Analysis Overview
SHA256
9d235f1737fa0997191e325eaa186665d2f10dc1a814591c2fc08fcdeddd7e12
Threat Level: Known bad
The file 2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 21:22
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 21:22
Reported
2024-06-11 21:24
Platform
win7-20240221-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
21 hits; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
21 hits; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
61 hits; no description, indicator, process or target recorded.
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
64 hits; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pAEDxAf.exe | N/A |
| N/A | N/A | C:\Windows\System\kQGNeBb.exe | N/A |
| N/A | N/A | C:\Windows\System\XryquTE.exe | N/A |
| N/A | N/A | C:\Windows\System\YzlcNsI.exe | N/A |
| N/A | N/A | C:\Windows\System\ShNiqre.exe | N/A |
| N/A | N/A | C:\Windows\System\SZiXjdW.exe | N/A |
| N/A | N/A | C:\Windows\System\BiDGcYp.exe | N/A |
| N/A | N/A | C:\Windows\System\ORinkpG.exe | N/A |
| N/A | N/A | C:\Windows\System\hzUdYnf.exe | N/A |
| N/A | N/A | C:\Windows\System\ycyCDdo.exe | N/A |
| N/A | N/A | C:\Windows\System\AjvmkCh.exe | N/A |
| N/A | N/A | C:\Windows\System\iMpWVel.exe | N/A |
| N/A | N/A | C:\Windows\System\bMtfDTM.exe | N/A |
| N/A | N/A | C:\Windows\System\zXaSUue.exe | N/A |
| N/A | N/A | C:\Windows\System\WrLxiJk.exe | N/A |
| N/A | N/A | C:\Windows\System\MFONZkR.exe | N/A |
| N/A | N/A | C:\Windows\System\KNOGGbi.exe | N/A |
| N/A | N/A | C:\Windows\System\taYHHqX.exe | N/A |
| N/A | N/A | C:\Windows\System\qHqtKBV.exe | N/A |
| N/A | N/A | C:\Windows\System\KxHsXMa.exe | N/A |
| N/A | N/A | C:\Windows\System\WNJfCEX.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
61 hits; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pAEDxAf.exe
C:\Windows\System\pAEDxAf.exe
C:\Windows\System\kQGNeBb.exe
C:\Windows\System\kQGNeBb.exe
C:\Windows\System\XryquTE.exe
C:\Windows\System\XryquTE.exe
C:\Windows\System\YzlcNsI.exe
C:\Windows\System\YzlcNsI.exe
C:\Windows\System\ShNiqre.exe
C:\Windows\System\ShNiqre.exe
C:\Windows\System\SZiXjdW.exe
C:\Windows\System\SZiXjdW.exe
C:\Windows\System\ycyCDdo.exe
C:\Windows\System\ycyCDdo.exe
C:\Windows\System\BiDGcYp.exe
C:\Windows\System\BiDGcYp.exe
C:\Windows\System\AjvmkCh.exe
C:\Windows\System\AjvmkCh.exe
C:\Windows\System\ORinkpG.exe
C:\Windows\System\ORinkpG.exe
C:\Windows\System\iMpWVel.exe
C:\Windows\System\iMpWVel.exe
C:\Windows\System\hzUdYnf.exe
C:\Windows\System\hzUdYnf.exe
C:\Windows\System\bMtfDTM.exe
C:\Windows\System\bMtfDTM.exe
C:\Windows\System\zXaSUue.exe
C:\Windows\System\zXaSUue.exe
C:\Windows\System\WrLxiJk.exe
C:\Windows\System\WrLxiJk.exe
C:\Windows\System\MFONZkR.exe
C:\Windows\System\MFONZkR.exe
C:\Windows\System\KNOGGbi.exe
C:\Windows\System\KNOGGbi.exe
C:\Windows\System\taYHHqX.exe
C:\Windows\System\taYHHqX.exe
C:\Windows\System\qHqtKBV.exe
C:\Windows\System\qHqtKBV.exe
C:\Windows\System\KxHsXMa.exe
C:\Windows\System\KxHsXMa.exe
C:\Windows\System\WNJfCEX.exe
C:\Windows\System\WNJfCEX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1756-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1756-0-0x000000013FC90000-0x000000013FFE4000-memory.dmp
\Windows\system\pAEDxAf.exe
| MD5 | 119c7b15b8f22ad0e6dd602c20a9fbb0 |
| SHA1 | 1cf581be49d306985034338127cc255b76c7460e |
| SHA256 | c5bc3f6f6850ca2586c2529d751cf95a44d89f938dd20b14f0367948a8ca1521 |
| SHA512 | f3ea91ad854e9e99a14fdbf30987aeb827c02be1ae6f5e0e5a7548b5d1744bc069e169cbd1424518d15a458b71f874b30e46e53c1cfdb3468eda98762d625f42 |
