Analysis Overview
SHA256
e4f988fdf8637baab71e1683c014b562621ac00fa2937f5191efdce75bd64e88
Threat Level: Known bad
The file 2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 11:33
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 11:33
Reported
2024-06-01 11:36
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dZRkryR.exe | N/A |
| N/A | N/A | C:\Windows\System\lWpkXRD.exe | N/A |
| N/A | N/A | C:\Windows\System\ZsDVzSW.exe | N/A |
| N/A | N/A | C:\Windows\System\yymadwV.exe | N/A |
| N/A | N/A | C:\Windows\System\gYojtXr.exe | N/A |
| N/A | N/A | C:\Windows\System\HznnjwF.exe | N/A |
| N/A | N/A | C:\Windows\System\IyCqDRV.exe | N/A |
| N/A | N/A | C:\Windows\System\JLFYQep.exe | N/A |
| N/A | N/A | C:\Windows\System\xBwsGRc.exe | N/A |
| N/A | N/A | C:\Windows\System\KJaUvEC.exe | N/A |
| N/A | N/A | C:\Windows\System\MQswEaz.exe | N/A |
| N/A | N/A | C:\Windows\System\YSjOGwK.exe | N/A |
| N/A | N/A | C:\Windows\System\iBqfApq.exe | N/A |
| N/A | N/A | C:\Windows\System\EZdKDFy.exe | N/A |
| N/A | N/A | C:\Windows\System\ibMrzkG.exe | N/A |
| N/A | N/A | C:\Windows\System\PnapYMm.exe | N/A |
| N/A | N/A | C:\Windows\System\dxczxgU.exe | N/A |
| N/A | N/A | C:\Windows\System\naWCDXm.exe | N/A |
| N/A | N/A | C:\Windows\System\mQZhNYc.exe | N/A |
| N/A | N/A | C:\Windows\System\BIdwhEN.exe | N/A |
| N/A | N/A | C:\Windows\System\VEJreFr.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dZRkryR.exe
C:\Windows\System\dZRkryR.exe
C:\Windows\System\lWpkXRD.exe
C:\Windows\System\lWpkXRD.exe
C:\Windows\System\ZsDVzSW.exe
C:\Windows\System\ZsDVzSW.exe
C:\Windows\System\yymadwV.exe
C:\Windows\System\yymadwV.exe
C:\Windows\System\gYojtXr.exe
C:\Windows\System\gYojtXr.exe
C:\Windows\System\HznnjwF.exe
C:\Windows\System\HznnjwF.exe
C:\Windows\System\IyCqDRV.exe
C:\Windows\System\IyCqDRV.exe
C:\Windows\System\JLFYQep.exe
C:\Windows\System\JLFYQep.exe
C:\Windows\System\xBwsGRc.exe
C:\Windows\System\xBwsGRc.exe
C:\Windows\System\KJaUvEC.exe
C:\Windows\System\KJaUvEC.exe
C:\Windows\System\MQswEaz.exe
C:\Windows\System\MQswEaz.exe
C:\Windows\System\YSjOGwK.exe
C:\Windows\System\YSjOGwK.exe
C:\Windows\System\iBqfApq.exe
C:\Windows\System\iBqfApq.exe
C:\Windows\System\EZdKDFy.exe
C:\Windows\System\EZdKDFy.exe
C:\Windows\System\ibMrzkG.exe
C:\Windows\System\ibMrzkG.exe
C:\Windows\System\PnapYMm.exe
C:\Windows\System\PnapYMm.exe
C:\Windows\System\dxczxgU.exe
C:\Windows\System\dxczxgU.exe
C:\Windows\System\naWCDXm.exe
C:\Windows\System\naWCDXm.exe
C:\Windows\System\mQZhNYc.exe
C:\Windows\System\mQZhNYc.exe
C:\Windows\System\BIdwhEN.exe
C:\Windows\System\BIdwhEN.exe
C:\Windows\System\VEJreFr.exe
C:\Windows\System\VEJreFr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2220-1-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2220-0-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\dZRkryR.exe
| MD5 | 093b6e6796849592667075b182a71df4 |
| SHA1 | 4144e19c29d95977db5c14bc13a84d28bcfc1d5d |
| SHA256 | 4beed4ec93300b9efdd1a82d2c47206169726bffbd7aa25f0ac3184d1194fcef |
| SHA512 | 249579cb600ec772f4f0c5d30fb382ec734fa02d4d22c05e21a5fac7b3d6ec32efef22dcb11be6f56253518ce29784e3acb7d264991fac30da721fdcb6fac8a6 |
