Analysis Overview
SHA256
7237d3b90945d7caa6c5190e46590149b6a981378d6993162b28cbcd25015c6f
Threat Level: Known bad
The file 2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 01:31
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 01:31
Reported
2024-06-01 01:34
Platform
win7-20240215-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZwngHuk.exe | N/A |
| N/A | N/A | C:\Windows\System\FPZdUJV.exe | N/A |
| N/A | N/A | C:\Windows\System\oRdsEgU.exe | N/A |
| N/A | N/A | C:\Windows\System\ENYpLIc.exe | N/A |
| N/A | N/A | C:\Windows\System\eJiqlYY.exe | N/A |
| N/A | N/A | C:\Windows\System\YGDEJvo.exe | N/A |
| N/A | N/A | C:\Windows\System\zVxTueV.exe | N/A |
| N/A | N/A | C:\Windows\System\AdMwTzV.exe | N/A |
| N/A | N/A | C:\Windows\System\gZUGsvf.exe | N/A |
| N/A | N/A | C:\Windows\System\TnFoFUj.exe | N/A |
| N/A | N/A | C:\Windows\System\dOptFgW.exe | N/A |
| N/A | N/A | C:\Windows\System\YOSbGxG.exe | N/A |
| N/A | N/A | C:\Windows\System\TkgrAZG.exe | N/A |
| N/A | N/A | C:\Windows\System\STdBekU.exe | N/A |
| N/A | N/A | C:\Windows\System\QgexGAt.exe | N/A |
| N/A | N/A | C:\Windows\System\FeMofxq.exe | N/A |
| N/A | N/A | C:\Windows\System\veuZBcY.exe | N/A |
| N/A | N/A | C:\Windows\System\rXvHjvE.exe | N/A |
| N/A | N/A | C:\Windows\System\nQxCEAr.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRhSFlW.exe | N/A |
| N/A | N/A | C:\Windows\System\JRcsHCX.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZwngHuk.exe
C:\Windows\System\FPZdUJV.exe
C:\Windows\System\oRdsEgU.exe
C:\Windows\System\ENYpLIc.exe
C:\Windows\System\eJiqlYY.exe
C:\Windows\System\YGDEJvo.exe
C:\Windows\System\zVxTueV.exe
C:\Windows\System\AdMwTzV.exe
C:\Windows\System\TnFoFUj.exe
C:\Windows\System\gZUGsvf.exe
C:\Windows\System\dOptFgW.exe
C:\Windows\System\YOSbGxG.exe
C:\Windows\System\TkgrAZG.exe
C:\Windows\System\STdBekU.exe
C:\Windows\System\QgexGAt.exe
C:\Windows\System\FeMofxq.exe
C:\Windows\System\veuZBcY.exe
C:\Windows\System\rXvHjvE.exe
C:\Windows\System\nQxCEAr.exe
C:\Windows\System\ZRhSFlW.exe
C:\Windows\System\JRcsHCX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 01:31
Reported
2024-06-01 01:34
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cYHLaVc.exe | N/A |
| N/A | N/A | C:\Windows\System\SySdWkK.exe | N/A |
| N/A | N/A | C:\Windows\System\XJEXVrX.exe | N/A |
| N/A | N/A | C:\Windows\System\eNJAgjN.exe | N/A |
| N/A | N/A | C:\Windows\System\ukflGyb.exe | N/A |
| N/A | N/A | C:\Windows\System\bQirfdA.exe | N/A |
