44000-memory.dmp
memory/4304-134-0x00007FF6DCFE0000-0x00007FF6DD334000-memory.dmp
memory/1996-135-0x00007FF6E2580000-0x00007FF6E28D4000-memory.dmp
memory/4212-136-0x00007FF75A0F0000-0x00007FF75A444000-memory.dmp
memory/4956-137-0x00007FF6E3DE0000-0x00007FF6E4134000-memory.dmp
memory/5000-138-0x00007FF658060000-0x00007FF6583B4000-memory.dmp
memory/3132-139-0x00007FF6EE500000-0x00007FF6EE854000-memory.dmp
memory/5108-140-0x00007FF7550D0000-0x00007FF755424000-memory.dmp
memory/3796-141-0x00007FF6C9440000-0x00007FF6C9794000-memory.dmp
memory/400-142-0x00007FF72E570000-0x00007FF72E8C4000-memory.dmp
memory/404-143-0x00007FF7B8BF0000-0x00007FF7B8F44000-memory.dmp
memory/4304-144-0x00007FF6DCFE0000-0x00007FF6DD334000-memory.dmp
memory/5076-145-0x00007FF6E2170000-0x00007FF6E24C4000-memory.dmp
memory/4344-146-0x00007FF7F6B40000-0x00007FF7F6E94000-memory.dmp
memory/3180-147-0x00007FF705D50000-0x00007FF7060A4000-memory.dmp
memory/396-148-0x00007FF64A560000-0x00007FF64A8B4000-memory.dmp
memory/1244-149-0x00007FF647BC0000-0x00007FF647F14000-memory.dmp
memory/4468-150-0x00007FF75D1F0000-0x00007FF75D544000-memory.dmp
memory/1016-151-0x00007FF6D0160000-0x00007FF6D04B4000-memory.dmp
memory/3940-152-0x00007FF73F9C0000-0x00007FF73FD14000-memory.dmp
memory/1688-153-0x00007FF60A160000-0x00007FF60A4B4000-memory.dmp
memory/3516-155-0x00007FF697EA0000-0x00007FF6981F4000-memory.dmp
memory/2908-154-0x00007FF739090000-0x00007FF7393E4000-memory.dmp