C:\Windows\system\XryquTE.exe
| MD5 | 94585a2c93ae74e6da013c4f5db23ff2 |
| SHA1 | ec28178c960d09d5c9406608d9e432e2c54870e4 |
| SHA256 | a13464a155f1333e1f9ec2cdc69ae68830f5d59ce437c00cac6698cf57706656 |
| SHA512 | 2098ee860fe5af2e0268e508a8a924c2f394ace43504faea6bb29f0279ae49fab25ee2c3f8047084b2be314adbf0f86e97173032017c83929bd44a7f11df6e49 |
memory/1756-9-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/1756-13-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2084-23-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2944-20-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/1756-18-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1744-17-0x000000013F060000-0x000000013F3B4000-memory.dmp
C:\Windows\system\kQGNeBb.exe
| MD5 | d5794586e205b2b9939a3f13d8e10861 |
| SHA1 | 99ab99a972ab5b0a43c7c0cf61ec2e44458cc306 |
| SHA256 | 759b3b036377f09e7235e67a623ae9be5a1cc85218ea474f2b160b3feaf1df39 |
| SHA512 | 3027932fbf857bddf263f14316c553b82391795d3417c8baea838470508ce9a69785f71ca27392b2eec1857f1bdbd97fd94328e24307a8a1cbda2e60f30d1ec1 |
\Windows\system\YzlcNsI.exe
| MD5 | db12446b16df9d63bc1a10a6262bbd4c |
| SHA1 | dadeb920221d3f5dbb897eba15d3ae3d8cdcc6a2 |
| SHA256 | 18bbc6a9a67502ab8913ef0fdb6adca01aae1f5f8406ca268c29731651158241 |
| SHA512 | 2dde199f2a7d814524308659605c86d9338b1e46205cd643c2d9b40e77682a7e5d91909f7315a6d7c8c68179c18f8896f511e7edbbf347f086353e6dbc84ce32 |
memory/1756-25-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2792-30-0x000000013F070000-0x000000013F3C4000-memory.dmp
\Windows\system\SZiXjdW.exe
| MD5 | 2eb3380867874133bc0b395613ff49df |
| SHA1 | 8dbf37ed08f21e7375abb43f332913b207ec34d1 |
| SHA256 | c44fcfbf4ded4535f3048105a84dcf54a910c4b7d7b42a51d66a789354240e49 |
| SHA512 | 8d577ffe57136c15d129eda718ab70d8d4315a03f3f4a79d8683b793ab88180762e7bd2e219b4c31d8e6c81f6a4a1909362179daec3195ee6c3db44f27cfb2c7 |
\Windows\system\ShNiqre.exe
| MD5 | fdcb4fda388453f57c8c09c34aefa35a |
| SHA1 | fbac1a704717fd867ba1e6f7cd01aa0c4c4be7e9 |
| SHA256 | ef694a9889e4bdde60b5f5b25d66aa2c9f577e0da61219a87a3588d628875cef |
| SHA512 | 1ee9ec1bbb3eab69e466edca04fac4b3114a259043e8c28a0212da1a43aca74bf16df4f819ca764fe6989f35ab77b297165fc70ab1890856a15166b46fa13138 |
memory/1400-41-0x000000013FCC0000-0x0000000140014000-memory.dmp
\Windows\system\ycyCDdo.exe
| MD5 | 55e50766c3b5e599195742a40c931e79 |
| SHA1 | bd03366abec7e766cd828e3f51e13c1835a59b1a |
| SHA256 | 4140c231ff032d3965ae1b5d1420ca5701b6d74d48b68dc04871ddb29cda9eab |
| SHA512 | 9b5767860d06d1241b08e5e3b409493cbf21a456b33a1e223f289e936becfa03831e9576f2e1209cd9dfb3658be51398d7ee3a8df93ae3d650966509841e68c9 |
\Windows\system\hzUdYnf.exe
| MD5 | 0308bacc54729f580b4679711a05b00e |
| SHA1 | e550ebc50ec229ed609ac9b9a505087d3fbbac77 |
| SHA256 | ba499f3ac849402d845a6dfe0d638bc4b96de8d2a239a3202bd885c4ad685173 |
| SHA512 | 3ad53ee738fc666d66e8d70205414ff97ff457de46499ec02ab85f4890b50ea8e0bab15e3618004a2bd23ec712510e05d8ee99a0dae1ca70474b45b3b2ebc4d8 |
\Windows\system\ORinkpG.exe
| MD5 | 43de684498087ed81cd72d2a798e97c8 |
| SHA1 | 005000b4e4873be59b42645a163bce504e6e71dd |
| SHA256 | 9192fcc797f4c09de3f55d5b2399894e78e37a175087d3df37d738a1b7d94824 |
| SHA512 | a6b43b13b3eed4c8ca5c45203a59dd6d512c47f66d96f2de47c8df877d1b8c086b98f14aed64233fc2790a8a7a7291f139f1e3a73601e3551b6b0c51ee6a5cae |
memory/1756-48-0x000000013FC90000-0x000000013FFE4000-memory.dmp
\Windows\system\zXaSUue.exe
| MD5 | bdf5cda4211180a0fb631aeea2bd1187 |
