Analysis Overview
SHA256
a2df6c7b5b32c9526e9d73f51a21103ae34280484ddec031503324feb7b04db9
Threat Level: Known bad
The file 2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
Xmrig family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 10:05
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 10:05
Reported
2024-05-30 10:07
Platform
win7-20240508-en
Max time kernel
144s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RykKejn.exe | N/A |
| N/A | N/A | C:\Windows\System\davkDcu.exe | N/A |
| N/A | N/A | C:\Windows\System\cDjGnKD.exe | N/A |
| N/A | N/A | C:\Windows\System\abrpnrB.exe | N/A |
| N/A | N/A | C:\Windows\System\jxqbrzv.exe | N/A |
| N/A | N/A | C:\Windows\System\KrrYrkJ.exe | N/A |
| N/A | N/A | C:\Windows\System\BoYWjIU.exe | N/A |
| N/A | N/A | C:\Windows\System\XifoYzy.exe | N/A |
| N/A | N/A | C:\Windows\System\SycihBq.exe | N/A |
| N/A | N/A | C:\Windows\System\cXRTRiW.exe | N/A |
| N/A | N/A | C:\Windows\System\IOTxwUY.exe | N/A |
| N/A | N/A | C:\Windows\System\INxmBwT.exe | N/A |
| N/A | N/A | C:\Windows\System\VTidvgG.exe | N/A |
| N/A | N/A | C:\Windows\System\DbkwXYn.exe | N/A |
| N/A | N/A | C:\Windows\System\ypfQFsN.exe | N/A |
| N/A | N/A | C:\Windows\System\jUBBwNq.exe | N/A |
| N/A | N/A | C:\Windows\System\SwOwFdf.exe | N/A |
| N/A | N/A | C:\Windows\System\jPNpoAh.exe | N/A |
| N/A | N/A | C:\Windows\System\YlIhwLY.exe | N/A |
| N/A | N/A | C:\Windows\System\FWEGVDq.exe | N/A |
| N/A | N/A | C:\Windows\System\TEQajou.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RykKejn.exe
C:\Windows\System\RykKejn.exe
C:\Windows\System\davkDcu.exe
C:\Windows\System\davkDcu.exe
C:\Windows\System\abrpnrB.exe
C:\Windows\System\abrpnrB.exe
C:\Windows\System\cDjGnKD.exe
C:\Windows\System\cDjGnKD.exe
C:\Windows\System\jxqbrzv.exe
C:\Windows\System\jxqbrzv.exe
C:\Windows\System\KrrYrkJ.exe
C:\Windows\System\KrrYrkJ.exe
C:\Windows\System\BoYWjIU.exe
C:\Windows\System\BoYWjIU.exe
C:\Windows\System\XifoYzy.exe
C:\Windows\System\XifoYzy.exe
C:\Windows\System\IOTxwUY.exe
C:\Windows\System\IOTxwUY.exe
C:\Windows\System\SycihBq.exe
C:\Windows\System\SycihBq.exe
C:\Windows\System\INxmBwT.exe
C:\Windows\System\INxmBwT.exe
C:\Windows\System\cXRTRiW.exe
C:\Windows\System\cXRTRiW.exe
C:\Windows\System\VTidvgG.exe
C:\Windows\System\VTidvgG.exe
C:\Windows\System\DbkwXYn.exe
C:\Windows\System\DbkwXYn.exe
C:\Windows\System\ypfQFsN.exe
C:\Windows\System\ypfQFsN.exe
C:\Windows\System\jUBBwNq.exe
C:\Windows\System\jUBBwNq.exe
C:\Windows\System\SwOwFdf.exe
C:\Windows\System\SwOwFdf.exe
C:\Windows\System\jPNpoAh.exe
C:\Windows\System\jPNpoAh.exe
C:\Windows\System\YlIhwLY.exe
C:\Windows\System\YlIhwLY.exe
C:\Windows\System\FWEGVDq.exe
C:\Windows\System\FWEGVDq.exe
C:\Windows\System\TEQajou.exe
C:\Windows\System\TEQajou.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 10:05
Reported
2024-05-30 10:07
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bwAIaDI.exe | N/A |
