Analysis Overview
SHA256
25fad504c73c8025773f171267939ef57da04ee9a338513841ea6b7f55470d09
Threat Level: Known bad
The file 2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Families: Cobaltstrike, Xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 16:34
Signatures
Cobalt Strike reflective loader
1 match (indicator, process and target not recorded in this export)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match (indicator, process and target not recorded in this export)
UPX dump on OEP (original entry point)
1 match (indicator, process and target not recorded in this export)
XMRig Miner payload
1 match (indicator, process and target not recorded in this export)
Xmrig family
UPX packed file
1 match (indicator, process and target not recorded in this export)
Unsigned PE
2 matches (indicator, process and target not recorded in this export)
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 16:33
Reported
2024-05-25 16:36
Platform
win7-20240508-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (indicator, process and target not recorded in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (indicator, process and target not recorded in this export)
UPX dump on OEP (original entry point)
60 matches (indicator, process and target not recorded in this export)
XMRig Miner payload
38 matches (indicator, process and target not recorded in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BazRiQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\pogessg.exe | N/A |
| N/A | N/A | C:\Windows\System\MjzrQiG.exe | N/A |
| N/A | N/A | C:\Windows\System\yLonbTg.exe | N/A |
| N/A | N/A | C:\Windows\System\kMpRLRF.exe | N/A |
| N/A | N/A | C:\Windows\System\XWTwvlb.exe | N/A |
| N/A | N/A | C:\Windows\System\aRRrtuy.exe | N/A |
| N/A | N/A | C:\Windows\System\yBUtTcp.exe | N/A |
| N/A | N/A | C:\Windows\System\FAhTwnn.exe | N/A |
| N/A | N/A | C:\Windows\System\sGJVdUA.exe | N/A |
| N/A | N/A | C:\Windows\System\SlIzCnu.exe | N/A |
| N/A | N/A | C:\Windows\System\ULLAmhs.exe | N/A |
| N/A | N/A | C:\Windows\System\fSEPTpN.exe | N/A |
| N/A | N/A | C:\Windows\System\GrXzohp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZiFnDtd.exe | N/A |
| N/A | N/A | C:\Windows\System\OdjCIiM.exe | N/A |
| N/A | N/A | C:\Windows\System\fEQEeGf.exe | N/A |
| N/A | N/A | C:\Windows\System\eNZXFGM.exe | N/A |
| N/A | N/A | C:\Windows\System\nUhSrvx.exe | N/A |
| N/A | N/A | C:\Windows\System\qcHlsKZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hZhmUmO.exe | N/A |
Loads dropped DLL
UPX packed file
60 matches (indicator, process and target not recorded in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\BazRiQJ.exe | C:\Windows\System\BazRiQJ.exe |
| C:\Windows\System\pogessg.exe | C:\Windows\System\pogessg.exe |
| C:\Windows\System\MjzrQiG.exe | C:\Windows\System\MjzrQiG.exe |
| C:\Windows\System\yLonbTg.exe | C:\Windows\System\yLonbTg.exe |
| C:\Windows\System\kMpRLRF.exe | C:\Windows\System\kMpRLRF.exe |
| C:\Windows\System\XWTwvlb.exe | C:\Windows\System\XWTwvlb.exe |
| C:\Windows\System\aRRrtuy.exe | C:\Windows\System\aRRrtuy.exe |
| C:\Windows\System\yBUtTcp.exe | C:\Windows\System\yBUtTcp.exe |
| C:\Windows\System\FAhTwnn.exe | C:\Windows\System\FAhTwnn.exe |
| C:\Windows\System\sGJVdUA.exe | C:\Windows\System\sGJVdUA.exe |
| C:\Windows\System\SlIzCnu.exe | C:\Windows\System\SlIzCnu.exe |
| C:\Windows\System\ULLAmhs.exe | C:\Windows\System\ULLAmhs.exe |
| C:\Windows\System\fSEPTpN.exe | C:\Windows\System\fSEPTpN.exe |
| C:\Windows\System\GrXzohp.exe | C:\Windows\System\GrXzohp.exe |
| C:\Windows\System\ZiFnDtd.exe | C:\Windows\System\ZiFnDtd.exe |
| C:\Windows\System\OdjCIiM.exe | C:\Windows\System\OdjCIiM.exe |
| C:\Windows\System\fEQEeGf.exe | C:\Windows\System\fEQEeGf.exe |
| C:\Windows\System\eNZXFGM.exe | C:\Windows\System\eNZXFGM.exe |
| C:\Windows\System\nUhSrvx.exe | C:\Windows\System\nUhSrvx.exe |
| C:\Windows\System\qcHlsKZ.exe | C:\Windows\System\qcHlsKZ.exe |
| C:\Windows\System\hZhmUmO.exe | C:\Windows\System\hZhmUmO.exe |
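Added analyst example, not part of the sandbox output: the process list above shows the sample, running from the user's Temp directory, launching 21 dropped executables with seven-letter names out of C:\Windows\System (the legacy directory, not System32), while the parent enables SeLockMemoryPrivilege, the privilege XMRig asks for so it can back RandomX with large pages. The Python below turns that combination into a triage heuristic over process-creation events. The ProcEvent shape, the PIDs of the children and the triage threshold are constructed for the example; a svchost.exe control event is included to show that a seven-letter name on its own does not fire.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed shape, roughly a Sysmon event 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    privileges: tuple = ()   # privileges the process enabled via AdjustTokenPrivileges


# C:\Windows\System (not System32) is a legacy directory from which nothing
# normally executes, so an image there is a strong signal on its own.
WINDOWS_SYSTEM = re.compile(r"^c:\\windows\\system\\[^\\]+$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# The dropped names on this page are exactly seven ASCII letters (BazRiQJ,
# pogessg, ...). Alone this is weak: svchost.exe and notepad.exe fit as well.
SEVEN_LETTERS = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def reasons_for(ev: ProcEvent, by_pid: dict) -> list:
    """Collect independent signals for one event; the caller sets the threshold."""
    reasons = []
    if WINDOWS_SYSTEM.match(ev.image):
        reasons.append("image executed from C:\\Windows\\System")
    if SEVEN_LETTERS.match(basename(ev.image)):
        reasons.append("seven-letter image name")
    if TEMP_DIR.search(ev.image):
        reasons.append("image runs from the user's Temp directory")
    parent = by_pid.get(ev.ppid)
    if parent is not None and TEMP_DIR.search(parent.image):
        reasons.append("parent runs from the user's Temp directory")
    if "SeLockMemoryPrivilege" in ev.privileges:
        reasons.append("enabled SeLockMemoryPrivilege (large pages; requested by XMRig)")
    return reasons


def triage(events: list) -> dict:
    """Return {pid: reasons} for events carrying at least two independent signals."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        reasons = reasons_for(ev, by_pid)
        if len(reasons) >= 2:
            findings[ev.pid] = reasons
    return findings


def sample_events() -> list:
    """Constructed events mirroring the behavioral1 process list; child PIDs are illustrative."""
    dropper = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
               "2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe")
    events = [
        ProcEvent(2928, 1234, dropper, f'"{dropper}"', ("SeLockMemoryPrivilege",)),
        # control: a legitimate seven-letter name in System32 must not fire
        ProcEvent(800, 600, "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    ]
    for pid, name in ((2600, "BazRiQJ"), (2616, "pogessg"), (2512, "MjzrQiG")):
        image = f"C:\\Windows\\System\\{name}.exe"
        events.append(ProcEvent(pid, 2928, image, image))
    return events


if __name__ == "__main__":
    for pid, why in triage(sample_events()).items():
        print(pid, "; ".join(why))
```

Run against a real EDR feed, the Temp-parent and C:\Windows\System signals carry the weight; the name pattern only adds confidence, and SeLockMemoryPrivilege should be checked on the parent as well as the children, since the report only shows the dropper enabling it.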
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2928-0-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2928-1-0x0000000001B20000-0x0000000001B30000-memory.dmp
\Windows\system\BazRiQJ.exe
| MD5 | f40ba4391e5807c5d6c40ae43fc35e93 |
| SHA1 | d12c78b23897dbb8aae0343b4d226b359bbdcdf7 |
| SHA256 | 9b188d5fffc5ad71f2a6dcb4ecab7fd03b11a69a4f27e70537689a2ef3ba0165 |
| SHA512 | 59c263e6902853d8755b2aa41b2c7556a3d4079e21a808b750901530aafeace6e37ff1fdf78e15ac56731a06cd3eb9535b3c144cf07cd0ea41a92c9705594296 |
memory/2928-7-0x000000013FA50000-0x000000013FDA1000-memory.dmp
\Windows\system\pogessg.exe
| MD5 | dcc3bbb65fc7fa2f186f574721c501df |
| SHA1 | 47e52744e7c9704d3746421476a6fa1d219922f2 |
| SHA256 | 580497fe86308502827c856a4cffd5c60cf731c26672196cc70e815fe4a4b0a7 |
| SHA512 | 278dcb1bcb3ec1a18caf29f02badbccbeeb2fcd6eba7892b55e42d8e7015b498299d7cd8fbcc5e12f357c64e11d8372cab7b1639b89d8faba057158229b64a21 |
C:\Windows\system\MjzrQiG.exe
| MD5 | c9a8206452bac3547da4910f9f8e581e |
| SHA1 | efaef32f7839a0a0456fb42024e0197c68e60fa3 |
| SHA256 | bd5b974ea952f878e44d02c1fb75ef0a143791747ccff5ca2564964b7c577dce |
| SHA512 | 656e5e31944a39b238c67632ccd000b548f833280ca88bd9f2c68f12b007ee268dc93a71063f75457493082a3622b1c2c84eaa1e27e413709477b738ccf1a299 |
C:\Windows\system\yLonbTg.exe
| MD5 | c0506568066fce5b3fd1c7e7a194701d |
| SHA1 | 783ccf8bb41baa6c55d85f850a7b569e3fe451d6 |
| SHA256 | 067f83f9f3350b3e93b9c6fe2b258bfe4e27496543d8ca68a716bb9c0cad779b |
| SHA512 | 5ee69038311b3c8245ed0bb55781bdc9348116aa15973f11c5b72a42312909e2ee9580a966368c9d89ce25e262561630c24ccc19cd00e725871d4019840bc968 |
C:\Windows\system\kMpRLRF.exe
| MD5 | a18394653589e4b0b5768355314394ae |
| SHA1 | 6cbc641a9c3af184a5d3d7e183e34342b0131748 |
| SHA256 | 4c58a894d1885b09827d1883c4506d7644b4c4cdaa5f7f5dc50079a4885568e0 |
| SHA512 | bdac0d62b9174a1d71bd496aaf7fa391c5e63ed24f7be96f5ea1aefdedf0802358ce0af71d54162c74f9759ad903a6359706171cb6004043606a588e5b4bed28 |
C:\Windows\system\XWTwvlb.exe
| MD5 | 1d92d7d4e93144cae388a423bc37c90e |
| SHA1 | e820279aa1c7055a3ffc7892974fe0ae092e633b |
| SHA256 | 47aae25e1d2b7b7db110988a4e127581c2403aa9ca726013e8aff026ef2c0e60 |
| SHA512 | 83d1dcfd5c816897308e56502e6117565fcb08fad53421a6cb967d96d2a9ca6743460e2165813a7868e0951da23264c9f4350d472a69cb7746022db501844b53 |
C:\Windows\system\yBUtTcp.exe
| MD5 | 63186cf7089d37176f1beb6fe4de0a72 |
| SHA1 | bb96db456d82b2cf84deba8f72e955d6178c7399 |
| SHA256 | e491b0660babf994651f32b0842d784d8437e4af7ba5cfe7879db59eb4ecfd85 |
| SHA512 | 76fe6e7b90a55437beb4aaec3a11529645eeea4e74fd18b9362c15f27f226e567f663f796018caa605a8f66511c1ce3387ed4cde44b3a677c9f48007422b2385 |
C:\Windows\system\SlIzCnu.exe
| MD5 | 234f25352269ea5add59b19ec5addcf1 |
| SHA1 | a55c7ad21d559633322b05d15f551c98d1fc1723 |
| SHA256 | 3777d4da35afb99fd92d6e784e1133f271ba5e25324bcac8fd8b1c05c50f1125 |
| SHA512 | 33b22552c1a14fb8e9dea6898ea59f88cec3037fc70b54c6d396c094303094031d7891e6305de3d291bf0139e7fa54a6525814d078db75da8d429ef218f9a357 |
C:\Windows\system\GrXzohp.exe
| MD5 | 1fbfdb1e04eb9b079c13d14520c10ee5 |
| SHA1 | 2fbe8c7de2f216200571749e2eda17f9c210da06 |
| SHA256 | f936c2050b6505cc3b495699ae23297f2bac867f6aa9a66d4cf22a46281ba4f3 |
| SHA512 | 5a72695acc3c3aa16314735a9e241cd6ac3abff9b99495d22aa061a30fb7b7e6b71de5c038066a709d71e8b94d0a100397b8f4190582a3e2306265d40b76ba92 |
C:\Windows\system\OdjCIiM.exe
| MD5 | 0cfa9a5195577257173b4a87f9700bdf |
| SHA1 | 5b4a46d9faa1a711a43c621c368173e96941a69a |
| SHA256 | 8f1d18d1924e58225661424598c20413fc6b9b72bfb5e9e16ae68cd097f29434 |
| SHA512 | 324138fc05f75c00851cf2444cd394cfa7189e7718d7b84953ac6d1e15d807d11c481726396bc97b67f3dd2063d3902cde66c084cc8cc2cdc07876957b91a2a0 |
\Windows\system\qcHlsKZ.exe
| MD5 | 6589cf41b5a1a86f161068c0ed496f15 |
| SHA1 | 069e309198218b7f5c4205dbb5b5e863704a2a90 |
| SHA256 | dcdc09dab263165c48cb7a45c3e37301266c756f38a819f957558969ad168e28 |
| SHA512 | 51d777f4be2b11125fd9b805463b3eefb656050d1a15d866bd769e185b3714cfec1d1eba78d5c8493976823d82d2f2b7e61bf2f0482f89739ceefd3b672710ff |
C:\Windows\system\hZhmUmO.exe
| MD5 | e6ddfd91f8fb933d1a92411d48871331 |
| SHA1 | 36fdcf6690e6eb902894128e594af14b3c09175a |
| SHA256 | 821d041dcdfc0e93b09dbb1132436365de629aee6de1a74f97618e996227fa85 |
| SHA512 | 19756a5c96329804e1a3734166b93ca1a1a1ee90ac6dfec0570e94c5c031a44c01e4e836f48079aaeceb5edfa9908a47b8d6bdc2d24d0cf81c81d8b3975767c8 |
C:\Windows\system\nUhSrvx.exe
| MD5 | abe4593240801d3ff29889ef62049e5c |
| SHA1 | 007689fd267e810857d27bf583b840c307716dc9 |
| SHA256 | 02fb1c0ecbb5c999f46b41c232d9ef458a6bdd8ff647e350299fcbaaab814b17 |
| SHA512 | 786d3004001c4dbeec310573a68e91ecd588c2f4bbae817e06f230f38f7e8fd0e760e22afabda3df8bc050379ae3aa33e7f5a5fbced513e35b6db3ae04da6ad4 |
C:\Windows\system\eNZXFGM.exe
| MD5 | f86797b4a0c461cb189151bccdb6473a |
| SHA1 | 3620044700f51bebd31a17461cfc3f96bb18e9aa |
| SHA256 | da04373751456f6e97ee1a5a2899680b3ae8dbc369a8fa5fbbfedb7f5666a7c3 |
| SHA512 | c9edf60ef8a0b318e478f316307ca2dc034b61af1157fcaeb4c61d08a1c5637351fd0ca67cba004d34d176ec9b175ec3e22b2c2155042d2142b7b9b88b4ccf02 |
C:\Windows\system\fEQEeGf.exe
| MD5 | ef35270268ed96343c456eefb42f33f3 |
| SHA1 | 1f7ee181620d345e8734c1adb9bd115226d5c5ab |
| SHA256 | 0eaf4ce4c699092f15d52a5a95e73dac0e588771bb2cb913ec49f808801cdbc1 |
| SHA512 | 32faf9efb27d9bf7c34612c1e21113d951d141b385f39f15eba21f9c4223cab8ee45851cc4361560e376fab1438bddeb70749aaca8f4c9f878d5156f2362bef5 |
C:\Windows\system\ZiFnDtd.exe
| MD5 | 0746d4b81eb65c941ee2982ae65558cb |
| SHA1 | f7a1cae68ac551b5ba16c95d7b056a49c54afee5 |
| SHA256 | 259fcff682387b65cdd953d3b8729daf4a944d1b39640b7ed3c5ee10adc99441 |
| SHA512 | 1fa521968228b7bcad00efd3a554d5e35eff7916496df8c9fe500c1ad618d7d3592e621fde06fc472cae1b65d5cfcc75001c4447aea3f8c1a1cd1042db776e0b |
C:\Windows\system\fSEPTpN.exe
| MD5 | 34304966cc97fcf3421f82f355bf20b7 |
| SHA1 | 96af8bcf91f775443e4c8f3f042ef468e4c80ea9 |
| SHA256 | 12ab10dc8fd02091fce0873745b0c21b4fe26e50e76dd0b7920872227498f450 |
| SHA512 | d2577278006f1919320dba77c61c1ea2c6fb06989b1f502f6e9404c19227aad9d9bb0b9d81f1a7647fcd878e9bf7bdea19aec914895bcee69812d2bf24664869 |
C:\Windows\system\ULLAmhs.exe
| MD5 | 8fce8884c5b0d58d842c9b275aea9b7a |
| SHA1 | 352ef57447f780666d69d7b67a9f0a86bd4de71d |
| SHA256 | 9c91bdb27658175acf4cc185c11fe126325f95ee576239a3063d8246d4dce222 |
| SHA512 | dd481942821472dd469defac9210d13d26480fba76308752977b7e1fc249adb72d805d6b26edd1076d008966c1dde4774dfdb74434013420903ddbb391aaecbe |
C:\Windows\system\sGJVdUA.exe
| MD5 | 215fa1395118b8d36253772c1e17ffba |
| SHA1 | a066bb62cf3506881e5f86a0372c3e0f955c2cf4 |
| SHA256 | 2555011884b346a411ac410aa8b117a80fe32418428043390c117ba1ca9dfca6 |
| SHA512 | 757b456494e7fe804c2b95683549a8ab07452c8eb3c70edb2cb9de4daa75cf8a317a2b968c007506accb0eca744c0c9f2838d1de5f364a7fa6018fa94e8c2025 |
C:\Windows\system\FAhTwnn.exe
| MD5 | ad8ff9074aaa9fd6498c1efb5f0ade8c |
| SHA1 | 9ec65135101fa96ef86a12d71aa7bfdbc82fab65 |
| SHA256 | 6d19f68d03a995e6662891128de454444e12973b747f05550b23f20e0aaf10ef |
| SHA512 | d5899ed3624411e4066c3dd4a9260434abbc49df2290bd830a6e6d886875c14d0858c466c1ebc3cf037226ac5fb7a68f31c4779bbfa35d25206a0c355fcf63d0 |
C:\Windows\system\aRRrtuy.exe
| MD5 | 2113d3ab1f9765e2025e133afe1ed1a4 |
| SHA1 | 14e58cd5ddc7f03683107eb58b0ffb5fb9a289c1 |
| SHA256 | f117f98a3c2eb6ab57fe23c3f89d5d52fa425bf51fc0e984f1d0649b5ed506de |
| SHA512 | 0c23357679a19f768c84ff0a3df3894198b247e9a6a097dd92c09e8e8c91e97ef28a58c99826fd1e90d7349a7decabe07f945ab2d532bc16b410db67aed07d8a |
memory/2928-108-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/2600-109-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/2928-110-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2928-112-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2616-111-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2928-116-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2928-119-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/2512-118-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/2264-117-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2540-121-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2180-128-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/1932-129-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2520-127-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2928-126-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2620-125-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2704-124-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2928-123-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2528-122-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/2720-120-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/2800-115-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2928-114-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2732-113-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2928-130-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2584-145-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2220-151-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/324-150-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/1820-148-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2760-147-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/3040-146-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/1044-149-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2928-152-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2928-174-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2928-197-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/2180-217-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2732-225-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2600-224-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/2264-227-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2720-229-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/2620-233-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2616-240-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2800-242-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2520-250-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2704-248-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2540-246-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/1932-243-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2528-232-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/2512-254-0x000000013FED0000-0x0000000140221000-memory.dmp
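Added analyst example, not part of the sandbox output: the Files section above lists 21 dropped executables in behavioral1, every one with a different MD5/SHA-1/SHA-256, and behavioral2 drops 21 differently named files again. Hashes from this report are therefore per-run indicators and will not match the next detonation; the durable indicators are the behaviour (C:\Windows\System drops, SeLockMemoryPrivilege, the 3.120.209.58:8080 connections). The Python below parses the Files section as exported, validates digest lengths so a truncated or mis-copied hash is caught before it reaches a blocklist, and checks whether any two drops share a digest. The excerpt is the first three entries of the section copied verbatim; the function names and the CSV layout are the example's own.

```python
import re

# Excerpt of the behavioral1 Files section above, copied as exported, with the
# interleaved memory-dump lines left in place (constructed input for the example).
REPORT_EXCERPT = r"""
memory/2928-0-0x000000013FEC0000-0x0000000140211000-memory.dmp
\Windows\system\BazRiQJ.exe
| MD5 | f40ba4391e5807c5d6c40ae43fc35e93 |
| SHA1 | d12c78b23897dbb8aae0343b4d226b359bbdcdf7 |
| SHA256 | 9b188d5fffc5ad71f2a6dcb4ecab7fd03b11a69a4f27e70537689a2ef3ba0165 |
| SHA512 | 59c263e6902853d8755b2aa41b2c7556a3d4079e21a808b750901530aafeace6e37ff1fdf78e15ac56731a06cd3eb9535b3c144cf07cd0ea41a92c9705594296 |
memory/2928-7-0x000000013FA50000-0x000000013FDA1000-memory.dmp
\Windows\system\pogessg.exe
| MD5 | dcc3bbb65fc7fa2f186f574721c501df |
| SHA1 | 47e52744e7c9704d3746421476a6fa1d219922f2 |
| SHA256 | 580497fe86308502827c856a4cffd5c60cf731c26672196cc70e815fe4a4b0a7 |
| SHA512 | 278dcb1bcb3ec1a18caf29f02badbccbeeb2fcd6eba7892b55e42d8e7015b498299d7cd8fbcc5e12f357c64e11d8372cab7b1639b89d8faba057158229b64a21 |
C:\Windows\system\MjzrQiG.exe
| MD5 | c9a8206452bac3547da4910f9f8e581e |
| SHA1 | efaef32f7839a0a0456fb42024e0197c68e60fa3 |
| SHA256 | bd5b974ea952f878e44d02c1fb75ef0a143791747ccff5ca2564964b7c577dce |
| SHA512 | 656e5e31944a39b238c67632ccd000b548f833280ca88bd9f2c68f12b007ee268dc93a71063f75457493082a3622b1c2c84eaa1e27e413709477b738ccf1a299 |
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# A file entry is a Windows path (drive letter optional, as in the report) ending in .exe/.dll.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]*\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


def normalize_path(path: str) -> str:
    """Drop the drive letter and case so the report's two path spellings compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(text: str) -> list:
    """Return one dict per dropped file: path plus lower-case md5/sha1/sha256/sha512."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:   # truncated or mis-copied digest
                raise ValueError(f"{current['path']}: {algo} has {len(digest)} hex chars, "
                                 f"expected {HASH_LEN[algo]}")
            current[algo] = digest
    return records


def all_distinct(records: list, algo: str = "sha256") -> bool:
    """True when no two dropped files share a digest, i.e. the hashes will not generalise."""
    digests = [r[algo] for r in records if algo in r]
    return len(digests) == len(set(digests))


def to_csv(records: list) -> str:
    """Blocklist-ready rows; SHA-512 is omitted because most tooling keys on SHA-256."""
    lines = ["path,md5,sha1,sha256"]
    for r in records:
        lines.append(",".join([normalize_path(r["path"]),
                               r.get("md5", ""), r.get("sha1", ""), r.get("sha256", "")]))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_files(REPORT_EXCERPT)
    print(to_csv(recs))
    print("every drop has a unique SHA-256:", all_distinct(recs))
```

Feeding the whole section through parse_files gives 21 records with 21 distinct digests under every algorithm, which is the point: block the behaviour, and treat the hash list as evidence for this one run.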
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 16:33
Reported
2024-05-25 16:36
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (indicator, process and target not recorded in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (indicator, process and target not recorded in this export)
UPX dump on OEP (original entry point)
64 matches (indicator, process and target not recorded in this export)
XMRig Miner payload
47 matches (indicator, process and target not recorded in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ELTFBrB.exe | N/A |
| N/A | N/A | C:\Windows\System\BXZduTV.exe | N/A |
| N/A | N/A | C:\Windows\System\nabWhsJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YLSxwDS.exe | N/A |
| N/A | N/A | C:\Windows\System\AnmMhyA.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnxkRKo.exe | N/A |
| N/A | N/A | C:\Windows\System\kuOTlkH.exe | N/A |
| N/A | N/A | C:\Windows\System\QRFpQeK.exe | N/A |
| N/A | N/A | C:\Windows\System\HcZjkFp.exe | N/A |
| N/A | N/A | C:\Windows\System\DgadmZd.exe | N/A |
| N/A | N/A | C:\Windows\System\oFoYxip.exe | N/A |
| N/A | N/A | C:\Windows\System\MlHiSPb.exe | N/A |
| N/A | N/A | C:\Windows\System\ladavvz.exe | N/A |
| N/A | N/A | C:\Windows\System\iElevMD.exe | N/A |
| N/A | N/A | C:\Windows\System\YOidzAN.exe | N/A |
| N/A | N/A | C:\Windows\System\XIPOPRP.exe | N/A |
| N/A | N/A | C:\Windows\System\wFevzcK.exe | N/A |
| N/A | N/A | C:\Windows\System\cJEXOfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YthfhNO.exe | N/A |
| N/A | N/A | C:\Windows\System\FMwPpHd.exe | N/A |
| N/A | N/A | C:\Windows\System\sSoJTxf.exe | N/A |
UPX packed file
64 matches (indicator, process and target not recorded in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-25_eaefb47189ae3adf6ccdaef5af81f128_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ELTFBrB.exe | C:\Windows\System\ELTFBrB.exe |
| C:\Windows\System\BXZduTV.exe | C:\Windows\System\BXZduTV.exe |
| C:\Windows\System\nabWhsJ.exe | C:\Windows\System\nabWhsJ.exe |
| C:\Windows\System\YLSxwDS.exe | C:\Windows\System\YLSxwDS.exe |
| C:\Windows\System\AnmMhyA.exe | C:\Windows\System\AnmMhyA.exe |
| C:\Windows\System\ZnxkRKo.exe | C:\Windows\System\ZnxkRKo.exe |
| C:\Windows\System\kuOTlkH.exe | C:\Windows\System\kuOTlkH.exe |
| C:\Windows\System\QRFpQeK.exe | C:\Windows\System\QRFpQeK.exe |
| C:\Windows\System\HcZjkFp.exe | C:\Windows\System\HcZjkFp.exe |
| C:\Windows\System\DgadmZd.exe | C:\Windows\System\DgadmZd.exe |
| C:\Windows\System\oFoYxip.exe | C:\Windows\System\oFoYxip.exe |
| C:\Windows\System\MlHiSPb.exe | C:\Windows\System\MlHiSPb.exe |
| C:\Windows\System\ladavvz.exe | C:\Windows\System\ladavvz.exe |
| C:\Windows\System\iElevMD.exe | C:\Windows\System\iElevMD.exe |
| C:\Windows\System\YOidzAN.exe | C:\Windows\System\YOidzAN.exe |
| C:\Windows\System\XIPOPRP.exe | C:\Windows\System\XIPOPRP.exe |
| C:\Windows\System\wFevzcK.exe | C:\Windows\System\wFevzcK.exe |
| C:\Windows\System\cJEXOfZ.exe | C:\Windows\System\cJEXOfZ.exe |
| C:\Windows\System\YthfhNO.exe | C:\Windows\System\YthfhNO.exe |
| C:\Windows\System\FMwPpHd.exe | C:\Windows\System\FMwPpHd.exe |
| C:\Windows\System\sSoJTxf.exe | C:\Windows\System\sSoJTxf.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.201.50.20.in-addr.arpa | udp |
Files
memory/4644-0-0x00007FF6E7FD0000-0x00007FF6E8321000-memory.dmp
memory/4644-1-0x000002C341FB0000-0x000002C341FC0000-memory.dmp
C:\Windows\System\ELTFBrB.exe
| MD5 | cab456ba1044125a8f89ad5dbb1e3e94 |
| SHA1 | e333f69b3da4605e34a6bf3b82db379cd7655e3f |
| SHA256 | 8763c2768b09834454535317365bf5a7737a0d7521ced531b1659005dea48345 |
| SHA512 | 508f2e6d83017ccd57dc90995255b2274dde15048dbfdcad12d2abe78e57d00042c3f6362e888935c0b706eee7affb90245f99972aa749e82e8354e2073099c0 |
C:\Windows\System\BXZduTV.exe
| MD5 | 883da3a5c1847febd84acb9c1e0d1c72 |
| SHA1 | 5dbdf2c9b4e89fad57b45dd85af39e8a46708b5f |
| SHA256 | 97b5dea78b8467602ab2ead0dbaf12258023592714f8c5fb42a3d1e5defd4bbc |
| SHA512 | d79b097f4cd8fe34b1b9654d0d422f2ecd9f6387f5323373800c0b460494f21fb8d22d4bbda4359127d4aad365ba45a91ad7280e2f6722f313caade55cde2673 |
C:\Windows\System\nabWhsJ.exe
| MD5 | af8336aba46f6e6bcc615207cfbf48f2 |
| SHA1 | 717d420adc19bab59422ec18922c4064964656a5 |
| SHA256 | 95f2bdc37f2ab608110ae1aaa5ca51dd8516357683bfa553a3dbfaca02dfa159 |
| SHA512 | cc6d5bbd3fb3dea73a01666782daf1b1d0c250fda797af6a0c85b01d07439c48073e1cb8eaae8a7fa7d23154e09ea5cf29315feb70210867ca17bb818fc2699c |
memory/4036-6-0x00007FF6A2D90000-0x00007FF6A30E1000-memory.dmp
memory/4540-12-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp
memory/2400-20-0x00007FF71EA00000-0x00007FF71ED51000-memory.dmp
C:\Windows\System\YLSxwDS.exe
| MD5 | d85d0a5e621017e3d310dc096aa0a38b |
| SHA1 | 2bb33b0238f160c4465384a7680f825b012453c3 |
| SHA256 | 7712014ce42f37f6a61c95db7999e834662a5e804e92de5095d091b3aa777c8e |
| SHA512 | 24b3aded2ca71a61373aa4f9f6ac046a0b28ad50e43482a9100c3de6d5fc187fe1a434486cb9513c01f658556f0d703b64329cbcc71bd002fedea5f406bbe23a |
C:\Windows\System\AnmMhyA.exe
| MD5 | 796d0864a55512b71df15897a34546cd |
| SHA1 | 342701f4850a580b9feb35498916f4af8edf2010 |
| SHA256 | c2c7c35ce7560e0952e0dabbe2446e6328daef67a978c36b0c9c6d1076151511 |
| SHA512 | 78849795bbf3c1e872c2addd4572b62f8a4af72184cbba8da44572781d9b9dd1b6c6b5a98ceb297dc1b8a94ccd01fe0a3c6cda71aea970a652ccc55bc9361531 |
C:\Windows\System\ZnxkRKo.exe
| MD5 | d034bca959c68ffe5ecf48356beb3b86 |
| SHA1 | 9d295b13df0ce1b1331e24b1560fc1b3b3a299c7 |
| SHA256 | 0a5d503697276c8de65342e2c1499e94e7dfda4fdb7850313a5ab42ad99d6320 |
| SHA512 | d1e4ed29dd8b8b94e0e77f9a018a7db43a4eb8820780698fc9b3d19c937e1df74cca1f223bd70c4729de49f39a427317db0fe42ecf2ca7e002a5c16f2ab60ced |
memory/2088-32-0x00007FF6BBF60000-0x00007FF6BC2B1000-memory.dmp
C:\Windows\System\kuOTlkH.exe
| MD5 | 04bff5f6f96bc26d524a23a6c0587b83 |
| SHA1 | 5138c4847dcf253d6345eedef43705e9ea48f6bf |
| SHA256 | 8f8ca5119796c428c1424aa1a79fde5a8a2dddb022e6b42e5430bdc67d0371d0 |
| SHA512 | 852211eb88256612f0cf2510c22c71bf6ce692d7fade0f7ed69be876d4e4b770e942a6d765bf004784069d17885c759ad5ca8fbf89b3e8ca3586b651dec369aa |
memory/732-43-0x00007FF694FC0000-0x00007FF695311000-memory.dmp
C:\Windows\System\QRFpQeK.exe
| MD5 | 100f9e37e653a8f9c36ca3aa7a273a53 |
| SHA1 | c811a15929bc069d0fbcb8638a762bacb2ea0669 |
| SHA256 | 64fbef9fc3ddd3d9388f2ed0aa7d3f0a8cb704c033548f424cc080fa7adc9f58 |
| SHA512 | ad4f80f7e0888d09cfc483a21f3371b87472e37ce8f13c4785d2e09ffc1a8f4d0c1fb026275a8e225c6f89a535b01d68597dc7b0ebea2cf241614f28ce1a8913 |
memory/3636-59-0x00007FF7BACF0000-0x00007FF7BB041000-memory.dmp
C:\Windows\System\oFoYxip.exe
| MD5 | c607c09bc60ef4e1b143db386aad1bdc |
| SHA1 | a8ce1859a658f93da3fe2462cc174e2c8fd98f03 |
| SHA256 | 570f69cbc8f21f3721a3edd4950c7349f96775708195a6e755f20199f2abaed4 |
| SHA512 | 77fd06b25b057d247b0c4469bc44ce775b632b2a2b51132e7a7514b938aa97e7ddf31512c17b2b2782157a33463f18b7000ce5508b47ba0c82d26b7af88d44da |
C:\Windows\System\DgadmZd.exe
| MD5 | 7a7e15da47b0cb4fb2a7493e3f189d5a |
| SHA1 | 085987307a3b2d0af2f565c43291eb4fcd295c04 |
| SHA256 | 61a21d1eff1f2bbdd8c6055a6d1d24c46b06b47b76051388279e1fc1f788ab0e |
| SHA512 | d2aa4d707bb21ad25211f5165cfcbe406b1948054994e71da76196343a121810c8ff22eeae1b52225ef25fe4a637d23f7d90b28e577eb2716ba5f1b9021052d8 |
memory/2268-61-0x00007FF78F720000-0x00007FF78FA71000-memory.dmp
memory/696-58-0x00007FF798A70000-0x00007FF798DC1000-memory.dmp
C:\Windows\System\HcZjkFp.exe
| MD5 | adfc0b94b77b6fc44b350a68c633a690 |
| SHA1 | e6b829a7155d95e7184d73702d3736855d973ea4 |
| SHA256 | 209cc28d93f64f66eb1e14a0510e51e8ea0d13c49d931a29942360d977b6767a |
| SHA512 | e96b0a021117483f325afcd55cca90a679e8e032d5eab75f49764d5ec62db4b35a5336c2dc45cfccbb9db01c0ce35d2b99effc84a1c34de01d5fea4d19e5d9f7 |
memory/3092-46-0x00007FF6CE4E0000-0x00007FF6CE831000-memory.dmp
memory/2952-42-0x00007FF78D870000-0x00007FF78DBC1000-memory.dmp
memory/2008-68-0x00007FF7A3720000-0x00007FF7A3A71000-memory.dmp
C:\Windows\System\MlHiSPb.exe
| MD5 | 9370669d004e97653e9b550418f3a045 |
| SHA1 | ec7293a04a9619a230dbca86a9157749acb04c93 |
| SHA256 | fd56b87b85000e2b638e90d97b9712cc0fcb80b09249d256400047151015f345 |
| SHA512 | 588a88d04f4e19b9ea15538aefce2814270a3defc02b1157bf0ea450f1122fe65bf64c479c5428ec11baa54f37cf8584d239bac8c961092311e1827fd5a3d77f |
C:\Windows\System\ladavvz.exe
| MD5 | 44ef5fb7ed0d712d10e0710c515e3314 |
| SHA1 | 073c94eae97f688dfdcb728919ea09b1d5a1d6b5 |
| SHA256 | a48d23f6a809b322820277a0c88e14356034527cd366b87b94ddf3357a7c6d49 |
| SHA512 | a97a77a511a55c80a2a15d4941f0e23fd9c6e67549ce3014c9fea8a4743377ea203a81c47f8afe8ad0d256ac879a27d8dcf562ae5781784e9b6c9bcc4b9411d2 |
memory/4136-74-0x00007FF678D50000-0x00007FF6790A1000-memory.dmp
C:\Windows\System\iElevMD.exe
| MD5 | bd0cb9835e16cf6c96686715922585cf |
| SHA1 | 94983494591055ff8b03d6004cd4b9455a826e6f |
| SHA256 | daba40e4808530ec210c7cfede51e007ba152088819d7203ec9cbe26fb793512 |
| SHA512 | d97435c9ebd4596bdb09c379f8445dece12ac3466755da293aa60398438dd23d74cd0b39ba0f7266f08e0d3161a0ab2d93b64e9400975afc386fdcbb53814448 |
memory/1884-80-0x00007FF659190000-0x00007FF6594E1000-memory.dmp
memory/4512-87-0x00007FF78A170000-0x00007FF78A4C1000-memory.dmp
C:\Windows\System\YOidzAN.exe
| MD5 | e3932aa680ca1155759f1a0fc321baa7 |
| SHA1 | 82674ba1f52a376cf33f939e00d34f9fb2f25b01 |
| SHA256 | a69170f57dad72c5bc0aa01565722c6f38e4e4f7d38427c74689327b64e94df7 |
| SHA512 | 8414449561230d7607b7d845a34090c4c77831f66864c6af7f15a798bee7cc49f3feb9d4a7408246a83ecd850cb8cabab037b349caa74088489f4bee4448e115 |
memory/4644-86-0x00007FF6E7FD0000-0x00007FF6E8321000-memory.dmp
memory/772-94-0x00007FF71F2C0000-0x00007FF71F611000-memory.dmp
memory/4036-93-0x00007FF6A2D90000-0x00007FF6A30E1000-memory.dmp
C:\Windows\System\XIPOPRP.exe
| MD5 | d68bc2ef2da7704e1a6953cc5e0f5889 |
| SHA1 | 30781785d6da870650b484ac9b5a43d51eb81149 |
| SHA256 | 7ca200f903b1cf4672208dd61d787dd54aa8deb7b4a013a5c8bb54a24df56e98 |
| SHA512 | 3df1fba7e5f94937fe5b9a9613e09d8a8cd7dfe4894c430c596d1fa740a5e812f15aa86668826d261d9936621edbd4212f600588a25ae9e49071dea45300f89b |
memory/2272-100-0x00007FF70EC20000-0x00007FF70EF71000-memory.dmp
C:\Windows\System\cJEXOfZ.exe
| MD5 | 414205405e9b15e03b5cedffe1310a87 |
| SHA1 | e2b555e8cc349a066a2e1168e9fed50c624e649a |
| SHA256 | 75276b39a7f4d8c499a35373e8f6009b3be2c40e563e4b48f0f4d07b4acbdaea |
| SHA512 | 50afcf76b909496d91d7045ac24daead60c50820fdbb7ec4199bc3e9186af2a8d041db10a0b3341ce8173dcf72ed74972d3d1f64126127655d4cbf9002179680 |
C:\Windows\System\YthfhNO.exe
| MD5 | 51e1852f79d2410e374ab389002a9ffb |
| SHA1 | 50090aed43257f6baaebec7e1368c6eec4baf4c9 |
| SHA256 | 867bf368e9c64fd6975d486c0411b0d762b30966c197d5ee19b75a4f8e32ede2 |
| SHA512 | 9ae4c423275ba3ce8913311d4d2aff3ed5f24d15d0701682ce479ac0daa6614c18eca70697f22cf58c53a44a09a0709559655a38a8181e2c5697e30897068e43 |
C:\Windows\System\FMwPpHd.exe
| MD5 | e3fad07350d80a6c0f911b7c5678bef3 |
| SHA1 | ed938d6c819da739836debdf9ac201423c0a946d |
| SHA256 | ca51238c9cad495163d53d115cf598e39847303386e2c0f91dae97d17c73dab4 |
| SHA512 | 719b2d1fd9f7c796a74435699e23d173206fc533bbc75a66f53675ee3ded7fa6c3da25a9741e8757d38de1393081b323f6f78487720ce7548c4df4f788730969 |
memory/2268-126-0x00007FF78F720000-0x00007FF78FA71000-memory.dmp
C:\Windows\System\sSoJTxf.exe
| MD5 | fa3c35075ec3ca5017695e7527c76ea6 |
| SHA1 | 23bc208743cf94bafb257a5e481a57494b5815e3 |
| SHA256 | 22bb6139fae1ce857ea012c9aa3a449021dc74a2c919ccce78cc4c7e89c17ea8 |
| SHA512 | cd9f806b66045e09ae825004b6e64de8542c27003aacb5a3962775667aead6feec79123b6829d8a64c9d07c884c41bafa598e5e8a0edbb5aa289b9a11b340ebf |
memory/4592-127-0x00007FF657F30000-0x00007FF658281000-memory.dmp
memory/3924-125-0x00007FF7C8D80000-0x00007FF7C90D1000-memory.dmp
memory/4880-121-0x00007FF76AA10000-0x00007FF76AD61000-memory.dmp
memory/4836-120-0x00007FF63FAD0000-0x00007FF63FE21000-memory.dmp
memory/376-108-0x00007FF70D010000-0x00007FF70D361000-memory.dmp
C:\Windows\System\wFevzcK.exe
| MD5 | 4e43e66cdaf25b56cb7f6f69923f5497 |
| SHA1 | f312ac49f3bf8b763b820cae008bd996c12d6f4f |
| SHA256 | a45ab57f3c054216bdd2fecc10e57a6b8f46c738b4bbc832742ac8912e4a1bf4 |
| SHA512 | 192e38bc8b7856fcbe16c4dbe66d5aa1ed1d8106f4e40ebf656fde4e38eba8dedd6c008975159dc0cace8c353cdc5738b510a9c6f02a4822f3c69fa39a80ba15 |
memory/4540-99-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp
memory/4644-132-0x00007FF6E7FD0000-0x00007FF6E8321000-memory.dmp
memory/4136-140-0x00007FF678D50000-0x00007FF6790A1000-memory.dmp
memory/2272-149-0x00007FF70EC20000-0x00007FF70EF71000-memory.dmp
memory/376-150-0x00007FF70D010000-0x00007FF70D361000-memory.dmp
memory/3924-153-0x00007FF7C8D80000-0x00007FF7C90D1000-memory.dmp
memory/4592-154-0x00007FF657F30000-0x00007FF658281000-memory.dmp
memory/4644-155-0x00007FF6E7FD0000-0x00007FF6E8321000-memory.dmp
memory/4036-201-0x00007FF6A2D90000-0x00007FF6A30E1000-memory.dmp
memory/4540-203-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp
memory/2400-205-0x00007FF71EA00000-0x00007FF71ED51000-memory.dmp
memory/2088-207-0x00007FF6BBF60000-0x00007FF6BC2B1000-memory.dmp
memory/3092-210-0x00007FF6CE4E0000-0x00007FF6CE831000-memory.dmp
memory/2952-213-0x00007FF78D870000-0x00007FF78DBC1000-memory.dmp
memory/732-212-0x00007FF694FC0000-0x00007FF695311000-memory.dmp
memory/696-215-0x00007FF798A70000-0x00007FF798DC1000-memory.dmp
memory/3636-219-0x00007FF7BACF0000-0x00007FF7BB041000-memory.dmp
memory/2008-218-0x00007FF7A3720000-0x00007FF7A3A71000-memory.dmp
memory/2268-221-0x00007FF78F720000-0x00007FF78FA71000-memory.dmp
memory/4136-224-0x00007FF678D50000-0x00007FF6790A1000-memory.dmp
memory/1884-226-0x00007FF659190000-0x00007FF6594E1000-memory.dmp
memory/4512-228-0x00007FF78A170000-0x00007FF78A4C1000-memory.dmp
memory/772-230-0x00007FF71F2C0000-0x00007FF71F611000-memory.dmp
memory/2272-238-0x00007FF70EC20000-0x00007FF70EF71000-memory.dmp
memory/376-240-0x00007FF70D010000-0x00007FF70D361000-memory.dmp
memory/4836-244-0x00007FF63FAD0000-0x00007FF63FE21000-memory.dmp
memory/4880-243-0x00007FF76AA10000-0x00007FF76AD61000-memory.dmp
memory/4592-247-0x00007FF657F30000-0x00007FF658281000-memory.dmp
memory/3924-248-0x00007FF7C8D80000-0x00007FF7C90D1000-memory.dmp