| SHA1 | a18300e9aebb6078bb2fe0378b84a3b5338eed12 |
| SHA256 | 734a0d90a1416d1e1fd3771722d82c1e344fe775bb74b570222c79df98ea8720 |
| SHA512 | 3b489ecef4ae8b0c1c9c026cd29bab57ae9ee529260ad8a7ae1630363189ed9e12dcfd073d5093e1137ee3314a842d6822b2600cd6e78b9e98585310888d82e0 |
memory/1808-99-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2892-91-0x000000013F5F0000-0x000000013F944000-memory.dmp
C:\Windows\system\taYHHqX.exe
| MD5 | 2a1999f263cc035cd35bd2aafd1988f3 |
| SHA1 | b0e6466a1af942d27b4493209ce5c1011db6c1b9 |
| SHA256 | 521c55a0eeb9e1de7da08061d42379a38ad299263d87ed2704d282a643e9c944 |
| SHA512 | 9c8a53e8bc2f05faa36df6c8e888af5ac54a72ed4a92578c8dc5fd972d42b556e10bbc36486a9d8a4dab1930cba82e4056e28347398def2c83599ac68b633c07 |
C:\Windows\system\KxHsXMa.exe
| MD5 | 50aa2aeb053a0312d05beadef14db3a4 |
| SHA1 | 4ca8ab761b527e7dfcc5e5d065efadf62debfae8 |
| SHA256 | fa034aed85f41b5cc9ecdb01c4553c6746488b8a1bfc6bfb700ccc38eefe2eed |
| SHA512 | 91f6e202b3e52a05d8e6079765a9f24d740d37982b0dd6887a3f2e39b7916891a005f52324fbaf75ca0e2b097a87f8e70ecfeeed3e178df92a5234da2298922e |
\Windows\system\WNJfCEX.exe
| MD5 | 0cc3cb33a9bb1d4fbf2d4ba2e9280fd6 |
| SHA1 | d10e18ca066c433ca2bf4f23a9b235ccd9875d7a |
| SHA256 | 04f5a91172f628992c1d77cd1c2599b210abe9e90ca19e1b95ebafda8152bc9e |
| SHA512 | e6fd95d40750a01757f7731bda403b28a77c23c1af316f77f99bc646635929e991ada20762c2550e4c5270eee2b431dc7e9f5f323a3a393028b25e152aa337f9 |
C:\Windows\system\qHqtKBV.exe
| MD5 | 8ed3c0a0166090582ffb5a202f40d0c5 |
| SHA1 | 6a3c9a98eaa56d9b75f14e1abd56079c2c7ec0b1 |
| SHA256 | 1f293249ad8165e95374f99f50bf6fdb31e2170ced74cb71f4300e88aab3146c |
| SHA512 | 1a59fc92fd9f7285c06ab7ef2578e040a7a2ae4b772d63812b0a79ad29ee0171709d8a2e7c94ac0c3f44429b8d79f466c7b569e0b41237c2861d65fecdc737a5 |
C:\Windows\system\KNOGGbi.exe
| MD5 | 60bc022387faea423c0c06fc32843dad |
| SHA1 | f71309141f12dbcfda699daf93cd64e5db4a2062 |
| SHA256 | 77c60c9498abed24eaa6d8bd16d76ff031e25d3d5429349d42bf06df0915da7f |
| SHA512 | 5220574a94f462195c3bb6e9c19df963301c6a86968b75dedc4ea3c39868dd86ed24db82d9ddbdf4fae64f715d2c6e22cc26a7187a296dd7a817e482cf88cfa1 |
C:\Windows\system\MFONZkR.exe
| MD5 | f8329a0ea8d084f2e8b1978c6509c4e9 |
| SHA1 | e5b928a403ea706bb7b55ff1bab0810a49466660 |
| SHA256 | c878230c0dde6646656c3e34658f8df56dd8a4e6621e3fd3a0d8d4f1eb8a7b31 |
| SHA512 | 1618beb9b7292725623f830b204b8553862af9d7e3f99fb6aadfa2201faedee07e223caa70948d7e24ffe4bc8dfb0fc1de26e18e0307c599ec90b2d0022788aa |
memory/1756-105-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1400-104-0x000000013FCC0000-0x0000000140014000-memory.dmp
C:\Windows\system\WrLxiJk.exe
| MD5 | e9a731c37908d6ae4a5e2f2798a1b50d |
| SHA1 | e85adf15d42236f7fc04fdb4e8518e86f64ea598 |
| SHA256 | 5d064e53e16aa2eb3d75f7b164ffb718f141300b746325ea6acea9f2c2eeb66b |
| SHA512 | c069e9d75d00a9009aaa64fef36bb934aa2b22fb44fd1d887598cf7c71def66672006cd0e5450444d07a53a0fdcef6731f297081bd4c411e5d78a344565608ea |
memory/2084-90-0x000000013F080000-0x000000013F3D4000-memory.dmp
C:\Windows\system\bMtfDTM.exe
| MD5 | 7787bbb02a56f5460767421959ae4fab |
| SHA1 | e9f90408ab61eaf82938a18d85760483e8e80483 |
| SHA256 | eab8a877559f66de576722f2922f89245f8d5bf7f22d7546c3812c7349b61a73 |
| SHA512 | 3043f414a24fca310dd175522bd9df48fe5bdbd5aa2b2deafd2d9a904d4990585aa8d541147dae2b21ee9dc31635b5690220b2369a1f180c1d39be95f6639998 |
memory/2444-86-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2944-85-0x000000013F810000-0x000000013FB64000-memory.dmp
C:\Windows\system\iMpWVel.exe
| MD5 | 82227edeaffa03492b4572b19be32b8b |