| N/A | N/A | C:\Windows\System\fbckKWV.exe | N/A |
| N/A | N/A | C:\Windows\System\TCcefXL.exe | N/A |
| N/A | N/A | C:\Windows\System\KKcuypT.exe | N/A |
| N/A | N/A | C:\Windows\System\fihLDnn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbfnhYu.exe | N/A |
| N/A | N/A | C:\Windows\System\WfQTLVo.exe | N/A |
| N/A | N/A | C:\Windows\System\bMnkYNS.exe | N/A |
| N/A | N/A | C:\Windows\System\OLBzpmW.exe | N/A |
| N/A | N/A | C:\Windows\System\SiUQIOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\XFptWZE.exe | N/A |
| N/A | N/A | C:\Windows\System\cpEiRZW.exe | N/A |
| N/A | N/A | C:\Windows\System\gknNLEY.exe | N/A |
| N/A | N/A | C:\Windows\System\kzIkxNm.exe | N/A |
| N/A | N/A | C:\Windows\System\uZdBGbI.exe | N/A |
| N/A | N/A | C:\Windows\System\SvKNZPi.exe | N/A |
| N/A | N/A | C:\Windows\System\QGnFbod.exe | N/A |
| N/A | N/A | C:\Windows\System\jEtwMPG.exe | N/A |
| N/A | N/A | C:\Windows\System\oZBTcPX.exe | N/A |
| N/A | N/A | C:\Windows\System\qjBrCtx.exe | N/A |
| N/A | N/A | C:\Windows\System\BlojyNA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5fe943997996bfe95d8c0db76ac882c2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\bwAIaDI.exe
C:\Windows\System\bwAIaDI.exe
C:\Windows\System\fbckKWV.exe
C:\Windows\System\fbckKWV.exe
C:\Windows\System\TCcefXL.exe
C:\Windows\System\TCcefXL.exe
C:\Windows\System\KKcuypT.exe
C:\Windows\System\KKcuypT.exe
C:\Windows\System\fihLDnn.exe
C:\Windows\System\fihLDnn.exe
C:\Windows\System\ZbfnhYu.exe
C:\Windows\System\ZbfnhYu.exe
C:\Windows\System\WfQTLVo.exe
C:\Windows\System\WfQTLVo.exe
C:\Windows\System\bMnkYNS.exe
C:\Windows\System\bMnkYNS.exe
C:\Windows\System\OLBzpmW.exe
C:\Windows\System\OLBzpmW.exe
C:\Windows\System\SiUQIOZ.exe
C:\Windows\System\SiUQIOZ.exe
C:\Windows\System\XFptWZE.exe
C:\Windows\System\XFptWZE.exe
C:\Windows\System\cpEiRZW.exe
C:\Windows\System\cpEiRZW.exe
C:\Windows\System\gknNLEY.exe
C:\Windows\System\gknNLEY.exe
C:\Windows\System\kzIkxNm.exe
C:\Windows\System\kzIkxNm.exe
C:\Windows\System\uZdBGbI.exe
C:\Windows\System\uZdBGbI.exe
C:\Windows\System\SvKNZPi.exe
C:\Windows\System\SvKNZPi.exe
C:\Windows\System\QGnFbod.exe
C:\Windows\System\QGnFbod.exe
C:\Windows\System\jEtwMPG.exe
C:\Windows\System\jEtwMPG.exe
C:\Windows\System\oZBTcPX.exe
C:\Windows\System\oZBTcPX.exe
C:\Windows\System\qjBrCtx.exe
C:\Windows\System\qjBrCtx.exe
C:\Windows\System\BlojyNA.exe
C:\Windows\System\BlojyNA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4044-0-0x00007FF731280000-0x00007FF7315D4000-memory.dmp
memory/4044-1-0x000001AC31260000-0x000001AC31270000-memory.dmp
C:\Windows\System\bwAIaDI.exe
| MD5 | 1ae7d4b63dcf10977ce5e2fcbc78dd47 |
| SHA1 | 7393ac720d4a23b1bd36757de219e6a8fca2b624 |
| SHA256 | f4275240a4a526f51c57f42fc07d24c171a3da099a0354606b44a970a9504610 |
| SHA512 | 7c238423fd651161bab31e9abd7e27958df30995cd0876010ce2a5456e07874584654b67638fc79a0fc39bda78092fe2524b52e41d247b71fd8b022d5567abaf |
