Analysis Overview
SHA256
5ab9536e2b123a93b736f01b3ac3ef45c6ef0366615633c08de686c491e1df62
Threat Level: Known bad
The file 2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:42
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:42
Reported
2024-06-01 03:44
Platform
win7-20231129-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FwDFKwA.exe | N/A |
| N/A | N/A | C:\Windows\System\xCQULGt.exe | N/A |
| N/A | N/A | C:\Windows\System\JuQcsFn.exe | N/A |
| N/A | N/A | C:\Windows\System\JVPdyYI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZvEgvPg.exe | N/A |
| N/A | N/A | C:\Windows\System\NrOHYak.exe | N/A |
| N/A | N/A | C:\Windows\System\ELbywFu.exe | N/A |
| N/A | N/A | C:\Windows\System\NxwcaZt.exe | N/A |
| N/A | N/A | C:\Windows\System\kMpjlkj.exe | N/A |
| N/A | N/A | C:\Windows\System\QYCOIeF.exe | N/A |
| N/A | N/A | C:\Windows\System\RHkhjWe.exe | N/A |
| N/A | N/A | C:\Windows\System\BaDXrVi.exe | N/A |
| N/A | N/A | C:\Windows\System\wLYNfqT.exe | N/A |
| N/A | N/A | C:\Windows\System\OURZSoL.exe | N/A |
| N/A | N/A | C:\Windows\System\tHHceCr.exe | N/A |
| N/A | N/A | C:\Windows\System\QkHiFvo.exe | N/A |
| N/A | N/A | C:\Windows\System\wfeUnVf.exe | N/A |
| N/A | N/A | C:\Windows\System\KMLtSmY.exe | N/A |
| N/A | N/A | C:\Windows\System\kGDPonZ.exe | N/A |
| N/A | N/A | C:\Windows\System\aFQxCqn.exe | N/A |
| N/A | N/A | C:\Windows\System\gNocytm.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\FwDFKwA.exe
C:\Windows\System\xCQULGt.exe
C:\Windows\System\JuQcsFn.exe
C:\Windows\System\JVPdyYI.exe
C:\Windows\System\ZvEgvPg.exe
C:\Windows\System\NrOHYak.exe
C:\Windows\System\ELbywFu.exe
C:\Windows\System\NxwcaZt.exe
C:\Windows\System\kMpjlkj.exe
C:\Windows\System\QYCOIeF.exe
C:\Windows\System\RHkhjWe.exe
C:\Windows\System\BaDXrVi.exe
C:\Windows\System\wLYNfqT.exe
C:\Windows\System\OURZSoL.exe
C:\Windows\System\tHHceCr.exe
C:\Windows\System\QkHiFvo.exe
C:\Windows\System\wfeUnVf.exe
C:\Windows\System\KMLtSmY.exe
C:\Windows\System\kGDPonZ.exe
C:\Windows\System\aFQxCqn.exe
C:\Windows\System\gNocytm.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:42
Reported
2024-06-01 03:44
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PtbCGYe.exe | N/A |
| N/A | N/A | C:\Windows\System\yDxcSAU.exe | N/A |
| N/A | N/A | C:\Windows\System\BWCRjkF.exe | N/A |
| N/A | N/A | C:\Windows\System\rdIQJEY.exe | N/A |
| N/A | N/A | C:\Windows\System\egnRHEY.exe | N/A |
| N/A | N/A | C:\Windows\System\ccBWWXU.exe | N/A |
| N/A | N/A | C:\Windows\System\iCLvQSN.exe | N/A |
| N/A | N/A | C:\Windows\System\RbDYSnN.exe | N/A |
| N/A | N/A | C:\Windows\System\iJYlmup.exe | N/A |
| N/A | N/A | C:\Windows\System\IItwkro.exe | N/A |
| N/A | N/A | C:\Windows\System\ozkwEzP.exe | N/A |
| N/A | N/A | C:\Windows\System\BtrmrMh.exe | N/A |