| N/A | N/A | C:\Windows\System\IGuDnMe.exe | N/A |
| N/A | N/A | C:\Windows\System\TkxsQJz.exe | N/A |
| N/A | N/A | C:\Windows\System\VPxDlml.exe | N/A |
| N/A | N/A | C:\Windows\System\sAlOCzI.exe | N/A |
| N/A | N/A | C:\Windows\System\zhWSsbJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YpOJmfo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZswDUfs.exe | N/A |
| N/A | N/A | C:\Windows\System\uZjgsQi.exe | N/A |
| N/A | N/A | C:\Windows\System\PMPvBHd.exe | N/A |
| N/A | N/A | C:\Windows\System\OJssmgl.exe | N/A |
| N/A | N/A | C:\Windows\System\MeIQXyD.exe | N/A |
| N/A | N/A | C:\Windows\System\wTaHsTS.exe | N/A |
| N/A | N/A | C:\Windows\System\YyxPvbI.exe | N/A |
| N/A | N/A | C:\Windows\System\oCPwChb.exe | N/A |
| N/A | N/A | C:\Windows\System\VKcHPNo.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_e2a069d4340db3c946cf3fc8884384cf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\cYHLaVc.exe
C:\Windows\System\SySdWkK.exe
C:\Windows\System\XJEXVrX.exe
C:\Windows\System\eNJAgjN.exe
C:\Windows\System\ukflGyb.exe
C:\Windows\System\bQirfdA.exe
C:\Windows\System\IGuDnMe.exe
C:\Windows\System\TkxsQJz.exe
C:\Windows\System\VPxDlml.exe
C:\Windows\System\sAlOCzI.exe
C:\Windows\System\zhWSsbJ.exe
C:\Windows\System\YpOJmfo.exe
C:\Windows\System\ZswDUfs.exe
C:\Windows\System\uZjgsQi.exe
C:\Windows\System\PMPvBHd.exe
C:\Windows\System\OJssmgl.exe
C:\Windows\System\MeIQXyD.exe
C:\Windows\System\wTaHsTS.exe
C:\Windows\System\YyxPvbI.exe
C:\Windows\System\oCPwChb.exe
C:\Windows\System\VKcHPNo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2164-0-0x00007FF72EB10000-0x00007FF72EE64000-memory.dmp
memory/2164-1-0x0000016CBE3B0000-0x0000016CBE3C0000-memory.dmp
C:\Windows\System\cYHLaVc.exe
| MD5 | 49e2b2f05185dfc1264de5188a08b2ea |
| SHA1 | 61c14d4a17a3b6be75df108393a96c848701e088 |
| SHA256 | 2b86bcbd313c2c9a3b5df204b9d6f8cb9e902190c55a8580e0d33f6d220fd23a |
| SHA512 | 6c51d65326569894d8df2b0fc6bc87771da74234b3abc7389b38b15e8d9785459958cf25e198f0cdacbdc601b32d8fc2233980a34aa61047504c5f23d5d05234 |
C:\Windows\System\SySdWkK.exe
| MD5 | 98311d29360a23bc39eaeabf5a99b56d |
| SHA1 | f3a5856859976b19df56c23ee1efb6d33f0a14e5 |
| SHA256 | ea93e3fb278c0c880518d8a1948f32a2744eee8ab0948fa1e3c74a04d1d12c5c |
| SHA512 | a41fc47974e4eecd420778610a6e06bdccf21d9a89c8b9b9105cd06e9f04d91a2f954aa504dc68c54f07b103213d9a1f9a6a1600bfcaafefadbe6f9d0a6a0624 |
memory/116-8-0x00007FF6CD8E0000-0x00007FF6CDC34000-memory.dmp