memory/536-8-0x00007FF647C60000-0x00007FF647FB4000-memory.dmp
C:\Windows\System\TCcefXL.exe
| MD5 | 0d349f512d8967d0a2a9dd973ade37b8 |
| SHA1 | c05cabca1ff9790d6dae835078f8c5495c0a0ea6 |
| SHA256 | c2f92a2a7e5d8cc935917bf91bfd4c10513a0d3105673db34741cb927e43c980 |
| SHA512 | a0013ddeff6410b95e6f9d4b6e2a4e3302d1514c4847ebeab3f0ac0a84e823fcdf59c20313d2ffd387d8edddaa7eb4e0dcd4f8d39320fc81996b8dd3fc506a8a |
C:\Windows\System\fbckKWV.exe
| MD5 | 86a2825c940654031661cbae73c40418 |
| SHA1 | 907d22a5d7d84d2f56765873d443c0ef40512083 |
| SHA256 | 8b7e3774e15372b5006d7a7e3b2d595adc172c8afbc25aaf4fbf41ad88cbc0b1 |
| SHA512 | 0f9d8f24964b3ec710cc8c21f672d4727554566f181b86fe4479fc310b838383a89fffdd18c3b75507b8528bf6f38de7103574efe5c54ee2f772e5a0ec77be68 |
memory/4484-12-0x00007FF691A20000-0x00007FF691D74000-memory.dmp
C:\Windows\System\KKcuypT.exe
| MD5 | 0f57c3c315fb0bafd10862415f936f0f |
| SHA1 | 46fc0428a8b005aa38d7cf56b16f9fb5eeac08c7 |
| SHA256 | 86b7ed70c10e46073f0e073c65d5cfbb00ea1fd0533f70eb5127856971a804ad |
| SHA512 | 35f0b0ae1f67b35637fdcf45354966e1a3eaa17cc0f2fd48a5513ec2a05ca1a8de5fd04fff396f0dc6d93fdc6cbf0c9fa7b588aa17c6756f60b35bd35d3182ed |
C:\Windows\System\fihLDnn.exe
| MD5 | 83833653567f5cd86b0dcd7b24445d7e |
| SHA1 | cf4005a01be1d111520d96c7a173297d0d55377d |
| SHA256 | 3ed9cd78aefdab585a2601285e876cce4f923c7ea2ce8b04a7ca6635cad89199 |
| SHA512 | f8d318f834b2d661971a38d52e6d4f6f443fb47bf54ff086d039761b7a6d412ed593814c2618b12e724c2cff5171ba73ab71511250380f07188fbb8aeb0fccd8 |
C:\Windows\System\ZbfnhYu.exe
| MD5 | dbd056ab0be7b06dfe5093a05e9e4350 |
| SHA1 | cc32e24980cb9a176a9787475bda3d34e74505c5 |
| SHA256 | 74d6081db8779d476bb63f87f335c5b540d1e7a0a7a303d74ca14dff067211a2 |
| SHA512 | 14a49e5b85a629fbd6a083436dd788d81a0aab9b58e9aa96b7a32c6ea0b36eec09cde88a038910bea050d71d96aecebff41bb154f9ab2993eedfcf82ac5bdd61 |
memory/2032-38-0x00007FF606B70000-0x00007FF606EC4000-memory.dmp
memory/3936-28-0x00007FF68FF30000-0x00007FF690284000-memory.dmp
memory/3728-27-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp
memory/3204-22-0x00007FF745980000-0x00007FF745CD4000-memory.dmp
C:\Windows\System\WfQTLVo.exe
| MD5 | 14759289163cb6c8f03636bf02d70fee |
| SHA1 | a867510ef0f328effc9c351c09639858dbc02606 |
| SHA256 | 39cbda44ad536c27d9249ab7c8bfdf1536ca4803071d60bd489d3d31598475b6 |
| SHA512 | 9e2f2b51acd89aee7daf4f4ef67d32ecb51c111b29ae575ded7bde07a88a18f936842a3de927b1c71556f3ae4903263ce9d89688d56c114920783007d1148541 |
memory/2820-43-0x00007FF6889A0000-0x00007FF688CF4000-memory.dmp
C:\Windows\System\bMnkYNS.exe
| MD5 | b5184fb9eac56f92eb176e304db78178 |
| SHA1 | 0d175ec596e7ffe4773161270d1b08b1f8f7774c |
| SHA256 | b6d10c0778d1d8acf068bcab8079e86001ad6b7931b48a68aeaea66b935f3e8c |
| SHA512 | 1c8db91c405c95eb3413447cbde7b8b3bc3b4da6393acdb00cc0547ec513b32d6c785450c96ce304c4518b3e065833156a8ec757635c283ffcea362bda650538 |
memory/3560-50-0x00007FF796EF0000-0x00007FF797244000-memory.dmp
C:\Windows\System\OLBzpmW.exe