| N/A | N/A | C:\Windows\System\PldxwHl.exe | N/A |
| N/A | N/A | C:\Windows\System\uspNldK.exe | N/A |
| N/A | N/A | C:\Windows\System\isNNgmm.exe | N/A |
| N/A | N/A | C:\Windows\System\rLRurxo.exe | N/A |
| N/A | N/A | C:\Windows\System\upEdJpU.exe | N/A |
| N/A | N/A | C:\Windows\System\KCsAqBx.exe | N/A |
| N/A | N/A | C:\Windows\System\rvvBUzh.exe | N/A |
| N/A | N/A | C:\Windows\System\TTNiknC.exe | N/A |
| N/A | N/A | C:\Windows\System\GuLkOZs.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\PtbCGYe.exe
C:\Windows\System\yDxcSAU.exe
C:\Windows\System\BWCRjkF.exe
C:\Windows\System\rdIQJEY.exe
C:\Windows\System\egnRHEY.exe
C:\Windows\System\ccBWWXU.exe
C:\Windows\System\iCLvQSN.exe
C:\Windows\System\RbDYSnN.exe
C:\Windows\System\iJYlmup.exe
C:\Windows\System\IItwkro.exe
C:\Windows\System\ozkwEzP.exe
C:\Windows\System\BtrmrMh.exe
C:\Windows\System\PldxwHl.exe
C:\Windows\System\uspNldK.exe
C:\Windows\System\isNNgmm.exe
C:\Windows\System\rLRurxo.exe
C:\Windows\System\upEdJpU.exe
C:\Windows\System\KCsAqBx.exe
C:\Windows\System\rvvBUzh.exe
C:\Windows\System\TTNiknC.exe
C:\Windows\System\GuLkOZs.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Windows\System\PtbCGYe.exe
| MD5 | 25ec551d9776b81f1216df11e4dfed20 |
| SHA1 | 49d64d50aca5d7d1ab5f1673c89c13181d689d14 |
| SHA256 | 897f7e1ae96d8c34b93bad43a55657c25340caacc9c55d8a495127142293004a |
| SHA512 | d344eeca63af4776b0122384fbe978ae4d162c8049d58e6af409c8fa93af35376c6aa66040033d4f6ab113cb854c24596092f110944b5c8d5411993652fd169f |
C:\Windows\System\yDxcSAU.exe
| MD5 | be6b10620fd705ea1a48479ca8b20945 |
| SHA1 | 93075cf251182763634e344d3d5867ed8a107791 |
| SHA256 | 5b1a8df58fc0f567d019b6721a8ddf045f976c05fcf4f0ee6a46efba47eae18b |
| SHA512 | e7989a389ed76c63ff65ac03f16d92c7724b1b0a37ffa3bccf1bae002f62d8c98e94ac6eab865ffc1f3b243e8d708e08bae49a4c7bc9549b54a860955c07d04f |
C:\Windows\System\BWCRjkF.exe
| MD5 | 1207b82fdaea14c234253a3e7cf3a3fa |
| SHA1 | b216116b38ea508a3cd395097e0d650fee5f6e57 |
| SHA256 | 0572a146141007717c1185f380f0df71fb7a7842975db85d49d3edd35b6037b1 |
| SHA512 | 0c5dd1da93bdbda68e9a743ba53d5f5565e6bebffd56c86fd2869d3ee7a11278ac7da66a30c4b691a5af50bdfc9773a61b366c1167fe9294ec56471541b8695f |
C:\Windows\System\rdIQJEY.exe
| MD5 | 86e180c89e27d8a12e9cf260a210d974 |
| SHA1 | d21e7ade6ce414fe9102ce63478c561441dad930 |
| SHA256 | 09afa404d5613f97a72aaa8d58d3c0d9193e74d3d5c8f593539614a2f5fe639a |
| SHA512 | 6636e8e52f3fc4dc676da4ecdb905461d04dc7104f6431ab17e9de3abd8d9d39f0a285a1c3ef0e3f920ddf5bf2ab2930f6eb0061efca514f9695afad784895e3 |
C:\Windows\System\egnRHEY.exe
| MD5 | 6a983f74654186362df998ed95c465ef |
| SHA1 | 0dfa6744682bb9fe97915496672d924ba016e9bb |
| SHA256 | 89565e6492d66c11940c74fdb75346dc97a20ba8c73446df77cbc27887a3899b |
