Analysis Overview
SHA256
dd95316632e1aa1ed80bde7b5422b938c81c1275287cb7e733b22b5d23c5f27d
Threat Level: Known bad
The file 2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
Xmrig family
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:31
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:31
Reported
2024-06-01 02:33
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mZcgrnn.exe | N/A |
| N/A | N/A | C:\Windows\System\PzvGILd.exe | N/A |
| N/A | N/A | C:\Windows\System\MbAFkLN.exe | N/A |
| N/A | N/A | C:\Windows\System\rFrMngj.exe | N/A |
| N/A | N/A | C:\Windows\System\LPYUUQW.exe | N/A |
| N/A | N/A | C:\Windows\System\IoIcqNj.exe | N/A |
| N/A | N/A | C:\Windows\System\FizdPCS.exe | N/A |
| N/A | N/A | C:\Windows\System\obWsfSs.exe | N/A |
| N/A | N/A | C:\Windows\System\RXpWLqo.exe | N/A |
| N/A | N/A | C:\Windows\System\lLEmRDl.exe | N/A |
| N/A | N/A | C:\Windows\System\vYTeLzv.exe | N/A |
| N/A | N/A | C:\Windows\System\dTdUrfS.exe | N/A |
| N/A | N/A | C:\Windows\System\ROBgNeO.exe | N/A |
| N/A | N/A | C:\Windows\System\LBXtcKN.exe | N/A |
| N/A | N/A | C:\Windows\System\eDDJXgg.exe | N/A |
| N/A | N/A | C:\Windows\System\pIVynSN.exe | N/A |
| N/A | N/A | C:\Windows\System\mlXZOyt.exe | N/A |
| N/A | N/A | C:\Windows\System\WKizudy.exe | N/A |
| N/A | N/A | C:\Windows\System\dtASitz.exe | N/A |
| N/A | N/A | C:\Windows\System\RxnJQeN.exe | N/A |
| N/A | N/A | C:\Windows\System\QIwBQLi.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\mZcgrnn.exe | C:\Windows\System\mZcgrnn.exe |
| C:\Windows\System\PzvGILd.exe | C:\Windows\System\PzvGILd.exe |
| C:\Windows\System\MbAFkLN.exe | C:\Windows\System\MbAFkLN.exe |
| C:\Windows\System\rFrMngj.exe | C:\Windows\System\rFrMngj.exe |
| C:\Windows\System\LPYUUQW.exe | C:\Windows\System\LPYUUQW.exe |
| C:\Windows\System\IoIcqNj.exe | C:\Windows\System\IoIcqNj.exe |
| C:\Windows\System\FizdPCS.exe | C:\Windows\System\FizdPCS.exe |
| C:\Windows\System\RXpWLqo.exe | C:\Windows\System\RXpWLqo.exe |
| C:\Windows\System\obWsfSs.exe | C:\Windows\System\obWsfSs.exe |
| C:\Windows\System\lLEmRDl.exe | C:\Windows\System\lLEmRDl.exe |
| C:\Windows\System\vYTeLzv.exe | C:\Windows\System\vYTeLzv.exe |
| C:\Windows\System\dTdUrfS.exe | C:\Windows\System\dTdUrfS.exe |
| C:\Windows\System\ROBgNeO.exe | C:\Windows\System\ROBgNeO.exe |
| C:\Windows\System\LBXtcKN.exe | C:\Windows\System\LBXtcKN.exe |
| C:\Windows\System\eDDJXgg.exe | C:\Windows\System\eDDJXgg.exe |
| C:\Windows\System\WKizudy.exe | C:\Windows\System\WKizudy.exe |
| C:\Windows\System\pIVynSN.exe | C:\Windows\System\pIVynSN.exe |
| C:\Windows\System\dtASitz.exe | C:\Windows\System\dtASitz.exe |
| C:\Windows\System\mlXZOyt.exe | C:\Windows\System\mlXZOyt.exe |
| C:\Windows\System\RxnJQeN.exe | C:\Windows\System\RxnJQeN.exe |
| C:\Windows\System\QIwBQLi.exe | C:\Windows\System\QIwBQLi.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:31
Reported
2024-06-01 02:33
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
157s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JvmHBKe.exe | N/A |
| N/A | N/A | C:\Windows\System\msCWXhM.exe | N/A |
| N/A | N/A | C:\Windows\System\hNGOjor.exe | N/A |
| N/A | N/A | C:\Windows\System\qcHydaC.exe | N/A |
| N/A | N/A | C:\Windows\System\cUvlOTJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gaOvsgQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OJXHDSG.exe | N/A |
| N/A | N/A | C:\Windows\System\AlFJylG.exe | N/A |
| N/A | N/A | C:\Windows\System\vFfDFEq.exe | N/A |
| N/A | N/A | C:\Windows\System\wGNKdgf.exe | N/A |
| N/A | N/A | C:\Windows\System\DbrgosM.exe | N/A |
| N/A | N/A | C:\Windows\System\UezpfvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BNaKOZk.exe | N/A |
| N/A | N/A | C:\Windows\System\tKSATMq.exe | N/A |
| N/A | N/A | C:\Windows\System\HolcOOr.exe | N/A |
| N/A | N/A | C:\Windows\System\prpkQBB.exe | N/A |
| N/A | N/A | C:\Windows\System\CdhHATg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcshvDD.exe | N/A |
| N/A | N/A | C:\Windows\System\uoIKXZZ.exe | N/A |
| N/A | N/A | C:\Windows\System\LHYKbFn.exe | N/A |
| N/A | N/A | C:\Windows\System\sPriCbM.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_81f035b288eb538a5ed9c8fc39ab38bc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\JvmHBKe.exe | C:\Windows\System\JvmHBKe.exe |
| C:\Windows\System\msCWXhM.exe | C:\Windows\System\msCWXhM.exe |
| C:\Windows\System\hNGOjor.exe | C:\Windows\System\hNGOjor.exe |
| C:\Windows\System\qcHydaC.exe | C:\Windows\System\qcHydaC.exe |
| C:\Windows\System\cUvlOTJ.exe | C:\Windows\System\cUvlOTJ.exe |
| C:\Windows\System\gaOvsgQ.exe | C:\Windows\System\gaOvsgQ.exe |
| C:\Windows\System\OJXHDSG.exe | C:\Windows\System\OJXHDSG.exe |
| C:\Windows\System\AlFJylG.exe | C:\Windows\System\AlFJylG.exe |
| C:\Windows\System\vFfDFEq.exe | C:\Windows\System\vFfDFEq.exe |
| C:\Windows\System\wGNKdgf.exe | C:\Windows\System\wGNKdgf.exe |
| C:\Windows\System\DbrgosM.exe | C:\Windows\System\DbrgosM.exe |
| C:\Windows\System\UezpfvQ.exe | C:\Windows\System\UezpfvQ.exe |
| C:\Windows\System\BNaKOZk.exe | C:\Windows\System\BNaKOZk.exe |
| C:\Windows\System\tKSATMq.exe | C:\Windows\System\tKSATMq.exe |
| C:\Windows\System\HolcOOr.exe | C:\Windows\System\HolcOOr.exe |
| C:\Windows\System\prpkQBB.exe | C:\Windows\System\prpkQBB.exe |
| C:\Windows\System\CdhHATg.exe | C:\Windows\System\CdhHATg.exe |
| C:\Windows\System\ZcshvDD.exe | C:\Windows\System\ZcshvDD.exe |
| C:\Windows\System\uoIKXZZ.exe | C:\Windows\System\uoIKXZZ.exe |
| C:\Windows\System\LHYKbFn.exe | C:\Windows\System\LHYKbFn.exe |
| C:\Windows\System\sPriCbM.exe | C:\Windows\System\sPriCbM.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4888-0-0x00007FF735F00000-0x00007FF736254000-memory.dmp
memory/4888-1-0x000002A1769C0000-0x000002A1769D0000-memory.dmp
C:\Windows\System\JvmHBKe.exe
| MD5 | cd2955deacec5bcac8863a9361763e34 |
| SHA1 | 4137af6a07d50f6878ee4cf5bb66b6d7e5608978 |
| SHA256 | e914e1eddbafb997430ddab6003407fe97a55d5e93d126b5f3bab557f28db2f2 |
| SHA512 | a1ae2ff1f589dfd72ba0dc794dddd6d14840ebdbfc3eb27dbee1e90345a0121d5c6b4f8214259aff2494bfc9f8ad15408db61825a59f771d192e92b2760f7a69 |
memory/5040-8-0x00007FF7BEDF0000-0x00007FF7BF144000-memory.dmp
C:\Windows\System\JvmHBKe.exe
| MD5 | 170dd624fc04fc3839f9c4b66a089ce7 |
| SHA1 | 689050489367e9d7989856de58d7dae4b3e867bb |
| SHA256 | 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b |
| SHA512 | 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a |
C:\Windows\System\msCWXhM.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
memory/4204-14-0x00007FF7F3F20000-0x00007FF7F4274000-memory.dmp
C:\Windows\System\hNGOjor.exe
| MD5 | ca2c8fc23ac2c4dd58545d16927e5bef |
| SHA1 | b94b35150eb75787af3ce6aea401e04f2ec70fc4 |
| SHA256 | 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef |
| SHA512 | 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce |
C:\Windows\System\hNGOjor.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
memory/2120-20-0x00007FF7A7AB0000-0x00007FF7A7E04000-memory.dmp
C:\Windows\System\qcHydaC.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\System\qcHydaC.exe
| MD5 | b4dfce80d6bb1ce23f3c5302b468f449 |
| SHA1 | 6198054da28b5c2d5282b65ac4ee173025bd7698 |
| SHA256 | 28ed2427624e8ef4b9bb4176ed3dd615a743307f0372c54fdd3417767341d210 |
| SHA512 | 1e753522ea0b8c91e33a1b7232acd7a858178de8d5e1ff966e7908c84ff6eb24c09fe6fad60be026fe091c1511fd9e6a1bbd66d7ec9d0be6f823597f03607ec5 |
memory/1192-26-0x00007FF654B10000-0x00007FF654E64000-memory.dmp
C:\Windows\System\cUvlOTJ.exe
| MD5 | c665d55523745ebd550a2c4296ad8ec9 |
| SHA1 | 43f72a8e93454ded742dbec7a7c84f59cb0d6520 |
| SHA256 | 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b |
| SHA512 | 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454 |
memory/3304-30-0x00007FF771BF0000-0x00007FF771F44000-memory.dmp
C:\Windows\System\gaOvsgQ.exe
| MD5 | d872631fef320bcfe95799f5b4c466cb |
| SHA1 | 451a1400f207f69d35ba907e243aed76879dcd2c |
| SHA256 | 2c35d06862247b330fc3f8d9e6af582fea555fda1909ac568685a45fc440b438 |
| SHA512 | 2386867492e72b11ef633226d6bd8e4694f30ef287e4120da56c256823abf746800962069c455536682137d30dfdae1f3be9dfc70d5390788973809462de138d |
memory/3144-38-0x00007FF6FE740000-0x00007FF6FEA94000-memory.dmp
C:\Windows\System\OJXHDSG.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\System\OJXHDSG.exe
| MD5 | fe23c2895808f37c631fe64d18aa72e6 |
| SHA1 | fdd2e611a75bf85bed662caef14df21d29fe6a21 |
| SHA256 | 85240bb88f228eb440192aeb6aa8a5482627411ed565a116a70d908b133e993e |
| SHA512 | 4081c359dd4f157e86c1ff4b4862a91f4c721ab8377797c95bedd763148ec3e381f7bff52d49cace6cd515d70c834b922bf83d457436cf53eb7a633a5b1f7373 |
C:\Windows\System\AlFJylG.exe
| MD5 | e2042d11b554072fb47eb35732a85d6f |
| SHA1 | ff44c5aa683e1200439b2e425f44c59bc73c97d0 |
| SHA256 | 840d1c46ebb882aebfd1b5613600ff649416993949b2f8e5938ca45c2569ed68 |
| SHA512 | e974d3d3fc410a609f34cc46596558553c33186598eb7bc852c56b253bdd26de81bf719c270a682faef67a8b1f0dc1908340eec7a4dca57965ef3764fa77f69a |
memory/1284-46-0x00007FF758F00000-0x00007FF759254000-memory.dmp
memory/5064-50-0x00007FF6C7260000-0x00007FF6C75B4000-memory.dmp
C:\Windows\System\vFfDFEq.exe
| MD5 | 12f04703ce5a77b87ec8c2e43857c42e |
| SHA1 | 6250977a12b50458fce84fdf9d7527eb3b7440a4 |
| SHA256 | 893bbedd49ab455cf3d9eece418e32896fe9765dfb0365dad690da1fb4ea000e |
| SHA512 | 902633468087769673c796e7664dba8f9f953ad8f6f2071ec78f02da9f16261aaff271af94b8560ad8d1394d5d61e42da1f5a01f5661450225d0045e4e3434f5 |
memory/4888-60-0x00007FF735F00000-0x00007FF736254000-memory.dmp
memory/3996-63-0x00007FF73B750000-0x00007FF73BAA4000-memory.dmp
C:\Windows\System\wGNKdgf.exe
| MD5 | 498742578af4268f795d896fcaad1acd |
| SHA1 | da63b38b4909061d87e90b2b91a7a2a2566d06a3 |
| SHA256 | 95d2a882e9a1b0e3fb5bc2251eb97a8842217e83bb84f6bf898038adeaa6ad07 |
| SHA512 | 1a9b97628b375293a31efdc60f640e27f7bfe8a02e0b2e55b33ca7fd3b3ccbe3fba5b49a9af7e8e34d80464f43490637a410b661385b2f848f00f71b48499762 |
C:\Windows\System\UezpfvQ.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
memory/4204-74-0x00007FF7F3F20000-0x00007FF7F4274000-memory.dmp
memory/4480-76-0x00007FF6E2570000-0x00007FF6E28C4000-memory.dmp
C:\Windows\System\BNaKOZk.exe
| MD5 | e7fc0f89ccc98bc6c4ad3c7cfd449a8f |
| SHA1 | 2ea7ac298b8c2aa25c789200661f74db8fb761ee |
| SHA256 | ddf080bdde61a8a1991e8e1f9b61b0c4fd7f9da134006d6505ad1fc0367c1319 |
| SHA512 | 86f499c41ff3d738967b119f038d3525e5ae162895a4d5880a9fff94cd5a709d2e5aeb0b946d3a4d801a04c0efc7bc3a5e2acc4f11a59a7ac314d1828f697080 |
C:\Windows\System\UezpfvQ.exe
| MD5 | c295faa825ad3ddc32c409174170d429 |
| SHA1 | 3e31cba68dae948d823314de753b99b88fc06bd0 |
| SHA256 | b89b898cb4da948c2bd44f71001c9b2995b6ea6fe4cec6bc8f18c4e32a653595 |
| SHA512 | 7dba6ff039047d9d8cc2fde3e62ca017fcb0e1dea45543c55e4667e7098bb23541d2caaf176f01e3523f8cdc83b8f57a5986ee03890446f9e8fd2e826d9b1196 |
memory/4272-73-0x00007FF73D730000-0x00007FF73DA84000-memory.dmp
memory/1568-84-0x00007FF75E020000-0x00007FF75E374000-memory.dmp
memory/2120-83-0x00007FF7A7AB0000-0x00007FF7A7E04000-memory.dmp
memory/5040-69-0x00007FF7BEDF0000-0x00007FF7BF144000-memory.dmp
memory/1552-55-0x00007FF7A1D50000-0x00007FF7A20A4000-memory.dmp
memory/2140-90-0x00007FF7980D0000-0x00007FF798424000-memory.dmp
C:\Windows\System\HolcOOr.exe
| MD5 | 10a471318897cf1e4e64863078d1bb5d |
| SHA1 | 5d1f63b8549ee3555485a0a4ea84ceeff90d7b77 |
| SHA256 | c9ffdb4101723b621cf8587f8c91d5523066ddf31207e6bd74f335015741feb9 |
| SHA512 | 00a845ab5e6bb7dae4275f09ec900e8c7ce3b7892d8340ddf41fa2aace0b3dac27b2f46fae4d3a05097466fbeb3cfaacf5526c24f5d587cdd83065e74091966d |
memory/3304-96-0x00007FF771BF0000-0x00007FF771F44000-memory.dmp
memory/4772-97-0x00007FF78CF60000-0x00007FF78D2B4000-memory.dmp
C:\Windows\System\prpkQBB.exe
| MD5 | 3eabd8d3b35f3b004af1d4789181b7bb |
| SHA1 | cf8bce05b65207b856b95aaafb90980aeba036e4 |
| SHA256 | 6800cccb7ba772e865d3787fed5b6f4c7664462211743dfbfbb003d5add8f2d7 |
| SHA512 | 3882decda145ee1f856e53fed261b8114a8340abd15eea26c2d0e7eb011d4353a88f5e30bb2ad8b92c7ee938d070987072bdde7fa03a9de78bbf13f05a9a5de3 |
C:\Windows\System\ZcshvDD.exe
| MD5 | 4bb27f9f4655d6768db18e5e0a474511 |
| SHA1 | b501ab9414fa57f7699039e98f023d850c9b41b4 |
| SHA256 | 38e578b813f2d7ad757fc4865aec5c85cf08b75f408871cc38c615757c734a43 |
| SHA512 | 1581ac767a322bc3c385aad4ed73e325965d34196b8dbd167da5dd0f44c700b8558d0cad37cf50824e4a4f1529abf7a56ceeb28f374235870f985c71f1116f86 |
C:\Windows\System\uoIKXZZ.exe
| MD5 | 03e43057284f57f1ea7bee4dfd654415 |
| SHA1 | b12011201bc67c2267f6669dd3c2e2959ec53489 |
| SHA256 | f1b3f5f6a3cd069dd9a013845f67c56882b312082248e9d3b8792343ad3d971b |
| SHA512 | c7e48e03438b86413d9340ff69d3fb666dc8d5ac5e27f667240facd274828d178c63cd9abe300a9c53da1ec3b7440fcdf92e37a411abcd24895f977c0acb667d |
memory/2052-121-0x00007FF610EF0000-0x00007FF611244000-memory.dmp
memory/2636-126-0x00007FF7A6180000-0x00007FF7A64D4000-memory.dmp
memory/3996-129-0x00007FF73B750000-0x00007FF73BAA4000-memory.dmp
C:\Windows\System\sPriCbM.exe
| MD5 | a600b0783c5595a7a97e6595232a1c12 |
| SHA1 | 80f7fcfe232280b45e13c10c53b46d0e18961c88 |
| SHA256 | 780db962ed241d72755cc43ac9db7c602ff895b94554b88dd65f966d764586c8 |
| SHA512 | 9d075b11229edc2820d7e91967ae29bc57738aef5e67de218da3db2808de663854e894a48e6e5294dece59a20b8740a0f1bd82e8a3eefd87bc772c0637dd3f89 |
C:\Windows\System\LHYKbFn.exe
| MD5 | 6f07156ae27a94253fee2a08eb89b950 |
| SHA1 | f319aa7ff62d68267c92db1e4689cea4bfe3b428 |
| SHA256 | 6a78dddcec34f9884e9b78d42b1a452547afb294d473f39972c4d97ab5645b18 |
| SHA512 | 94394c79fb938917562b39dcc94d8e574bafbc8cf69ccb916dcd988c65dae5c1c10abcc6fe475f7c4f87ea7c32a6be2017106f9fe823e72830a8c5ded7f0a552 |
memory/1552-122-0x00007FF7A1D50000-0x00007FF7A20A4000-memory.dmp
memory/4560-134-0x00007FF69FAE0000-0x00007FF69FE34000-memory.dmp
memory/2900-135-0x00007FF6DD540000-0x00007FF6DD894000-memory.dmp
memory/4748-109-0x00007FF798630000-0x00007FF798984000-memory.dmp
memory/1284-107-0x00007FF758F00000-0x00007FF759254000-memory.dmp
memory/3800-106-0x00007FF776310000-0x00007FF776664000-memory.dmp
C:\Windows\System\CdhHATg.exe
| MD5 | 07a42fded72369eb18a9b6597da2e835 |
| SHA1 | 9ad4b1f89370902dabe5686816a5c6dca787ecef |
| SHA256 | 8fc67c72ebacf38539bd93ebb23f9909d0c4f50a7384844d0063bd0d5c28e27d |
| SHA512 | eab8d382dcb6375f8c5a7d0359148f266e42a5e1dc7e32226eac51ce2147ce62254febf65e3d52fc84a40f5249f5343dcdd842437868f3f8b5188427d3e86d30 |
memory/4480-136-0x00007FF6E2570000-0x00007FF6E28C4000-memory.dmp
memory/4748-137-0x00007FF798630000-0x00007FF798984000-memory.dmp
memory/4560-138-0x00007FF69FAE0000-0x00007FF69FE34000-memory.dmp
memory/5040-139-0x00007FF7BEDF0000-0x00007FF7BF144000-memory.dmp
memory/4204-140-0x00007FF7F3F20000-0x00007FF7F4274000-memory.dmp
memory/2120-141-0x00007FF7A7AB0000-0x00007FF7A7E04000-memory.dmp
memory/1192-142-0x00007FF654B10000-0x00007FF654E64000-memory.dmp
memory/3304-143-0x00007FF771BF0000-0x00007FF771F44000-memory.dmp
memory/3144-144-0x00007FF6FE740000-0x00007FF6FEA94000-memory.dmp
memory/1284-145-0x00007FF758F00000-0x00007FF759254000-memory.dmp
memory/5064-146-0x00007FF6C7260000-0x00007FF6C75B4000-memory.dmp
memory/1552-147-0x00007FF7A1D50000-0x00007FF7A20A4000-memory.dmp
memory/4272-149-0x00007FF73D730000-0x00007FF73DA84000-memory.dmp
memory/3996-148-0x00007FF73B750000-0x00007FF73BAA4000-memory.dmp
memory/4480-151-0x00007FF6E2570000-0x00007FF6E28C4000-memory.dmp
memory/1568-150-0x00007FF75E020000-0x00007FF75E374000-memory.dmp
memory/2140-152-0x00007FF7980D0000-0x00007FF798424000-memory.dmp
memory/4772-153-0x00007FF78CF60000-0x00007FF78D2B4000-memory.dmp
memory/3800-154-0x00007FF776310000-0x00007FF776664000-memory.dmp
memory/2052-156-0x00007FF610EF0000-0x00007FF611244000-memory.dmp
memory/4748-155-0x00007FF798630000-0x00007FF798984000-memory.dmp
memory/2636-157-0x00007FF7A6180000-0x00007FF7A64D4000-memory.dmp
memory/2900-159-0x00007FF6DD540000-0x00007FF6DD894000-memory.dmp
memory/4560-158-0x00007FF69FAE0000-0x00007FF69FE34000-memory.dmp
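Added example, not part of this sandbox report: a Python parser for the Network and Files sections above that turns them into an IOC bundle. It repairs network rows whose empty Domain cell was dropped in rendering (so "tcp" slid one column left), keeps every recorded write of a dropped path (JvmHBKe.exe is listed twice with different hashes), decodes the memory-dump names into PID, sequence number, base address and region size, and flags paths that fit the naming scheme of the drops on this page. The excerpts embedded in the block are copied from this report with the SHA512 rows left out; the seven-letter naming regex is an assumption generalized from the names listed here, not something the report states.

```python
"""Parse the Network and Files sections of a sandbox report into an IOC bundle."""
import re
from collections import defaultdict

# Constructed input: rows copied from this report's Network table. The DE rows have
# an empty Domain cell that the rendering dropped, so "tcp" sits in the Domain column
# and the last row is short one cell.
NETWORK_EXCERPT = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp |
"""

# Constructed input: entries copied from this report's Files section (SHA512 rows
# omitted). Memory-dump names are interleaved with dropped-file paths, and a path
# repeats when the report recorded more than one write to it.
FILES_EXCERPT = r"""
memory/4888-0-0x00007FF735F00000-0x00007FF736254000-memory.dmp
memory/4888-1-0x000002A1769C0000-0x000002A1769D0000-memory.dmp
C:\Windows\System\JvmHBKe.exe
| MD5 | cd2955deacec5bcac8863a9361763e34 |
| SHA1 | 4137af6a07d50f6878ee4cf5bb66b6d7e5608978 |
| SHA256 | e914e1eddbafb997430ddab6003407fe97a55d5e93d126b5f3bab557f28db2f2 |
memory/5040-8-0x00007FF7BEDF0000-0x00007FF7BF144000-memory.dmp
C:\Windows\System\JvmHBKe.exe
| MD5 | 170dd624fc04fc3839f9c4b66a089ce7 |
| SHA1 | 689050489367e9d7989856de58d7dae4b3e867bb |
| SHA256 | 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b |
C:\Windows\System\msCWXhM.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
"""

PROTOCOLS = {"tcp", "udp"}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Every dropped path on this page is seven ASCII letters under C:\Windows\System.
# Treating that as the naming scheme is an assumption drawn from this one report.
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def split_row(line):
    """Split one '| a | b |' table row into stripped cells."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_network(text):
    """Return the network table as dicts keyed by header, repairing rows whose
    empty Domain cell was dropped so that the protocol slid into that column."""
    lines = [l for l in text.splitlines() if l.lstrip().startswith("|")]
    header = split_row(lines[0])
    rows = []
    for line in lines[1:]:
        cells = split_row(line)
        if len(cells) >= 3 and cells[2].lower() in PROTOCOLS and (len(cells) == 3 or cells[3] == ""):
            cells = cells[:2] + ["", cells[2]]  # reinsert the missing Domain cell
        cells += [""] * (len(header) - len(cells))
        rows.append(dict(zip(header, cells[: len(header)])))
    return rows


def non_dns_destinations(rows):
    """Destinations other than the resolver traffic on port 53, with hit counts."""
    counts = defaultdict(int)
    for r in rows:
        if not r["Destination"].endswith(":53"):
            counts[(r["Destination"], r["Proto"])] += 1
    return dict(counts)


def parse_files(text):
    """Return (dropped, dumps): dropped maps path -> list of hash dicts, one per
    recorded write; dumps lists (pid, seq, base, size) for each memory dump."""
    dropped, dumps, current = defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16) - int(start, 16)))
            current = None
        elif line.startswith("|"):
            algo, value = split_row(line)[:2]
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current[algo.upper()] = value.lower()
        else:
            current = {}  # a path line opens a new record, even for a repeated path
            dropped[line].append(current)
    return dict(dropped), dumps


def drop_pattern_hits(dropped):
    """Dropped paths that fit the naming scheme observed in this report."""
    return sorted(p for p in dropped if DROP_NAME_RE.match(p))


def ioc_set(rows, dropped):
    """Flat IOC bundle suitable for a blocklist or a hunt query."""
    return {
        "sha256": sorted({h["SHA256"] for hs in dropped.values() for h in hs if "SHA256" in h}),
        "destinations": sorted({r["Destination"] for r in rows if not r["Destination"].endswith(":53")}),
        "paths": drop_pattern_hits(dropped),
    }


if __name__ == "__main__":
    rows = parse_network(NETWORK_EXCERPT)
    dropped, dumps = parse_files(FILES_EXCERPT)
    print(non_dns_destinations(rows))
    print(ioc_set(rows, dropped))
    print([(pid, seq, hex(size)) for pid, seq, _, size in dumps])
```

Run against the full sections above, the size field of the decoded dump names shows that every dropped-process image region on this page spans 0x354000 bytes (for example 0x00007FF7BF144000 minus 0x00007FF7BEDF0000), while the 0x10000-byte dump at memory/4888-1 is a separate small region in the original process. The row repair is specific to this rendering of the table; feed it a report whose empty cells survive and the branch is simply never taken.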