Analysis Overview
SHA256
6a1599807c0b9470eff39ceb394749905a7cde78efe95134482b4fb13dfb06bb
Threat Level: Known bad
The file 2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike was found to be: Known bad. The family names embedded in that filename are part of the name as submitted, not a finding of this analysis; the evidence for the verdict is the signature hits listed below (Cobalt Strike reflective-loader artifacts together with an XMRig miner payload, UPX packing and a fan-out of dropped executables).
Malicious Activity Summary
xmrig
Xmrig family
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:35
Signatures
Cobalt Strike reflective loader
1 hit; description, indicator, process and target all N/A in this export.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; description, indicator, process and target all N/A in this export.
UPX dump on OEP (original entry point)
1 hit; description, indicator, process and target all N/A in this export.
XMRig Miner payload
1 hit; description, indicator, process and target all N/A in this export.
Xmrig family
UPX packed file
1 hit; description, indicator, process and target all N/A in this export.
Unsigned PE
1 hit; description, indicator, process and target all N/A in this export.
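The two static signatures above ("UPX packed file" and "Unsigned PE") can be reproduced with a plain PE-header walk. The following is an added example, not the sandbox's own rule logic and not code from the report: it reads the section table and the Authenticode (security) data directory with nothing but `struct`, and builds a synthetic PE header to exercise the checks, since the sample itself is not reproduced here. The section-name heuristic only catches stock UPX; a packer that renames its sections (or a modified UPX) will not trigger it, which is why the sandbox also dumps at the OEP.

```python
"""Static triage checks: UPX section names and missing Authenticode signature.
Pure-Python PE header parsing (no pefile); the test input is a constructed header."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode directory entry


def parse_pe(data: bytes) -> dict:
    """Return the section names and the (offset, size) of the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                    # PE32+: data directories at +112
        dd_offset = 112
    elif magic == 0x10B:                                  # PE32: data directories at +96
        dd_offset = 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir = opt + dd_offset + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    sec_off, sec_size = struct.unpack_from("<II", data, sec_dir)
    sections = []
    for i in range(nsections):                            # section headers follow the optional header
        hdr = opt + opt_size + i * 40
        sections.append(data[hdr:hdr + 8].rstrip(b"\0"))
    return {"sections": sections, "security": (sec_off, sec_size)}


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX names its sections UPX0/UPX1 (UPX2 when resources are kept)."""
    return bool(UPX_SECTION_NAMES & set(parse_pe(data)["sections"]))


def is_unsigned(data: bytes) -> bool:
    """An empty IMAGE_DIRECTORY_ENTRY_SECURITY means no Authenticode blob is attached."""
    off, size = parse_pe(data)["security"]
    return off == 0 or size == 0


def build_test_pe(section_names, security=(0, 0), pe32plus=True) -> bytes:
    """Constructed minimal PE header (not a runnable binary) used only to exercise the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    magic, dd_offset = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt_size = dd_offset + 16 * 8                          # 16 data directories of 8 bytes
    datadirs = bytearray(16 * 8)
    struct.pack_into("<II", datadirs, IMAGE_DIRECTORY_ENTRY_SECURITY * 8, *security)
    optional = struct.pack("<H", magic) + b"\0" * (dd_offset - 2) + bytes(datadirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    packed = build_test_pe([b"UPX0", b"UPX1", b".rsrc"])
    print("upx packed:", is_upx_packed(packed), "unsigned:", is_unsigned(packed))
```

A non-empty security directory only tells you a signature blob is present; whether it verifies (chain, timestamp, revocation) is a separate check with the platform's Authenticode APIs.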
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:35
Reported
2024-06-01 07:37
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target all N/A in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target all N/A in this export.
UPX dump on OEP (original entry point)
59 hits; description, indicator, process and target all N/A in this export.
XMRig Miner payload
61 hits; description, indicator, process and target all N/A in this export.
Executes dropped EXE
| Process |
| C:\Windows\System\UUxJRWt.exe |
| C:\Windows\System\mliegAz.exe |
| C:\Windows\System\tdRaJti.exe |
| C:\Windows\System\qCbNCJM.exe |
| C:\Windows\System\bUxJguO.exe |
| C:\Windows\System\tlsInyL.exe |
| C:\Windows\System\ZNSeXeE.exe |
| C:\Windows\System\DfsZyPw.exe |
| C:\Windows\System\ZCGmnmw.exe |
| C:\Windows\System\KKDfimE.exe |
| C:\Windows\System\oPSPMBF.exe |
| C:\Windows\System\zlpaqIh.exe |
| C:\Windows\System\fiZqnfk.exe |
| C:\Windows\System\BSUjYXo.exe |
| C:\Windows\System\vgMqwwH.exe |
| C:\Windows\System\EfzCbmu.exe |
| C:\Windows\System\vBKSUyq.exe |
| C:\Windows\System\AMuVcKe.exe |
| C:\Windows\System\ZCRJopC.exe |
| C:\Windows\System\knpJrBj.exe |
| C:\Windows\System\ffsWkwk.exe |
Loads dropped DLL
UPX packed file
59 hits; description, indicator, process and target all N/A in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe |
SeLockMemoryPrivilege is the privilege required to allocate large pages (MEM_LARGE_PAGES). XMRig enables it for its huge-pages optimisation, so these two calls by the parent process are consistent with the XMRig signature hits in this run rather than with the SeDebugPrivilege-style token use normally behind this signature.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UUxJRWt.exe | C:\Windows\System\UUxJRWt.exe |
| C:\Windows\System\mliegAz.exe | C:\Windows\System\mliegAz.exe |
| C:\Windows\System\tdRaJti.exe | C:\Windows\System\tdRaJti.exe |
| C:\Windows\System\qCbNCJM.exe | C:\Windows\System\qCbNCJM.exe |
| C:\Windows\System\bUxJguO.exe | C:\Windows\System\bUxJguO.exe |
| C:\Windows\System\tlsInyL.exe | C:\Windows\System\tlsInyL.exe |
| C:\Windows\System\ZNSeXeE.exe | C:\Windows\System\ZNSeXeE.exe |
| C:\Windows\System\DfsZyPw.exe | C:\Windows\System\DfsZyPw.exe |
| C:\Windows\System\ZCGmnmw.exe | C:\Windows\System\ZCGmnmw.exe |
| C:\Windows\System\KKDfimE.exe | C:\Windows\System\KKDfimE.exe |
| C:\Windows\System\oPSPMBF.exe | C:\Windows\System\oPSPMBF.exe |
| C:\Windows\System\zlpaqIh.exe | C:\Windows\System\zlpaqIh.exe |
| C:\Windows\System\fiZqnfk.exe | C:\Windows\System\fiZqnfk.exe |
| C:\Windows\System\vgMqwwH.exe | C:\Windows\System\vgMqwwH.exe |
| C:\Windows\System\BSUjYXo.exe | C:\Windows\System\BSUjYXo.exe |
| C:\Windows\System\EfzCbmu.exe | C:\Windows\System\EfzCbmu.exe |
| C:\Windows\System\vBKSUyq.exe | C:\Windows\System\vBKSUyq.exe |
| C:\Windows\System\AMuVcKe.exe | C:\Windows\System\AMuVcKe.exe |
| C:\Windows\System\knpJrBj.exe | C:\Windows\System\knpJrBj.exe |
| C:\Windows\System\ZCRJopC.exe | C:\Windows\System\ZCRJopC.exe |
| C:\Windows\System\ffsWkwk.exe | C:\Windows\System\ffsWkwk.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2296-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2296-2-0x000000013FF60000-0x00000001402B4000-memory.dmp
C:\Windows\system\UUxJRWt.exe
| MD5 | 89111ce7e12805943035675929f08a68 |
| SHA1 | 547816c811aba536e172de8738946f2c7df604e3 |
| SHA256 | 835329bfc8953d483d84817bd2288878f82f3555e8fff1bfa5d6a0fbd9d53b1c |
| SHA512 | c5211d6fba4b7f87eb286f1593df6f9651d9647a7d341cf1d41f7124a187cfa7a1be83c8f81c4f192645c4ceb3678351aeb7f341d909c0dd186e43dba4ce032f |
memory/3060-9-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2296-8-0x00000000024D0000-0x0000000002824000-memory.dmp
C:\Windows\system\mliegAz.exe
| MD5 | b6ef0ae7dafd7151456c3e50c773e3e7 |
| SHA1 | 287f6435f4fe3c84f8bb861de112716553b57a9c |
| SHA256 | 5efbb305c017f8c3b6e523387672ac6189a53ea356a3db7bd6fe77370b181184 |
| SHA512 | 765683c04bb4a9e6887a8e2d986b458909bc073225b048110e79a822ef54bce70c03c0599f5b16023dd1dcbd624f6e3f0242731764e2ee1819d35d151d385dce |
C:\Windows\system\tdRaJti.exe
| MD5 | 7d8b84d63e4aa6dbb02cf7fbca8c42a4 |
| SHA1 | 9584efa90a287b943d2e63c46a5eb3ce5343ef24 |
| SHA256 | 8fe2ef4452f88ceac2a9800ad2cd20006b1795d5ee154e031a985a3453cd4aaa |
| SHA512 | 92ea1c666d7925a0ec6bc7f385720f967b1e7de0d4ccefd3e6eaa014d370fcf0d4e8e4f48181f0ea939993f2a41f651205307e9df61ee18d9becbbd0bc06eb0c |
\Windows\system\qCbNCJM.exe
| MD5 | a0e46ea121ae5eb9bbd0616439e3f86f |
| SHA1 | 59511c14031271b3654eae1d0a8fbbc68aa8e7af |
| SHA256 | ffcf9c631a444d9b614c6a1e5afa11a3d89ff42a7e5b3fd8a1f884c9d4a29996 |
| SHA512 | f8447dbb5363a004ad5793f970762f9890ec05146e8705c4bd592d2b47a38a5b98454605ae77efae8c85d1508d5dd8b6b2b5159129f1e12028800347d0decd0e |
memory/2692-26-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2296-29-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2616-28-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2296-27-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/2184-25-0x000000013F920000-0x000000013FC74000-memory.dmp
C:\Windows\system\tlsInyL.exe
| MD5 | 20c0ee4467d998e0371e8a548d3e6e11 |
| SHA1 | 0f057e880bf24bc8d35962e3f4fb80c56b5d8ff3 |
| SHA256 | 13cb3b1a568793ea70e83d04a0b08c19718c352a6d84a9eae0d7831f77a0f891 |
| SHA512 | 62da23a82ad7733d49872957b2b56a8dc6e15173ba37350684ff58ba78024c81172f853638b34d9f2032a2f04a83effda01d24775c26c91b24a9d85b646702fc |
memory/3024-35-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1604-42-0x000000013FA00000-0x000000013FD54000-memory.dmp
\Windows\system\ZNSeXeE.exe
| MD5 | 66758517bccae7f0ce7876bcd19c3a20 |
| SHA1 | 49c14c604d4a2d794cddd5267bf89725654823a9 |
| SHA256 | f60f20371237e9b39ebaf24dd994c04df33602ad295f471233b8e77b430117b4 |
| SHA512 | fd7c4bbf3b9cbad59b214cd7e9fcf9f1cdc313ea6716437e556d42a9f8c7c887aec4c25337e377765bcceab45eb9fb987033cf58b85bbfd5e4fb65a503f0781a |
C:\Windows\system\DfsZyPw.exe
| MD5 | 37159c62cf0dd89a45089c1a771b2b89 |
| SHA1 | b741c381b8b812fd200fbc5af83953c9b8c04199 |
| SHA256 | 97ac4664a7019565a5eaa2ddbb22adb9a79374faef6aa8eeaed11d56786f3de2 |
| SHA512 | c6452b1bf9a4febbe8585522a13f252856ca4ad9eb8c1819569748cba24e5282124c8b16afb9c3276e8dc178859499bfa99cb3c9b9cacce5fb920ec956b180dd |
memory/2296-56-0x000000013F3E0000-0x000000013F734000-memory.dmp
C:\Windows\system\ZCGmnmw.exe
| MD5 | 17d2c0d2877a082bb44cb607c2e9adf4 |
| SHA1 | 958f09ffe4400706216e7b10ffeb84fc848a7207 |
| SHA256 | cddde39b41bc1862d6dc7de4a08796b512e8fae973423a35f97a951da0cc048c |
| SHA512 | 7f424af37c69750192048c242481ba4282657d352834512e267c4b76d816579eb1da95d7758bbc113234f7551d1245b6d93d23de62e1f40adb6dc49e6deefb09 |
C:\Windows\system\KKDfimE.exe
| MD5 | b4ecf06e219e1aa90545dd947300cd18 |
| SHA1 | dea31ffb9b67bcc22ae78daf98e01674c7b42cfb |
| SHA256 | e0105c5add748f36863d96433cb234a5c8e6c01171f975d5f12112b6f25916b3 |
| SHA512 | 37b54ea6e7791e07660fbbd7519da4d52fc9d785ac10f753f7aa308319f08ef522d687ce0f7b97583ee14b93d65d69c36003fb49f58e76593fd582401c830741 |
memory/1484-70-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2296-81-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/2552-83-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2296-82-0x000000013F730000-0x000000013FA84000-memory.dmp
\Windows\system\oPSPMBF.exe
| MD5 | d1e750a020b0f9e707e6a58304ee1745 |
| SHA1 | dc9894bdeacfa212760edb54507a1186b464863c |
| SHA256 | 14f5788fea6c9b921b5f5bd6dc9fc9636ba81874b2aa16663e6378d13ee106cd |
| SHA512 | bf28fa41df73e8df61db1d5f0c49fa66bc12006501cfc8edbdebc17f9685c354c5153358fae3ed3defbd850a1ef3b1b309e08a734e933107bf46637636a389ba |
memory/2780-91-0x000000013F450000-0x000000013F7A4000-memory.dmp
C:\Windows\system\fiZqnfk.exe
| MD5 | 52f403373ead9348c35d105441efca97 |
| SHA1 | 6daf4960495b09222b234c18bddecbdc92ec5753 |
| SHA256 | 35e1a2ac039d5357e777f49d4c15f609b77c1d0abb2481d721448b4f2c06f034 |
| SHA512 | e8143829771c019b6b79626f55833830dba9e12c04ef94848a47f5e2587566c46fbf9b17c14a2adcfe06d39efbf4f499b448fc0b77f9687fd01efe58e8dc3fbd |
memory/2296-89-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2296-88-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/1348-76-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2296-75-0x000000013FF60000-0x00000001402B4000-memory.dmp
C:\Windows\system\zlpaqIh.exe
| MD5 | 3e3c2ab71af71419032f72a95587234b |
| SHA1 | 51913bf27120498194f919c59ebcd2a99231fce0 |
| SHA256 | 6239df1a7a7df7d5013123ab47265ad69013e19e47e4458425def8e0a78e53b5 |
| SHA512 | 616f2c8314d89a038e419b20557938df07f9f92579083e7bb6a65422609e94fe246b9918dfe137a7100a8e0b296ffc39e9608c7242a99ec158d3c449d879dbcd |
memory/2296-69-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2284-63-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2296-62-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2468-49-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2296-48-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2540-57-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2296-34-0x00000000024D0000-0x0000000002824000-memory.dmp
memory/3024-95-0x000000013FF20000-0x0000000140274000-memory.dmp
C:\Windows\system\bUxJguO.exe
| MD5 | 1f242b01747803e9df2ed025346306fe |
| SHA1 | 61b2669fc02e7044f175e3e48787d55e80ee9bd9 |
| SHA256 | 8ebd8730dc6c446a2dfc529a07f403cf365c1e0ef172240ab7b4c343a3c653f8 |
| SHA512 | 5b3d96805cc2df831538ccd8757b095cf50e0cafe58773f8b70efaa8847a85cf8399b257f33be2ad7d3b0533bf37a4dda6444d59f5c339903d935ac572d23abc |
memory/2296-41-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1604-96-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2468-97-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
\Windows\system\vgMqwwH.exe
| MD5 | e729b4e55a5ec42df549d239d6f0da3b |
| SHA1 | e712e4524c96ae884ed886cf2a2531b5cbd58187 |
| SHA256 | 6a91d2ad9b44764b542351b2685e78c45a29fc95cd66954934dadcdc05a0f710 |
| SHA512 | 463fecc82bf9280821e2704d15d7d50d9870bf257145ce8429f02eb2dd4b2471cfd6fcfb6aeb87f639b5c30e32844598428b4cce28143588cc980a949b7fee62 |
C:\Windows\system\BSUjYXo.exe
| MD5 | b9f600d8c83f29df5a2df4cb0c0c6b52 |
| SHA1 | 1eed129d3acdd91c93cf0ce6de3e4e36f9e61a4b |
| SHA256 | aee646a9178d7521845516c41ae87704b5e82f867e04e2ae055aa33dcf6a66bf |
| SHA512 | 4bb26866a495ff307cdab445b3744d419e156c21200f795562a94010289f81b34e6537b0d65985e40b49d743ed11566cda94d5f5b9ba81268694e33035939fea |
memory/1484-111-0x000000013F210000-0x000000013F564000-memory.dmp
memory/1020-110-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2284-109-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2296-106-0x000000013FB90000-0x000000013FEE4000-memory.dmp
\Windows\system\EfzCbmu.exe
| MD5 | e607cd176acae67a649296ff4bd64b3e |
| SHA1 | 3d57a2ecdac0d789cf576efa1388a7677a6eee4d |
| SHA256 | 907d39339fcacd88fe0088845edd257e06e6af0e5ff0df3b3a701fac96b66efe |
| SHA512 | 80e358ee02f05a6b4fd545335a67dd872347f968543e29052748d91e4228b9a5bdbfe4ba99a9caf78ca7735c46d2fbce5b54171c8881bad65a5a4a59fee7a359 |
\Windows\system\vBKSUyq.exe
| MD5 | 2cf30f80942ffc1d9c89dd9c0a107417 |
| SHA1 | 415f51954a5283e8e6c22f774075b433586628ed |
| SHA256 | cbd257e1c8966e87f28159d57505281ee0b077faad17cb073b7810f28e4ce6e7 |
| SHA512 | 8a0c4cebb62d8f8cf51e2b40ab192bee9ea2cd893a8f07ebd8929a4003d342f4d709d0190afabbe52e27ccf5920120dd1cf58dc54a1655e696c2f53ad1bcc72a |
\Windows\system\AMuVcKe.exe
| MD5 | 1baf1db68fa2294e366ae54f80e2fa67 |
| SHA1 | 524178e8dbdca07a37ed99d0c945d78356b851cf |
| SHA256 | e8d24a281f6571113d3ed9f87ef22e126c58fcc9e393df23813f3a725e2f69bf |
| SHA512 | ae92a7bcfddbff7543e457a8bd4d2933428b3ad226190e56e8736aae044cb418b55fb827572e6f14de9b679dcf9a694862aa96d2cbce36eb33a2533838ee6977 |
C:\Windows\system\ZCRJopC.exe
| MD5 | 53e725ef66e2706bca8cf401a52d243b |
| SHA1 | 921eefac25ace625e56368db262793a988b453de |
| SHA256 | ffc3e18fd01666814dfb9b48aefdc557e2bc29c74290aac7b29cc3fe2351f68a |
| SHA512 | ce9ee8f00d3c59ee135ba9012c97d31c933f00b3b891ff3354af6fd538b0dd60cf5443857c68e49f3a46b07c18b51b0cbe347076ceca0e1fef46466bba4c8c9b |
memory/1348-133-0x000000013FA50000-0x000000013FDA4000-memory.dmp
C:\Windows\system\knpJrBj.exe
| MD5 | 3f442dc1d5dbbac5c98deec1c4b18d8f |
| SHA1 | 61a29888515b64a5e6a176396670c8aeb25ba9ff |
| SHA256 | ab0e844eaa090769ca2baeb271458ef08c3c0d9885b39b653e857ba6c43a066a |
| SHA512 | 124298789dff066daa95886e4c48305f6ad762342a17cfd9ed9a77b0c2c882fbd5dd7e88bc82af01026b6878669a508a61f68a605ff9658f530c9774009b83f3 |
\Windows\system\ffsWkwk.exe
| MD5 | 9d741155dd5c886a93c2fe00164d4e4a |
| SHA1 | c54c20a1f3c1cc163371c47efeeb9d4efefef4a8 |
| SHA256 | b02eb718e018eca2db616762c241a98146a1c9e4a641c008005827b5914b8883 |
| SHA512 | aacd919ff70259ff6649554e3571471793c046a41985ea3ba92a5296a0f899ad50b09cc964a0852d12287bb687acca65f64d8beb05b8d759aaa9951853965854 |
memory/2552-142-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2296-143-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2780-144-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2296-145-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/3060-146-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2184-147-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2616-148-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2692-149-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/3024-150-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1604-151-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2540-152-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2468-153-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2284-154-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2552-155-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1484-156-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2780-157-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1348-158-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1020-159-0x000000013FB90000-0x000000013FEE4000-memory.dmp
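The Network and Files sections of both behavioral runs are the part of this report a responder actually consumes, and the export format above (pipe-delimited rows, a blank Domain cell that pushes "tcp" one column left, hash rows following each dropped-file path, memory-dump names interleaved) is awkward to copy by hand. The script below is an added example, not part of the report or of the sandbox: it parses that layout into a normalised indicator set, validates hash lengths, separates direct connections from reverse-DNS (PTR) lookups, and turns `x.y.z.w.in-addr.arpa` names back into forward addresses. The EXCERPT is copied from rows in this report's two runs (a few rows only, so it runs offline); nothing in it is invented.

```python
"""Parse the Network and Files sections of this report into a normalised IOC list.
EXCERPT below is copied from the report rows above (subset only), so this runs offline."""
import re

EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
Files
memory/2296-0-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\UUxJRWt.exe
| MD5 | 89111ce7e12805943035675929f08a68 |
| SHA1 | 547816c811aba536e172de8738946f2c7df604e3 |
| SHA256 | 835329bfc8953d483d84817bd2288878f82f3555e8fff1bfa5d6a0fbd9d53b1c |
\Windows\system\qCbNCJM.exe
| MD5 | a0e46ea121ae5eb9bbd0616439e3f86f |
| SHA256 | ffcf9c631a444d9b614c6a1e5afa11a3d89ff42a7e5b3fd8a1f884c9d4a29996 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def cells(line: str) -> list:
    """Split one '| a | b |' row into stripped cell strings."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text: str):
    """Return (network_rows, files): rows are dicts, files map path -> {algo: hexdigest}."""
    network, files, section, current = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Network", "Files"):
            section = line
            continue
        if section == "Network" and line.startswith("|"):
            c = cells(line)
            if c[0] == "Country":                 # header row
                continue
            c = [x for x in c if x]                # export puts "tcp" in the Domain column; drop blanks
            row = {"country": c[0], "dest": c[1], "proto": c[-1]}
            row["domain"] = c[2] if len(c) == 4 else ""
            network.append(row)
        elif section == "Files":
            if line.startswith("|"):
                algo, value = cells(line)[:2]
                if algo in HASH_LEN and current is not None:
                    if len(value) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
                        raise ValueError(f"malformed {algo} for {current}: {value}")
                    files[current][algo] = value
            elif line.startswith("memory/"):
                current = None                     # memory dumps carry no hash rows in this export
            else:
                current = line                     # a dropped-file path (with or without drive letter)
                files.setdefault(current, {})
    return network, files


def indicators(network, files) -> dict:
    """Split direct connections from PTR lookups and collect SHA256 per dropped file."""
    conns, ptr_targets = set(), set()
    for r in network:
        m = PTR_RE.match(r["domain"])
        if m:
            ptr_targets.add(".".join(reversed(m.groups())))   # in-addr.arpa name -> forward IP
        else:
            conns.add((r["proto"], r["dest"]))
    sha256 = {path: h.get("SHA256") for path, h in files.items()}
    return {"connections": sorted(conns), "ptr_lookups": sorted(ptr_targets), "sha256": sha256}


if __name__ == "__main__":
    net, dropped = parse_report(EXCERPT)
    for k, v in indicators(net, dropped).items():
        print(k, v)
```

Paths are kept exactly as the export prints them (`C:\Windows\system\...` versus `\Windows\system\...`), so deduplicate on SHA256 rather than on path when merging the two runs; the same 21 dropped files hash identically in both.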
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:35
Reported
2024-06-01 07:37
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target all N/A in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target all N/A in this export.
UPX dump on OEP (original entry point)
64 hits; description, indicator, process and target all N/A in this export.
XMRig Miner payload
64 hits; description, indicator, process and target all N/A in this export.
Executes dropped EXE
| Process |
| C:\Windows\System\UUxJRWt.exe |
| C:\Windows\System\mliegAz.exe |
| C:\Windows\System\tdRaJti.exe |
| C:\Windows\System\qCbNCJM.exe |
| C:\Windows\System\bUxJguO.exe |
| C:\Windows\System\tlsInyL.exe |
| C:\Windows\System\ZNSeXeE.exe |
| C:\Windows\System\DfsZyPw.exe |
| C:\Windows\System\ZCGmnmw.exe |
| C:\Windows\System\KKDfimE.exe |
| C:\Windows\System\oPSPMBF.exe |
| C:\Windows\System\zlpaqIh.exe |
| C:\Windows\System\fiZqnfk.exe |
| C:\Windows\System\vgMqwwH.exe |
| C:\Windows\System\BSUjYXo.exe |
| C:\Windows\System\EfzCbmu.exe |
| C:\Windows\System\vBKSUyq.exe |
| C:\Windows\System\AMuVcKe.exe |
| C:\Windows\System\knpJrBj.exe |
| C:\Windows\System\ZCRJopC.exe |
| C:\Windows\System\ffsWkwk.exe |
UPX packed file
64 hits; description, indicator, process and target all N/A in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe |
As in the Windows 7 run, the only privilege adjusted is SeLockMemoryPrivilege, the privilege needed for large-page allocation (MEM_LARGE_PAGES) that XMRig enables for huge pages; it corroborates the XMRig hits rather than indicating token or credential theft.
Suspicious use of WriteProcessMemory
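Three behaviours recorded in both runs are cheap to detect on an endpoint: executables launched from `C:\Windows\System` (not `System32`) by a parent running from the user's Temp directory, the 7-letter mixed-case names of those executables, and a process enabling SeLockMemoryPrivilege. The following is an added example, not output of the sandbox and not a rule it ships: detection logic run over constructed process-creation and privilege-adjust events that mirror the Processes and AdjustPrivilegeToken sections. The event schema (type, pid, ppid, image, privilege, enabled) is an assumed, simplified one, not Sysmon's field names, and the PIDs are made up.

```python
"""Detection logic for the dropped-EXE fan-out and SeLockMemoryPrivilege use seen in this report.
EVENTS is a constructed log (assumed schema, invented PIDs) modelled on the Processes section."""
import json
import re

EVENTS = [json.loads(line) for line in r'''
{"type": "process", "pid": 2296, "ppid": 1000, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe"}
{"type": "privilege", "pid": 2296, "privilege": "SeLockMemoryPrivilege", "enabled": true}
{"type": "process", "pid": 3060, "ppid": 2296, "image": "C:\\Windows\\System\\UUxJRWt.exe"}
{"type": "process", "pid": 2184, "ppid": 2296, "image": "C:\\Windows\\System\\mliegAz.exe"}
{"type": "process", "pid": 2616, "ppid": 2296, "image": "C:\\Windows\\System\\tdRaJti.exe"}
{"type": "process", "pid": 4000, "ppid": 800, "image": "C:\\Windows\\System32\\svchost.exe"}
{"type": "process", "pid": 4100, "ppid": 4000, "image": "C:\\Windows\\System32\\conhost.exe"}
'''.strip().splitlines()]

# Exactly one path component under C:\Windows\System (System32 and SysWOW64 do not match).
WINDOWS_SYSTEM_DIR = re.compile(r"^C:\\Windows\\System\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def random_looking(stem: str) -> bool:
    """The dropper's names are 7 ASCII letters with mixed case, e.g. UUxJRWt, mliegAz, tdRaJti."""
    return bool(re.fullmatch(r"[A-Za-z]{7}", stem)) and stem != stem.lower() and stem != stem.upper()


def detect(events) -> list:
    """Return one alert per suspicious event, each with the reasons that fired."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process" and WINDOWS_SYSTEM_DIR.match(e["image"]):
            parent = procs.get(e["ppid"])
            stem = e["image"].rsplit("\\", 1)[1][:-4]
            reasons = ["exe launched from C:\\Windows\\System (not System32)"]
            if parent and USER_TEMP.match(parent["image"]):
                reasons.append("parent runs from user Temp")
            if random_looking(stem):
                reasons.append("7-letter mixed-case random-looking name")
            alerts.append({"pid": e["pid"], "image": e["image"], "reasons": reasons})
        elif e["type"] == "privilege" and e.get("privilege") == "SeLockMemoryPrivilege" and e.get("enabled"):
            image = procs.get(e["pid"], {}).get("image", "?")
            alerts.append({"pid": e["pid"], "image": image,
                           "reasons": ["SeLockMemoryPrivilege enabled (large pages; requested by XMRig)"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["pid"], a["image"], "|", "; ".join(a["reasons"]))
```

`C:\Windows\System` exists on a stock install, so baseline it before alerting on every execution from it; the combination with a Temp-resident parent and the naming pattern is what makes the three-reason alerts high-confidence. SeLockMemoryPrivilege is also legitimately enabled by database engines and hypervisors, so treat that alert as corroboration for a miner, not as a stand-alone verdict.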
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UUxJRWt.exe | C:\Windows\System\UUxJRWt.exe |
| C:\Windows\System\mliegAz.exe | C:\Windows\System\mliegAz.exe |
| C:\Windows\System\tdRaJti.exe | C:\Windows\System\tdRaJti.exe |
| C:\Windows\System\qCbNCJM.exe | C:\Windows\System\qCbNCJM.exe |
| C:\Windows\System\bUxJguO.exe | C:\Windows\System\bUxJguO.exe |
| C:\Windows\System\tlsInyL.exe | C:\Windows\System\tlsInyL.exe |
| C:\Windows\System\ZNSeXeE.exe | C:\Windows\System\ZNSeXeE.exe |
| C:\Windows\System\DfsZyPw.exe | C:\Windows\System\DfsZyPw.exe |
| C:\Windows\System\ZCGmnmw.exe | C:\Windows\System\ZCGmnmw.exe |
| C:\Windows\System\KKDfimE.exe | C:\Windows\System\KKDfimE.exe |
| C:\Windows\System\oPSPMBF.exe | C:\Windows\System\oPSPMBF.exe |
| C:\Windows\System\zlpaqIh.exe | C:\Windows\System\zlpaqIh.exe |
| C:\Windows\System\fiZqnfk.exe | C:\Windows\System\fiZqnfk.exe |
| C:\Windows\System\vgMqwwH.exe | C:\Windows\System\vgMqwwH.exe |
| C:\Windows\System\BSUjYXo.exe | C:\Windows\System\BSUjYXo.exe |
| C:\Windows\System\EfzCbmu.exe | C:\Windows\System\EfzCbmu.exe |
| C:\Windows\System\vBKSUyq.exe | C:\Windows\System\vBKSUyq.exe |
| C:\Windows\System\AMuVcKe.exe | C:\Windows\System\AMuVcKe.exe |
| C:\Windows\System\knpJrBj.exe | C:\Windows\System\knpJrBj.exe |
| C:\Windows\System\ZCRJopC.exe | C:\Windows\System\ZCRJopC.exe |
| C:\Windows\System\ffsWkwk.exe | C:\Windows\System\ffsWkwk.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The udp/53 rows are reverse (PTR) lookups sent to 8.8.8.8 for addresses such as 52.137.106.217 and 40.119.249.228; the report does not tie them to a process, so do not treat them as sample indicators without corroboration. The only direct connection is the repeated TCP contact with 3.120.209.58:8080, which the Windows 7 run above also shows, with no preceding DNS resolution in either run.
Files
memory/4236-0-0x00007FF6E80A0000-0x00007FF6E83F4000-memory.dmp
memory/4236-1-0x0000015282870000-0x0000015282880000-memory.dmp
C:\Windows\System\UUxJRWt.exe
| MD5 | 89111ce7e12805943035675929f08a68 |
| SHA1 | 547816c811aba536e172de8738946f2c7df604e3 |
| SHA256 | 835329bfc8953d483d84817bd2288878f82f3555e8fff1bfa5d6a0fbd9d53b1c |
| SHA512 | c5211d6fba4b7f87eb286f1593df6f9651d9647a7d341cf1d41f7124a187cfa7a1be83c8f81c4f192645c4ceb3678351aeb7f341d909c0dd186e43dba4ce032f |
memory/4504-8-0x00007FF642DF0000-0x00007FF643144000-memory.dmp
C:\Windows\System\tdRaJti.exe
| MD5 | 7d8b84d63e4aa6dbb02cf7fbca8c42a4 |
| SHA1 | 9584efa90a287b943d2e63c46a5eb3ce5343ef24 |
| SHA256 | 8fe2ef4452f88ceac2a9800ad2cd20006b1795d5ee154e031a985a3453cd4aaa |
| SHA512 | 92ea1c666d7925a0ec6bc7f385720f967b1e7de0d4ccefd3e6eaa014d370fcf0d4e8e4f48181f0ea939993f2a41f651205307e9df61ee18d9becbbd0bc06eb0c |
C:\Windows\System\mliegAz.exe
| MD5 | b6ef0ae7dafd7151456c3e50c773e3e7 |
| SHA1 | 287f6435f4fe3c84f8bb861de112716553b57a9c |
| SHA256 | 5efbb305c017f8c3b6e523387672ac6189a53ea356a3db7bd6fe77370b181184 |
| SHA512 | 765683c04bb4a9e6887a8e2d986b458909bc073225b048110e79a822ef54bce70c03c0599f5b16023dd1dcbd624f6e3f0242731764e2ee1819d35d151d385dce |
memory/888-14-0x00007FF6A6480000-0x00007FF6A67D4000-memory.dmp
memory/1444-18-0x00007FF6FBAB0000-0x00007FF6FBE04000-memory.dmp
C:\Windows\System\qCbNCJM.exe
| MD5 | a0e46ea121ae5eb9bbd0616439e3f86f |
| SHA1 | 59511c14031271b3654eae1d0a8fbbc68aa8e7af |
| SHA256 | ffcf9c631a444d9b614c6a1e5afa11a3d89ff42a7e5b3fd8a1f884c9d4a29996 |
| SHA512 | f8447dbb5363a004ad5793f970762f9890ec05146e8705c4bd592d2b47a38a5b98454605ae77efae8c85d1508d5dd8b6b2b5159129f1e12028800347d0decd0e |
memory/1360-24-0x00007FF7CA630000-0x00007FF7CA984000-memory.dmp
C:\Windows\System\bUxJguO.exe
| MD5 | 1f242b01747803e9df2ed025346306fe |
| SHA1 | 61b2669fc02e7044f175e3e48787d55e80ee9bd9 |
| SHA256 | 8ebd8730dc6c446a2dfc529a07f403cf365c1e0ef172240ab7b4c343a3c653f8 |
| SHA512 | 5b3d96805cc2df831538ccd8757b095cf50e0cafe58773f8b70efaa8847a85cf8399b257f33be2ad7d3b0533bf37a4dda6444d59f5c339903d935ac572d23abc |
memory/4728-30-0x00007FF6E22E0000-0x00007FF6E2634000-memory.dmp
C:\Windows\System\tlsInyL.exe
| MD5 | 20c0ee4467d998e0371e8a548d3e6e11 |
| SHA1 | 0f057e880bf24bc8d35962e3f4fb80c56b5d8ff3 |
| SHA256 | 13cb3b1a568793ea70e83d04a0b08c19718c352a6d84a9eae0d7831f77a0f891 |
| SHA512 | 62da23a82ad7733d49872957b2b56a8dc6e15173ba37350684ff58ba78024c81172f853638b34d9f2032a2f04a83effda01d24775c26c91b24a9d85b646702fc |
C:\Windows\System\ZNSeXeE.exe
| MD5 | 66758517bccae7f0ce7876bcd19c3a20 |
| SHA1 | 49c14c604d4a2d794cddd5267bf89725654823a9 |
| SHA256 | f60f20371237e9b39ebaf24dd994c04df33602ad295f471233b8e77b430117b4 |
| SHA512 | fd7c4bbf3b9cbad59b214cd7e9fcf9f1cdc313ea6716437e556d42a9f8c7c887aec4c25337e377765bcceab45eb9fb987033cf58b85bbfd5e4fb65a503f0781a |
memory/5008-42-0x00007FF7A79D0000-0x00007FF7A7D24000-memory.dmp
memory/3892-44-0x00007FF6FF7C0000-0x00007FF6FFB14000-memory.dmp
C:\Windows\System\DfsZyPw.exe
| MD5 | 37159c62cf0dd89a45089c1a771b2b89 |
| SHA1 | b741c381b8b812fd200fbc5af83953c9b8c04199 |
| SHA256 | 97ac4664a7019565a5eaa2ddbb22adb9a79374faef6aa8eeaed11d56786f3de2 |
| SHA512 | c6452b1bf9a4febbe8585522a13f252856ca4ad9eb8c1819569748cba24e5282124c8b16afb9c3276e8dc178859499bfa99cb3c9b9cacce5fb920ec956b180dd |
C:\Windows\System\ZCGmnmw.exe
| MD5 | 17d2c0d2877a082bb44cb607c2e9adf4 |
| SHA1 | 958f09ffe4400706216e7b10ffeb84fc848a7207 |
| SHA256 | cddde39b41bc1862d6dc7de4a08796b512e8fae973423a35f97a951da0cc048c |
| SHA512 | 7f424af37c69750192048c242481ba4282657d352834512e267c4b76d816579eb1da95d7758bbc113234f7551d1245b6d93d23de62e1f40adb6dc49e6deefb09 |
C:\Windows\System\KKDfimE.exe
| MD5 | b4ecf06e219e1aa90545dd947300cd18 |
| SHA1 | dea31ffb9b67bcc22ae78daf98e01674c7b42cfb |
| SHA256 | e0105c5add748f36863d96433cb234a5c8e6c01171f975d5f12112b6f25916b3 |
| SHA512 | 37b54ea6e7791e07660fbbd7519da4d52fc9d785ac10f753f7aa308319f08ef522d687ce0f7b97583ee14b93d65d69c36003fb49f58e76593fd582401c830741 |
memory/4236-64-0x00007FF6E80A0000-0x00007FF6E83F4000-memory.dmp
C:\Windows\System\oPSPMBF.exe
| MD5 | d1e750a020b0f9e707e6a58304ee1745 |
| SHA1 | dc9894bdeacfa212760edb54507a1186b464863c |
| SHA256 | 14f5788fea6c9b921b5f5bd6dc9fc9636ba81874b2aa16663e6378d13ee106cd |
| SHA512 | bf28fa41df73e8df61db1d5f0c49fa66bc12006501cfc8edbdebc17f9685c354c5153358fae3ed3defbd850a1ef3b1b309e08a734e933107bf46637636a389ba |
memory/4296-71-0x00007FF7F8EB0000-0x00007FF7F9204000-memory.dmp
C:\Windows\System\zlpaqIh.exe
| MD5 | 3e3c2ab71af71419032f72a95587234b |
| SHA1 | 51913bf27120498194f919c59ebcd2a99231fce0 |
| SHA256 | 6239df1a7a7df7d5013123ab47265ad69013e19e47e4458425def8e0a78e53b5 |
| SHA512 | 616f2c8314d89a038e419b20557938df07f9f92579083e7bb6a65422609e94fe246b9918dfe137a7100a8e0b296ffc39e9608c7242a99ec158d3c449d879dbcd |
C:\Windows\System\fiZqnfk.exe
| MD5 | 52f403373ead9348c35d105441efca97 |
| SHA1 | 6daf4960495b09222b234c18bddecbdc92ec5753 |
| SHA256 | 35e1a2ac039d5357e777f49d4c15f609b77c1d0abb2481d721448b4f2c06f034 |
| SHA512 | e8143829771c019b6b79626f55833830dba9e12c04ef94848a47f5e2587566c46fbf9b17c14a2adcfe06d39efbf4f499b448fc0b77f9687fd01efe58e8dc3fbd |
C:\Windows\System\BSUjYXo.exe
| MD5 | b9f600d8c83f29df5a2df4cb0c0c6b52 |
| SHA1 | 1eed129d3acdd91c93cf0ce6de3e4e36f9e61a4b |
| SHA256 | aee646a9178d7521845516c41ae87704b5e82f867e04e2ae055aa33dcf6a66bf |
| SHA512 | 4bb26866a495ff307cdab445b3744d419e156c21200f795562a94010289f81b34e6537b0d65985e40b49d743ed11566cda94d5f5b9ba81268694e33035939fea |
C:\Windows\System\EfzCbmu.exe
| MD5 | e607cd176acae67a649296ff4bd64b3e |
| SHA1 | 3d57a2ecdac0d789cf576efa1388a7677a6eee4d |
| SHA256 | 907d39339fcacd88fe0088845edd257e06e6af0e5ff0df3b3a701fac96b66efe |
| SHA512 | 80e358ee02f05a6b4fd545335a67dd872347f968543e29052748d91e4228b9a5bdbfe4ba99a9caf78ca7735c46d2fbce5b54171c8881bad65a5a4a59fee7a359 |
C:\Windows\System\vBKSUyq.exe
| MD5 | 2cf30f80942ffc1d9c89dd9c0a107417 |
| SHA1 | 415f51954a5283e8e6c22f774075b433586628ed |
| SHA256 | cbd257e1c8966e87f28159d57505281ee0b077faad17cb073b7810f28e4ce6e7 |
| SHA512 | 8a0c4cebb62d8f8cf51e2b40ab192bee9ea2cd893a8f07ebd8929a4003d342f4d709d0190afabbe52e27ccf5920120dd1cf58dc54a1655e696c2f53ad1bcc72a |
C:\Windows\System\knpJrBj.exe
| MD5 | 3f442dc1d5dbbac5c98deec1c4b18d8f |
| SHA1 | 61a29888515b64a5e6a176396670c8aeb25ba9ff |
| SHA256 | ab0e844eaa090769ca2baeb271458ef08c3c0d9885b39b653e857ba6c43a066a |
| SHA512 | 124298789dff066daa95886e4c48305f6ad762342a17cfd9ed9a77b0c2c882fbd5dd7e88bc82af01026b6878669a508a61f68a605ff9658f530c9774009b83f3 |
C:\Windows\System\ZCRJopC.exe
| MD5 | 53e725ef66e2706bca8cf401a52d243b |
| SHA1 | 921eefac25ace625e56368db262793a988b453de |
| SHA256 | ffc3e18fd01666814dfb9b48aefdc557e2bc29c74290aac7b29cc3fe2351f68a |
| SHA512 | ce9ee8f00d3c59ee135ba9012c97d31c933f00b3b891ff3354af6fd538b0dd60cf5443857c68e49f3a46b07c18b51b0cbe347076ceca0e1fef46466bba4c8c9b |
C:\Windows\System\ffsWkwk.exe
| MD5 | 9d741155dd5c886a93c2fe00164d4e4a |
| SHA1 | c54c20a1f3c1cc163371c47efeeb9d4efefef4a8 |
| SHA256 | b02eb718e018eca2db616762c241a98146a1c9e4a641c008005827b5914b8883 |
| SHA512 | aacd919ff70259ff6649554e3571471793c046a41985ea3ba92a5296a0f899ad50b09cc964a0852d12287bb687acca65f64d8beb05b8d759aaa9951853965854 |
C:\Windows\System\AMuVcKe.exe
| MD5 | 1baf1db68fa2294e366ae54f80e2fa67 |
| SHA1 | 524178e8dbdca07a37ed99d0c945d78356b851cf |
| SHA256 | e8d24a281f6571113d3ed9f87ef22e126c58fcc9e393df23813f3a725e2f69bf |
| SHA512 | ae92a7bcfddbff7543e457a8bd4d2933428b3ad226190e56e8736aae044cb418b55fb827572e6f14de9b679dcf9a694862aa96d2cbce36eb33a2533838ee6977 |
C:\Windows\System\vgMqwwH.exe
| MD5 | e729b4e55a5ec42df549d239d6f0da3b |
| SHA1 | e712e4524c96ae884ed886cf2a2531b5cbd58187 |
| SHA256 | 6a91d2ad9b44764b542351b2685e78c45a29fc95cd66954934dadcdc05a0f710 |
| SHA512 | 463fecc82bf9280821e2704d15d7d50d9870bf257145ce8429f02eb2dd4b2471cfd6fcfb6aeb87f639b5c30e32844598428b4cce28143588cc980a949b7fee62 |
memory/1012-65-0x00007FF70C210000-0x00007FF70C564000-memory.dmp
memory/2580-55-0x00007FF716D40000-0x00007FF717094000-memory.dmp
memory/2560-51-0x00007FF7EEEF0000-0x00007FF7EF244000-memory.dmp
memory/3188-119-0x00007FF73A470000-0x00007FF73A7C4000-memory.dmp
memory/4012-120-0x00007FF693900000-0x00007FF693C54000-memory.dmp
memory/1824-121-0x00007FF7847D0000-0x00007FF784B24000-memory.dmp
memory/4352-122-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp
memory/3392-123-0x00007FF67CF80000-0x00007FF67D2D4000-memory.dmp
memory/3448-124-0x00007FF7C9050000-0x00007FF7C93A4000-memory.dmp
memory/4992-125-0x00007FF674560000-0x00007FF6748B4000-memory.dmp
memory/1652-126-0x00007FF6C3F10000-0x00007FF6C4264000-memory.dmp
memory/4020-128-0x00007FF7972C0000-0x00007FF797614000-memory.dmp
memory/3428-127-0x00007FF6AD6A0000-0x00007FF6AD9F4000-memory.dmp
memory/1444-129-0x00007FF6FBAB0000-0x00007FF6FBE04000-memory.dmp
memory/1360-130-0x00007FF7CA630000-0x00007FF7CA984000-memory.dmp
memory/4728-131-0x00007FF6E22E0000-0x00007FF6E2634000-memory.dmp
memory/2580-132-0x00007FF716D40000-0x00007FF717094000-memory.dmp
memory/4504-133-0x00007FF642DF0000-0x00007FF643144000-memory.dmp
memory/888-134-0x00007FF6A6480000-0x00007FF6A67D4000-memory.dmp
memory/1444-135-0x00007FF6FBAB0000-0x00007FF6FBE04000-memory.dmp
memory/1360-136-0x00007FF7CA630000-0x00007FF7CA984000-memory.dmp
memory/4728-137-0x00007FF6E22E0000-0x00007FF6E2634000-memory.dmp
memory/5008-138-0x00007FF7A79D0000-0x00007FF7A7D24000-memory.dmp
memory/3892-139-0x00007FF6FF7C0000-0x00007FF6FFB14000-memory.dmp
memory/2560-140-0x00007FF7EEEF0000-0x00007FF7EF244000-memory.dmp
memory/1012-141-0x00007FF70C210000-0x00007FF70C564000-memory.dmp
memory/2580-142-0x00007FF716D40000-0x00007FF717094000-memory.dmp
memory/4296-143-0x00007FF7F8EB0000-0x00007FF7F9204000-memory.dmp
memory/3188-144-0x00007FF73A470000-0x00007FF73A7C4000-memory.dmp
memory/4012-145-0x00007FF693900000-0x00007FF693C54000-memory.dmp
memory/1824-146-0x00007FF7847D0000-0x00007FF784B24000-memory.dmp
memory/4352-147-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp
memory/3448-148-0x00007FF7C9050000-0x00007FF7C93A4000-memory.dmp
memory/3392-149-0x00007FF67CF80000-0x00007FF67D2D4000-memory.dmp
memory/1652-151-0x00007FF6C3F10000-0x00007FF6C4264000-memory.dmp
memory/4020-153-0x00007FF7972C0000-0x00007FF797614000-memory.dmp
memory/4992-152-0x00007FF674560000-0x00007FF6748B4000-memory.dmp
memory/3428-150-0x00007FF6AD6A0000-0x00007FF6AD9F4000-memory.dmp
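The Network and Files sections above are flat tables that still need a triage pass before they are usable as indicators. The Python helper below is an added example, not part of the sandbox report or of any tool it names. It parses Network rows into two groups: the PTR queries, which it reverses from in-addr.arpa form back to the IP addresses the sample was asking the resolver about (217.106.137.52.in-addr.arpa is a lookup for 52.137.106.217, which the table does not spell out), and the direct connections, counted per host:port so the repeated contact with 3.120.209.58:8080 stands out. It then walks the Files section, attaches each hash table to the dropped-file path that precedes it, and returns SHA256 values for executables written under C:\Windows\System with a 7-letter name. The embedded rows are excerpts copied from the tables above (two of the tcp rows are written with the protocol cell shifted or missing to show that the parser finds the protocol by value rather than by column position); the directory-plus-7-letter-name check is a heuristic chosen for this example, not a detection from the report.

```python
"""Added triage helper (example, not part of the sandbox report)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Network rows copied from the report's Network table. The last two tcp rows
# are written with the protocol cell shifted or missing to exercise the
# by-value protocol lookup in parse_network_row().
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
""".strip().splitlines()

# Excerpt of the report's Files section: two dropped files and one memory dump.
FILES_TEXT = r"""
C:\Windows\System\UUxJRWt.exe
| MD5 | 89111ce7e12805943035675929f08a68 |
| SHA256 | 835329bfc8953d483d84817bd2288878f82f3555e8fff1bfa5d6a0fbd9d53b1c |
memory/4504-8-0x00007FF642DF0000-0x00007FF643144000-memory.dmp
C:\Windows\System\tdRaJti.exe
| MD5 | 7d8b84d63e4aa6dbb02cf7fbca8c42a4 |
| SHA256 | 8fe2ef4452f88ceac2a9800ad2cd20006b1795d5ee154e031a985a3453cd4aaa |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DROPPED_RE = re.compile(r"^[A-Za-z]:\\.*\\[^\\]+\.exe$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")  # heuristic, see suspicious_drops


def ptr_to_ip(name: str) -> Optional[str]:
    """Recover the IP a reverse-DNS (PTR) query asks about. in-addr.arpa names
    carry the octets in reverse order, so 217.106.137.52.in-addr.arpa is a
    lookup for 52.137.106.217. Returns None for anything that is not a PTR name."""
    m = PTR_RE.match(name.strip().lower())
    return ".".join(reversed(m.groups())) if m else None


def parse_network_row(row: str) -> Optional[Dict[str, str]]:
    """Parse one '| Country | Destination | Domain | Proto |' row. The protocol
    is picked out by value, so rows with a shifted or missing cell still parse."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3 or ":" not in cells[1]:  # header line or malformed row
        return None
    rest = cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
    domain = next((c for c in rest if c and c.lower() not in ("tcp", "udp")), "")
    host, _, port = cells[1].rpartition(":")
    return {"country": cells[0], "host": host, "port": port, "domain": domain, "proto": proto}


def summarize_network(rows: List[str]) -> Dict[str, object]:
    """Split the table into hosts the sample asked the resolver about (PTR
    lookups, reversed to plain IPs) and direct connections counted per endpoint."""
    ptr_targets: List[str] = []
    connections: Counter = Counter()
    for row in rows:
        rec = parse_network_row(row)
        if rec is None:
            continue
        ip = ptr_to_ip(rec["domain"]) if rec["domain"] else None
        if ip is not None:
            ptr_targets.append(ip)
        else:
            connections[(rec["host"], rec["port"], rec["proto"])] += 1
    return {"ptr_targets": ptr_targets, "connections": dict(connections)}


def parse_dropped_files(text: str) -> Dict[str, Dict[str, str]]:
    """Map each dropped-file path to the hash table that follows it.
    memory/... dump lines are not files and are skipped."""
    files: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in (ln.strip() for ln in text.splitlines()):
        if DROPPED_RE.match(line):
            current = line
            files[current] = {}
        elif current is not None and (m := HASH_RE.match(line)):
            files[current][m.group(1).lower()] = m.group(2).lower()
    return files


def suspicious_drops(files: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    r"""Return (path, sha256) for executables written directly into
    C:\Windows\System under a 7-letter name, the pattern every drop in this
    report follows. Directory and name length are a heuristic chosen for this
    example, not a signature taken from the report."""
    hits: List[Tuple[str, str]] = []
    for path, hashes in files.items():
        directory, _, name = path.rpartition("\\")
        if directory.lower() == r"c:\windows\system" and RANDOM_NAME_RE.match(name):
            hits.append((path, hashes.get("sha256", "")))
    return hits


if __name__ == "__main__":
    net = summarize_network(NETWORK_ROWS)
    print("PTR lookups for:", ", ".join(net["ptr_targets"]))
    for (host, port, proto), n in net["connections"].items():
        print(f"{n}x {proto} {host}:{port}")
    for path, sha in suspicious_drops(parse_dropped_files(FILES_TEXT)):
        print(f"drop {path} sha256={sha}")
```

Feeding the full Network and Files sections to the same functions gives the complete list of PTR-queried hosts, the connection count to 3.120.209.58:8080, and 21 SHA256 values for the blocklist; the reversed PTR addresses are worth checking against the connection log, since a PTR lookup by itself only shows the sample asked about a host, not that it reached it.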