| SHA512 | 6582116266a889ccfc85460f0a28a648cf032d6339d87c2c73ec24e943d73b3f982124d07d628ca61fb9b07da62794c24e79ba93857da4c3ff0483b9d540217c |
C:\Windows\System\ccBWWXU.exe
| MD5 | c31f526518fc197dd6b31ed92a7e6f6d |
| SHA1 | 8ee84244f0403b8a708523cf6f5ed90dca593bd2 |
| SHA256 | d82372543f7f581cc36ff0dd07cdafc85f5556cd19d87873aa0104789e09cd24 |
| SHA512 | 40943e766a6588056b68dea8926f37c7dd37a3fd17b26a4d8997921334c035be33f9ed4105ca33850d1461956fb5f6ec2b07efc2103e31ca660134d6feb4bee9 |
C:\Windows\System\iCLvQSN.exe
| MD5 | 81c694a0168be528b03eb39800b66055 |
| SHA1 | 6bfb6b36b63cce4716b271303d6a6504889eb215 |
| SHA256 | 95b49d76f053460b19c16d09251d77337f85de9062d9a2697d3bf2f9f59fbae1 |
| SHA512 | a22dfd01c7d01b6c586acd4ed3f0c3112cb27122dc8f91d6f1e9449b723d8b85fd9fa4005a062e529dca67bdf7a060ac9ea24b957b898db1f0ac7ad792afba7f |
C:\Windows\System\RbDYSnN.exe
| MD5 | 530e85fcd86416cbda51f4c2548b7cc6 |
| SHA1 | 252aa640a721e30ab8739124d3c2d10ec621bb37 |
| SHA256 | b0dd0e3bb50bc3675e2de4ac901f744ffd15661d81a270b66fb28a885b8365b2 |
| SHA512 | cce43d13d254633bea1a41a0de0971ecc5194e8518524e8515bdb74b7b473b62ae949060cb079e7f3d7c20465ab3a42c47e84ac31bd1426386d72f0da31fa0c3 |
C:\Windows\System\iJYlmup.exe
| MD5 | 890b063c15aeb84ed0748cbd94328b1c |
| SHA1 | 04b51ebb4d7094bfcee3f62e7119a8ea00a19619 |
| SHA256 | 198c9d0f51038a29076cbdf830c259a782d560c5ef2a599ebac8ae4a9ca71af9 |
| SHA512 | e6e349940cf1e57bcca8f5c1d92effeb7b2c50037b311c293c15aa5f323db0820c686c14b449408c1f01e2dc15c5c1a5a5606ec21119749802df489389c47af3 |
C:\Windows\System\IItwkro.exe
| MD5 | 3318bc748bc16e7ffa2990730f5a6c3a |
| SHA1 | 8fb730075e9ddb46c923b198a93b9a09ab7bdf36 |
| SHA256 | afa9929a60660b12affe2415b15196fbc1ed36048e36c412dd7a945afc0f179c |
| SHA512 | 384983b62b459ecedae87fcd5e67055359eb268a6f5e0bb66d7a82769864084bead6628c01af6a2f6f7a9b7165c0906869b500203602b454721813f898c535d8 |
C:\Windows\System\ozkwEzP.exe
| MD5 | 7b642fd032d8ac9a40d40aff934aa234 |
| SHA1 | 6e94c5b8e605e46f3d98ee7c8a2b4792fd5d3176 |
| SHA256 | 50555f44d31e17e9495c55126ed3252907540e412765ae68cfa087a89d59225b |
| SHA512 | 2c4bcdaf3e0bb1420c53aeacf8667fd4ade30a64642188fbd3d002baba4edc836fed422d363eb4b4b8077e4d6cb6ab5f61d8f4927299c6532d74e70978fa08fd |
C:\Windows\System\BtrmrMh.exe
| MD5 | d89db565af779c4ce17aa928496d77b9 |
| SHA1 | f42308fc5c9ff2374250d79dae07bef363f631b1 |
| SHA256 | a044040e624aa135af2da12a64db83c9b75805cd00e554a8516a3648038e5360 |
| SHA512 | ad4a176aff6c14d55c9894a07588d3d0ae25e47d2ea49ebdfa4298b4048ecd7779ecd4096672297a65ea14744881c246a2f4019a2ccf6ce9df5fc3e7193d2025 |
C:\Windows\System\uspNldK.exe
| MD5 | 901593e43df02fcb506ee95061a4334c |
| SHA1 | 58954d89d52d049baf52e40b07d6ef6873995be3 |
| SHA256 | b51cce4b39d83cf05c0dde7ffe0400862d39401efab7ccee2d86d7d5ebcd2932 |
| SHA512 | 1a62554863c4fb33d7f400d3c9c675c0b8b616d9a6c7cba7663af91bb83d7017f9d3f36b7152ce2d1d4256967646fe985b2d14280e248a753520cb93be0f137c |
