Analysis Overview
SHA256
00d8bb9a84840cace6185c5bffeaef6bd426057ed5cd428d4c0b9fbfe67f1003
Threat Level: Known bad
The file 2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike family
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:06
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:06
Reported
2024-06-01 03:09
Platform
win7-20240508-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LxxIuUf.exe | N/A |
| N/A | N/A | C:\Windows\System\vFTjfuH.exe | N/A |
| N/A | N/A | C:\Windows\System\wfUdkJU.exe | N/A |
| N/A | N/A | C:\Windows\System\mVUoviE.exe | N/A |
| N/A | N/A | C:\Windows\System\wnrVlzq.exe | N/A |
| N/A | N/A | C:\Windows\System\gPCQbMD.exe | N/A |
| N/A | N/A | C:\Windows\System\LnSXVCr.exe | N/A |
| N/A | N/A | C:\Windows\System\IZwfwNO.exe | N/A |
| N/A | N/A | C:\Windows\System\essdRrN.exe | N/A |
| N/A | N/A | C:\Windows\System\UMcFDEt.exe | N/A |
| N/A | N/A | C:\Windows\System\JKpmpDx.exe | N/A |
| N/A | N/A | C:\Windows\System\TtVXBOb.exe | N/A |
| N/A | N/A | C:\Windows\System\TAcZEzp.exe | N/A |
| N/A | N/A | C:\Windows\System\isNZLof.exe | N/A |
| N/A | N/A | C:\Windows\System\SfRbcsa.exe | N/A |
| N/A | N/A | C:\Windows\System\btAeHbR.exe | N/A |
| N/A | N/A | C:\Windows\System\LSGJrdH.exe | N/A |
| N/A | N/A | C:\Windows\System\vgwyGAW.exe | N/A |
| N/A | N/A | C:\Windows\System\lLmViHT.exe | N/A |
| N/A | N/A | C:\Windows\System\VZMRYVu.exe | N/A |
| N/A | N/A | C:\Windows\System\BTGywOC.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LxxIuUf.exe
C:\Windows\System\LxxIuUf.exe
C:\Windows\System\vFTjfuH.exe
C:\Windows\System\vFTjfuH.exe
C:\Windows\System\wfUdkJU.exe
C:\Windows\System\wfUdkJU.exe
C:\Windows\System\wnrVlzq.exe
C:\Windows\System\wnrVlzq.exe
C:\Windows\System\mVUoviE.exe
C:\Windows\System\mVUoviE.exe
C:\Windows\System\gPCQbMD.exe
C:\Windows\System\gPCQbMD.exe
C:\Windows\System\LnSXVCr.exe
C:\Windows\System\LnSXVCr.exe
C:\Windows\System\essdRrN.exe
C:\Windows\System\essdRrN.exe
C:\Windows\System\IZwfwNO.exe
C:\Windows\System\IZwfwNO.exe
C:\Windows\System\UMcFDEt.exe
C:\Windows\System\UMcFDEt.exe
C:\Windows\System\JKpmpDx.exe
C:\Windows\System\JKpmpDx.exe
C:\Windows\System\TtVXBOb.exe
C:\Windows\System\TtVXBOb.exe
C:\Windows\System\TAcZEzp.exe
C:\Windows\System\TAcZEzp.exe
C:\Windows\System\isNZLof.exe
C:\Windows\System\isNZLof.exe
C:\Windows\System\SfRbcsa.exe
C:\Windows\System\SfRbcsa.exe
C:\Windows\System\btAeHbR.exe
C:\Windows\System\btAeHbR.exe
C:\Windows\System\LSGJrdH.exe
C:\Windows\System\LSGJrdH.exe
C:\Windows\System\vgwyGAW.exe
C:\Windows\System\vgwyGAW.exe
C:\Windows\System\lLmViHT.exe
C:\Windows\System\lLmViHT.exe
C:\Windows\System\VZMRYVu.exe
C:\Windows\System\VZMRYVu.exe
C:\Windows\System\BTGywOC.exe
C:\Windows\System\BTGywOC.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1984-0-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/1984-1-0x000000013F400000-0x000000013F754000-memory.dmp
C:\Windows\system\LxxIuUf.exe
| MD5 | 82e5e2f6129c2d3cb1dd2e28a844528c |
| SHA1 | d0299cc2517ced85bf3e594bb35e47aef6c9ef34 |
| SHA256 | cdeb64a71bb7c8378d4899630dc1154c026f9f0600e016065ed9c45854e85296 |
| SHA512 | 2746fc22501cea636cebb7b3da8c7da1569b2a3a5edc2e8bc049dc0587a2c9d8fd0bc041caed78d4802bd228be6cb992bb44286c4a05149ecb75338aa71507b1 |
memory/1632-9-0x000000013F330000-0x000000013F684000-memory.dmp
memory/1984-8-0x0000000002370000-0x00000000026C4000-memory.dmp
C:\Windows\system\vFTjfuH.exe
| MD5 | 0db32164f1cba09b2a44c1b50880adb5 |
| SHA1 | 9bde13ec38ee281041e94619d95dac570f0ddc87 |
| SHA256 | 02c9d841d077094a7126b2b0a5675b623a54cec4f7972f0fae78c2f51f3ff3ce |
| SHA512 | a9075ec195063549a95230d28b8bd6f97548bc081f1e66ce8ff0ba7d3270ce996e48ac1e7ebe1188ebb8da1bad307fe8ea9f9f0026ace07d79ed6c3814c27710 |
memory/2740-15-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1984-13-0x000000013FB60000-0x000000013FEB4000-memory.dmp
C:\Windows\system\wfUdkJU.exe
| MD5 | d4c0c02bd1f95044d05abe1c2d364272 |
| SHA1 | d3e2b33cf6a22e007787569dfce26cf9e9a48cc2 |
| SHA256 | fae0f822cc2da3a0606d2ab8e18102d95f39d7809d37e802a7ab80264a61958a |
| SHA512 | 38de08a4f4575e7a105d8051faf68db3a1d754fd87663a01b0b044dd125aab3e59503a170c8f24b7d8fb5653c09787533117f62ce0b440ba89c2143c935fef6b |
\Windows\system\mVUoviE.exe
| MD5 | 7614c7ac00f1b83591d7b820974780a7 |
| SHA1 | 9d40173dabd00286dd895bec97dee0adf20d3299 |
| SHA256 | ee71c71e9c4252a6af21bbf3a4625376289b5f4bff0bf6ed0bfe989ee9a3ce08 |
| SHA512 | af347a08a2b2bd59a36a36c3e44a48f326bfc40c4bfa8555d3697ed501fa7859ac78773a6a27edc477907cf3449e8ea441aaafef06fc770bc188bae027d2a4be |
memory/2680-44-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1984-43-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2508-142-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1984-141-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2520-140-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2516-139-0x000000013FBC0000-0x000000013FF14000-memory.dmp
C:\Windows\system\BTGywOC.exe
| MD5 | 8981bac019b50d40fa77ed9d72e632e3 |
| SHA1 | ef33c0597f35e0783793b4d7d925866caee4fa59 |
| SHA256 | fedb164b6eb65858a36997ad742bd5feb943418b665ff2e31d605fc29fded8c6 |
| SHA512 | 88ab65afa519845047458f77f135b775a02f78c82522e3235c665c50a7df0c5db823ada375ece92ed581310c8d9d35c57d5070d58447f2b57a96d38af4987fe1 |
C:\Windows\system\VZMRYVu.exe
| MD5 | 6c2dc849dbf6e904571d84951434ad8f |
| SHA1 | f06c4e89a2bd69dc5e94ec5fb4d2b1e3de36e168 |
| SHA256 | 2789ad0b02912a1e62760ac3e992a8f8f7e7c06869bb3ab3b055756113d8e874 |
| SHA512 | adeabf2f21e5d2b235a519b2ec18487c25de78743d041c17a5a891d8552140d99e22028a938e2cdb42154c2a1abeedb3a45e28a012fb96725c3a0ebd357540c1 |
C:\Windows\system\vgwyGAW.exe
| MD5 | 1e0f800c59643e385261ee47b5781e25 |
| SHA1 | cf21c3a37346343f92b4cf4e6c2c0ee7e4648c13 |
| SHA256 | de26ee92b88cf6e097809f8e1256cd1c8cf76b22fcf3a38f597166304f84cc6a |
| SHA512 | f3d6de6e46d88b9126c3b9b2d48b9154cafacf52e480185d7a1134218c93c20aeda62ebab7fb9cff749d23783991f7b143a8655266154bc2c953ee1b5efc8972 |
C:\Windows\system\lLmViHT.exe
| MD5 | 5dda2ff659193f20ef728013d10a57b6 |
| SHA1 | f05b8c00a61b447b26c551158eea70984fb50640 |
| SHA256 | 141b522bd53ab7ed9be4b11175fc0500871156240a0cdc6d5584064451ccde3f |
| SHA512 | 37a7c947e44b050ad97de00896397260969b4b94302f8a67955ea00f926c777a491d00a7a92868b56756892fea2158b0d14985df11eff06db640f3d42d2c2851 |
C:\Windows\system\btAeHbR.exe
| MD5 | d5c68413b9a4b7a6538efce31302ae49 |
| SHA1 | cba45677ec976c359a163644b7749cd8c9494681 |
| SHA256 | d86d220752f1755ec5992f2e03f554c2076cd42c0f773c84fc68dfc9795014df |
| SHA512 | bac70940d3f0853d402cfd2dbb520e9e98509de6f13846cc4c499b94ba2e346815744a2c114de3e21ea8fce93b390ae4274c63a2c5832a15f63d5f23628b3379 |
memory/1984-112-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\LSGJrdH.exe
| MD5 | d9570b373fe74bab4ac14c6fabe32a45 |
| SHA1 | c9e8d5332e7bf590e921d415e7afceb033d65b62 |
| SHA256 | d769908cbc46f13d5d057deccdc821142cc5e680c07699092af1b0f1e9a1cb81 |
| SHA512 | 0166773eb2a374c225b02a6494096a0674967e3b69ef7ecde6bf575c8180a86b07218b4edac9be758b9cb9b8109050ce7512c7516651d9696c5163ca643122c9 |
memory/2680-108-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2640-107-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2712-106-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2824-100-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/1984-99-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2732-98-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\SfRbcsa.exe
| MD5 | 5a10aa292e8ef8099b07422e0eef3a02 |
| SHA1 | 254e87a82b06603bd56a15b63b0e7523e545ceaa |
| SHA256 | 7021b0a29a3c415344022225622109b064e9cef4da217a29b564bcadfba6e4d3 |
| SHA512 | 11d46c4b9e9cad9bdac956438d0f9f166e0e7a7d1193b400c0382ed1b9b8d0ecca110760a1f6e425eabb8964ce7dd76d941563fb7d749c097de5efe82dd63e87 |
C:\Windows\system\isNZLof.exe
| MD5 | 9342e07a4495bebaa790b557e323d4d1 |
| SHA1 | cddc99456f9b99f7caca53482ae2a354a2f144a8 |
| SHA256 | a794d21ebc28a551d70621dd3b702f516b9113e7fc3cd82bf58f4c82eda5c9c6 |
| SHA512 | f83f091bc9b56d479d8e8c1e86df9fd2cc3faa9c3401e20a5a572b0da938c4de3d35a93887952e092cd9f8105af86e1353b96e54c305e1a0b8e6a5fe1e3d1ad7 |
memory/2792-92-0x000000013F330000-0x000000013F684000-memory.dmp
memory/1984-91-0x0000000002370000-0x00000000026C4000-memory.dmp
C:\Windows\system\TAcZEzp.exe
| MD5 | b44f848de160ef59dc7e4ab7dc5ce3e9 |
| SHA1 | a318399d10f502c7636234b9ef68fff2dfc2e0f5 |
| SHA256 | 5d22c6b151137565bd7b999e36959306b6643bf3fc1df2bb3610c5d2b01eb279 |
| SHA512 | 65910e25d267e8375df44965580177678d361bfb6278e1862d3ddaf0048a511f597ac30214277ce06bad7c16f70f78436a2cfb18aac945c0ec92d7129260c359 |
memory/2184-85-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/1984-84-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\TtVXBOb.exe
| MD5 | ec3cc6260f45389cc678342c1fd481d1 |
| SHA1 | 9c63eb070356591ebaa504e3a02991098267d925 |
| SHA256 | 3e4617be33eef58105ec0750a2efea3a25cda14723492ec8d60106bfda2502d4 |
| SHA512 | 8e9af4df4f77794a5397ee9cf2bff030870d7cee37d98c7824a69724d94458ebc98de64875df5c5d49accce022e4b12845d9f217b05106b21216dbc4b01adcbc |
memory/3056-78-0x000000013F510000-0x000000013F864000-memory.dmp
memory/1984-77-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2508-68-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1984-67-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\JKpmpDx.exe
| MD5 | 9c7d08578e1c11a7cfee47cb73ed694b |
| SHA1 | 81a45d4cb57749588aacfacb962c55611cfd1c53 |
| SHA256 | aaa690427b72164f9e5710a07d5446aa0aeb70ed113ab546e8eab4c00935fe87 |
| SHA512 | 7e90911658091535e337185f0dc0d85013ff76ff6699c267d5e7fed261365a00d3fd015153613643787b7c5761aad777bda2ba4c0eb5e1db88fd190d5b62ca4a |
memory/2740-66-0x000000013FB60000-0x000000013FEB4000-memory.dmp
C:\Windows\system\UMcFDEt.exe
| MD5 | 5144fcdd9dacc6d1c6016d189dd617a8 |
| SHA1 | 796f437d6a05fb106fea7d21fcbb40413e786394 |
| SHA256 | e5e14f959083717548ef5b7c61601c4e353791510dac31f5ac07d66b095fb01e |
| SHA512 | d9f772dd009922508438356412cb65a9be5cf12dc6c2ada4a7cfc1532f3dd4722c4d51adce93cdd1e13b975ef97881e741195e9165d5c35e091563455eb45b98 |
memory/2520-62-0x000000013FA40000-0x000000013FD94000-memory.dmp
\Windows\system\essdRrN.exe
| MD5 | 2c11b7d43c4e1eacb1868faf674660cf |
| SHA1 | de5ea6436a576f2437eef059cfebea859814613e |
| SHA256 | e67c0244ac9126c87d17c911c95abd2377a0dacf8f49249d0afcbf950b75ee83 |
| SHA512 | 81843086be4952ae3701cc95df11de28f9a8a59ca25f412db388b0d8af1dd97d269bda9e10ea85ba36d3065b9e078356b14a5c7d84306d1e9e8ea91c788e1a6e |
memory/2516-60-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1984-58-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2640-37-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2712-36-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/1984-57-0x000000013FA40000-0x000000013FD94000-memory.dmp
C:\Windows\system\IZwfwNO.exe
| MD5 | 431a116b95425136068081d44bb076f4 |
| SHA1 | 69fc758f23906f48fb7f0fe846fa7d5b1104adf9 |
| SHA256 | b71f282b744671b190dc433e1cf9f9a6b3915e842b1c02d15b5ede7aea818349 |
| SHA512 | 85f3c118d632f1895cf019b18f7b7a0aea3610fecc14a3f2adfd0a4a502fd521d00d233a99daa64d2884440afb355d71d60824d13f8617cf9f9d12c40457a212 |
memory/1984-50-0x000000013F400000-0x000000013F754000-memory.dmp
C:\Windows\system\LnSXVCr.exe
| MD5 | 72d7a6daf470b861a7759138b2bf51ae |
| SHA1 | ed125024e172ee2eb541805d4e7267cbc19e2830 |
| SHA256 | 2fff3f6733c6d31debd0233654b04a827b71e16061c76ce2192c31667ce5ba52 |
| SHA512 | 4316fbd522f2cb3e88163afc1f39fbf94fc0629b4de77a7f392588e7b4dbb15619a4fc6420fd44f4fa8e30129eb6dd8f4f85ba9fb4d58a3395fe46a275579ae4 |
C:\Windows\system\gPCQbMD.exe
| MD5 | 9dc086d478be277e38b96fb164ab3b03 |
| SHA1 | 035746ad1e3761b4bdb7c5939458b009dd84cdc6 |
| SHA256 | d7fab474b34bd09829692fc24350e19f33f7dc18653c02fee63879bf290ef540 |
| SHA512 | caa043cdba450aeda0e4819a6e7fd763d7ffdccba1976635997221e32f6da2130deed69a360cb57f0bec19ea5d238eeb6ac9b69229b1adc21e08b86ec8bffaee |
C:\Windows\system\wnrVlzq.exe
| MD5 | d0fb58bc9e12c04c298715c9bddad32b |
| SHA1 | 3deb10cebaf09546f08e49e3dad86b9648098c75 |
| SHA256 | 6592c2eb3f6e53426a899d46c67960d37e9e000f1fe2bf712ce0eeaba8010e98 |
| SHA512 | 05045eaff83500f473f6f867a23e686bb2d5ba4efe5fb940175749aa114a6acfc1c1bde0d78c85832990b3b1ddad2813d0a23355c540e92e544d8fd5e7a8c0c2 |
memory/2732-33-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2124-23-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1984-20-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1984-143-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/1984-144-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/1984-145-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/1984-146-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1632-147-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2124-148-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2740-149-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2680-150-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2640-152-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2732-151-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2712-153-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2516-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2520-155-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2508-156-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/3056-157-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2184-158-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2792-159-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2824-160-0x000000013FFD0000-0x0000000140324000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:06
Reported
2024-06-01 03:09
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RKmSXWQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kXGjjFl.exe | N/A |
| N/A | N/A | C:\Windows\System\OHevKea.exe | N/A |
| N/A | N/A | C:\Windows\System\EnHqTCV.exe | N/A |
| N/A | N/A | C:\Windows\System\SfOelpB.exe | N/A |
| N/A | N/A | C:\Windows\System\lqLrDUj.exe | N/A |
| N/A | N/A | C:\Windows\System\eBNkFaC.exe | N/A |
| N/A | N/A | C:\Windows\System\PGOdTDM.exe | N/A |
| N/A | N/A | C:\Windows\System\AODeNMz.exe | N/A |
| N/A | N/A | C:\Windows\System\MtgKIxS.exe | N/A |
| N/A | N/A | C:\Windows\System\KqCkXlm.exe | N/A |
| N/A | N/A | C:\Windows\System\TtMwVWA.exe | N/A |
| N/A | N/A | C:\Windows\System\gRQwsKN.exe | N/A |
| N/A | N/A | C:\Windows\System\mKYjXzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\IjfObNl.exe | N/A |
| N/A | N/A | C:\Windows\System\txVmdmX.exe | N/A |
| N/A | N/A | C:\Windows\System\tUajjTS.exe | N/A |
| N/A | N/A | C:\Windows\System\xZGFWqq.exe | N/A |
| N/A | N/A | C:\Windows\System\HSnuXtJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YPWkDck.exe | N/A |
| N/A | N/A | C:\Windows\System\zBbZJOE.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RKmSXWQ.exe
C:\Windows\System\RKmSXWQ.exe
C:\Windows\System\kXGjjFl.exe
C:\Windows\System\kXGjjFl.exe
C:\Windows\System\OHevKea.exe
C:\Windows\System\OHevKea.exe
C:\Windows\System\EnHqTCV.exe
C:\Windows\System\EnHqTCV.exe
C:\Windows\System\SfOelpB.exe
C:\Windows\System\SfOelpB.exe
C:\Windows\System\lqLrDUj.exe
C:\Windows\System\lqLrDUj.exe
C:\Windows\System\eBNkFaC.exe
C:\Windows\System\eBNkFaC.exe
C:\Windows\System\PGOdTDM.exe
C:\Windows\System\PGOdTDM.exe
C:\Windows\System\MtgKIxS.exe
C:\Windows\System\MtgKIxS.exe
C:\Windows\System\AODeNMz.exe
C:\Windows\System\AODeNMz.exe
C:\Windows\System\KqCkXlm.exe
C:\Windows\System\KqCkXlm.exe
C:\Windows\System\TtMwVWA.exe
C:\Windows\System\TtMwVWA.exe
C:\Windows\System\gRQwsKN.exe
C:\Windows\System\gRQwsKN.exe
C:\Windows\System\mKYjXzQ.exe
C:\Windows\System\mKYjXzQ.exe
C:\Windows\System\IjfObNl.exe
C:\Windows\System\IjfObNl.exe
C:\Windows\System\txVmdmX.exe
C:\Windows\System\txVmdmX.exe
C:\Windows\System\tUajjTS.exe
C:\Windows\System\tUajjTS.exe
C:\Windows\System\xZGFWqq.exe
C:\Windows\System\xZGFWqq.exe
C:\Windows\System\HSnuXtJ.exe
C:\Windows\System\HSnuXtJ.exe
C:\Windows\System\zBbZJOE.exe
C:\Windows\System\zBbZJOE.exe
C:\Windows\System\YPWkDck.exe
C:\Windows\System\YPWkDck.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
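The table above mixes two kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8, whose in-addr.arpa names encode the IP being looked up in reversed octet order, and six TCP connections to 3.120.209.58:8080, the only non-DNS endpoint in the report and therefore the candidate C2. The sandbox export is not column-stable (the TCP rows carry "tcp" in the Domain column, and the last DNS row has no name at all), so a parser that trusts column positions mislabels them. The script below is an added example, not part of the report; the rows are transcribed from the table as constructed input, and the function names are my own. It locates fields by value, decodes each PTR name back to the IP that was queried, and returns a hunt-ready summary.

```python
"""Extract network IOCs from a sandbox report's Network table (added example)."""
import ipaddress
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed input: the report's rows, including the column-misaligned ones.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | udp |
"""

PROTOS = {"tcp", "udp"}
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    proto: str
    domain: Optional[str]


def parse_row(line: str) -> Optional[Flow]:
    """Parse one table row, tolerating shifted or missing Domain cells.

    The protocol is found by value (tcp/udp) wherever it sits; whatever
    non-empty cell remains after Country and Destination is the domain."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest, rest = cells[0], cells[1], cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), None)
    if proto is None:
        return None
    names = [c for c in rest if c and c.lower() not in PROTOS]
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return Flow(country, host, int(port), proto, names[0] if names else None)


def ptr_to_ip(name: str) -> Optional[str]:
    """217.106.137.52.in-addr.arpa is a reverse lookup for 52.137.106.217."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:  # octet out of range
        return None


def summarize(table: str) -> dict:
    """Distinct TCP endpoints with hit counts, DNS servers and queried IPs."""
    flows = [f for f in map(parse_row, table.splitlines()) if f]
    tcp = Counter((f.ip, f.port) for f in flows if f.proto == "tcp")
    dns_servers = sorted({f.ip for f in flows if f.proto == "udp" and f.port == 53})
    looked_up = {ptr_to_ip(f.domain) for f in flows if f.domain}
    looked_up.discard(None)
    return {
        "flows": len(flows),
        "tcp_endpoints": dict(tcp),
        "dns_servers": dns_servers,
        "ptr_lookups": sorted(looked_up, key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

The decoded PTR targets are what the host asked about, not hosts it talked to; only the TCP endpoint is a connection, so the two lists belong in different IOC tiers when fed to a hunt.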
Files
memory/1596-0-0x00007FF722F40000-0x00007FF723294000-memory.dmp
memory/1596-1-0x000001D9B0E20000-0x000001D9B0E30000-memory.dmp
C:\Windows\System\RKmSXWQ.exe
| MD5 | a02bfe451559028024a915589ab22f17 |
| SHA1 | 19146d5cab3854a8e66bd219260f05be0d3d0107 |
| SHA256 | a20579353020bd181ba7c1098885719552a9390dae5d0060a94d28a86fa685fe |
| SHA512 | 4ca0c03ed85fc668e4418a4ab002a901ae6eb8df6ee92cfe9ba898cd5ee8a1e94a98c1b4c9057da73d1d731aae804340196236adba36e6fbdde96a33dcd2f1fb |
memory/1136-7-0x00007FF7215F0000-0x00007FF721944000-memory.dmp
C:\Windows\System\OHevKea.exe
| MD5 | 265355f60e12cfea2c85864f0bb85652 |
| SHA1 | 4e896659c72a46f4cc20ec187f6c5c3ccd55be8b |
| SHA256 | 438dcf00c44e15828af68f36179dd482ae063711c92bb681c45d5cb60c3f6627 |
| SHA512 | 78717417b0e3adbcc66099b0a5e71d71c8ffd9f863e3b2c3f5b004fbd67be9b239e84e37a4b52770116f3b80a108911709a52b7bab35d24e05c3d59673590fb7 |
C:\Windows\System\kXGjjFl.exe
| MD5 | 1cc70d0e479f518756e74d829b249c97 |
| SHA1 | 985e42660e5b687e9a273f88ce089f69806d7553 |
| SHA256 | 7af1283948ab9dfd3e050a0b5c8fde929e7ba60e6fbea4d0814f4c3d722d6d9a |
| SHA512 | c0acdec399784f565ceb9da88a2d3502999f647ba6058fd7758e5f8513b4a90794bd5e6ae0599a489481d9411587f24d5883378f4109899949140b5f4afde804 |
memory/2532-13-0x00007FF70E170000-0x00007FF70E4C4000-memory.dmp
memory/1512-20-0x00007FF6B2B80000-0x00007FF6B2ED4000-memory.dmp
C:\Windows\System\EnHqTCV.exe
| MD5 | df5017105c7a6c180fe5ea084742b8ff |
| SHA1 | c87969a097ffaa971238bdf2feec84776afd737d |
| SHA256 | 34a4a49d9867e0b3455a7fb2d5d95834168175b913d8985982124e62936fa197 |
| SHA512 | 8314ee6530b54c2e3abca6883124b2db9750198aef7e7656f65e34fee100f63a4d585bf8caf8f5c32cf6763c3c01f40aa4c923750558956648e5d08f235b24ea |
memory/1808-26-0x00007FF6AAD50000-0x00007FF6AB0A4000-memory.dmp
C:\Windows\System\SfOelpB.exe
| MD5 | 2a02ab4465e45a8fb4f9e11121b29f34 |
| SHA1 | 46094c7e4946860fba624b6acae1f2b11104848a |
| SHA256 | ce74b2cea1dc073237b8c3a6a73a4ef4194b4e2e5602b502c368f1cf2b91c9c4 |
| SHA512 | 108aadaa2092d1a3831254f2f1bd1a0c3043c7af0c9a82328fa93ca6a483923fc22027c6b8392cd8c88c814228bc53f7fb23c0a7c3fb0ffeeb47fb2140b160de |
C:\Windows\System\lqLrDUj.exe
| MD5 | 50d1d71a9997648f3136815880351f22 |
| SHA1 | 6df24b9709ac74e9f74e94e833ef38164e1b2a3b |
| SHA256 | fbc9f9d5d5bab2d3ecf8f8cac629ad2a97f116268fb2b112e276d51b2bbdd4b2 |
| SHA512 | 492fde94154cef4d2d8e531847593dd9f4dc5bed2a79172c06686bdd7feecd21bbfd45dabf715072e87592efaa7ed2cb25ab2e295bf84eed5ddf87e9b4a7576b |
memory/1592-34-0x00007FF667DD0000-0x00007FF668124000-memory.dmp
memory/756-38-0x00007FF7446D0000-0x00007FF744A24000-memory.dmp
C:\Windows\System\eBNkFaC.exe
| MD5 | b75b515033ac6bdbab5936a2067d277a |
| SHA1 | d579eaa68b94287635122a51b2b27380a821658a |
| SHA256 | 5ab73272053e31eee0c268475fe06b2b2f4b6e49ec08ae364178ab56301f9a6b |
| SHA512 | 5eed875c403a31eb51a56fd7ac4ddc0a012a38318c8753025ecc0c2a23b44d4b2ec5db5eda44f82d27db56f30c49fa64abfb107b3e78f481b0615958a3d338b7 |
C:\Windows\System\PGOdTDM.exe
| MD5 | f36c58196573f1d9b100f7c818f8b141 |
| SHA1 | 2f2986eb38b972fab74c61bfe758f5d4b09da81b |
| SHA256 | a38d250c1ad96ce8db206826288c6cb3484f5463b5f99debeda9f81f6099412c |
| SHA512 | 6fc05eba115953518e51183dce1d91faaa1d18cc9b433908042ff4408e91c6203ee8dab0933c7c665fd26a4968dc538d32ad5e82c0b7c98b36d315f649b9e503 |
memory/1696-46-0x00007FF73E4E0000-0x00007FF73E834000-memory.dmp
memory/1620-49-0x00007FF73E9B0000-0x00007FF73ED04000-memory.dmp
C:\Windows\System\AODeNMz.exe
| MD5 | 023bd04b653fac9248c00062f8ac0fb6 |
| SHA1 | 688cf95eac55ea769098fae98920b788990653cd |
| SHA256 | 9e7dd843be658692f3ffdf3666281043bf9079bdd6b98ceca269e2c6956a5698 |
| SHA512 | 4386e6a7fcd4465cba1dd642c072d2a279eaeb2abd5bffcfa3b89503331ae5cd433ed7f60376bb932a79919fbf2c19c0e10817d97745bf4e458117c736aa2299 |
C:\Windows\System\MtgKIxS.exe
| MD5 | 40f183304cfc53d16dc6d9c90839e518 |
| SHA1 | 2a76c6a82ab531999975314c3fdb91be6aef2c39 |
| SHA256 | 5c3d62a710d84d4e1bf59029f417a9215b864ce03a87075251d729f097e5a5a1 |
| SHA512 | 2ad5376bc32674ea9e2594628bad25432e8c899ba2d9fb9cfb031ecc52311a6dcc51e197afbea01268f72c3db09e4f96518614b3aa93dfe3cbfe4f1e125b1ac3 |
C:\Windows\System\KqCkXlm.exe
| MD5 | 121b56ba93232fb17d0555d63f57ecf3 |
| SHA1 | d3e99afa06693b2725f86aa006b5d4cbb3605d8c |
| SHA256 | 82d3073304ea49edbd3cdff035159a7c09b0ee2db4261376ce71028f6443eace |
| SHA512 | c33b06bec3519df2bc107198ff7f1b10f4f6c3edbbadacb388b84375b9c7ea21e4672f960628e78b869a264ba9cc8dad0a70b2712983bfa084c384bcd6340a4a |
memory/1136-67-0x00007FF7215F0000-0x00007FF721944000-memory.dmp
C:\Windows\System\TtMwVWA.exe
| MD5 | 2632a56e1308a8120a9773dba4310456 |
| SHA1 | ef4a0565331fce7b731fd949c671b5348f844368 |
| SHA256 | b873b72b83f0e523804da89c340095eec95eef18915a6e116c9337c78d0a96d3 |
| SHA512 | ab3ae425adf897ce279b4c413917aaabdd45f524b71a882bf6b33813eb93c122ca6a4417ca8b9bf996a3e22db85e88d6fd1a005b567ae472685abce391d5e6ee |
C:\Windows\System\gRQwsKN.exe
| MD5 | 9d1f213fec22208b5e241db9db233c63 |
| SHA1 | f65ddbd910cfe7cd8f792c6666ab0a9cfcba74fb |
| SHA256 | a8f4328f075953092c106a7b4e9fcddcc958affc39d14174b47d81ab009b3cd9 |
| SHA512 | 54b84b38b02bda3aa82f2510b043e98ab3a50b2f58adbdd1fc577b0ff953cea339f4e004f6eb5bce9bf1f6659006c7fba4e493986adcab2c37ec67197b527610 |
memory/4772-83-0x00007FF7C7760000-0x00007FF7C7AB4000-memory.dmp
memory/4268-89-0x00007FF73F500000-0x00007FF73F854000-memory.dmp
C:\Windows\System\mKYjXzQ.exe
| MD5 | f59b3b6c3def64a0f34253ebf260220c |
| SHA1 | 670bbc76aa1fc301d4ce1e63b8d72b37e9b9853f |
| SHA256 | b4b0db74c4a66554e02f44f535af12766c88281ee8951808792613010e01602d |
| SHA512 | a5562f7859dc509dd6cfe6ea1b58585215fd71bbf3cbfd196ec035dd77e28a5fd6d20747163cc6da3330a1d8c32df4d5ef506adf68e78984384cccb7ffb02089 |
memory/2652-94-0x00007FF62D4D0000-0x00007FF62D824000-memory.dmp
C:\Windows\System\IjfObNl.exe
| MD5 | 33f27b3ca896afbedb25be8e0cfbb49f |
| SHA1 | a28b006adb6166b5c6b2890ede30633d209ef171 |
| SHA256 | 145bbb235f413f6dcee4b4273508cf7bc8a3311c7534b44da5695de5f1e2cb3e |
| SHA512 | 91bf2045c804c8aedfad690f5ddb09103515edbb2adac3e9e06359d466ac128b410ea8a156fbfe839d29396a7a1de7dc3f75b6c77b6b0ff6385be07da7050e0b |
memory/556-90-0x00007FF6AAF30000-0x00007FF6AB284000-memory.dmp
memory/2532-78-0x00007FF70E170000-0x00007FF70E4C4000-memory.dmp
memory/2952-70-0x00007FF635700000-0x00007FF635A54000-memory.dmp
memory/3784-63-0x00007FF625280000-0x00007FF6255D4000-memory.dmp
memory/1596-62-0x00007FF722F40000-0x00007FF723294000-memory.dmp
memory/4716-54-0x00007FF746DB0000-0x00007FF747104000-memory.dmp
C:\Windows\System\txVmdmX.exe
| MD5 | 2b724e4cdceee75b5207d8ef05e6eeb2 |
| SHA1 | 77e5e3a53e58800555123ec9b9ff783fdb67dda9 |
| SHA256 | c4df56bf6dcd58ac4b5aae4c05c8f99be9a3f27abe3a9f9ebcac82f1e08d9275 |
| SHA512 | 7be21405af31d0cf6aba98d9628f27a08b1f925af0c4f3b0964a2203f76c70b55c32133fb3ac098dfa7020bd0de8f3e02627a01230301c6fa13d455150479bd7 |
C:\Windows\System\tUajjTS.exe
| MD5 | 33769a651d734cd12a8ae7eaf92a8c30 |
| SHA1 | dfc9556fc8163eb76331a58eb466f097b57df675 |
| SHA256 | 003b3faa65a3521e7eb0e838c0f765705afda4f996a7fe82a2938bc10897e7a1 |
| SHA512 | ee07a027412ff15b4fe4caea1801875d70d042c28ea8942d409c1092970ea11605fe04f027730b95f3f67e65efea5d1a296390a298aa692a87aef1e85e6aac7f |
C:\Windows\System\xZGFWqq.exe
| MD5 | 410c9bf6c0f36bd5825e0343369fad76 |
| SHA1 | aa298cecb774aaab41ef5de0314a23c03614de13 |
| SHA256 | 633cef6fe802fd6eebfa75d66ba76123d2ae7cfb510e7c8abb286975202b103b |
| SHA512 | 7c91f84299eea8e7d6ef8e9df8dd98fec6e1a7ab2426a19f71057aa5894375f0e711e8357dd3d9b4d74cab88d9c69ebb1a87e2d76ac584de02221923c6f45dbe |
memory/3120-109-0x00007FF7B2C60000-0x00007FF7B2FB4000-memory.dmp
C:\Windows\System\HSnuXtJ.exe
| MD5 | 2f7ed284cc33ce637ff8f87b54ffe771 |
| SHA1 | 79fb98d89404bd3e9be2d0190b2a608c07a1e350 |
| SHA256 | bfb4555eb73951eb35d73960944568317655718ce56f5dba57c04f4d7e1f9050 |
| SHA512 | b25d312d3c40fd114cfa0736af6a97b22a29653d265356c7202d4776ab0c7636741a65c445a5d102f878c1bf1521d4420e6d5654835846fa03343242c27f3729 |
C:\Windows\System\zBbZJOE.exe
| MD5 | 12d9884fe3997c4cf260867881c162b8 |
| SHA1 | 6f312297364892b6f7e453c68eac36fab72d522b |
| SHA256 | a28c5117787422e5c617af54311b8ce515a0acff88d9a038f230ba27ad3fb9cb |
| SHA512 | 3aff6f3c01e04bfebf062b7c23b60b4a2e752494c8b351188e213ff1a2342aeba6bd985c465bf35db79c82a2c16e23d1a2c499cc257ea192b6261f9ed2433cda |
C:\Windows\System\YPWkDck.exe
| MD5 | 16cc8a45526e8ad68451b3941d03fabf |
| SHA1 | 0a6f9bbe1e2b77fa263ac43823fd8e784f7d6f9a |
| SHA256 | d5928e3c8a8fd4a9edd0764c7323491d57231ee099c7bf51cb8cbf413909a8cf |
| SHA512 | 5ef555af8bc44e19aa75d6f367394b42f94b8005500bb8b0e1f18ef11309da6194db7d154e9170a545e82a3350809271f970a424a668e54995b0f6f789c851a2 |
memory/3456-115-0x00007FF78A2E0000-0x00007FF78A634000-memory.dmp
memory/1956-103-0x00007FF606DB0000-0x00007FF607104000-memory.dmp
memory/4636-128-0x00007FF6B2730000-0x00007FF6B2A84000-memory.dmp
memory/1620-130-0x00007FF73E9B0000-0x00007FF73ED04000-memory.dmp
memory/4716-132-0x00007FF746DB0000-0x00007FF747104000-memory.dmp
memory/1368-131-0x00007FF67DBB0000-0x00007FF67DF04000-memory.dmp
memory/5016-129-0x00007FF7C7820000-0x00007FF7C7B74000-memory.dmp
memory/2952-133-0x00007FF635700000-0x00007FF635A54000-memory.dmp
memory/556-134-0x00007FF6AAF30000-0x00007FF6AB284000-memory.dmp
memory/3120-135-0x00007FF7B2C60000-0x00007FF7B2FB4000-memory.dmp
memory/3456-136-0x00007FF78A2E0000-0x00007FF78A634000-memory.dmp
memory/1136-137-0x00007FF7215F0000-0x00007FF721944000-memory.dmp
memory/2532-138-0x00007FF70E170000-0x00007FF70E4C4000-memory.dmp
memory/1512-139-0x00007FF6B2B80000-0x00007FF6B2ED4000-memory.dmp
memory/1808-140-0x00007FF6AAD50000-0x00007FF6AB0A4000-memory.dmp
memory/1592-141-0x00007FF667DD0000-0x00007FF668124000-memory.dmp
memory/756-142-0x00007FF7446D0000-0x00007FF744A24000-memory.dmp
memory/1696-143-0x00007FF73E4E0000-0x00007FF73E834000-memory.dmp
memory/4716-144-0x00007FF746DB0000-0x00007FF747104000-memory.dmp
memory/3784-146-0x00007FF625280000-0x00007FF6255D4000-memory.dmp
memory/1620-145-0x00007FF73E9B0000-0x00007FF73ED04000-memory.dmp
memory/2952-147-0x00007FF635700000-0x00007FF635A54000-memory.dmp
memory/4772-148-0x00007FF7C7760000-0x00007FF7C7AB4000-memory.dmp
memory/4268-149-0x00007FF73F500000-0x00007FF73F854000-memory.dmp
memory/2652-150-0x00007FF62D4D0000-0x00007FF62D824000-memory.dmp
memory/556-151-0x00007FF6AAF30000-0x00007FF6AB284000-memory.dmp
memory/1956-152-0x00007FF606DB0000-0x00007FF607104000-memory.dmp
memory/3120-153-0x00007FF7B2C60000-0x00007FF7B2FB4000-memory.dmp
memory/3456-154-0x00007FF78A2E0000-0x00007FF78A634000-memory.dmp
memory/4636-155-0x00007FF6B2730000-0x00007FF6B2A84000-memory.dmp
memory/1368-156-0x00007FF67DBB0000-0x00007FF67DF04000-memory.dmp
memory/5016-157-0x00007FF7C7820000-0x00007FF7C7B74000-memory.dmp
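The memory dump names above encode PID, dump index and the virtual address range of the region; working the arithmetic, every listed region is 0x354000 bytes apart from the single 0x10000 one for PID 1596, and the same range for a PID is dumped more than once under different indices. Every dropped executable sits under C:\Windows\System with a seven-letter alphabetic name. The script below is an added example, not part of the report: it parses an excerpt of the Files section (constructed here from the lines above) into records, recovers and dedupes region sizes, validates digest lengths, flags the drop-path pattern, and emits the SHA256 set for hunting. The function and pattern names are my own.

```python
"""Parse sandbox 'Files' output into memory regions and dropped-file IOCs (added example)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed input: an excerpt of the report's Files section.
FILES_EXCERPT = r"""
memory/1596-0-0x00007FF722F40000-0x00007FF723294000-memory.dmp
memory/1596-1-0x000001D9B0E20000-0x000001D9B0E30000-memory.dmp
C:\Windows\System\RKmSXWQ.exe
| MD5 | a02bfe451559028024a915589ab22f17 |
| SHA1 | 19146d5cab3854a8e66bd219260f05be0d3d0107 |
| SHA256 | a20579353020bd181ba7c1098885719552a9390dae5d0060a94d28a86fa685fe |
| SHA512 | 4ca0c03ed85fc668e4418a4ab002a901ae6eb8df6ee92cfe9ba898cd5ee8a1e94a98c1b4c9057da73d1d731aae804340196236adba36e6fbdde96a33dcd2f1fb |
memory/1136-7-0x00007FF7215F0000-0x00007FF721944000-memory.dmp
C:\Windows\System\OHevKea.exe
| MD5 | 265355f60e12cfea2c85864f0bb85652 |
| SHA1 | 4e896659c72a46f4cc20ec187f6c5c3ccd55be8b |
| SHA256 | 438dcf00c44e15828af68f36179dd482ae063711c92bb681c45d5cb60c3f6627 |
| SHA512 | 78717417b0e3adbcc66099b0a5e71d71c8ffd9f863e3b2c3f5b004fbd67be9b239e84e37a4b52770116f3b80a108911709a52b7bab35d24e05c3d59673590fb7 |
memory/2532-13-0x00007FF70E170000-0x00007FF70E4C4000-memory.dmp
memory/1136-67-0x00007FF7215F0000-0x00007FF721944000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Observed drop pattern in this report: seven letters directly under C:\Windows\System.
DROP_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.I)
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


class Region(NamedTuple):
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files(text: str) -> Tuple[List[Region], Dict[str, Dict[str, str]]]:
    """Walk the listing: memory lines stand alone, a path line opens a hash block."""
    regions: List[Region] = []
    files: Dict[str, Dict[str, str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(Region(int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][h.group(1).lower()] = h.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
    return regions, files


def unique_regions(regions: List[Region]) -> List[Region]:
    """Drop repeated dumps of the same (pid, start, end) range."""
    seen, out = set(), []
    for r in regions:
        key = (r.pid, r.start, r.end)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def region_size_histogram(regions: List[Region]) -> Counter:
    return Counter(r.size for r in regions)


def shared_image_size(regions: List[Region]) -> int:
    """The region size common to the most processes: the mapped payload image."""
    return region_size_histogram(unique_regions(regions)).most_common(1)[0][0]


def validate_hashes(files: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, algo) pairs whose digest is missing or of the wrong length."""
    return [(path, algo) for path, digests in files.items()
            for algo, length in HASH_LENGTHS.items()
            if len(digests.get(algo, "")) != length]


def is_suspicious_drop(path: str) -> bool:
    return bool(DROP_RE.match(path))


def hunt_iocs(files: Dict[str, Dict[str, str]]) -> List[str]:
    return sorted({d["sha256"] for d in files.values() if "sha256" in d})


if __name__ == "__main__":
    regs, dropped = parse_files(FILES_EXCERPT)
    print(f"regions={len(regs)} unique={len(unique_regions(regs))} image=0x{shared_image_size(regs):x}")
    for p in dropped:
        print(f"{'DROP ' if is_suspicious_drop(p) else '     '}{p}")
    print("sha256 hunt list:", hunt_iocs(dropped))
```

The seven-letter pattern is specific to this sample's dropper and is meant as a hunting query for hosts that ran it, not as a general rule; pair it with the SHA256 list, since the dropped copies carry different hashes despite mapping to a region of identical size.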