memory/1044-9-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2220-7-0x000000013FD30000-0x0000000140084000-memory.dmp
\Windows\system\lWpkXRD.exe
| MD5 | 8290a538025cac3659219f713f5febdf |
| SHA1 | e20d7af1fe4c1be4a967aae99a6ffb2067e3c5c6 |
| SHA256 | cab179f52042de83b625c055b696fe9985ad30e924b9322d9259bcf0d0ca0427 |
| SHA512 | 982360a482386148415cbc20b12e6c0c8c245737abe227d4b5257bfff88abcf0ada16e72c532a382ac39ec2846de98751fd7c98d6faf0cac5dbba5ad309d2a87 |
memory/2300-16-0x000000013F390000-0x000000013F6E4000-memory.dmp
C:\Windows\system\ZsDVzSW.exe
| MD5 | 4f4c2347184810c274f00660f440f5f5 |
| SHA1 | 3807d89f3cfd45cf20e6941a82ba4a355fd97bcd |
| SHA256 | 4651719e2cf8527ce1b2b628cedb8c779290516b74d6ec3bd6fd6e1439b7c7f9 |
| SHA512 | a6da63f7dd4099d16210c9b97ea07eaa7fabd855cfbe4a1cee675b4706561dec25984f750912c1e71a87a4432a5aa0a326ab1607901483e892a0cfc72ddf938e |
memory/2220-15-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\yymadwV.exe
| MD5 | fd02b0339a8534d94e5ab81a90fc680b |
| SHA1 | e4bc4d4a392df3a48ca8d2b08fcc7ee6423f07d5 |
| SHA256 | 8dc1b486515edf611d06b33a319382ba9d28f166a03327a3242f341bd0cd2c43 |
| SHA512 | ad4534c5af07fc8a775ff1bc46179a558ea1bd9fe7b0b6ca30c891be56f0b721a8db2c40f958a5f0440a2b886ca97c76bbee7f0dbde3d8cc006ef18029e22ddf |
memory/2220-28-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2644-29-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2376-23-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\xBwsGRc.exe
| MD5 | bc09a6fc1fc1cbaee341b4641c65853f |
| SHA1 | d330205c4705238717251d401a73a96f424886fc |
| SHA256 | 617fee0895a7d29a959e450a359c6b6db369fae7fc3d95cca45a6ee0a12fa172 |
| SHA512 | af389eb75eda949e8d17df98a0d14e5b1215151aa627e416c5b309fd84d5ab0b07759538638cd01b500136455fb99d9c5b064c95d49667f32c0c0df4e190fbc2 |
memory/2564-62-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2528-68-0x000000013F2D0000-0x000000013F624000-memory.dmp
C:\Windows\system\EZdKDFy.exe
| MD5 | c97c20c18f3312d3952c9c51198cc579 |
| SHA1 | fe675f0e4570ac441326850ab1c83d4df5d788ac |
| SHA256 | d940039ddff667dc857cd1d25b56cd7a643527d2c565ce1e772bad12a7bb0a91 |
| SHA512 | ce669475bd621dd291b6d78f614d084af817aa047ac4b16a67a060f4e60b0282e4eb35048d6c9f13b923912b5f8f15a65dfdbe321c46becb9b1ee094fc1046e8 |
C:\Windows\system\naWCDXm.exe
| MD5 | 1990363a5ae1ccd8e26e44d6bab8eccc |
| SHA1 | 52df02dd84393a81f8b7001da8a3fa3476eadb9a |
| SHA256 | 3a54d58b6bcc7d053eca615f34ce9c800aa159371ed46a1328da29cf6886eead |
| SHA512 | cd445760df43d813fb42c608036c5e0e476555d3eff672acb350a3db289a7461f82cf7cb532ac9509f4144575db566c5a4d3734a674f4be372f121333b1f6617 |
\Windows\system\VEJreFr.exe
| MD5 | 2a57bbaeb6eee601dd7e02e4b5f93404 |
| SHA1 | ca666f4e4fa5157c61c2732dd0893262d4ee7fce |
| SHA256 | 047800c79b9cef27c066ebb7357eb7652f9e7b1b7b10a0e4617659b813166baa |
| SHA512 | 6845089183879fb97a7cd1615cf22b79056eebafc8ee1a37237ce1aac39105039f38e2205dc5d7c4a5ab033db491d452257f862759ac99f4246f9054acdd30c4 |
C:\Windows\system\mQZhNYc.exe
| MD5 | 3905bb3ec66fa43ad493a29490bf449d |
| SHA1 | 02f51db0e925b474a89c518a9fdc63687df2958c |