| MD5 | 33f4111715e4704e2389d80563b942b9 |
| SHA1 | faebc8356bcd71e10f3ae40ca7322993a1810562 |
| SHA256 | 0f49199be820a41cb1aa303c21fb7a30c1356deb9e23477295ca283198e1a15f |
| SHA512 | 0d59b2235c8f7bce67abaffe9ec1f82e939c9b0cc4903c70bbbf66f91e2c7d1c03f5523e4a9346f0d127fc23c27221eea15aaf49c210cc2ba9ca0db9c91b26f0 |
memory/4800-54-0x00007FF7155B0000-0x00007FF715904000-memory.dmp
C:\Windows\System\SiUQIOZ.exe
| MD5 | d99dd76bcdd5f40cbc7e3e938df1a4cf |
| SHA1 | 11565fd391ba766e9fb00e8e8cc8b60029a1f2ef |
| SHA256 | 4e8e1bf3fc86f3badcf7c268ca45b0e92aa56fab13f5ded4956dd84bc3a9c241 |
| SHA512 | e121fd1e17bdefe5a99141f5af9402dd8df2f46a27f358bea8ae0f21365059e596ddbf006db3ede2285fb24f69c74e7c52455b0fb7a1ef160be65b25fa70b71b |
memory/1680-61-0x00007FF6E4BA0000-0x00007FF6E4EF4000-memory.dmp
C:\Windows\System\XFptWZE.exe
| MD5 | b82bfa661b139aef6148ec3ca8ce1240 |
| SHA1 | 9c5224b5d6e9fb261ba106df67694cc8eca1daf7 |
| SHA256 | 345dae67f17eb37bbccb0112b24fc4416fe9ddec1c4db7865d7b3e689c1bd88c |
| SHA512 | 03818e8fb32d12948dbdc2b6cb7f9317f9f487397cf1ef3978dae134fe0fdc756334563809ec8a6c757082f8c72d67c26d0c78e84f67b38640181cc41fa66944 |
memory/4044-60-0x00007FF731280000-0x00007FF7315D4000-memory.dmp
C:\Windows\System\cpEiRZW.exe
| MD5 | 3a6b641afadae03b55988745622369c7 |
| SHA1 | f94577128210ce2a0e6c629d084d1f2e21665dba |
| SHA256 | 2a0f398bcf8d0af0e6f084a2b655898d8bac93674418139b615078f3a650395f |
| SHA512 | 822b64399111b8b31597d123799b008128ded3eff0694b918b5af337409a3574af1ffa017c14a99fc9127685a0b7be33105ad04e0c496a500708bb740ed59eab |
memory/5080-70-0x00007FF7CF220000-0x00007FF7CF574000-memory.dmp
memory/4484-75-0x00007FF691A20000-0x00007FF691D74000-memory.dmp
memory/1416-77-0x00007FF72AC70000-0x00007FF72AFC4000-memory.dmp
memory/536-69-0x00007FF647C60000-0x00007FF647FB4000-memory.dmp
C:\Windows\System\gknNLEY.exe
| MD5 | 01434ed364e80b8f07036ea20c2a260b |
| SHA1 | de36d502531e29242d8bb5764717b610011a26b5 |
| SHA256 | a776990908cf321f0305f9f50426b8b1220224514f5cfd4ccd8f05c21a07de77 |
| SHA512 | d37c2fab2ae3af0c045475eebc9ab5797c2dd1f707929f1f130ac9824c9568aca8954d1a6a6a6d7f235efb59ae4182888f90c2103e6c5e8fdb082657ec891f26 |
memory/3728-81-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp
memory/1780-84-0x00007FF6F6500000-0x00007FF6F6854000-memory.dmp
C:\Windows\System\kzIkxNm.exe
| MD5 | 233567b7a0ef62a5ab79e24b265a6a39 |
| SHA1 | 3fe414dacf8d31c1fdb7c9208c18cb522aeb930d |
| SHA256 | d3c24493b0b3290b922582f81e13a6d4c1d99cf98c14afbf93807b8cd41056ef |
| SHA512 | 70133b7293c686605eb309f4d43815c10383dd6ac76a0b6cc1f1780d7f7f21622f162f1554076f7609215d9664601e8ef68f17815acf261c57e1ef9a2d8707f7 |
memory/3480-90-0x00007FF6B7990000-0x00007FF6B7CE4000-memory.dmp
C:\Windows\System\uZdBGbI.exe
| MD5 | 7b722cdf0e55561b4582ebab7c82b29e |
| SHA1 | 1b51deb99f9378e8a362f7f0be28592c5a7cd0bf |
| SHA256 | 1fcc2d86ba429a0150f2189d7c053891662c3ebc44e9c7f8860e7995689b98a2 |