C:\Windows\System\XJEXVrX.exe
| MD5 | 4ae0003962f6131627d98952611342d6 |
| SHA1 | b8bdcfb73db729a9a15174bddf0e604912307d48 |
| SHA256 | 7315f8c17c4c70bb4f4ca9524fd3b2ab7dcc92d4e5bd2c03ca0844e735f39c59 |
| SHA512 | 989fbe14d325477e3ffc58c199d128efee8bffd9603f011e09644ae633263657bd6a7b180d60e71b5aa446feaa4e1649ac750882e4e539c6a54dbcf21159b40a |
C:\Windows\System\eNJAgjN.exe
| MD5 | 17cba280f4b266bca6e2d4d4168d14ad |
| SHA1 | f5b048d1639e7a852f4ed36af5cb827fce1d2421 |
| SHA256 | 404590684b644743a4ae1e7d46ef5b9ed9c0676b959572d607ffa8d529f2ce44 |
| SHA512 | f31b3e760e20d4372fc91973720bc493fabe028a7eed31da7375273df2ce1b95c274c294cc0cbb92f2b5fe1a6c02c0a11a02663461eedd35b5a61ead23cffc20 |
C:\Windows\System\bQirfdA.exe
| MD5 | a902f01c6fc2388c40c762f3b8feeaf9 |
| SHA1 | 34f25fb8b5acc945ede4e06d99ee1a5077296d46 |
| SHA256 | 0ae5c9efbdfe572489648b68449d1c41393588483206324b9b8e918bbc7cc53c |
| SHA512 | 81f91c5b3f9afab7d2955193018758573e8fdaec1fb4de89954598d27eba90acf7753720bc2ef8d068b23aa4851be939f4e3ab4e78f924e611a879cd504000cf |
memory/1740-35-0x00007FF64F180000-0x00007FF64F4D4000-memory.dmp
memory/1492-34-0x00007FF78C020000-0x00007FF78C374000-memory.dmp
memory/440-31-0x00007FF6D9360000-0x00007FF6D96B4000-memory.dmp
C:\Windows\System\ukflGyb.exe
| MD5 | 52ce012130be7eb0dd1d1b167463b1e5 |
| SHA1 | 4f86730a476117f04e1becd48b554d48601afddb |
| SHA256 | 15b92dd452be7e6b2661ad6acdc43979f2a1b34a38e06c2b2bb4cdc2b2407d52 |
| SHA512 | 70c206264f99724ef897100094e0d5665fdf0153cab41c8164241796872e1449690ea9104fa41975fd3ddcf039d8cf6414a97a3e02502bc715ad482fc1af7506 |
memory/1792-18-0x00007FF7EE400000-0x00007FF7EE754000-memory.dmp
memory/1904-14-0x00007FF6F9A70000-0x00007FF6F9DC4000-memory.dmp
C:\Windows\System\IGuDnMe.exe
| MD5 | 5b257238783dbfafd2dc3af599f88adf |
| SHA1 | ead4b4ced6acd1b7adb205e07b2250e4b10558de |
| SHA256 | 1eae871c7088350101b18cdde729a5587839b9b788bf1e6fd92451844c9da974 |
| SHA512 | e4b2b8996b48cf1a83e6418c2d9f57b8cf93cffa27567013cb690258bc2627d79919d07a4ac07c3378b18c6d50d7f837cf107aa31b658e39dc396f44108f2109 |
memory/2744-42-0x00007FF605F90000-0x00007FF6062E4000-memory.dmp
C:\Windows\System\TkxsQJz.exe
| MD5 | 46392ec5f808f23d9944a5d859a8a158 |
| SHA1 | 9737de65bd28d24b3b97f51cfa5aa7e1eb9a3e46 |
| SHA256 | 1f7acbe062ec1947f658cf9c323ada110d0f4681ac780887c10c148f836251bd |
| SHA512 | 54eb680551f5115d5ad8218a6509053fd11b18288207e1c643668fe437cc295d57165c5c926e7e566963ef2fdc78a6dda1610ef1a1499442f357f7375577dc60 |
C:\Windows\System\VPxDlml.exe