| SHA256 | 9eb93e8e5002ce81cd6bb04c1e95f203471eb4b688205ece3710f0dbe9bf1d3f |
| SHA512 | f8658acf436394bfd72ba5a824715608d99284c02a930fda22dc1a6382b5ea6403c1789890d529681fe01d2afbbb865987bfa60fef24b9a178c2885562c24e43 |
C:\Windows\system\BIdwhEN.exe
| MD5 | af2327e35d5232ec006d85558f4d99ef |
| SHA1 | 2f5b6950caabbf1b55bef78d3b9e43e17f0b0127 |
| SHA256 | 5342209ba8397902a89543148bd390d1136752d39942a97106dbd3de76ebdfab |
| SHA512 | 9da5f05222841d409fa3f41ad9da9e17e52c555a6aba0eaaabeea627b022a5fe6d16817890ca6428a3393ff8136eceed7985a6ff24d8e37db5767d0373ccfb23 |
C:\Windows\system\dxczxgU.exe
| MD5 | 9b713da160f2a676d29f2cdeb50e42e7 |
| SHA1 | 3763c3af527eb8e329d21e6730db1d43a83aee04 |
| SHA256 | 2595f0b0c6c9a6ab493d238f65f0c0a190cbfd07263f8b110fb933850e41c6ae |
| SHA512 | 44057ea145addcc6dcb236656066bb05c40f8987f37b6d376d7dfa12b40362c85825e18a6613f7c9486626571c95a0b47ce810aacb93f1eab2b2408618bf1b1a |
C:\Windows\system\PnapYMm.exe
| MD5 | dc76774e226a7c25d35da688711fb304 |
| SHA1 | d4de70152e50f8f0e4cbcd7acb0fe1603535f36d |
| SHA256 | 8941271521aafcf517847ede0afe841fd04073d3af1e090d76bc9bbd59cd6ec7 |
| SHA512 | bf0adff6d718a0a553fb4bd48566b975e1a7002ff53caf0538c4a3b509120a64c4ea7c297c2bc776a1f09d1d6e3a22d8334df0572294a4266927bc2584666998 |
memory/2220-92-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\ibMrzkG.exe
| MD5 | e6a090008bcf16417318a749db9ed789 |
| SHA1 | b30190f787a4fedcf003bb6e6c47cfa85ba4d4c8 |
| SHA256 | b6a5b3e2099b144c39acbb9a300f3fdfaed38977da58b791a85b34d0dea9e94a |
| SHA512 | 729515b4d5ebba314f8d79b55de2c059fc63e44350c4167475ac9f9826d6d7f8588016c12c9a69e64ce09a16e49197f762879468aeb3ccb40fd3001af44a3fd0 |
memory/740-87-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2100-81-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2220-86-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2220-80-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2644-79-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\iBqfApq.exe
| MD5 | 831a6b93f2921d222ab9bf3eb6b977c9 |
| SHA1 | 96a7a8c4edf6c8dbf9dbcf18393f469fe1251047 |
| SHA256 | 256067710c0ac7d13cbde06b03bfa02de80ffecb4a6ef0c41d6158376f98c855 |
| SHA512 | 7d7f71a215fc073df43b9216108f1c0d79ba4e3ed5fda0a9d629cc6e44f158494f47d429678b1618e08da711842574be7c133feb2096df063e19593a34531e3d |
memory/2680-74-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\YSjOGwK.exe
| MD5 | 11742b782ff2b60c7e5618f8d3572a99 |
| SHA1 | a3f7d2fa031712df38cd347852e4dd65a8fce9a5 |
| SHA256 | d616678a398722984c113a4286dd60948a300c615583a58903bd21b232683c3c |
| SHA512 | be36cba0794cfd5899e11bf6ba782b6147870c1c51e96c3fa39600ddbc9e11e36d46f2904afadb6cc321399ae3e88609ba116674997a0fb2487ba76384711b5a |
memory/2220-70-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2076-134-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1044-67-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\MQswEaz.exe
| MD5 | d4200c46458296f35f0a329a2c9ed471 |
| SHA1 | 6dc286436027910770b38659365b3d15351aacd3 |
| SHA256 | d15075853f819adb5bfc356a93075d4e18195cbe82cc259b03702bd03e7d516e |
| SHA512 | 0115f7e28550f35cc89ac6ae123e28caadefdb8119d34af250ecdcdd3587b9ae7145b4ba22fd6a2cf0975ec83842510e6ea7925932006ffdf7c63c22e86876b9 |