| SHA1 | a508b8281653d92d646f37ed5be05c3754d46b5e |
| SHA256 | 10a8994f4ad5f42b194b62be502ab689ba3ac9bb7e3b68e8b062f3543284288a |
| SHA512 | faf1dad8394938d3a96657d8c284865e883704f460efb555b11367a3f5f359ca09a2f1a56a52c43e6bf7c7588c2b52a9c9dc9e7f5dbff3c718fe1bafa351d446 |
C:\Windows\system\AjvmkCh.exe
| MD5 | 89473786fdd5038963529253d8061439 |
| SHA1 | 77b8d371302e37f8ef6738f9ac3ae449597af181 |
| SHA256 | 62a237a19a174ae352c7005472fb97064fcb60f5e2dbb92ccf035322f18236d2 |
| SHA512 | b4c3861e7e640253a8679f61e4f934e1f1aa890ecfdae8ceb083f943874826531fa6726916fc905efb181cfaa4adfd85e616e813bf8a12497495e75772f6ec58 |
memory/2472-82-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1756-81-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1756-80-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1756-79-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2868-78-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2500-76-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2496-74-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2608-69-0x000000013FB10000-0x000000013FE64000-memory.dmp
C:\Windows\system\BiDGcYp.exe
| MD5 | 7f2e946a4dac638dacd2dd91c0186372 |
| SHA1 | 8be4c9f29a0b5adebc8f82682120ebed9626d095 |
| SHA256 | 5b1213401848c6210de98c6e541f52005cd256a4967b05c9334c8b9933272df2 |
| SHA512 | ce6573fe0308a559ff78571b6b3c25bad1b75a703a88b90225aa0df2426e7bf20f0e7c521c17ca0326e7685f7a38153d9f9576e41ad31e298220d7478cab4d09 |
memory/1756-94-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/1756-52-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/1756-46-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/1756-37-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/1756-137-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/1756-136-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2608-138-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2496-139-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/1756-140-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2444-141-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2344-142-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2892-143-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1756-144-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/1756-145-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1744-146-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2944-147-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2084-148-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2792-149-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/1400-150-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2496-151-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2500-152-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2608-154-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2868-153-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2444-156-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2472-157-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2344-155-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2892-158-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1808-159-0x000000013FA70000-0x000000013FDC4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 21:22
Reported
2024-06-11 21:24
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
21 hits; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
21 hits; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
64 hits; no description, indicator, process or target recorded.