| MD5 | a403c7c3e6cb31069ed69826d0468556 |
| SHA1 | bcb6cfb062eb6919684c46c815831207f655352d |
| SHA256 | d6857fb17326f5257076ccbfd664c033084781032f1cf8262885c1676fe9fc8f |
| SHA512 | e53b7465e41d1733248312f3444e58a437ab145a8b46eb98a267eb51d9c389c5f1827df8782f62ab7040f17a1ee796b54202bdb3fcee88f54014dcd910cf81dc |
memory/1968-48-0x00007FF7CD540000-0x00007FF7CD894000-memory.dmp
memory/1380-56-0x00007FF6DC3E0000-0x00007FF6DC734000-memory.dmp
memory/2164-62-0x00007FF72EB10000-0x00007FF72EE64000-memory.dmp
memory/116-66-0x00007FF6CD8E0000-0x00007FF6CDC34000-memory.dmp
C:\Windows\System\zhWSsbJ.exe
| MD5 | 42090ba38378d88f068bd3c2ff5b9ea0 |
| SHA1 | f7604733ee2fb17b146cac7c594458f172514c3b |
| SHA256 | 5e5ad91a374eca17d5e5f94bf766de61f35ed90bffc1e5a1a36e8fc81182c9ed |
| SHA512 | cab8ae387e067f8ccdc6dffc14d05ef9ce327754ce1f15369de41ca3760a0eba88dacd47104ad6c09f3fd1925cea8a04fa3b16cc45d68dfd0861a67aaa5e8100 |
memory/5012-67-0x00007FF7E7810000-0x00007FF7E7B64000-memory.dmp
memory/4352-65-0x00007FF670C60000-0x00007FF670FB4000-memory.dmp
C:\Windows\System\sAlOCzI.exe
| MD5 | 2e02bcd91272bdecb4ab2b8922c62b58 |
| SHA1 | 048d85c68657391063c509053eae2aac59e669e9 |
| SHA256 | 126eb5a6ce8bf0cf7e0e132c59607d96830f8317fea75e8f37a59adc4986e559 |
| SHA512 | c104be4f1ac1bcab24d206d489f1557f7e7182e30daa1aee801c09f4d735ace4ecf29ff56c9ca3250b3d08e66961c79125e6ce603bcf0199f73dbe7cfe00c46b |
C:\Windows\System\YpOJmfo.exe
| MD5 | e4bf84c2eb5164076ababd1624758f63 |
| SHA1 | 75f6733fe374b666ec6ecfe5184740e36bae078f |
| SHA256 | 8f46522cb5c6689a4f6ba3f853e28ed53c5bdaf199d5f704fab188baa69b553c |
| SHA512 | 14a9f30d4e65bbfa8654d726609a00681f198b588a5f2d043f43a9c86948eb5ce0ddd9d5e73d349433cc24dc32b396ccf973952809840e924015ebe234b961dd |
C:\Windows\System\ZswDUfs.exe
| MD5 | 538fb9996ca2893c3230ec37e37524da |
| SHA1 | 97ad87b9910ca2d77dbc71d869bf9a3ee5f2c1f9 |
| SHA256 | bc9d00bbe543d01eb3c528c2a490fa6cd5baae5f6e3fcafa8b13078961d80c98 |
| SHA512 | 7075da2592c41d8d06a53fb73df32a54788d2f36545aee9cf3c7770a8321d1b1b8d59b449ceec9169ad339fd37ff8d357c5480ebd8ff6f68ee4f3cb12169689f |
C:\Windows\System\uZjgsQi.exe
| MD5 | 279fe374fc316b486774f85945d756b5 |
| SHA1 | d907ed37185e02ebfb2f0fa69089123f810208fb |
| SHA256 | 96cc2fcf5ac0bc6a7e5516e3bfdce92fe5435ca75626656bd8a1a9f27331787f |
| SHA512 | 02323ee79ea67d3548709302c9cad14ec670f8794b03fba09688301be9d2575de3d601cc5ed4bcff32fa8608be8bfb04805ae45724705f777ac13c05ede86fef |
memory/4832-84-0x00007FF6CE290000-0x00007FF6CE5E4000-memory.dmp