| SHA512 | 62cd3fddf1b070584bf299a148c17017353ef784d8b38875f144d839e38532077a8be622249a1d3eb8fb6850e1f566976ca0179417b0c2509d3012f817849356 |
memory/3936-96-0x00007FF68FF30000-0x00007FF690284000-memory.dmp
memory/2624-97-0x00007FF638D20000-0x00007FF639074000-memory.dmp
C:\Windows\System\SvKNZPi.exe
| MD5 | 5e6bffa2c0a0e1cbd5c9b8764195897c |
| SHA1 | 688482f0f6deab5f4af9a6ce083900804795df88 |
| SHA256 | f4ddc69124f69e4bad383696b417297c4339e06b1393fed2999d0896636945dc |
| SHA512 | d14e7bd8884d83b5a9ea07501aafd07b0273c15592e2d334952b710af7304b87174ad60bca7b2683a2bc0e49bf16fd7f10eb6cac6e09e636c0184aa554235f3f |
memory/376-106-0x00007FF67BF30000-0x00007FF67C284000-memory.dmp
C:\Windows\System\QGnFbod.exe
| MD5 | 28d1bcfa30ece836ab17e93e70068e9f |
| SHA1 | cf5f1067d41c632cf392035698e4f04c5b5fe7b3 |
| SHA256 | 51c82a520a60ad5bb685f2db0e520cdc7dc472d897b6e91746f87d0f7224419b |
| SHA512 | 40638288d266e5b7bfc2c39c13d59793258136c6c6fa1521180310b1498ff9f582bb690960b18c1f3c3913b40e0b88d646b29e5dd7a9ea48b3f1b489590b121c |
C:\Windows\System\jEtwMPG.exe
| MD5 | e73bc6b9a837fa7afa4e7e9fd6261a63 |
| SHA1 | 06212bf7351bc187fd73424529296cd49a0bff73 |
| SHA256 | 45f4cd7f8fc751497b1802a77083e30365cf8b6c1c73784fe524a1377945800f |
| SHA512 | 39e143271c72a231cdf1f16bcb05be0d7b7d5c20554e3f39ff7f90121053a3acb0eb3a27346e80a6d55fd27795bff4dee93d32ef7ed2e0d4b3fcdf0913a4a85b |
memory/400-110-0x00007FF703CE0000-0x00007FF704034000-memory.dmp
memory/2820-107-0x00007FF6889A0000-0x00007FF688CF4000-memory.dmp
memory/2108-117-0x00007FF71C3D0000-0x00007FF71C724000-memory.dmp
memory/3560-116-0x00007FF796EF0000-0x00007FF797244000-memory.dmp
C:\Windows\System\oZBTcPX.exe
| MD5 | b59c747c2df74651025a9179fe26ff04 |
| SHA1 | 4564a56d75e26443b407bd81ba2898a669f83bec |
| SHA256 | ee3048c7baaab609a01915a4dc3ca546fc41a1f8c33ec5a6d9eb6521574343bd |
| SHA512 | 57210108538edc096fe7dc8111b1fce4246c13962df00609f7fa3d729029e6518259eeb4143ac7b4f355ed156fb045a1f96ed9abc9196fae08eefb530ecb5fdc |
C:\Windows\System\qjBrCtx.exe
| MD5 | 71134a7c95815444d28a0e3f2e1cf76b |
| SHA1 | 51b762e21ff7a656960b2b78b904473922ac6275 |
| SHA256 | 6f7a878bab424fe401e62159455ab0269145be5a8c43cf65b4a415102507bdff |
| SHA512 | 04f8649fe062ed3f845a513d3d59877faf5f502e83a788a429613f0b1c6ce347e73c4544d4d02e346627b1baec636e59f253bc4fb4e85996337a5061acf62be3 |
memory/552-129-0x00007FF707710000-0x00007FF707A64000-memory.dmp
memory/1680-128-0x00007FF6E4BA0000-0x00007FF6E4EF4000-memory.dmp
memory/2016-126-0x00007FF6C0330000-0x00007FF6C0684000-memory.dmp
memory/4800-123-0x00007FF7155B0000-0x00007FF715904000-memory.dmp
C:\Windows\System\BlojyNA.exe
| MD5 | 8bc6c68df8ce66d773ed4d11d12d51f3 |
| SHA1 | 1988268f2238ff749de05abd6cdcb7018b0ee257 |
| SHA256 | 827e9f8b72edd4c444e868c5c58be4b75c287c468a987224dd2b7b173cbf93f7 |
| SHA512 | 9dd4015ff2b815e1ece9807334262c9b56b9f3c4f91fb3e5d16030faf2adfee18cc76d75dcf6b3b99b56d8d9bee84e85c45d5a154b9c8152685b5b18bcee5f69 |
memory/4824-136-0x00007FF657D90000-0x00007FF6580E4000-memory.dmp