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
64 hits; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sdYiQbY.exe | N/A |
| N/A | N/A | C:\Windows\System\xzANhkQ.exe | N/A |
| N/A | N/A | C:\Windows\System\yjZVLdH.exe | N/A |
| N/A | N/A | C:\Windows\System\GyOniUu.exe | N/A |
| N/A | N/A | C:\Windows\System\qQKdMRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UrNLxLi.exe | N/A |
| N/A | N/A | C:\Windows\System\INwmvTp.exe | N/A |
| N/A | N/A | C:\Windows\System\UyoChiK.exe | N/A |
| N/A | N/A | C:\Windows\System\CTmBZcj.exe | N/A |
| N/A | N/A | C:\Windows\System\irAvtBi.exe | N/A |
| N/A | N/A | C:\Windows\System\EgVvQRg.exe | N/A |
| N/A | N/A | C:\Windows\System\hZQTEVV.exe | N/A |
| N/A | N/A | C:\Windows\System\hUJrfYG.exe | N/A |
| N/A | N/A | C:\Windows\System\bcgwaZB.exe | N/A |
| N/A | N/A | C:\Windows\System\VXoumYU.exe | N/A |
| N/A | N/A | C:\Windows\System\VduRoTU.exe | N/A |
| N/A | N/A | C:\Windows\System\bObqcwN.exe | N/A |
| N/A | N/A | C:\Windows\System\qXCHPHd.exe | N/A |
| N/A | N/A | C:\Windows\System\jhqFAUu.exe | N/A |
| N/A | N/A | C:\Windows\System\RhpWMIX.exe | N/A |
| N/A | N/A | C:\Windows\System\hHRuCPw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
64 hits; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_57b9b6557f9b9da6759b3bef979b91de_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\sdYiQbY.exe
C:\Windows\System\sdYiQbY.exe
C:\Windows\System\xzANhkQ.exe
C:\Windows\System\xzANhkQ.exe
C:\Windows\System\yjZVLdH.exe
C:\Windows\System\yjZVLdH.exe
C:\Windows\System\GyOniUu.exe
C:\Windows\System\GyOniUu.exe
C:\Windows\System\qQKdMRZ.exe
C:\Windows\System\qQKdMRZ.exe
C:\Windows\System\UrNLxLi.exe
C:\Windows\System\UrNLxLi.exe
C:\Windows\System\INwmvTp.exe
C:\Windows\System\INwmvTp.exe
C:\Windows\System\UyoChiK.exe
C:\Windows\System\UyoChiK.exe
C:\Windows\System\CTmBZcj.exe
C:\Windows\System\CTmBZcj.exe
C:\Windows\System\irAvtBi.exe
C:\Windows\System\irAvtBi.exe
C:\Windows\System\EgVvQRg.exe
C:\Windows\System\EgVvQRg.exe
C:\Windows\System\hZQTEVV.exe
C:\Windows\System\hZQTEVV.exe
C:\Windows\System\hUJrfYG.exe
C:\Windows\System\hUJrfYG.exe
C:\Windows\System\bcgwaZB.exe
C:\Windows\System\bcgwaZB.exe
C:\Windows\System\VXoumYU.exe
C:\Windows\System\VXoumYU.exe
C:\Windows\System\VduRoTU.exe
C:\Windows\System\VduRoTU.exe
C:\Windows\System\bObqcwN.exe
C:\Windows\System\bObqcwN.exe
C:\Windows\System\qXCHPHd.exe
C:\Windows\System\qXCHPHd.exe
C:\Windows\System\jhqFAUu.exe
C:\Windows\System\jhqFAUu.exe
C:\Windows\System\RhpWMIX.exe
C:\Windows\System\RhpWMIX.exe
C:\Windows\System\hHRuCPw.exe
C:\Windows\System\hHRuCPw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2272-0-0x00007FF78B670000-0x00007FF78B9C4000-memory.dmp
memory/2272-1-0x000001B28BB00000-0x000001B28BB10000-memory.dmp
C:\Windows\System\sdYiQbY.exe
| MD5 | 7b57125c9d2d0097140cccdd0d925603 |
| SHA1 | 591745e66b6b90927a4ea32eca430a670e466037 |
| SHA256 | a9ab73120ae6a087fa70800722bc5403c3d9cbeb0b33eb5ee2bc18b8234cee6e |