C:\Windows\System\PldxwHl.exe
| MD5 | 6f0d181fd09becafda8a560b0068a50b |
| SHA1 | 29cb281bcc53834821dc99c8c22ff5e73b724d91 |
| SHA256 | 9e458671a323366f4ba5d2b071e4025d0790793479dbda1eccfbf3f857f88740 |
| SHA512 | a821e4cb83793434620ee458e2c0a86673befd42e714cd467c69c60a7b4911825fc0dc31567dd6b73e8af5c79945c3eee630e5c240596cb8c506a75a01e6cd20 |
C:\Windows\System\rLRurxo.exe
| MD5 | 4faa4027e008b8320d52ef93c8e7d53d |
| SHA1 | 08acb1a718783b1eaf59fd0db4a682fd06f3fd9e |
| SHA256 | 628f2d36d4a3d7ac752a2ef88a3e25dd9fa84fbcd56e9895e83bdc5bb9cc056a |
| SHA512 | 5ab81c6b18c416f2dfeb3f4dda17ec748e9ff9a1b6823d7f2130d76a332b07adac330832633426b49148afe5df4dc88aaa9be7888975ce41868b7b8f96840c40 |
C:\Windows\System\upEdJpU.exe
| MD5 | b0115820ae7391bcb50a655c03c3f132 |
| SHA1 | 256e4869087f9d279f72367c271ece27441b4be4 |
| SHA256 | dcab42a2e6417dbdd6ee1fc0eb6fa03efe89bf80de14f1aad3a6b0fca35fcf24 |
| SHA512 | 06cddb4a7a5a9b2ca325194420e766b3b0454f72ad238db87a29e01d92567d2a56fbd0507104b295ef73c83d562fcf8a4eaab9412eea568009a47e99f7b495d6 |
C:\Windows\System\rvvBUzh.exe
| MD5 | d4d56d5be8a96b35b5d053e3cabdfca0 |
| SHA1 | 67719fb86c23e60d6c5a4ff33c0f7dd827c39c4c |
| SHA256 | d2bccf875cc184599e2bead49a48e389d719e08ca0daf119973340e3c3c027ff |
| SHA512 | 167e428d38e14dd01aa48c6e975ad526bfb66f43bedee47299ddb92ed0f302707a99f2f022367539fd3dd44c0b1a3118ba5e042873cc0caa14183980532e15a9 |
C:\Windows\System\GuLkOZs.exe
| MD5 | c80ad6b415c9f04a53b51d8b0e9c01c1 |
| SHA1 | 6e807987f1b634b4eedcb3c6d0aa0a6284ca79a5 |
| SHA256 | 339a7dfc47af6d1e2c10aa416a65cb42cf16407a619fbe7aba8963aab803825e |
| SHA512 | 8fd9c485566c70c1c8ff2f4b762cae8d5cad191dada66c911b3b03e302da0fbd17befb9b7ee88c7fa7c25c994453caa6a8943ec0ac2365eba2da57fb9d914f23 |
C:\Windows\System\TTNiknC.exe
| MD5 | f5f051e2b7f5ec53dcbfd06e5d0c31bb |
| SHA1 | 42d67434217bba8dc08d78fea952e42f8fc6aec3 |
| SHA256 | c90e33c0c926b3e4c51d777eb1c6951054816f7d794ca8c4d5a2a71576689c26 |
| SHA512 | 74dc1b645cd032793826a5e9403c9144e72d1985a07d17d832bc8f24ee3bc399c6239cc4f98ca34c2d2b2d3fca9f7dbdbb3abfeea4efe0e4458bf1d49d33697f |
C:\Windows\System\KCsAqBx.exe
| MD5 | 85bf8664ab41bae97d809d22dc73b6f2 |
| SHA1 | 82578727983e83deef5cf2e084b2e03a98bf577e |
| SHA256 | 29b47cac35a35a9bf5d11a4b245d0fba37a29096d23a6ecf386a397dceb80771 |
| SHA512 | 6ba6e8abdae3099f87e9cfad113a9351ae6bb6b6c5acced675a15487ddbab4a1fd00056d554f23ae2717a6709f879e99d8a464512f65f0d642282b68a4df0c87 |
C:\Windows\System\isNNgmm.exe
| MD5 | f556bc3dfd1590d2a74dbcda4bc7b21a |
| SHA1 | a06bea4380fc5205062a2daf409f85d5381e32dc |
| SHA256 | 72155f8813f12b63718d829c1774b7b7ea96a64682e18d5f6b2fb3ba7a4266aa |
| SHA512 | 73982bbc19a21794021893d6568be7c571d35cd5242691ecdb36f4be0a1f7aefc20eef2962eb4328263175fd45f64f5fe4c8bdd069364cb9dc4fa00f54a33507 |