Analysis Overview
SHA256
2812b83df1c5b798e27f6b502d6f56e7b2dcc5c92681ffadd04022d5b7ecc1f6
Threat Level: Known bad
The file 2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike was found to be: Known bad. What the two detonations below support: the submitted PE is unsigned and UPX-packed; on both Windows 7 and Windows 10 it writes 21 executables with random seven-letter names into C:\Windows\System (the legacy directory, not System32) and runs each one; it requests SeLockMemoryPrivilege, the privilege XMRig enables so it can back its hashing memory with large pages; and both runs repeatedly connect to 3.120.209.58:8080 over TCP, the only destination that is not DNS or Microsoft background traffic. Every dropped executable has a different hash, yet every dumped image region is the same 0x354000 bytes, consistent with the same payload being re-dropped with per-file variation. The Cobalt Strike reflective-loader and reflective-DLL-injection signatures also matched, but no indicator detail for them survives on this page.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
UPX dump on OEP (original entry point)
Xmrig family
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:39
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:39
Reported
2024-06-01 07:42
Platform
win7-20240508-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches, no indicator detail on this page | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches, no indicator detail on this page | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 52 matches, no indicator detail on this page | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 52 matches, no indicator detail on this page | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CyhwBhE.exe | N/A |
| N/A | N/A | C:\Windows\System\cvzwgQD.exe | N/A |
| N/A | N/A | C:\Windows\System\OiwFKPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMUBftx.exe | N/A |
| N/A | N/A | C:\Windows\System\zHLVcUe.exe | N/A |
| N/A | N/A | C:\Windows\System\mIdMjhP.exe | N/A |
| N/A | N/A | C:\Windows\System\NULmVgk.exe | N/A |
| N/A | N/A | C:\Windows\System\EComwkx.exe | N/A |
| N/A | N/A | C:\Windows\System\mNrCLNM.exe | N/A |
| N/A | N/A | C:\Windows\System\rRUAKWb.exe | N/A |
| N/A | N/A | C:\Windows\System\Engpspt.exe | N/A |
| N/A | N/A | C:\Windows\System\FbdoAuI.exe | N/A |
| N/A | N/A | C:\Windows\System\lzmDjJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\RozHNzE.exe | N/A |
| N/A | N/A | C:\Windows\System\iLfKNRo.exe | N/A |
| N/A | N/A | C:\Windows\System\CkPnPkj.exe | N/A |
| N/A | N/A | C:\Windows\System\upBFOdI.exe | N/A |
| N/A | N/A | C:\Windows\System\AJPtZsF.exe | N/A |
| N/A | N/A | C:\Windows\System\ASyUBSN.exe | N/A |
| N/A | N/A | C:\Windows\System\ldMBkKf.exe | N/A |
| N/A | N/A | C:\Windows\System\RGDHYYw.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 52 matches, no indicator detail on this page | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\CyhwBhE.exe | C:\Windows\System\CyhwBhE.exe |
| C:\Windows\System\cvzwgQD.exe | C:\Windows\System\cvzwgQD.exe |
| C:\Windows\System\OiwFKPQ.exe | C:\Windows\System\OiwFKPQ.exe |
| C:\Windows\System\zHLVcUe.exe | C:\Windows\System\zHLVcUe.exe |
| C:\Windows\System\ZMUBftx.exe | C:\Windows\System\ZMUBftx.exe |
| C:\Windows\System\mIdMjhP.exe | C:\Windows\System\mIdMjhP.exe |
| C:\Windows\System\NULmVgk.exe | C:\Windows\System\NULmVgk.exe |
| C:\Windows\System\EComwkx.exe | C:\Windows\System\EComwkx.exe |
| C:\Windows\System\mNrCLNM.exe | C:\Windows\System\mNrCLNM.exe |
| C:\Windows\System\rRUAKWb.exe | C:\Windows\System\rRUAKWb.exe |
| C:\Windows\System\Engpspt.exe | C:\Windows\System\Engpspt.exe |
| C:\Windows\System\FbdoAuI.exe | C:\Windows\System\FbdoAuI.exe |
| C:\Windows\System\lzmDjJJ.exe | C:\Windows\System\lzmDjJJ.exe |
| C:\Windows\System\RozHNzE.exe | C:\Windows\System\RozHNzE.exe |
| C:\Windows\System\iLfKNRo.exe | C:\Windows\System\iLfKNRo.exe |
| C:\Windows\System\CkPnPkj.exe | C:\Windows\System\CkPnPkj.exe |
| C:\Windows\System\upBFOdI.exe | C:\Windows\System\upBFOdI.exe |
| C:\Windows\System\ASyUBSN.exe | C:\Windows\System\ASyUBSN.exe |
| C:\Windows\System\AJPtZsF.exe | C:\Windows\System\AJPtZsF.exe |
| C:\Windows\System\ldMBkKf.exe | C:\Windows\System\ldMBkKf.exe |
| C:\Windows\System\RGDHYYw.exe | C:\Windows\System\RGDHYYw.exe |
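Detection logic for the process pattern that the Executes dropped EXE table and the Processes list above record: one sample in the user's Temp directory launching 21 randomly named executables from C:\Windows\System. This is an added example, not code from the report or from the sandbox vendor. The events are constructed in a Sysmon Event ID 1 style; the image and parent paths are copied from this page, while the pids, the benign events and the decoy entry are made up.

```python
"""Flag a Temp-resident parent spawning random-named EXEs out of C:\\Windows\\System.

Added example, not part of the original report.  EVENTS is constructed in
the style of Sysmon Event ID 1 records; paths come from the report, the
pid/ppid values and the benign/decoy rows are illustrative.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe")

# Constructed process-creation events (pid/ppid values are illustrative).
EVENTS = [
    {"pid": 2324, "ppid": 1700, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"pid": 1264, "ppid": 2324, "image": r"C:\Windows\System\CyhwBhE.exe", "parent": SAMPLE},
    {"pid": 1308, "ppid": 2324, "image": r"C:\Windows\System\cvzwgQD.exe", "parent": SAMPLE},
    {"pid": 2292, "ppid": 2324, "image": r"C:\Windows\System\OiwFKPQ.exe", "parent": SAMPLE},
    {"pid": 2764, "ppid": 2324, "image": r"C:\Windows\System\ZMUBftx.exe", "parent": SAMPLE},
    {"pid": 2992, "ppid": 2324, "image": r"C:\Windows\System\zHLVcUe.exe", "parent": SAMPLE},
    {"pid": 2696, "ppid": 2324, "image": r"C:\Windows\System\mIdMjhP.exe", "parent": SAMPLE},
    # Benign noise: System32 binaries with ordinary parents (constructed).
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"pid": 4100, "ppid": 1700, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Decoy (constructed): random-looking name, but in System32 with a normal parent.
    {"pid": 4200, "ppid": 1700, "image": r"C:\Windows\System32\abcdefg.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")   # CyhwBhE.exe, cvzwgQD.exe, ...
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def reasons_for(event):
    """Return the list of heuristics an event trips (empty list = nothing)."""
    image = event["image"]
    hits = []
    # C:\Windows\System is the legacy 16-bit directory; current Windows
    # binaries live in System32 / SysWOW64, so new PEs here are suspicious.
    if ntpath.dirname(image).lower() == r"c:\windows\system":
        hits.append("image in C:\\Windows\\System")
    if RANDOM_NAME.match(ntpath.basename(image)):
        hits.append("seven-letter random-looking image name")
    if USER_TEMP.match(event["parent"]):
        hits.append("parent runs from the user's Temp directory")
    return hits


def evaluate(events, min_reasons=2):
    """Alert on every event that trips at least `min_reasons` heuristics."""
    alerts = []
    for ev in events:
        hits = reasons_for(ev)
        if len(hits) >= min_reasons:
            alerts.append({"pid": ev["pid"], "image": ev["image"], "reasons": hits})
    return alerts


def prolific_parents(events, threshold=5):
    """Parents that launched >= threshold distinct child images (dropper fan-out)."""
    children = {}
    for ev in events:
        children.setdefault(ev["parent"], set()).add(ev["image"].lower())
    return {parent: len(imgs) for parent, imgs in children.items() if len(imgs) >= threshold}


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['image']}: " + "; ".join(alert["reasons"]))
    for parent, count in prolific_parents(EVENTS).items():
        print(f"FAN-OUT {parent} launched {count} distinct images")
```

Requiring two heuristics is what separates the dropped files from the decoy: an odd name alone is weak, but an odd name in the legacy System directory with a parent in Temp is exactly the fan-out this report shows. On real Sysmon volume, `prolific_parents` is the cheaper first pass.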
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2324-0-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2324-1-0x0000000000100000-0x0000000000110000-memory.dmp
C:\Windows\system\CyhwBhE.exe
| MD5 | cd0ba8527488125d87d92bb9d2c3905a |
| SHA1 | 4d426a270dfe4d69c09c4e4474684225bb40b612 |
| SHA256 | 4d1d92cd1168973d5da6e8f5a79c66f31e2c6ae991a072dd4c3e5457566f58a2 |
| SHA512 | 419daa9cb4a8878efde32af5c6e5dfb8021ed0150fb25f83306368e088adfe762eeff66518380645fa13e1cf921bb86768ebd5483bfad1ffa76620f47e6b5acc |
memory/2292-20-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2324-28-0x000000013FF80000-0x00000001402D4000-memory.dmp
\Windows\system\ZMUBftx.exe
| MD5 | 21c6e26c6a894b47971b2b738f0e91bc |
| SHA1 | 53cbf6fc493dddf2e1e8bc0d7579fbbcd311c67f |
| SHA256 | 00408afb4350adfeebfd7f99787e76810e7d648a120db910dc3e061967f6944d |
| SHA512 | 0afa8c506a173b13e3c8c16b04bd69a80709d3f09074b8617be3bb399fd5b220d1d5b7c55ff79cb48c0c599bce03cf44f525ed3d86bde33b33a117b0e05e4a5e |
memory/1308-19-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\OiwFKPQ.exe
| MD5 | 3dcb1fe98510c8faa44627192e5f5af7 |
| SHA1 | 624f2d97bf265011db8ffdaeea34d18b07e06b6c |
| SHA256 | 9c5fd1b0a69d440b3476db3854fdd94f59b6aba9d9ce6b2133c9a1c3c4fc9220 |
| SHA512 | ee638829e250e506fa468992d8090ee97341fc6d31b0415946553b47e0466a6a7dcd6e14c8f8fdb3f198dda06e7c60701eaef36432acf5a590a9fb15e8254b4c |
\Windows\system\cvzwgQD.exe
| MD5 | 9f20dae255048a531322ccb73d498d17 |
| SHA1 | 43660a1ba8792d934dedc2a6736afab252fafd16 |
| SHA256 | 45be14f96610d2499c7ca74fd55f7af2bdca42f4340ee5a3b21ea873bc1433b3 |
| SHA512 | cdf7707bba8f6a505a765ffd49f707cc3d7c06c7b64f54f704a200876d1b62f85e0ab53a94717fb0d946f52f888a1f87866b372b2ebfd907c92d05a0ea81b3f7 |
memory/1264-16-0x000000013F120000-0x000000013F474000-memory.dmp
C:\Windows\system\ldMBkKf.exe
| MD5 | 43f1e0d70519fab542cd6a43db077f73 |
| SHA1 | 7f825ad754e6d6e12eb9a19ae12e099078d5c2db |
| SHA256 | c926ad379e53665814b891c6014f8d0df8bfc0eb55a7cde2729c8d8d561a1e53 |
| SHA512 | 2f606d065f052fa813c1d8607ef8a6eca9152e27d94d7ccdadf4ce9481f0be8ecf0a1a40a98e43856a0c3bc235f6f96889d20c937a0758317eb1af2ec3067786 |
memory/2612-135-0x000000013FDA0000-0x00000001400F4000-memory.dmp
C:\Windows\system\ASyUBSN.exe
| MD5 | 12c1616f42906c47d76649d23bbc92fc |
| SHA1 | eb2c4e395960aa05de7f7e0a3c39a669f3287790 |
| SHA256 | edbe387da0918b2bf2e91a164a6df8d7cbd6095d4e4c8839987d841757c06f23 |
| SHA512 | 5df1b2888febf9bc8020ed002e4f07361a21fdf844496af367ffbf342f0482cda459314c1d6158f486b245253d3dd8659bbd865070c18f824e80d4a9e786878a |
C:\Windows\system\RGDHYYw.exe
| MD5 | ab700f6af243aab5bb6b2a1e0002103c |
| SHA1 | c12de9b2057492c51fc8da3fbc3dc38246b01f52 |
| SHA256 | 8f1f0478fcc85444aa57bdd6c6ee8b13a813f59116c8bde271599afed7734013 |
| SHA512 | 8c3b2e568fba636fb5dafda74d464898147a360362284c36ee127ae33f85b3969d8974cc1a8ce2a6ecfa40951bb1c5abcfd6851f686d19791e90dd5435b97173 |
C:\Windows\system\AJPtZsF.exe
| MD5 | 1c19950a2d067b320bb901645a21c1df |
| SHA1 | 549c6f1a2ff3e6f79f71e1bc6c141745c9608445 |
| SHA256 | 27a7c2bd8744389c6e99d0e7c69db49b01512d89aacc43ee357bc28470165577 |
| SHA512 | 554ef2110e1e95e7b061bbb25c26b041aa6077466844fd24ec3fb7c6e96474be2b5c4c5e735116f0687a1f656c6418fcad81e1116826e334aa01c304db8daa3e |
C:\Windows\system\upBFOdI.exe
| MD5 | 7e35cbf156c355395bc5c285fadf04ed |
| SHA1 | 795dd19c122910e6b8acfc369afde6d78adcb255 |
| SHA256 | 5fe63a45bbbfc2be7fd1823a2a1fcd42453f5b073dd744b38f9d4c3494584b16 |
| SHA512 | eb5ded9079760489eeb16a699af355770bafaac7b3613de8f2ffa1f6058c5b2bab6b7dcb2c8b0c82a5ae03e66a5e2fcd83e7e9bf5ad2f6eb04908f904ae15fb2 |
C:\Windows\system\CkPnPkj.exe
| MD5 | 9667a75e222c095f546f96a04d4712dd |
| SHA1 | f6f4e538ab8c0dec75e16fe3e03c3d23c052c1da |
| SHA256 | 55bfaff0616d80f90cc8eb6a28481bc0e68557a620484045ca6cab76df558cdb |
| SHA512 | b4031d51503ffabee5d37a9c03acf497e70c51e6ed2cd1abfd9701ea4d26b6ea4fae6f9073c4fb480236037aaf760fcc3095fa732e38e672ccaea7f3ff4d4337 |
C:\Windows\system\iLfKNRo.exe
| MD5 | 640da0ae09fe11c28c28028430b5d0b2 |
| SHA1 | 46cb555d8b9124c9ea8068452b8c6d8edf8891e9 |
| SHA256 | 4ec9762244844fc74e3ad83bd396d8d9dd25e472b3da469de5f5fd0c707b9678 |
| SHA512 | f705393818e2b7b47f97c4baf89ab7c7852f3c2d4bd9c0afd19395a766ccd9433e8307482d440e5215cc166395679d51638f42bdd89c0d3e8e65bb683723cd72 |
C:\Windows\system\RozHNzE.exe
| MD5 | 68b4224a68d2c7cbd954db1a8aebc214 |
| SHA1 | 1b1a280309390a638071d3c7c8898574252f416c |
| SHA256 | 5771ebd0e928544246bd9f8f8d0f2e11678a0fb03473148aa756a331ca876d69 |
| SHA512 | 449900711eb6cb7e1b2f8604bd5ba25693c50ecca40f367423cd33346f6dd542d2ef00e66a3930d20df70058c0020d022193742984648004968202849be700d7 |
memory/2324-101-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/2076-85-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/3044-100-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2324-99-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/2940-92-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2324-91-0x000000013F390000-0x000000013F6E4000-memory.dmp
C:\Windows\system\lzmDjJJ.exe
| MD5 | 4a402908a7e9b9672918be530788327f |
| SHA1 | e88d37adb07aaaf643ec8704d28486cfe78c4ec6 |
| SHA256 | 2d7f7fe43e68cffbce3a342c941e14092f3a7fc0909d35356ed4f3cde2eb9807 |
| SHA512 | 0ae272a9d7186639e9597ba6e6ab5c179574f473cad667e082b91a7a9865aefb6cc0f4a46c5dfcb48468e6f5c9d3f37fe6907c354659b16685825463accde622 |
C:\Windows\system\FbdoAuI.exe
| MD5 | de613523e01d7605d221578c60bc2147 |
| SHA1 | 07cd064b10bfc631ed35ff36e36caa6c7318c6db |
| SHA256 | b28f5bd1912180619b990fdc879baf452ff4a184419840e84a2147c85e7b797f |
| SHA512 | 7e895ba2fc3f02d2611a5a95af41ee4bbb9b5be6875e358d14bce3af68a220a1aa1eac517b4780b9728879c1d7d678b15b3ad73fba725b37d23b00c91715baf9 |
memory/2324-80-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/1640-79-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2324-78-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2576-77-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2324-76-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
C:\Windows\system\rRUAKWb.exe
| MD5 | a38284a6ee84355933b4bbdb528e67cf |
| SHA1 | ec7ad729828c0e194d3230497dfa30b0343f68c3 |
| SHA256 | 2d689542cbe0682e131131f9009294dd86c98de3914b5e07b9300e19fb66a243 |
| SHA512 | e3e594f1deef76cb00199ebfaf973a74832da69608fce8da0e2889ab1c9dfbe0202760dd0519f1c85900928eda18cd18169934e66d19f4f46b37f8e42c211477 |
memory/2324-56-0x000000013FB50000-0x000000013FEA4000-memory.dmp
C:\Windows\system\EComwkx.exe
| MD5 | 97baedd223c57b1ca62a36439eaeee65 |
| SHA1 | 4a7106ac5dc8b6a21ea4f450d346ffab85a9a8db |
| SHA256 | 6e4dc8e5cc149ce113619331217a217b9bf2a0df41c08c1fbf82e4514f801e3c |
| SHA512 | 7bc0d2438a3c58272cbbf4859f5284451fe29626cdec548f107c4cb3f87f027516fd1b58e1ed58683a8e775915846d778f6c398ef936eefcf13be00f4d94da40 |
C:\Windows\system\Engpspt.exe
| MD5 | 196ad1df7bb8c2e4b7e849b2392f4446 |
| SHA1 | 135c6bd9467cf13766b67ff565d0701e6f14f948 |
| SHA256 | 0d3fbda06eff180b10746d37eb15201161587cf1021e2bbe663f72613e5766ff |
| SHA512 | b8a426b61f5225ea134da9e4bb0f465af30f84c19abf87a0c308890ed16af1cae05792bb00cc1d7e4bbabac226578c9e583eb162c81091f08b3e30335ddbaf2c |
memory/2612-63-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2324-62-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\mNrCLNM.exe
| MD5 | 9e3f44e46c91f1336dccb47f46cdb68c |
| SHA1 | 39f84a6942399cf75e131971860cb05c95e5f61c |
| SHA256 | b7d79a66f10097c163d95eea9d2b74105166786618ff2910d400b989b336e043 |
| SHA512 | a3dd2482b8d12bf03a167b45eb6c517ad6d2e9ad07253bdbf38efe3318c31ced53ed75875c5097fb59ff23c8c452250fe767f5831b2f879f0b2b999e4d26bfc4 |
memory/2872-59-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2096-50-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2324-49-0x000000013F340000-0x000000013F694000-memory.dmp
C:\Windows\system\NULmVgk.exe
| MD5 | 0bf76f9d03787bc6830584db6a0e0130 |
| SHA1 | b22df7641bd1eb80bd088f293402bbf9ef76f124 |
| SHA256 | 5742bb259302d733690ed8c8dc66435eaf1ec4d048a576ab7b92dfd1f7930e68 |
| SHA512 | 860bfb6ecf2281ebde15ab124840588bdfbf6378a4f114fc560cde8a48fe9996bffdda8c316bcb80f0dc1f864f07444a3981d7af152bc4d85876dea96bd4c426 |
memory/2992-43-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2696-42-0x000000013FD10000-0x0000000140064000-memory.dmp
C:\Windows\system\mIdMjhP.exe
| MD5 | b8eaaf7d424d082e91e90ed2a7d57374 |
| SHA1 | c2878e5a720cfb85b5c1875ec4abf93cf09bc973 |
| SHA256 | 84529701e11ca8f25d3a7dec1d608c1448777747607db2a8cf392b08c4a8e1a9 |
| SHA512 | 1d746f87e085e8568eeeb0b187223c35d2bfa30a9ff3eee0389a527118a70260649c8084fe596f0752c267fc2e7bf1f9b50866f3cfb91b62517540be5033886b |
C:\Windows\system\zHLVcUe.exe
| MD5 | c2e5a43bec2efd5d34d08bb049aebde2 |
| SHA1 | 446e69ca4b2c2a6d31b81f4d327acc010bd9e5c2 |
| SHA256 | 1fda8f91717f75ba6aa6b97591da95039b99df7e51a6763f1ea0e660199c6fe8 |
| SHA512 | 21e2b8b958e2f2c75d3b2d1034370a82dbbd3940f4d95dcaf67577423606783a932bccf521dd3c7788b01c1b2a267dd0f9b05364a9c48812574197af69abf473 |
memory/2324-37-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2324-24-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/2764-33-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2324-31-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/2324-30-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2324-136-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2324-137-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2324-138-0x00000000023F0000-0x0000000002744000-memory.dmp
memory/1264-139-0x000000013F120000-0x000000013F474000-memory.dmp
memory/1308-140-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2292-141-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2764-142-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2992-143-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2696-144-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2096-145-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2872-146-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2612-147-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2576-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/1640-149-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2076-150-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2940-151-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/3044-152-0x000000013F7E0000-0x000000013FB34000-memory.dmp
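A small parser for the Files section format above (memory/PID-N-start-end-memory.dmp lines and the per-file hash tables), used to pull out SHA256 IOCs, check the sizes of the dumped regions, and match the hashes against files on disk. This is an added example, not part of the report: REPORT_EXCERPT copies a few lines verbatim from the section above (SHA512 rows left out), while the scanned directory and the file planted in it are constructed so that the example runs offline.

```python
"""Parse the report's Files section into IOCs and put them to use.

Added example, not part of the original report.  REPORT_EXCERPT is a
constructed excerpt (lines copied from the Files section, SHA512 rows
omitted); the scanned directory in demo_scan() is a temporary one with a
made-up file, not the sandbox's disk.
"""
import hashlib
import os
import re
import tempfile

REPORT_EXCERPT = r"""
memory/2324-0-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2324-1-0x0000000000100000-0x0000000000110000-memory.dmp
C:\Windows\system\CyhwBhE.exe
| MD5 | cd0ba8527488125d87d92bb9d2c3905a |
| SHA1 | 4d426a270dfe4d69c09c4e4474684225bb40b612 |
| SHA256 | 4d1d92cd1168973d5da6e8f5a79c66f31e2c6ae991a072dd4c3e5457566f58a2 |
memory/2292-20-0x000000013FF80000-0x00000001402D4000-memory.dmp
\Windows\system\ZMUBftx.exe
| MD5 | 21c6e26c6a894b47971b2b738f0e91bc |
| SHA1 | 53cbf6fc493dddf2e1e8bc0d7579fbbcd311c67f |
| SHA256 | 00408afb4350adfeebfd7f99787e76810e7d648a120db910dc3e061967f6944d |
memory/1308-19-0x000000013F520000-0x000000013F874000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\(?:[^\\]+\\)*([^\\]+\.exe)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_report(text):
    """Return ({file name: {algo: hex}}, [(pid, seq, start, end), ...])."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
        elif m := PATH_RE.match(line):
            current = m.group(1)          # hash rows that follow belong to this file
            files[current] = {}
        elif (m := HASH_RE.match(line)) and current:
            files[current][m.group(1)] = m.group(2).lower()
    return files, regions


def region_sizes(regions):
    """Dumped region sizes per pid; one size repeating across pids hints at one image."""
    sizes = {}
    for pid, _seq, start, end in regions:
        sizes.setdefault(pid, []).append(end - start)
    return sizes


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, sha256_iocs):
    """Hash every file under root and return (path, sha256) for IOC matches."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in sha256_iocs:
                hits.append((path, digest))
    return hits


def demo_scan():
    """Build the IOC set from the excerpt and scan a constructed directory."""
    files, _regions = parse_report(REPORT_EXCERPT)
    iocs = {h["SHA256"] for h in files.values() if "SHA256" in h}
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "AbCdEfG.exe")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in, not the real dropped file\n")
        iocs.add(sha256_file(planted))   # simulate one known-bad hash being present
        with open(os.path.join(root, "benign.txt"), "w") as f:
            f.write("nothing to see\n")
        return [os.path.basename(p) for p, _ in scan_directory(root, iocs)]


if __name__ == "__main__":
    files, regions = parse_report(REPORT_EXCERPT)
    for name, hashes in files.items():
        print(name, hashes["SHA256"])
    for pid, sizes in region_sizes(regions).items():
        print(f"pid {pid}: " + ", ".join(hex(s) for s in sizes))
    print("matches:", demo_scan())
```

Because every dropped file on this page has a distinct hash, hash IOCs only catch the exact files from this detonation; the region-size check (0x354000 for every image in every pid) is the more durable observation, and the path/name heuristics are what would catch the next drop.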
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:39
Reported
2024-06-01 07:42
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches, no indicator detail on this page | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches, no indicator detail on this page | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 matches, no indicator detail on this page | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches, no indicator detail on this page | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FjKcTIo.exe | N/A |
| N/A | N/A | C:\Windows\System\wmtwiAs.exe | N/A |
| N/A | N/A | C:\Windows\System\xagkThT.exe | N/A |
| N/A | N/A | C:\Windows\System\ZHofxwX.exe | N/A |
| N/A | N/A | C:\Windows\System\xnRvASr.exe | N/A |
| N/A | N/A | C:\Windows\System\oSIAFPb.exe | N/A |
| N/A | N/A | C:\Windows\System\XxAWNWl.exe | N/A |
| N/A | N/A | C:\Windows\System\XRZitva.exe | N/A |
| N/A | N/A | C:\Windows\System\opjZznO.exe | N/A |
| N/A | N/A | C:\Windows\System\KrmITbE.exe | N/A |
| N/A | N/A | C:\Windows\System\bHMNfco.exe | N/A |
| N/A | N/A | C:\Windows\System\FBZXodq.exe | N/A |
| N/A | N/A | C:\Windows\System\sHCPDPv.exe | N/A |
| N/A | N/A | C:\Windows\System\ttFlTeb.exe | N/A |
| N/A | N/A | C:\Windows\System\hjQHIfY.exe | N/A |
| N/A | N/A | C:\Windows\System\TIvrXUm.exe | N/A |
| N/A | N/A | C:\Windows\System\LpHwkyn.exe | N/A |
| N/A | N/A | C:\Windows\System\FOVURqb.exe | N/A |
| N/A | N/A | C:\Windows\System\lrPGQLW.exe | N/A |
| N/A | N/A | C:\Windows\System\AVuegPc.exe | N/A |
| N/A | N/A | C:\Windows\System\cAKeYbV.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matches, no indicator detail on this page | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\FjKcTIo.exe | C:\Windows\System\FjKcTIo.exe |
| C:\Windows\System\wmtwiAs.exe | C:\Windows\System\wmtwiAs.exe |
| C:\Windows\System\xagkThT.exe | C:\Windows\System\xagkThT.exe |
| C:\Windows\System\ZHofxwX.exe | C:\Windows\System\ZHofxwX.exe |
| C:\Windows\System\xnRvASr.exe | C:\Windows\System\xnRvASr.exe |
| C:\Windows\System\oSIAFPb.exe | C:\Windows\System\oSIAFPb.exe |
| C:\Windows\System\XxAWNWl.exe | C:\Windows\System\XxAWNWl.exe |
| C:\Windows\System\XRZitva.exe | C:\Windows\System\XRZitva.exe |
| C:\Windows\System\opjZznO.exe | C:\Windows\System\opjZznO.exe |
| C:\Windows\System\KrmITbE.exe | C:\Windows\System\KrmITbE.exe |
| C:\Windows\System\bHMNfco.exe | C:\Windows\System\bHMNfco.exe |
| C:\Windows\System\FBZXodq.exe | C:\Windows\System\FBZXodq.exe |
| C:\Windows\System\sHCPDPv.exe | C:\Windows\System\sHCPDPv.exe |
| C:\Windows\System\ttFlTeb.exe | C:\Windows\System\ttFlTeb.exe |
| C:\Windows\System\hjQHIfY.exe | C:\Windows\System\hjQHIfY.exe |
| C:\Windows\System\TIvrXUm.exe | C:\Windows\System\TIvrXUm.exe |
| C:\Windows\System\LpHwkyn.exe | C:\Windows\System\LpHwkyn.exe |
| C:\Windows\System\FOVURqb.exe | C:\Windows\System\FOVURqb.exe |
| C:\Windows\System\lrPGQLW.exe | C:\Windows\System\lrPGQLW.exe |
| C:\Windows\System\AVuegPc.exe | C:\Windows\System\AVuegPc.exe |
| C:\Windows\System\cAKeYbV.exe | C:\Windows\System\cAKeYbV.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files