| SHA512 | 3bae0573d9ea0c48539822cdab648a0d7c5e0844e208d6e62408e613474d57f451b517318e10f5e6b6de6a77fd26cccb23d5bfdafd962ace367551088b74397c |
memory/3284-7-0x00007FF7AB1D0000-0x00007FF7AB524000-memory.dmp
memory/1192-13-0x00007FF6CEF00000-0x00007FF6CF254000-memory.dmp
C:\Windows\System\yjZVLdH.exe
| MD5 | b5c2894a165a1733b47054cfd6f08a1d |
| SHA1 | 4184fd2415cc23bb6597a978fab585ae62b7eca9 |
| SHA256 | 6e924952b8f251d61f3d228b5c2b3af4476e6544fcee1aab311184bf5532afb7 |
| SHA512 | ac89aa90036371a65152aa7b84a782f6e58340c88e7c7a1b7d68dbb43591f4e659f22a9273cbe71860403fed5064e4dbe59927b6af22e878299f9c03fa2a955f |
C:\Windows\System\xzANhkQ.exe
| MD5 | b4ba924de9a38017e0bc60b4b3707e90 |
| SHA1 | 99026925295b45ddbc6dd625ad5e5336dfab5b45 |
| SHA256 | 243bf2784742b823733029e179f7173eefdf203b562eb2fd89e5350126bfd10d |
| SHA512 | f85a5a9f33e2c33ce85238273c0f354f6137b9aa1a6555949b2b672decd79c7721f08d2523e59caaec627a5c26b45c25c1a93a0b88fcf623668847dcb99e046a |
memory/4964-20-0x00007FF7875D0000-0x00007FF787924000-memory.dmp
C:\Windows\System\GyOniUu.exe
| MD5 | 6f7d8048982aeb3889bfc88f0c476c31 |
| SHA1 | 1f6c42c84e564be5bd5638261f6a4de096cbdd16 |
| SHA256 | 3379b2fa171695a52cc467ae34a252462a3efbc239edff5ab49903a92d7682e8 |
| SHA512 | 2d0930fe001a336bd90d109a3a75f6bc8c8ca53ad2948c633301e10ac183e594546e12885b7800b9500e3d56d584751e9d59e17a4f28084f1dd6bb95767ca1f2 |
C:\Windows\System\qQKdMRZ.exe
| MD5 | 956ac348747ebc0dfd9e9027a5c10504 |
| SHA1 | b3535e6d18c72ae49cdcd8eda1cf1f277b374e5e |
| SHA256 | 117fcb2997f5f8f5f54d5e6ea61c92d35c951d3f7ed0834cf43bac838792ec01 |
| SHA512 | 162cc474be36fb923b2b4b00568ec98673fc8a2e8e3e4f5a29d2d6647a5a59d52796a114c36b4bc4516e662a201f961aade87bd9ee5f0ddfc645a53eaf43c3b3 |
memory/4976-35-0x00007FF62B6B0000-0x00007FF62BA04000-memory.dmp
memory/4072-36-0x00007FF74B9E0000-0x00007FF74BD34000-memory.dmp
C:\Windows\System\UrNLxLi.exe
| MD5 | 7287539994f75ed41beef39ecf39df86 |
| SHA1 | 182cd143923829c9dc774eb36243a88d67054d68 |
| SHA256 | 09fd2e764df69750af9ea72dc999306d5145b9ca731dc38813aa00d3a178ad62 |
| SHA512 | ae457128ff1874b84066415c6ecea1baa4a6198a7f2e6e1b4947b9d5883c65778ea5e56cabb21da6c91bbc57f774f7c3ccee24c4a06c622b3a7b7478c8fc0dca |
C:\Windows\System\INwmvTp.exe
| MD5 | 2332adc3f8627c21f3c54efed5484a92 |
| SHA1 | a4ef759f0226f808dceaaa77578f78552654d91d |
| SHA256 | 3006f723b9c54c796096a3dfa673005c8d8e9a440fb5b76d5b45e64d5d2b8e2f |
| SHA512 | a0ff4642fdb89025a6e8bf3ecec154a15c561a6a8751bd025df993a44edb0d8bf6a4105be06ecddfba15ffd561b0a62eba242965579167dbde879b9f870a69c1 |
C:\Windows\System\UyoChiK.exe
| MD5 | b46263526ff2fe2b6a28d42b25ed5041 |
| SHA1 | 0d68cd76be78e44ee19c66182d498e481755031a |
| SHA256 | e1bb1cf5e3b1ef918c571fee403fa3b25548146e7debb191b2cb203c97b2ae0b |
| SHA512 | 9fe4198501ebaa7c51078e95711c2fd975349e89b397402274e4193016ef914114bfcdaffa258fb673beeec9106ad5c9eca26b2244cf36d64000c4d68ee3d650 |
memory/4020-48-0x00007FF7669C0000-0x00007FF766D14000-memory.dmp