memory/2220-61-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2804-56-0x000000013F070000-0x000000013F3C4000-memory.dmp
C:\Windows\system\KJaUvEC.exe
| MD5 | aa0406a5e09dd7d3b674c3a6530c0b27 |
| SHA1 | 611f18c1777f6f93366a3f1bbb482b611ec6e0c9 |
| SHA256 | 090a6f4b5291b3a261a586abb3fcb2d0b56b0a1b705c85a66671957da45e1605 |
| SHA512 | f949ba2f66c0b7714bfb2f5f929bda475699820279905405e6f72c5460b824e43dfe405981b2fbe9646fd795deee23087718b67506abf9c58df04e4e09368dec |
memory/2076-51-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\JLFYQep.exe
| MD5 | 3cde96cc1b5d5f2f604fbbff680ba52f |
| SHA1 | c31b0565a8eb03b029980a4889a49d10e75b572d |
| SHA256 | 2de11cd9318c4f92961627c2c7e69e13fca81d9ca9669cb17ccfb2e364990957 |
| SHA512 | 94ac4f4d90e0a39e6bef3d47ba6f223d8eab2621e12cb0b02fa0f97c7b6ba57ff5a24be4811e1557025b018a9bebe44328d925ceafbc2dedd1443d74bd410f95 |
memory/2672-46-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2220-45-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\IyCqDRV.exe
| MD5 | 0c6fd0d792d55cf1950aa6a69fa0617f |
| SHA1 | fcc4ba7b734039d8a8f5a40280a60ca78234ede5 |
| SHA256 | 4e800900a51829b19aafcb251bbcd2e23e963135ae7a865054d757a0b3377447 |
| SHA512 | 136aa66ef01f6fb1e35ce25c73daaede2f5a4575172ecf75d0cca6d0db1f9c88fa14057ec80a20269f07916d9beb2bc109104495e03ba1ac3c00f15efc9dce4a |
memory/2804-135-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2664-40-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2708-35-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2220-34-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\HznnjwF.exe
| MD5 | 9bec93ed3581c27a14bc711d3c722a56 |
| SHA1 | 7b753d9069295129a6c5ddfb0f85e525d542a9f6 |
| SHA256 | 47b7513cbc2786dc5f8e45248b7abb412e0bf573f1ee3e9b0e2a106243eaf9ad |
| SHA512 | f597de56567f3d64bc3e629d26154084b8830a0a05a3928cd27258b7d0f82d50403e62e73964b8d150a6471842b99350c8f21916f638978ce634e7566e875ccf |
C:\Windows\system\gYojtXr.exe
| MD5 | 2967a3ad29ca4d4ab05c2afce959c151 |
| SHA1 | 884d12c194ee0585c12423c0c9e9408011263e1c |
| SHA256 | 9b6da1cf944200bf21890d3482a9c27e077a2a7dc06af39fd193cb7edf8f5a6d |
| SHA512 | d889d8a7173cb4d9d5528231cb86bbc635efab8840929c8c04ff84017a0f33bcea0dbae5026f144c8206891473e6ea5906154bdf861b1eef2193caee24585cfb |
memory/2220-22-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2564-136-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2528-137-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2220-138-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2680-139-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2220-140-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2100-141-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2220-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/740-143-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1044-144-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2300-145-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2376-146-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2680-147-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2564-149-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