memory/1792-80-0x00007FF7EE400000-0x00007FF7EE754000-memory.dmp
memory/1464-78-0x00007FF6FEC00000-0x00007FF6FEF54000-memory.dmp
memory/1904-74-0x00007FF6F9A70000-0x00007FF6F9DC4000-memory.dmp
C:\Windows\System\PMPvBHd.exe
| MD5 | 37719888bee6d489b146bd8d53c7791f |
| SHA1 | 723329627c1d0354b322c09e925117247b9f524c |
| SHA256 | a5cb2714f7fa8cc9748e7ac323028db278fd16f6253c2f730de2e6e2e4e864e4 |
| SHA512 | 3b12088dd57399b9cff3c748a1029f255ff8ea92f333a2368615fef41f756856d25d06ecc0768db22eacd274f933c9c6246ddee30acedede4b2b573030751a21 |
C:\Windows\System\MeIQXyD.exe
| MD5 | 97a47308b78007d0d153fe62858bf64a |
| SHA1 | 4db7a8c22d84a2525f0681c2721e48ac1b481650 |
| SHA256 | 96bffc9e39b5b9263a1d8612cf03b45e561538a735fc66fc604b1178c237e42e |
| SHA512 | d7f912b889679829ebf3f02bda0e778235802a6ff43538ddb5e6ba3820e08e316ceac7eb118de248eebe4a8a6e9d806a98b6f9f593d3beb8a4e6718feabb8e90 |
C:\Windows\System\wTaHsTS.exe
| MD5 | c5b06ed0553f2ed4f02f570da040085c |
| SHA1 | 8279a864eef078176abb993f5b28f059c337d310 |
| SHA256 | 142a348117592c324ef28e8d48c1a72694482d0f9065bbf2fab44f06e61ce005 |
| SHA512 | 2dae732bcb101b04106777ba1b488be4b4d3b5796a57adc3944d82b75609d82fd152a8eac6f9403cdb9f7a31ca7acc0bdc2f71244a4e16fb945e02290fe1ab67 |
C:\Windows\System\oCPwChb.exe
| MD5 | 3735258d7c14eb591de68db84083ba41 |
| SHA1 | 8f4d5f843559e997f99c028ba90a5675acfb15d0 |
| SHA256 | cdc0db1c26fd01af38d31d06a68872cd262b1af12eb6f6ae7137b5f29694bfa0 |
| SHA512 | 62c746b1c179435e31d05d1a668a52c28d00bcde1d32d69545c7a1640842f6db2f965f751314a4b9377b90999b5ff2fb17ecc906a76357e638fbfb824755191c |
C:\Windows\System\VKcHPNo.exe
| MD5 | 49f6b344d59085b0c0a4db77c75fe72a |
| SHA1 | 0c8477bc8d2caf620dd305e734b412482b39388e |
| SHA256 | 1af11a5e268dc0a39d424c3ccedb8f9da1b5aaf40c0dfa98868f1e831bb1b612 |
| SHA512 | f10f4efe47f46f1de9b0fbd7603406eb80ee5168337288e4edf2cfce3c39284ed83ccf6cfbb5f67d075bd8889c1d39825d25073d4ef278797880892cda6a03dd |
C:\Windows\System\YyxPvbI.exe
| MD5 | 88a0976c9265f25d6473c5e8e424b024 |
| SHA1 | 8e4ca878c7ec8de8a1fd987c725a583136585903 |
| SHA256 | aac5efe7500a175e3fbc29700c87f75abaa80ccaae3e9967e9f5bf2ad58e9631 |
| SHA512 | 793dfbdafd67d55e95b1a0b1f09cd066d71e6e55525fab339833234386a2f8dd392214d7a19c53fee358ceede8a4438cb66ae3b4d0f294aed747f08f14a839f4 |
C:\Windows\System\OJssmgl.exe
| MD5 | 7364855e85551aa9a1ae6fad189fba1a |
| SHA1 | 10406446eb46dd8bd0e8cdd5beab445013780aa7 |
| SHA256 | 6d1833b06323761416c9b59e7aa322779f7390c0436d8e167fa64634576a7e57 |