memory/4012-44-0x00007FF6606A0000-0x00007FF6609F4000-memory.dmp
memory/4260-27-0x00007FF78CAA0000-0x00007FF78CDF4000-memory.dmp
C:\Windows\System\CTmBZcj.exe
| MD5 | b72eb33d9f0d02588ac2ab895b1ca665 |
| SHA1 | b0e02c3187e0fae3f3d69980846d8629638d948e |
| SHA256 | a69be4c5d1bd05c34de3515e6da119d7b4a9481e45bd22af643993580e359d1b |
| SHA512 | a915134905d9cec8e0a820800be289646924c439ce32bc4ec10f66f4a23c337918d65798e0d2cda3863869557b2e444fb1e67968ae375f1e119190ab86606499 |
memory/3856-54-0x00007FF6AA3C0000-0x00007FF6AA714000-memory.dmp
C:\Windows\System\irAvtBi.exe
| MD5 | f212b8771050ebdd8c007aee7cb18f2a |
| SHA1 | dc6c9ab224862682bdbd070805f1efd3127385f9 |
| SHA256 | 9d834e4a34f92ec40c23395827e751075252c7820ed70e3059f304dd98869f4a |
| SHA512 | 82f023680f496d011dd6ebc2329c938d7f2bdb245016b2374b88af9c7c95e42fe46acbc9d267f081ab1f153a0c4bf29e2708866c43168334fd25bff0df34135e |
memory/404-62-0x00007FF6E7940000-0x00007FF6E7C94000-memory.dmp
memory/2272-61-0x00007FF78B670000-0x00007FF78B9C4000-memory.dmp
C:\Windows\System\EgVvQRg.exe
| MD5 | 28cd045a75721240036dc30adea06446 |
| SHA1 | 76aae4c9ac5f5b0907ff9267486b3fa8a523d367 |
| SHA256 | 4aa6b8b93405f815ee0c8aae0fc29b652157403ad373c2841cdbc8d24b2dcbb7 |
| SHA512 | b814dd046adca723f21b985482d376ad57b5c551617cd101013f7516dd8e00b04c4163547aac1a5bb74efed5ed275041823faae51e05dc795319975fb4028ef8 |
memory/3512-70-0x00007FF6942D0000-0x00007FF694624000-memory.dmp
memory/3284-69-0x00007FF7AB1D0000-0x00007FF7AB524000-memory.dmp
C:\Windows\System\hZQTEVV.exe
| MD5 | b4a3bd4c154bf764864e4efa0627a72d |
| SHA1 | bce02b1c24eaf01e2d087bc7e8737feaf6a8d092 |
| SHA256 | 45fe8331da090af9bba86e11c83e4c9885abc72d3f27c81accc7c859f1a80934 |
| SHA512 | 3f29b4fa6ad61ac409552a3e6f346a8afab6f75af6a3f3496a2fd7da8d8ea8219e34fabb1dcf210aa7314b6d27b2bf8b5f5436b21ac6b904215d366a7d9fd5fa |
memory/1556-77-0x00007FF6696D0000-0x00007FF669A24000-memory.dmp
memory/1192-76-0x00007FF6CEF00000-0x00007FF6CF254000-memory.dmp
C:\Windows\System\hUJrfYG.exe
| MD5 | f89ac527689d50fa9912195660e0c6f9 |
| SHA1 | 49b84be442f1a28f848082248c74828548450523 |
| SHA256 | ba4ac052687a8854a86472a0ad6ea6c7e00e7ad89406847557db4c34ddb2db7d |
| SHA512 | f9be5d1b2024a7ad8af8c352343cca231b9b864a5b17c3e4b62314215d68e4b34282cc59c7d89b6198763d7fe95fba22f00ab7df1e0d406fbc4bc0803814fb11 |
memory/452-83-0x00007FF7E13C0000-0x00007FF7E1714000-memory.dmp
C:\Windows\System\bcgwaZB.exe
| MD5 | 47c5506531959447546239c880834105 |
| SHA1 | 2ced406d0ca1d540cb2de97b85baaa72a3b0b850 |
| SHA256 | 0666e9f923186c1640163fc875700c3462b776d7e8fbfa1a6cc609de5dd355e1 |
| SHA512 | 498cb6788fa648bd30310676169a073a733020eb89a49b96197a8e2caf6646fc32269ce22bfbdf2a28e3a2e997502a332ac68997e34bf14d7eb20ca6dcb473ca |
memory/4976-88-0x00007FF62B6B0000-0x00007FF62BA04000-memory.dmp
C:\Windows\System\VXoumYU.exe
| MD5 | 94c5f10a5d7994eba4adaaf96c4c569d |
| SHA1 | f55fb65463732d86a65401451d3d2a870b721240 |
| SHA256 | 3c756e59d78035593e652e6e3ffa9f4f0cb11fd0a13b6f940345b6ff870005c6 |