2100-157-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2528-156-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2804-155-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2672-154-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2708-153-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2644-152-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2664-151-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2076-150-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/740-148-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 11:33
Reported
2024-06-01 11:36
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jmNucrC.exe | N/A |
| N/A | N/A | C:\Windows\System\Socrbjh.exe | N/A |
| N/A | N/A | C:\Windows\System\rbNfZnc.exe | N/A |
| N/A | N/A | C:\Windows\System\yGtvSIA.exe | N/A |
| N/A | N/A | C:\Windows\System\NiiZceg.exe | N/A |
| N/A | N/A | C:\Windows\System\TawXTDe.exe | N/A |
| N/A | N/A | C:\Windows\System\UMwKnpn.exe | N/A |
| N/A | N/A | C:\Windows\System\uhjQSqo.exe | N/A |
| N/A | N/A | C:\Windows\System\BWgWbJY.exe | N/A |
| N/A | N/A | C:\Windows\System\iKBtNNI.exe | N/A |
| N/A | N/A | C:\Windows\System\EwEmeIp.exe | N/A |
| N/A | N/A | C:\Windows\System\XSbnaFj.exe | N/A |
| N/A | N/A | C:\Windows\System\vSXCwIW.exe | N/A |
| N/A | N/A | C:\Windows\System\AroTPPi.exe | N/A |
| N/A | N/A | C:\Windows\System\YgaeyFS.exe | N/A |
| N/A | N/A | C:\Windows\System\hqvGnfs.exe | N/A |
| N/A | N/A | C:\Windows\System\KHwZxWf.exe | N/A |
| N/A | N/A | C:\Windows\System\iTYJTUy.exe | N/A |
| N/A | N/A | C:\Windows\System\QYZGCJL.exe | N/A |
| N/A | N/A | C:\Windows\System\flsEawX.exe | N/A |
| N/A | N/A | C:\Windows\System\srZdlbh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8f31c8a9b31dfbb1a503f8dfa43a916f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jmNucrC.exe
C:\Windows\System\jmNucrC.exe
C:\Windows\System\Socrbjh.exe
C:\Windows\System\Socrbjh.exe
C:\Windows\System\rbNfZnc.exe
C:\Windows\System\rbNfZnc.exe
C:\Windows\System\yGtvSIA.exe
C:\Windows\System\yGtvSIA.exe
C:\Windows\System\NiiZceg.exe
C:\Windows\System\NiiZceg.exe
C:\Windows\System\TawXTDe.exe
C:\Windows\System\TawXTDe.exe
C:\Windows\System\UMwKnpn.exe
C:\Windows\System\UMwKnpn.exe
C:\Windows\System\uhjQSqo.exe
C:\Windows\System\uhjQSqo.exe
C:\Windows\System\BWgWbJY.exe
C:\Windows\System\BWgWbJY.exe
C:\Windows\System\iKBtNNI.exe
C:\Windows\System\iKBtNNI.exe
C:\Windows\System\EwEmeIp.exe
C:\Windows\System\EwEmeIp.exe
C:\Windows\System\XSbnaFj.exe
C:\Windows\System\XSbnaFj.exe
C:\Windows\System\vSXCwIW.exe
C:\Windows\System\vSXCwIW.exe
C:\Windows\System\AroTPPi.exe
C:\Windows\System\AroTPPi.exe
C:\Windows\System\YgaeyFS.exe
C:\Windows\System\YgaeyFS.exe
C:\Windows\System\hqvGnfs.exe
C:\Windows\System\hqvGnfs.exe
C:\Windows\System\KHwZxWf.exe
C:\Windows\System\KHwZxWf.exe
C:\Windows\System\iTYJTUy.exe
C:\Windows\System\iTYJTUy.exe
C:\Windows\System\QYZGCJL.exe
C:\Windows\System\QYZGCJL.exe
C:\Windows\System\flsEawX.exe
C:\Windows\System\flsEawX.exe
C:\Windows\System\srZdlbh.exe
C:\Windows\System\srZdlbh.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files