| SHA512 | ef063e7615cdda7c29adee8faa5a13e29778f208a299cdfe673f6b61c7053211e89733ae64f020f63d01749dba2bf6968e7428ec905fc0db8d918a40be29ea51 |
memory/4516-124-0x00007FF6CE390000-0x00007FF6CE6E4000-memory.dmp
memory/2272-125-0x00007FF7BD280000-0x00007FF7BD5D4000-memory.dmp
memory/4324-127-0x00007FF78C5C0000-0x00007FF78C914000-memory.dmp
memory/1612-126-0x00007FF7496B0000-0x00007FF749A04000-memory.dmp
memory/3404-128-0x00007FF724E30000-0x00007FF725184000-memory.dmp
memory/4824-130-0x00007FF6520B0000-0x00007FF652404000-memory.dmp
memory/3300-131-0x00007FF729850000-0x00007FF729BA4000-memory.dmp
memory/1676-129-0x00007FF682E50000-0x00007FF6831A4000-memory.dmp
memory/1740-132-0x00007FF64F180000-0x00007FF64F4D4000-memory.dmp
memory/2744-133-0x00007FF605F90000-0x00007FF6062E4000-memory.dmp
memory/1968-134-0x00007FF7CD540000-0x00007FF7CD894000-memory.dmp
memory/1464-136-0x00007FF6FEC00000-0x00007FF6FEF54000-memory.dmp
memory/5012-135-0x00007FF7E7810000-0x00007FF7E7B64000-memory.dmp
memory/4832-137-0x00007FF6CE290000-0x00007FF6CE5E4000-memory.dmp
memory/4516-138-0x00007FF6CE390000-0x00007FF6CE6E4000-memory.dmp
memory/116-139-0x00007FF6CD8E0000-0x00007FF6CDC34000-memory.dmp
memory/1904-140-0x00007FF6F9A70000-0x00007FF6F9DC4000-memory.dmp
memory/1792-141-0x00007FF7EE400000-0x00007FF7EE754000-memory.dmp
memory/440-142-0x00007FF6D9360000-0x00007FF6D96B4000-memory.dmp
memory/1492-143-0x00007FF78C020000-0x00007FF78C374000-memory.dmp
memory/1740-144-0x00007FF64F180000-0x00007FF64F4D4000-memory.dmp
memory/2744-145-0x00007FF605F90000-0x00007FF6062E4000-memory.dmp
memory/1968-146-0x00007FF7CD540000-0x00007FF7CD894000-memory.dmp
memory/1380-147-0x00007FF6DC3E0000-0x00007FF6DC734000-memory.dmp
memory/4352-148-0x00007FF670C60000-0x00007FF670FB4000-memory.dmp
memory/5012-149-0x00007FF7E7810000-0x00007FF7E7B64000-memory.dmp
memory/1464-150-0x00007FF6FEC00000-0x00007FF6FEF54000-memory.dmp
memory/1612-151-0x00007FF7496B0000-0x00007FF749A04000-memory.dmp
memory/4324-152-0x00007FF78C5C0000-0x00007FF78C914000-memory.dmp
memory/3404-154-0x00007FF724E30000-0x00007FF725184000-memory.dmp
memory/4516-158-0x00007FF6CE390000-0x00007FF6CE6E4000-memory.dmp
memory/3300-157-0x00007FF729850000-0x00007FF729BA4000-memory.dmp
memory/1676-156-0x00007FF682E50000-0x00007FF6831A4000-memory.dmp
memory/4824-155-0x00007FF6520B0000-0x00007FF652404000-memory.dmp
memory/2272-153-0x00007FF7BD280000-0x00007FF7BD5D4000-memory.dmp
memory/4832-159-0x00007FF6CE290000-0x00007FF6CE5E4000-memory.dmp