| SHA512 | 4ad8f1a488b21acf9d03bef650ca5b901f39f31dc229fe65a1fa522727a91ac54348c50b3c59faecdd735fa0d4c678b259111530074dee23144f9361f01c824b |
memory/1040-96-0x00007FF6E3C70000-0x00007FF6E3FC4000-memory.dmp
memory/2120-91-0x00007FF7EA0B0000-0x00007FF7EA404000-memory.dmp
memory/4260-87-0x00007FF78CAA0000-0x00007FF78CDF4000-memory.dmp
C:\Windows\System\VduRoTU.exe
| MD5 | afcb7059a27350c50f26e536d7b3fe68 |
| SHA1 | f9cb44885a7d9eabc6bf01c5cfc5b6d1ad8ea4a2 |
| SHA256 | d92e1974447f9e18e64259c7a6dbb5428b1b865c8ff0aa11b2c76790d4e0536a |
| SHA512 | 67bca85f974fb40f89d20d7cdbc1c7a276b42b02d234dab1583361e835ce00f374ca3560a06278a43410bb851af558aebacd2cdea9d1f146b942d597aeeafc4f |
memory/4012-102-0x00007FF6606A0000-0x00007FF6609F4000-memory.dmp
C:\Windows\System\bObqcwN.exe
| MD5 | 45a16f1d78625dd67cd846e510ba0016 |
| SHA1 | f0d638abbb7a0271ea222b90a77387fcd91d33be |
| SHA256 | 99ba22ae3e6cb69a2cb6666cb1a0b8ad88f4fa01409f7e012768c947718c943d |
| SHA512 | 1a1fa863d2ee7f03c438a19e0ac230788e1ca6db7fefc1cdbcf12dc75ffbff173b0149da596bf60c6a8608f6bd4c8684ad8b174681adb277f05bf71475a752cb |
memory/3340-106-0x00007FF707A50000-0x00007FF707DA4000-memory.dmp
memory/4072-101-0x00007FF74B9E0000-0x00007FF74BD34000-memory.dmp
memory/1396-111-0x00007FF65D950000-0x00007FF65DCA4000-memory.dmp
C:\Windows\System\qXCHPHd.exe
| MD5 | ce55cf967c1aded87e9552de8878e90d |
| SHA1 | 5bc11f07926770f6ad36871ff00f7e3fbe6e0590 |
| SHA256 | c6a13182f13623f75f061be4b15d65c2c175b7558d9437d9a3e25cffd65c9de6 |
| SHA512 | 7d604498c2bb0ae6f72a41dc1c8c1a44978d1bf2745cdaf48a32b4a2ab337950f2710a4f9994ba052fc360a98e4a787cca4e51a500b4b6a379eb04e00034b3ea |
memory/2868-116-0x00007FF651150000-0x00007FF6514A4000-memory.dmp
memory/1352-123-0x00007FF7D40E0000-0x00007FF7D4434000-memory.dmp
C:\Windows\System\RhpWMIX.exe
| MD5 | 1098647c6d7b5da9c7657e704733e19e |
| SHA1 | 5a411659b44a06df7ece95a0dda86931ea34a144 |
| SHA256 | bd251ae3c829dba0ebc177ab69a3a3f7dd7fb5bb6c0865144c8c78633964b3d6 |
| SHA512 | 70b588d5414c0391a910b4c858d1f935854bc075275be0396eb8ec220f5cd7ea1d3054f6d115a28885e682ffdfaf6839c54ab6d28c61a0bbaa759d88bf8097e6 |
memory/2380-129-0x00007FF7A9B00000-0x00007FF7A9E54000-memory.dmp
C:\Windows\System\hHRuCPw.exe
| MD5 | a1bcec9dc5a2070443265ea0ca5636aa |
| SHA1 | 0303e133b7c923ebd9ad7e8ab61bc347040aba00 |
| SHA256 | 53f6932f14132be20fdcdff289606ec1cca3d3d2ce1fe39f251adb5d934d8f87 |
| SHA512 | c2b7dc416e87d4db69b08ae25d4aa071ee0ae4ea224e8b957aeb2413d79e2abf7ccecb0e4628bddfef4851122f58e065002b57b507fbc90c03780ae21b4e0fc8 |
memory/404-128-0x00007FF6E7940000-0x00007FF6E7C94000-memory.dmp
memory/3856-122-0x00007FF6AA3C0000-0x00007FF6AA714000-memory.dmp
C:\Windows\System\jhqFAUu.exe
| MD5 | 4372f599dbbe62c36f290eb3d7dc26e4 |
| SHA1 | a4796fb6c41f9629046b28618f74d7b5c3c33755 |
| SHA256 | ff91011ba0c07668cb21abae95cb2bc00b6e97b58948ebfd7218025cdaa76f90 |
| SHA512 | 662f015b66b9e46f49ae23c4ede458a17de004a73339e634bfd4d73171ca0efaf0d75285e649fe03488af048b170354d63fc0a7218bf14f734b6096b8fa3a6c5 |