Analysis Overview
SHA256
8e35f57d4f433eab255f82c17e71d38c4371ed681105097f2a01d89d13664052
Threat Level: Known bad
The file 2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobaltstrike family
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 01:51
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 01:51
Reported
2024-06-01 01:54
Platform
win7-20240508-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IqZZNAL.exe | N/A |
| N/A | N/A | C:\Windows\System\jvuMnzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wnqFhWD.exe | N/A |
| N/A | N/A | C:\Windows\System\uGfhdll.exe | N/A |
| N/A | N/A | C:\Windows\System\IGEBLac.exe | N/A |
| N/A | N/A | C:\Windows\System\UrIpatI.exe | N/A |
| N/A | N/A | C:\Windows\System\aTYQPwY.exe | N/A |
| N/A | N/A | C:\Windows\System\QyEexpF.exe | N/A |
| N/A | N/A | C:\Windows\System\gbhBxsD.exe | N/A |
| N/A | N/A | C:\Windows\System\RnuAaMf.exe | N/A |
| N/A | N/A | C:\Windows\System\HzYaeZL.exe | N/A |
| N/A | N/A | C:\Windows\System\AngXGYT.exe | N/A |
| N/A | N/A | C:\Windows\System\BqIXEFd.exe | N/A |
| N/A | N/A | C:\Windows\System\CZUXLRf.exe | N/A |
| N/A | N/A | C:\Windows\System\hcJWWdI.exe | N/A |
| N/A | N/A | C:\Windows\System\lOPufms.exe | N/A |
| N/A | N/A | C:\Windows\System\kZpYLMu.exe | N/A |
| N/A | N/A | C:\Windows\System\DzgALgw.exe | N/A |
| N/A | N/A | C:\Windows\System\nFxyBNB.exe | N/A |
| N/A | N/A | C:\Windows\System\pLElGtD.exe | N/A |
| N/A | N/A | C:\Windows\System\EdRvvTw.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\IqZZNAL.exe
C:\Windows\System\IqZZNAL.exe
C:\Windows\System\wnqFhWD.exe
C:\Windows\System\wnqFhWD.exe
C:\Windows\System\jvuMnzQ.exe
C:\Windows\System\jvuMnzQ.exe
C:\Windows\System\uGfhdll.exe
C:\Windows\System\uGfhdll.exe
C:\Windows\System\UrIpatI.exe
C:\Windows\System\UrIpatI.exe
C:\Windows\System\IGEBLac.exe
C:\Windows\System\IGEBLac.exe
C:\Windows\System\aTYQPwY.exe
C:\Windows\System\aTYQPwY.exe
C:\Windows\System\QyEexpF.exe
C:\Windows\System\QyEexpF.exe
C:\Windows\System\gbhBxsD.exe
C:\Windows\System\gbhBxsD.exe
C:\Windows\System\RnuAaMf.exe
C:\Windows\System\RnuAaMf.exe
C:\Windows\System\HzYaeZL.exe
C:\Windows\System\HzYaeZL.exe
C:\Windows\System\AngXGYT.exe
C:\Windows\System\AngXGYT.exe
C:\Windows\System\BqIXEFd.exe
C:\Windows\System\BqIXEFd.exe
C:\Windows\System\CZUXLRf.exe
C:\Windows\System\CZUXLRf.exe
C:\Windows\System\hcJWWdI.exe
C:\Windows\System\hcJWWdI.exe
C:\Windows\System\lOPufms.exe
C:\Windows\System\lOPufms.exe
C:\Windows\System\kZpYLMu.exe
C:\Windows\System\kZpYLMu.exe
C:\Windows\System\DzgALgw.exe
C:\Windows\System\DzgALgw.exe
C:\Windows\System\nFxyBNB.exe
C:\Windows\System\nFxyBNB.exe
C:\Windows\System\pLElGtD.exe
C:\Windows\System\pLElGtD.exe
C:\Windows\System\EdRvvTw.exe
C:\Windows\System\EdRvvTw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2072-0-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2072-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\IqZZNAL.exe
| MD5 | 3273652935bea893fa3dcd110b333e66 |
| SHA1 | 60bc8dbe5c5e90d70bffbb48e1af0151a35842b6 |
| SHA256 | 6ccd0832768d0e2b8cee00f0bb63558c70084ebf4847668e7466fee553d5aad1 |
| SHA512 | fe1f09402a8f24bbf122cba1126320ac541b9cb55850e1656b37297fbbad202dcd19e6ebcfc2bbd34877ca85d5bdc02395706998561c69dd0ddcc8d7098bebf3 |
\Windows\system\wnqFhWD.exe
| MD5 | 9c82f66e6e86d262547941fe2bf286fc |
| SHA1 | 40fe8996ecdcee8d0eba8d13cdfc20ec10bee8bd |
| SHA256 | f21e7165cb51bb85b8bd0abeb61807742ab7079c04f0b92a520ada30c6ca87cf |
| SHA512 | aab7a382b7e63110849f8256c8b5c85cacc424a216ef86cceee08785889c9d2cda0925c346f2041997e5b0b4eacc0c1f07d2162e061cc797ec3cdb3546f0bfd1 |
C:\Windows\system\jvuMnzQ.exe
| MD5 | f298e091ccbcd0fcb4375d9a9cc12c44 |
| SHA1 | 673156dc55649678730c6d1e580f3b5a1cfd1b1f |
| SHA256 | 83f3b3570bc2a5a190ddfa696b3376cdd79c08d72054583a2f12cc785f7ba1d1 |
| SHA512 | 5b5841f2185b0d58619e84f05942b7e54bf2a265c4cf7b3f10e2314e55dda270c40e285b711b3633c4444513da14db88c66aa89a94d641105cc1798d4d30648d |
\Windows\system\UrIpatI.exe
| MD5 | 800d8ab19bbd53d47707bd809bf00b41 |
| SHA1 | 55c18ee9364b8f7262b4f61551d09a0a1c984314 |
| SHA256 | f8d3fc31eb6df3d531f85a3c9319cb72b6a05696c186262a34ad1b164dd134f9 |
| SHA512 | f9dff396b6a7f2587550b196aa67c238e61274ef0faa995599e1afcc1dcc79d64fee43f21cb39b007b139c8b85296114b103de77a248a69fc9a3807ed8ae0188 |
memory/2072-34-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2832-39-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/3056-26-0x000000013F650000-0x000000013F9A4000-memory.dmp
C:\Windows\system\uGfhdll.exe
| MD5 | 1bda58385cdd1d8af6e6cc196ef9eb56 |
| SHA1 | 0c89fde97783332f4571d84f501e5d9fd50f4b96 |
| SHA256 | 146ec45e7d0d9ac2d0665e0ad19301fc2b120607f7a5de062d75572a2b1e422a |
| SHA512 | dfba45b349664b70811ade240bc9c445d7e42b751df99de3d56f79cbd23e88aa34cae347d9eeb29b5d53d9c720cf10c8659f7fa3234f2844819a6c4ae31212a0 |
memory/2072-22-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2684-40-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2748-49-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2584-56-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2072-69-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2592-70-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2072-84-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\CZUXLRf.exe
| MD5 | c4655ffdeb0c063c6f118d29ff6aa816 |
| SHA1 | d6facf00171cae869599ec8167d4db2cd1a2b172 |
| SHA256 | ce8a044c08882c7c239eb3d442ae978a71f885115e409fc4ecbdd86ed9e43c37 |
| SHA512 | 2b3692375b35b5bb29270f879d950abe14c83455ce70f162b1c1a254f5d87cd0e59c2ed81bfecb7e6c5937d1f6e87101479530f52bc10720fc58744e2c875b17 |
C:\Windows\system\lOPufms.exe
| MD5 | 5ddcde9d592ad2ada9eff831651a15c9 |
| SHA1 | 536a8bfd71ba481347702cb80291868c05ad886d |
| SHA256 | 920a89092aff7111990bb86f65180ba188473015bb56483f7d2333eac25dda28 |
| SHA512 | 4a66a6e2ad7e7d8ca86134603791c557f15581b078648b58ee18733c9b437469fc3795b614c4c49196b2db567364d157a1175b5e5c26a71c571944ad64b0245a |
C:\Windows\system\DzgALgw.exe
| MD5 | 95b07d3a91247d84fa9b990156c7344a |
| SHA1 | fa28a34e8cb761f84ecea5065b6672d8959a5a98 |
| SHA256 | 3afa6fc4a5cb0f83894b5f4600f402e86fe5de5f1b4beaeb43256316151fe177 |
| SHA512 | bc14e5a7baf20fb25806d33a75f1c8009120bd806742693b242df03b0c8c3a78c0bf990063a34cb6aa28e58bbac8e4ab7fda5749570ec394787c74e263d42177 |
C:\Windows\system\pLElGtD.exe
| MD5 | a637645036b20a419cf2330b6ebf4b18 |
| SHA1 | 1998382ab37f9d713fc8cce2ace83d574f1881d3 |
| SHA256 | e889c929960be24edff2a512f901663dec38c4b824462b8b51c1badfb21b1091 |
| SHA512 | 9f6f09ddcafec86e9a6424638fdd42f10729159653bb40e7da3bc355bcea2efa97e5a1c159b2f21d1a068d08bdc538ff3b275a2fdcee5fdc78457c7094dd2651 |
\Windows\system\EdRvvTw.exe
| MD5 | 866b9a3e2d93623e1301fd46f0ee32ef |
| SHA1 | 8d0c8caf788818b8d9d901293616ed214140ca23 |
| SHA256 | 783b5781846bdb7c8a8cbc15474b5fec7c9d98f91d27f2442eace8899a0539d8 |
| SHA512 | f989c0bb4c5772bf2ba896b72024a3c75bfeca31769bd86f89dec4b1dfc850595a655fa5b4a440fc1d8be2574092fcd008aba418e04f1e59ef810518dcb2717b |
C:\Windows\system\nFxyBNB.exe
| MD5 | f505735597258b09dcdcb821a36d3cc3 |
| SHA1 | 5317de55236e96ddd10b2bb3c43e51f4fda72ffb |
| SHA256 | 8ea8807d6a12a0d1e2b0a64d9d992867bae1cf0820bf5d4865b48ed4d27bbe7a |
| SHA512 | 9a9ace9dae807b157a5d754d81dabee23520e32a1169f0478490d1af70fd362392cc156a337d7c6ad8bd3029741812edfc981495b61e9366e2b41bb10780ab32 |
C:\Windows\system\kZpYLMu.exe
| MD5 | 1460c7ef2d6f7c41120e5118339bed35 |
| SHA1 | 0587f48ed7e66695cf5e97549dde9ac4e814da39 |
| SHA256 | f7253b37b394ec883dc18ff3a07e0feac498ec5597ce69e4531b2eb70b6cc484 |
| SHA512 | cc24e656672b403293c19b385733433bed0a9b8f396fd63035bbb4176c8b804c645a50af35da6091fbbb700051203650efcc5b46fb7c33931c468079d4a89f1d |
memory/2684-137-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\hcJWWdI.exe
| MD5 | 0e938d3841499920eda981ec6eb81da8 |
| SHA1 | 97c6ad28cc782730d4e954b2cbfce0b670bb383b |
| SHA256 | 85170d5bda8db84c3e49f78a4a61a56c0ecd5d4e5fa12a233c8e54bc03dffefb |
| SHA512 | e23c19fcff13eba7947654b752cbfe1e2ed3fa1bfac8c712ef4b6cb9db910939ef53e97cf7ea7343bd89c745009ab2f56e1f187ebcdad2fc08c3dda24282874e |
memory/2072-104-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2832-103-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/1836-92-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2780-99-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2072-98-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2072-91-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1740-90-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2748-138-0x000000013F1F0000-0x000000013F544000-memory.dmp
C:\Windows\system\BqIXEFd.exe
| MD5 | 10d8b833fd13a1e616d839988a8f6e26 |
| SHA1 | d65b0a198085aeac314f1bbe37b69fa74823d2d2 |
| SHA256 | 7ed2325d6fd4d04a6fa94489ed28fd7b3df422a562fe91f89ebffad2043f3729 |
| SHA512 | b1e358cc1ddcbc792de11e2b5954144b60367410892a27028b2b9ae889cbff6ca35912f9914301e550f0ee47dc53701dc2d65f5f81c23ad95432ded7dcc20ed8 |
memory/2144-77-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2072-76-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/1040-85-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\AngXGYT.exe
| MD5 | 9bef8ef0e4ec26b9330109ef6f3b393c |
| SHA1 | 1b88144dcc2007d7bcb032d4b97bd9fcce7f033f |
| SHA256 | 6b5741e55f2f2b0587e463ca2ca4c5556ee0860febf080eb60247f04511e6ad8 |
| SHA512 | 6315666e2c4f5d1cfe62ff72261021ed47fe682bf37744f589798e8350e3d3b0c3359a01dd907b7e300a9ee9db663961f8da79c3a50763bcd1ab099b88d33dff |
C:\Windows\system\HzYaeZL.exe
| MD5 | 8b1b3f7ed6c6a1b516d9cfbb55208052 |
| SHA1 | e84c942d69ae52cef409b244d3026465e5349bd1 |
| SHA256 | 527379ad8cd653479089aa2502d25ad6942d21dfa66e5d37fcc8cb8dc1a8c61e |
| SHA512 | f1a5c80e010cfb812322a6bd4038082cccc85efe5215aa6024f12d86e79c379175ccab2cf5446c50180c7746c81c5af79d1ab1ac98ee0ad4eca540f76b50a249 |
C:\Windows\system\RnuAaMf.exe
| MD5 | 42c15aada2f74893b5d7ea8ecc36fa17 |
| SHA1 | 531049a3d53b007bf283756d580dd816ed2a4a91 |
| SHA256 | ff2abe06ea910828f6847d8e184b8a8bf65bd4042d4f382022def5d3b6056b08 |
| SHA512 | 44635b2a6230390d93c5cb5b204c4123a2d13770f64be0288a0bdc5baecf8c5e7ee03f22ecb91d7ac9bd3f707d6ac9b23e866665bd3cd179f973a675f5e24635 |
memory/2464-64-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2584-139-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2072-63-0x000000013FA40000-0x000000013FD94000-memory.dmp
C:\Windows\system\gbhBxsD.exe
| MD5 | 377670a9fc51aa5d1265a780245653f4 |
| SHA1 | 2ae1cef689c1726e7e82f3ae9a79b745072d1257 |
| SHA256 | d5c42de4f944d1919e820e4093982808d819703759c199304e12ddacb2609694 |
| SHA512 | 89890b40944ecab4efc1ac578b519ce0489752bce83b34675b8bdea2d53621f884e991c2fd080a80371caad5c7bb6618ae83357dc2e1fa3fed08251dc3e225a8 |
memory/2072-55-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\QyEexpF.exe
| MD5 | 39b10ec52cbd97b28824e13aedc3d610 |
| SHA1 | 4c4780be5b6633828638645c98fdc3eae593631d |
| SHA256 | a7f46dcfbc18d9d06acd0ffbdb2d2d32472b5322df795fb11821a3f4d663846f |
| SHA512 | ecbe24572331e481cd4ce4d9d6d1946f563bf0218409aaad37d25d6582b9f37d6a5df6379542314042e6ba1243d947fac500b18d42c3ab815ab484ccef48664d |
memory/2072-48-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\aTYQPwY.exe
| MD5 | 9c8786819dd46946492d822554632256 |
| SHA1 | d6c2c3ad434506ed946c1014acebd07fbca3d389 |
| SHA256 | 9eace5ca8b61f62b3c415d0c864670e0d463617d1d302cb74950c0380733d664 |
| SHA512 | 68fcf425706d8e2e1e8a63eaea15ac3f586997aa01c574083f38af8591c6a3e3328df02a0a42d432246c196701a8cabaacf0e8385041bc083d8482c46849ae87 |
memory/2072-38-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2988-36-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2072-35-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2616-33-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\IGEBLac.exe
| MD5 | ebef2524d1bbd95fd268eef280fb7eba |
| SHA1 | f9980fac731e2394f84c842f72fb82adbc23bcfe |
| SHA256 | 0cb2130f23c6410323bbee12bb748a7310d95179a87b24a6e943972540095239 |
| SHA512 | 5d44a4477c25eb4ced7c8f880fd228be677692ea301ef0986f71a8905844f3492645c4290a810a6f1311858a03f7f831a9a0ef652f4e5badfbd6e983ff12fd5a |
memory/2072-30-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1740-17-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2592-140-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2144-141-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2072-142-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1836-143-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2780-144-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2072-145-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/1740-146-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/3056-147-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2988-148-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2616-149-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2832-150-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2684-151-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2748-152-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2584-153-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2464-154-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2592-155-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2144-156-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/1040-157-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1836-158-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2780-159-0x000000013F2B0000-0x000000013F604000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 01:51
Reported
2024-06-01 01:54
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OCWrrBw.exe | N/A |
| N/A | N/A | C:\Windows\System\lNdFlhh.exe | N/A |
| N/A | N/A | C:\Windows\System\BfFWNUW.exe | N/A |
| N/A | N/A | C:\Windows\System\CGuCToQ.exe | N/A |
| N/A | N/A | C:\Windows\System\IBCfRAF.exe | N/A |
| N/A | N/A | C:\Windows\System\VhNdvpI.exe | N/A |
| N/A | N/A | C:\Windows\System\uhSczTj.exe | N/A |
| N/A | N/A | C:\Windows\System\BUaWrBw.exe | N/A |
| N/A | N/A | C:\Windows\System\kwQfKkH.exe | N/A |
| N/A | N/A | C:\Windows\System\wwcZkUk.exe | N/A |
| N/A | N/A | C:\Windows\System\AekQMHB.exe | N/A |
| N/A | N/A | C:\Windows\System\snXvShk.exe | N/A |
| N/A | N/A | C:\Windows\System\NypCsQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\HkfhfbQ.exe | N/A |
| N/A | N/A | C:\Windows\System\XhfJUGT.exe | N/A |
| N/A | N/A | C:\Windows\System\DSkLCxp.exe | N/A |
| N/A | N/A | C:\Windows\System\RaIyLDM.exe | N/A |
| N/A | N/A | C:\Windows\System\xsqAceI.exe | N/A |
| N/A | N/A | C:\Windows\System\RMxXqzs.exe | N/A |
| N/A | N/A | C:\Windows\System\ToTlrmN.exe | N/A |
| N/A | N/A | C:\Windows\System\bQYhChl.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\OCWrrBw.exe
C:\Windows\System\OCWrrBw.exe
C:\Windows\System\lNdFlhh.exe
C:\Windows\System\lNdFlhh.exe
C:\Windows\System\BfFWNUW.exe
C:\Windows\System\BfFWNUW.exe
C:\Windows\System\CGuCToQ.exe
C:\Windows\System\CGuCToQ.exe
C:\Windows\System\IBCfRAF.exe
C:\Windows\System\IBCfRAF.exe
C:\Windows\System\VhNdvpI.exe
C:\Windows\System\VhNdvpI.exe
C:\Windows\System\uhSczTj.exe
C:\Windows\System\uhSczTj.exe
C:\Windows\System\BUaWrBw.exe
C:\Windows\System\BUaWrBw.exe
C:\Windows\System\kwQfKkH.exe
C:\Windows\System\kwQfKkH.exe
C:\Windows\System\wwcZkUk.exe
C:\Windows\System\wwcZkUk.exe
C:\Windows\System\AekQMHB.exe
C:\Windows\System\AekQMHB.exe
C:\Windows\System\snXvShk.exe
C:\Windows\System\snXvShk.exe
C:\Windows\System\NypCsQJ.exe
C:\Windows\System\NypCsQJ.exe
C:\Windows\System\HkfhfbQ.exe
C:\Windows\System\HkfhfbQ.exe
C:\Windows\System\XhfJUGT.exe
C:\Windows\System\XhfJUGT.exe
C:\Windows\System\DSkLCxp.exe
C:\Windows\System\DSkLCxp.exe
C:\Windows\System\RaIyLDM.exe
C:\Windows\System\RaIyLDM.exe
C:\Windows\System\xsqAceI.exe
C:\Windows\System\xsqAceI.exe
C:\Windows\System\RMxXqzs.exe
C:\Windows\System\RMxXqzs.exe
C:\Windows\System\ToTlrmN.exe
C:\Windows\System\ToTlrmN.exe
C:\Windows\System\bQYhChl.exe
C:\Windows\System\bQYhChl.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2108-0-0x00007FF6E2530000-0x00007FF6E2884000-memory.dmp
memory/2108-1-0x0000020E23FA0000-0x0000020E23FB0000-memory.dmp
C:\Windows\System\OCWrrBw.exe
| MD5 | 4814e7c3fe1d355b6691cb2c9c24b8cc |
| SHA1 | ae5d85b1042b7090933c3302c1b9c33570920bdd |
| SHA256 | d1c7788a42d05e189c23b1c8739965c0dca146e04df5941ccebdb94f8f32dbe6 |
| SHA512 | cb6f69b6d6e05efdc5ec2ff058b3330c3529b3493808c986134a91b03f2017196776f17d87c008fc81cb7b3d5407771ea487674d362cd73fb50a3b32a4a44e4d |
memory/2824-8-0x00007FF63F600000-0x00007FF63F954000-memory.dmp
C:\Windows\System\lNdFlhh.exe
| MD5 | f5c5aadf53383494128de801d9240dec |
| SHA1 | 3d79785af59d40984d6360aa8273e6e11cfd3ea8 |
| SHA256 | dfc2569fa25cccd0a4220d6650576af65ce1f16d71c61be9ffad47d81a3e7f77 |
| SHA512 | daa65c902024c92f425f1a9b62f95c198af693642524fe1856b727e803d69d505a2c4a3ab88016cd6f91c2495f5d8293b2c96114247490c06ebddeba8cb0bd7c |
memory/4788-12-0x00007FF60BB50000-0x00007FF60BEA4000-memory.dmp
C:\Windows\System\BfFWNUW.exe
| MD5 | a9bd5031b9c96c192869e838810b10e9 |
| SHA1 | 473e67565e83d310bd79afc03222ff73c1643c93 |
| SHA256 | fc244ca3e27e5136f6fa28b547128688a0702b70775bb80d1a70abf519cd03ab |
| SHA512 | 52c1dd6a756fb4306b14057c8cd4281cbceef10d991bad4da18dc65198984a72db2bd260055315aff1cc796e0993f320f66ca45b62e91bd134767b5562b6bda1 |
memory/3716-18-0x00007FF60EB00000-0x00007FF60EE54000-memory.dmp
C:\Windows\System\CGuCToQ.exe
| MD5 | 766beabb16e64599b23170821370ad99 |
| SHA1 | 62eab6cd42b24ae388b2039dbe55899d640d22e4 |
| SHA256 | 571b59b95a28d334000f3f2daca8caf4aa9fbeb2dd1b82b143791101511d215f |
| SHA512 | 97c067321f8b336169f732daa103c8da71adbbff30b9c035571e5907a43374cdc82484f5a43ac842f50895871f29963279ddadc060378393c9f30ffa55088887 |
C:\Windows\System\IBCfRAF.exe
| MD5 | ad826020144ddcb072fd0a713deb39c7 |
| SHA1 | 6e23b7fb3583e94e9cb8becb9aa226ccd7f0ba2a |
| SHA256 | 1ca1403065115aab91177e791cf622afcbfaca50676642ef3970281893eed1e0 |
| SHA512 | 2017e15241d317c4538dd766c2ac2012fb62803796b3edb4c0d054f2b5131a795239e87fbdf5bbd8eef2674a9a49e892c7ec8073f1016c797ce859ca6dc4ee33 |
memory/5024-30-0x00007FF6E2090000-0x00007FF6E23E4000-memory.dmp
memory/432-24-0x00007FF60FA40000-0x00007FF60FD94000-memory.dmp
C:\Windows\System\VhNdvpI.exe
| MD5 | e01c95c3d6c3c535f61a4d5e795ef09d |
| SHA1 | 03b962618a79bd9cee0fa00e7ef2002ac38723b5 |
| SHA256 | ecb45bacc9ae0121b12dc2bf7a3c9fb1d33bb3a0b72eda01524e7d395be4627b |
| SHA512 | 6a87ff519666da9492352ce1d2bbad834eb92d014b426af2495051a54658ebb4d9102b1a0f3a935b9f1ce25e6a123c2413eb0fbb2a417917c27119894ecd7613 |
memory/1180-38-0x00007FF714630000-0x00007FF714984000-memory.dmp
C:\Windows\System\uhSczTj.exe
| MD5 | 3a83fba699aec2f700542d00957c1306 |
| SHA1 | 980ff460bc254ca78bbd121d22a6724fd6632dda |
| SHA256 | 1574f50b90400779343321c5b45228f0c67f3236207f6f2e05d8f41d94100a99 |
| SHA512 | e8303b5c7d4447cbbf9d26e6e73e8b1eb9c193645a4b7fb8990f560cf2846f2fa4e795288b17818df8820779b75e773698422448830afcc53c2c11dabc425359 |
C:\Windows\System\BUaWrBw.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
memory/3928-47-0x00007FF6333E0000-0x00007FF633734000-memory.dmp
C:\Windows\System\kwQfKkH.exe
| MD5 | 97a3b32ab914edf61295d3e94c7c180f |
| SHA1 | 2c5d460cd4feaf57a1d08e24f7fc9d0734206578 |
| SHA256 | 33879e5a12a2a31b2c1696d99c6b00b9be4a86ed520d131f242b20335f2a7caa |
| SHA512 | 1d68f991bb283cb42f9f09307f5a86c18058b22f4303bd53e5dce98cb778c9d28f635df040495928b20ed202bd8b51231e992428374ca5475fbee05686374ecb |
C:\Windows\System\wwcZkUk.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
memory/2108-62-0x00007FF6E2530000-0x00007FF6E2884000-memory.dmp
memory/1552-67-0x00007FF7CC370000-0x00007FF7CC6C4000-memory.dmp
C:\Windows\System\AekQMHB.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/4488-70-0x00007FF619B70000-0x00007FF619EC4000-memory.dmp
memory/3716-79-0x00007FF60EB00000-0x00007FF60EE54000-memory.dmp
C:\Windows\System\HkfhfbQ.exe
| MD5 | e9dca5492592d6ee5bdd4f8210a617c1 |
| SHA1 | 61f9e612e49e2bc4e9d9bee58ce2f5d8e12aad1e |
| SHA256 | e65220be63d0d006388ae41fe3dbee4fa45cf583b27aa25638e1135874e67a8d |
| SHA512 | 80b9ca3c3f9bc7c34372b8c45b4ac02cbd590c468d0fdbe4c22c2c7dcfdaea1eff048d736f99e38bbabbb9daaf18092c2098b6c63d368ab94e2c7d2154b75c21 |
C:\Windows\System\DSkLCxp.exe
| MD5 | 06e3f45b9551e73fb3de14794d2f5c1d |
| SHA1 | 33c19f8944e55e8bde65a4bace95d464d051efaf |
| SHA256 | 0b8e6fe3203697649a255ec782adeccdc6a21b78e3d417a9f3b1bc5408f29e08 |
| SHA512 | 722f65a8b67734e3629e5696013a52fe704a97646e53aca201889fd438eb8fb5784dbaa93362d950808ac95dfaaa32007f47a40a29cbae5c16cd1190e2a08300 |
C:\Windows\System\RaIyLDM.exe
| MD5 | 676c4bb09b07c7cbe31d625dc4bda94a |
| SHA1 | b070d78787edb6237f353d8882a447a7f594ba66 |
| SHA256 | 297df0c9444175069e6df9cdd22075c57f25554277e9b414a3281e92090dd19f |
| SHA512 | 5d2a113eb6f64883f3c7e9805a20dc34c5f7b5d60fcf6dd2a7ed069a43148caeb5f9aa2d200c2619a9cc469140ebfba4f8923d95415c17c9588aa627023cdb3d |
C:\Windows\System\ToTlrmN.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
C:\Windows\System\bQYhChl.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
C:\Windows\System\bQYhChl.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\System\ToTlrmN.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
C:\Windows\System\RMxXqzs.exe
| MD5 | 29d2f84685560d5c5533e4f2e904b126 |
| SHA1 | 587a0ea5f40243075c52b6f2e2dd96c12690a39d |
| SHA256 | 740d0214e10273256e32d33dabed10d1582dbbfc6cb904850fd02cd1ef547974 |
| SHA512 | 093cefb105f13f38fdae3ec7acefcf353425ffb4eaee2301f6b6ccff9e5e108bbe096439dc4771e6a0455c140064c70ff4e998289de6f8334493235da9b568d6 |
C:\Windows\System\RMxXqzs.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
C:\Windows\System\xsqAceI.exe
| MD5 | b6ad2e9c5a69e4c25332dd6cbeac8dfb |
| SHA1 | 5717486199ba68ab9df2cde8731fedab301962bb |
| SHA256 | 200904411adac6d2f4ed063988c6d38da3019ca912e74097037f389ff3da2d12 |
| SHA512 | 9d74e3b5577e624687c00dfefb75f07f3d6bf40fab8a6806e41549efa74f1f9d69d6cd1ea5207229b320d91058baa6b3a9ce6aadaf249e809d12ed16bf379246 |
C:\Windows\System\XhfJUGT.exe
| MD5 | 103e85d4eaac8ddfb6f3b5375a6a37fc |
| SHA1 | 6477ef58e65eacb00ee5af4a962a0d3112594662 |
| SHA256 | 7a9c3203e1c7834cd1471b3acd063f85cd86718b34b8fa76cc4ae74be283c1c7 |
| SHA512 | 00a886159ad63e382e57439a0016449c3fb57a935ef7c5623b795c9d56fb88488e621c9a99e46faef2dc7d44e30da79c32680a0d59435f6d62b041529ca3b504 |
memory/1312-94-0x00007FF7CB350000-0x00007FF7CB6A4000-memory.dmp
memory/4344-92-0x00007FF627720000-0x00007FF627A74000-memory.dmp
C:\Windows\System\XhfJUGT.exe
| MD5 | f580b5d790053fee7fff4b76615a03b0 |
| SHA1 | 989829a8668ec92829b511f8349529db56634e1a |
| SHA256 | cb8faf5d192dffb336f6c3ff32fa150e5464727d0a43944172b74833e424e1ca |
| SHA512 | aee4c107f1f6fe7f5e0c0358ade0f322c151e02f1fbce2a71be92cfa6486910bb362b6c5c87bab451840438ecb85b10654b0f65432e85eee848ef862cfcc6600 |
C:\Windows\System\NypCsQJ.exe
| MD5 | c02fb3b16e7301165457d9ca11d050a1 |
| SHA1 | c7464664d390100c915c2213f86965643cc7dbcd |
| SHA256 | 8c255c9592851ff64a0ba6b6dd31488be1e5fe89fb217c5986c49e0b89b91231 |
| SHA512 | 4b5cd48944da4f26138f7fa943fe7a66d6d5baf842982bfe0f9fcec9a5e163ed14264ba1ab73208596f598ea3dea4402624e2936196e11e415d499038f01af81 |
memory/5108-78-0x00007FF766C20000-0x00007FF766F74000-memory.dmp
memory/4788-76-0x00007FF60BB50000-0x00007FF60BEA4000-memory.dmp
memory/2356-75-0x00007FF713390000-0x00007FF7136E4000-memory.dmp
C:\Windows\System\snXvShk.exe
| MD5 | e8c4508a392ccf08590d3627a36cc3c3 |
| SHA1 | 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2 |
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
| SHA512 | f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410 |
memory/2824-69-0x00007FF63F600000-0x00007FF63F954000-memory.dmp
C:\Windows\System\snXvShk.exe
| MD5 | 93d46d62d961e02a56e7181c67a0bc09 |
| SHA1 | c6389ab9e89efe7b99a0736d9d797061f214cff9 |
| SHA256 | a0182c1e607ca54679ba03d7e79a820ff0590c56f6c8abfbe8bc7dea68d442bb |
| SHA512 | 614b0b36f7a483dfc371a701ba312eeb526758a01ce67307bde3467be04e48a6e69443b899629484dccbb069af4a086f81daf874f163c93b2093049b449e3544 |
C:\Windows\System\AekQMHB.exe
| MD5 | 5b6cc8875f0e6e20d33f61b4dcb33551 |
| SHA1 | e85b51a972ba8c10bb6d847aca57b782e9e62f14 |
| SHA256 | b858d42ffdbc5fafe0f866baacfee1588efb7880d8a1af17a6f1a43be6232b36 |
| SHA512 | db0bf1630c31a31380098123968b658936c27fef1aa78f2bcf51e6e9febe863015b99072d0f9d16fe53c9e002d530af704c4f6dfc3a2fe2bf4cd83cd5dcdae6e |
memory/5068-61-0x00007FF6DA9F0000-0x00007FF6DAD44000-memory.dmp
memory/2748-51-0x00007FF602210000-0x00007FF602564000-memory.dmp
C:\Windows\System\BUaWrBw.exe
| MD5 | 01a576e3f1335ed309ef3919fac916a9 |
| SHA1 | 8165606312355192c0de78485bb4d25de5ec2007 |
| SHA256 | 2b56b3d1b64fd3a424ed1ac85aa7f390ca50af03f2a2a51fbfb82bfc1cfc6541 |
| SHA512 | 2052cf14df42400fa927c28cc097afb7bcaedf7cbad1b0093901f19a2c972bd17ee8c685a5715764bcc16290a338c4fc3bff6b8291f19fcd43bd18b14b1075a0 |
memory/4396-127-0x00007FF7DD370000-0x00007FF7DD6C4000-memory.dmp
memory/5024-126-0x00007FF6E2090000-0x00007FF6E23E4000-memory.dmp
memory/3480-131-0x00007FF76FD30000-0x00007FF770084000-memory.dmp
memory/760-132-0x00007FF7B9420000-0x00007FF7B9774000-memory.dmp
memory/4192-130-0x00007FF739C90000-0x00007FF739FE4000-memory.dmp
memory/208-129-0x00007FF7C9240000-0x00007FF7C9594000-memory.dmp
memory/4104-128-0x00007FF603AF0000-0x00007FF603E44000-memory.dmp
memory/1180-133-0x00007FF714630000-0x00007FF714984000-memory.dmp
memory/5068-134-0x00007FF6DA9F0000-0x00007FF6DAD44000-memory.dmp
memory/1552-135-0x00007FF7CC370000-0x00007FF7CC6C4000-memory.dmp
memory/2356-137-0x00007FF713390000-0x00007FF7136E4000-memory.dmp
memory/4488-136-0x00007FF619B70000-0x00007FF619EC4000-memory.dmp
memory/5108-138-0x00007FF766C20000-0x00007FF766F74000-memory.dmp
memory/1312-139-0x00007FF7CB350000-0x00007FF7CB6A4000-memory.dmp
memory/2824-140-0x00007FF63F600000-0x00007FF63F954000-memory.dmp
memory/4788-141-0x00007FF60BB50000-0x00007FF60BEA4000-memory.dmp
memory/432-142-0x00007FF60FA40000-0x00007FF60FD94000-memory.dmp
memory/5024-144-0x00007FF6E2090000-0x00007FF6E23E4000-memory.dmp
memory/3716-143-0x00007FF60EB00000-0x00007FF60EE54000-memory.dmp
memory/1180-145-0x00007FF714630000-0x00007FF714984000-memory.dmp
memory/3928-146-0x00007FF6333E0000-0x00007FF633734000-memory.dmp
memory/2748-147-0x00007FF602210000-0x00007FF602564000-memory.dmp
memory/5068-148-0x00007FF6DA9F0000-0x00007FF6DAD44000-memory.dmp
memory/4344-153-0x00007FF627720000-0x00007FF627A74000-memory.dmp
memory/5108-152-0x00007FF766C20000-0x00007FF766F74000-memory.dmp
memory/1312-154-0x00007FF7CB350000-0x00007FF7CB6A4000-memory.dmp
memory/4396-155-0x00007FF7DD370000-0x00007FF7DD6C4000-memory.dmp
memory/4104-156-0x00007FF603AF0000-0x00007FF603E44000-memory.dmp
memory/208-157-0x00007FF7C9240000-0x00007FF7C9594000-memory.dmp
memory/1552-151-0x00007FF7CC370000-0x00007FF7CC6C4000-memory.dmp
memory/2356-150-0x00007FF713390000-0x00007FF7136E4000-memory.dmp
memory/3480-160-0x00007FF76FD30000-0x00007FF770084000-memory.dmp
memory/760-159-0x00007FF7B9420000-0x00007FF7B9774000-memory.dmp
memory/4192-158-0x00007FF739C90000-0x00007FF739FE4000-memory.dmp
memory/4488-149-0x00007FF619B70000-0x00007FF619EC4000-memory.dmp
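A triage helper for the Processes, Network and Files sections above, added here as an example; it is not part of the sandbox report or of any analysis tooling the report came from. It parses a constructed excerpt of those three sections (a few rows, in the same markdown layout, with the hash tables cut down to MD5 and SHA256), lists the executables started from C:\Windows\System, separates the PTR lookups sent to 8.8.8.8 (sandbox background noise, not attacker infrastructure) from the repeated TCP connections to 3.120.209.58:8080, collects SHA256 values for a blocklist, flags paths that were written more than once with different content, and computes the size of each dumped memory region. The seven-letter name pattern is my generalization from the 22 dropped names listed above, not something the report states.

```python
import re
from collections import Counter

# Constructed excerpt of the sandbox report (Processes, Network, Files),
# shortened to a few rows so the script runs offline. Hash tables are cut
# down to MD5 and SHA256; the real report also carries SHA1 and SHA512.
REPORT = r"""
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_539081b1ddcf82ceb603fe66f6d2dd10_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\OCWrrBw.exe | C:\Windows\System\OCWrrBw.exe |
| C:\Windows\System\lNdFlhh.exe | C:\Windows\System\lNdFlhh.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2108-0-0x00007FF6E2530000-0x00007FF6E2884000-memory.dmp
C:\Windows\System\OCWrrBw.exe
| MD5 | 4814e7c3fe1d355b6691cb2c9c24b8cc |
| SHA256 | d1c7788a42d05e189c23b1c8739965c0dca146e04df5941ccebdb94f8f32dbe6 |
memory/2824-8-0x00007FF63F600000-0x00007FF63F954000-memory.dmp
C:\Windows\System\bQYhChl.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
C:\Windows\System\bQYhChl.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
"""

# Assumed pattern, generalised from the 22 dropped names in the report:
# seven mixed-case letters, written into the legacy C:\Windows\System directory.
DROPPED_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
DUMP_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$")


def cells(line):
    """Split one '| a | b |' markdown row into stripped cell strings."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Walk the three sections; return processes, network rows, dropped files and memory dumps."""
    out = {"procs": [], "net": [], "files": [], "dumps": []}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Processes", "Network", "Files"):
            section, current = line, None
            continue
        if section == "Processes":
            image, cmdline = cells(line)[:2]
            if image != "Image":  # skip the header row
                out["procs"].append({"image": image, "cmdline": cmdline})
        elif section == "Network":
            country, dest, domain, proto = cells(line)[:4]
            if country != "Country":
                out["net"].append({"country": country, "dest": dest, "domain": domain, "proto": proto})
        elif section == "Files":
            hash_match, dump_match = HASH_ROW.match(line), DUMP_LINE.match(line)
            if hash_match and current is not None:
                current["hashes"][hash_match.group(1)] = hash_match.group(2)
            elif dump_match:
                pid, start, end = dump_match.groups()
                out["dumps"].append({"pid": int(pid), "size": int(end, 16) - int(start, 16)})
            else:  # a bare path line opens a new dropped-file entry
                current = {"path": line, "hashes": {}}
                out["files"].append(current)
    return out


def dropped_executables(report):
    """Process images matching the random-name pattern, deduplicated and sorted."""
    return sorted({p["image"] for p in report["procs"] if DROPPED_NAME.match(p["image"])})


def network_iocs(report):
    """Return (PTR names looked up via 8.8.8.8, Counter of (dest, proto) for everything else)."""
    is_ptr = lambda r: r["domain"].endswith(".in-addr.arpa")
    ptr_names = sorted({r["domain"] for r in report["net"] if is_ptr(r)})
    connections = Counter((r["dest"], r["proto"]) for r in report["net"] if not is_ptr(r))
    return ptr_names, connections


def block_hashes(report, algo="SHA256"):
    """Unique hashes of one algorithm across every dropped-file entry."""
    return sorted({f["hashes"][algo] for f in report["files"] if algo in f["hashes"]})


def rewritten_paths(report):
    """Paths listed more than once with different SHA256 values, i.e. overwritten with new content."""
    seen = {}
    for f in report["files"]:
        if "SHA256" in f["hashes"]:
            seen.setdefault(f["path"], set()).add(f["hashes"]["SHA256"])
    return {path: len(hashes) for path, hashes in seen.items() if len(hashes) > 1}


def dump_sizes(report):
    """(pid, region size) for each memory dump; identical sizes across PIDs suggest one payload image."""
    return sorted((d["pid"], d["size"]) for d in report["dumps"])
```

Run `parse_report(REPORT)` and pass the result to each helper. Two points the raw listing hides: the in-addr.arpa names are reverse lookups of Microsoft and CDN addresses the sandbox contacts by itself, so the only destination worth treating as an indicator is 3.120.209.58:8080; and in the full report every dumped region except the 64 KiB heap block of PID 2108 spans 0x354000 bytes at a different base, which is what the same image mapped into each of the dropped processes looks like.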