Analysis Overview
SHA256
92f43619b2bfac52ae7ce61cd671b85d1a81361c6c11707ad5866b06bbcc3d25
Threat Level: Known bad
The file 2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 13:32
Signatures
Cobalt Strike reflective loader
1 match, no details recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match, no details recorded.
UPX dump on OEP (original entry point)
1 match, no details recorded.
XMRig Miner payload
1 match, no details recorded.
Xmrig family
UPX packed file
1 match, no details recorded.
Unsigned PE
1 match, no details recorded.
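The static verdicts above ("UPX packed file", "UPX dump on OEP") rest on artifacts that can be checked without detonating the sample. The following Python is an added example, not sandbox output and not code from the XMRig or Cobalt Strike projects: it walks the PE section table by hand, flags the UPX0/UPX1 section names, and computes per-section entropy and writable+executable flags, the two signals that survive a renamed section. The PE image it runs on is constructed inline for the test and is not the sample hashed above; the 7.0 bits/byte entropy cut-off is an assumed threshold.

```python
"""Added static triage for the UPX verdicts above: PE section walk, entropy, RWX flags."""
import hashlib
import math
import struct
from typing import Dict, List, Tuple

UPX_NAMES = {"UPX0", "UPX1", "UPX2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off, compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes, int]]:
    """Return (name, raw bytes, characteristics) per section header.

    Follows DOS header e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header ->
    optional header (length from SizeOfOptionalHeader) -> 40-byte section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        (chars,) = struct.unpack_from("<I", image, off + 36)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size], chars))
    return sections


def upx_indicators(image: bytes) -> Dict[str, object]:
    """Three independent packer signals; the name match alone is trivially evaded."""
    secs = pe_sections(image)
    found = {
        "upx_section_names": [n for n, _, _ in secs if n in UPX_NAMES],
        "high_entropy_sections": [n for n, raw, _ in secs
                                  if raw and shannon_entropy(raw) > ENTROPY_THRESHOLD],
        "rwx_sections": [n for n, _, c in secs
                         if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE],
    }
    found["likely_packed"] = bool(found["upx_section_names"]) or (
        len(found["high_entropy_sections"]) > 0 and len(found["rwx_sections"]) > 0)
    return found


def build_test_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Constructed PE32+ shell for exercising the walker; not a real program, not the sample."""
    e_lfanew, size_opt = 0x40, 240
    table = e_lfanew + 4 + 20 + size_opt
    raw_ptr = table + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (size_opt - 2)
    headers, body = b"", b""
    for name, raw, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000,
                               len(raw), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += raw
    return dos + b"PE\0\0" + coff + opt + headers + body


# Deterministic pseudo-random bytes standing in for compressed code (constructed).
COMPRESSED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
RWX = 0xE0000040  # INITIALIZED_DATA|EXECUTE|READ|WRITE, the flags UPX gives UPX0/UPX1
PACKED_SAMPLE = build_test_pe([("UPX0", b"", RWX), ("UPX1", COMPRESSED, RWX),
                               (".rsrc", b"\0" * 64, 0x40000040)])
PLAIN_SAMPLE = build_test_pe([(".text", b"\x90" * 512 + b"\xc3", 0x60000020)])

if __name__ == "__main__":
    print(upx_indicators(PACKED_SAMPLE))
    print(upx_indicators(PLAIN_SAMPLE))
```

A patched UPX stub can rename its sections, so treat the name match as the weakest of the three signals; an empty-on-disk first section followed by a high-entropy writable+executable second section is the stable shape. Recovering the OEP dump is a separate step: `upx -d` only handles unmodified stubs, otherwise the sample has to be run to its unpacked entry point, which is what the sandbox's "UPX dump on OEP" signature records.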
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 13:32
Reported
2024-06-01 13:35
Platform
win7-20240221-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches, no details recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches, no details recorded.
UPX dump on OEP (original entry point)
56 matches, no details recorded.
XMRig Miner payload
58 matches, no details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kVtXOeD.exe | N/A |
| N/A | N/A | C:\Windows\System\GwXBLxR.exe | N/A |
| N/A | N/A | C:\Windows\System\YZUehNL.exe | N/A |
| N/A | N/A | C:\Windows\System\CzGmxSt.exe | N/A |
| N/A | N/A | C:\Windows\System\evVQnCR.exe | N/A |
| N/A | N/A | C:\Windows\System\ezKfrqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\uyUMdla.exe | N/A |
| N/A | N/A | C:\Windows\System\oGnceRf.exe | N/A |
| N/A | N/A | C:\Windows\System\Bbpcupq.exe | N/A |
| N/A | N/A | C:\Windows\System\XtfzFhe.exe | N/A |
| N/A | N/A | C:\Windows\System\jCQDlud.exe | N/A |
| N/A | N/A | C:\Windows\System\zcqBKAB.exe | N/A |
| N/A | N/A | C:\Windows\System\IDvRoLQ.exe | N/A |
| N/A | N/A | C:\Windows\System\SrUvJBu.exe | N/A |
| N/A | N/A | C:\Windows\System\XRTANFd.exe | N/A |
| N/A | N/A | C:\Windows\System\bdBAWQE.exe | N/A |
| N/A | N/A | C:\Windows\System\CMftVCO.exe | N/A |
| N/A | N/A | C:\Windows\System\FrcHUHE.exe | N/A |
| N/A | N/A | C:\Windows\System\vbaCKEK.exe | N/A |
| N/A | N/A | C:\Windows\System\eCFXktP.exe | N/A |
| N/A | N/A | C:\Windows\System\awARTIm.exe | N/A |
Loads dropped DLL
UPX packed file
56 matches, no details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\kVtXOeD.exe
C:\Windows\System\kVtXOeD.exe
C:\Windows\System\GwXBLxR.exe
C:\Windows\System\GwXBLxR.exe
C:\Windows\System\YZUehNL.exe
C:\Windows\System\YZUehNL.exe
C:\Windows\System\CzGmxSt.exe
C:\Windows\System\CzGmxSt.exe
C:\Windows\System\evVQnCR.exe
C:\Windows\System\evVQnCR.exe
C:\Windows\System\ezKfrqJ.exe
C:\Windows\System\ezKfrqJ.exe
C:\Windows\System\uyUMdla.exe
C:\Windows\System\uyUMdla.exe
C:\Windows\System\oGnceRf.exe
C:\Windows\System\oGnceRf.exe
C:\Windows\System\Bbpcupq.exe
C:\Windows\System\Bbpcupq.exe
C:\Windows\System\XtfzFhe.exe
C:\Windows\System\XtfzFhe.exe
C:\Windows\System\jCQDlud.exe
C:\Windows\System\jCQDlud.exe
C:\Windows\System\zcqBKAB.exe
C:\Windows\System\zcqBKAB.exe
C:\Windows\System\IDvRoLQ.exe
C:\Windows\System\IDvRoLQ.exe
C:\Windows\System\SrUvJBu.exe
C:\Windows\System\SrUvJBu.exe
C:\Windows\System\XRTANFd.exe
C:\Windows\System\XRTANFd.exe
C:\Windows\System\vbaCKEK.exe
C:\Windows\System\vbaCKEK.exe
C:\Windows\System\bdBAWQE.exe
C:\Windows\System\bdBAWQE.exe
C:\Windows\System\eCFXktP.exe
C:\Windows\System\eCFXktP.exe
C:\Windows\System\CMftVCO.exe
C:\Windows\System\CMftVCO.exe
C:\Windows\System\awARTIm.exe
C:\Windows\System\awARTIm.exe
C:\Windows\System\FrcHUHE.exe
C:\Windows\System\FrcHUHE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
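The behavioral1 run gives the whole chain in telemetry terms: the sample in the user's Temp directory writes 7-letter randomly named executables into C:\Windows\System (the legacy directory, not System32), starts each one, enables SeLockMemoryPrivilege (which XMRig enables to back its RandomX memory with large pages) and opens TCP connections to 3.120.209.58:8080. The following Python is an added example, not part of the report and not code from any sandbox: it correlates constructed Sysmon-style events, modelled on the rows above, into one per-process score. The event schema, the allowlist of processes that may legitimately enable SeLockMemoryPrivilege, and the score weights are assumptions to tune per environment.

```python
"""Added detection: correlate dropper, privilege and beacon telemetry per parent process."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Seven mixed-case letters + .exe, the naming scheme of every dropped file in the report.
RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")
# C:\Windows\System (not System32) is the legacy 16-bit directory; new executables there are rare.
WINDOWS_SYSTEM = "c:\\windows\\system\\"
USER_TEMP = "\\appdata\\local\\temp\\"
# Processes allowed to enable SeLockMemoryPrivilege (large pages). Assumed per-environment
# allowlist; XMRig requests the same privilege for RandomX huge pages.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _new_record() -> dict:
    return {"image": None, "dropped": [], "executed_dropped": [], "lock_memory": False,
            "beacons": [], "score": 0, "verdict": "clean"}


def correlate(events: Iterable[dict]) -> Dict[int, dict]:
    """Group telemetry by the dropping/parent process and score each group.

    Event shapes (constructed, Sysmon-like): process_create{pid,ppid,image},
    file_create{pid,path}, privilege_adjust{pid,privilege,enabled},
    network_connect{pid,dst,dport,proto}. Events must arrive in time order so
    that a process's image is known before its later events."""
    records: Dict[int, dict] = defaultdict(_new_record)
    image_of: Dict[int, str] = {}
    executed: Dict[int, List[str]] = defaultdict(list)

    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image_of[pid] = ev["image"]
            if ev["image"].lower().startswith(WINDOWS_SYSTEM) and RANDOM_EXE.match(_base(ev["image"])):
                executed[ev["ppid"]].append(ev["image"])
        elif kind == "file_create":
            if ev["path"].lower().startswith(WINDOWS_SYSTEM) and RANDOM_EXE.match(_base(ev["path"])):
                records[pid]["dropped"].append(ev["path"])
        elif kind == "privilege_adjust":
            if (ev["privilege"] == "SeLockMemoryPrivilege" and ev.get("enabled", True)
                    and _base(image_of.get(pid, "")) not in LOCK_MEMORY_ALLOWLIST):
                records[pid]["lock_memory"] = True
        elif kind == "network_connect":
            # Direct TCP to a non-web port from a binary running out of the user's Temp dir.
            if (ev["proto"] == "tcp" and ev["dport"] not in (80, 443)
                    and USER_TEMP in image_of.get(pid, "").lower()):
                records[pid]["beacons"].append(f'{ev["dst"]}:{ev["dport"]}')

    for pid, rec in records.items():
        rec["image"] = image_of.get(pid)
        dropped = {p.lower() for p in rec["dropped"]}
        rec["executed_dropped"] = [p for p in executed.get(pid, []) if p.lower() in dropped]
        score = 0
        if rec["dropped"]:
            score += 2 + (2 if len(rec["dropped"]) >= 5 else 0)
        if rec["executed_dropped"]:
            score += 3
        if rec["lock_memory"]:
            score += 2
        if rec["beacons"]:
            score += 2
        rec["score"] = score
        rec["verdict"] = "known bad" if score >= 7 else "suspicious" if score >= 4 else "clean"
    return dict(records)


# Constructed events mirroring the behavioral1 rows above, plus benign noise; not sandbox output.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2044, "ppid": 1700,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe"},
    {"type": "file_create", "pid": 2044, "path": r"C:\Windows\System\kVtXOeD.exe"},
    {"type": "file_create", "pid": 2044, "path": r"C:\Windows\System\GwXBLxR.exe"},
    {"type": "file_create", "pid": 2044, "path": r"C:\Windows\System\YZUehNL.exe"},
    {"type": "file_create", "pid": 2044, "path": r"C:\Windows\System\CzGmxSt.exe"},
    {"type": "file_create", "pid": 2044, "path": r"C:\Windows\System\evVQnCR.exe"},
    {"type": "process_create", "pid": 3060, "ppid": 2044, "image": r"C:\Windows\System\kVtXOeD.exe"},
    {"type": "process_create", "pid": 2692, "ppid": 2044, "image": r"C:\Windows\System\GwXBLxR.exe"},
    {"type": "privilege_adjust", "pid": 2044, "privilege": "SeLockMemoryPrivilege", "enabled": True},
    {"type": "network_connect", "pid": 2044, "dst": "3.120.209.58", "dport": 8080, "proto": "tcp"},
    # Benign: SQL Server enabling large pages, a browser talking HTTPS.
    {"type": "process_create", "pid": 900, "ppid": 600,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"type": "privilege_adjust", "pid": 900, "privilege": "SeLockMemoryPrivilege", "enabled": True},
    {"type": "process_create", "pid": 1200, "ppid": 600, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "network_connect", "pid": 1200, "dst": "204.79.197.200", "dport": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for pid, rec in correlate(SAMPLE_EVENTS).items():
        print(pid, rec["verdict"], rec["score"], rec["beacons"])
```

On a real host the three inputs map to Sysmon event IDs 1 (process creation), 11 (file creation) and 3 (network connection), and to Windows Security event 4703 (a user right was adjusted), which lists the enabled privilege and the process; 4703 needs the "Audit Token Right Adjusted" subcategory turned on. Each signal alone is weak (installers write to odd directories, databases lock memory, plenty of tools use port 8080), which is why the example scores the combination per parent process rather than alerting on any one of them.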
Files
memory/2044-0-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2044-1-0x0000000000180000-0x0000000000190000-memory.dmp
C:\Windows\system\kVtXOeD.exe
| MD5 | 5dba9f98b32ed9ae8b979877cc4faa5f |
| SHA1 | a057d69930e357f58387a80c010e3af84c6d9966 |
| SHA256 | 6be9ba2edb5f37438ec0e95f993cf484be59b3c0e59350b8b9af78c4da0ddbda |
| SHA512 | 5d17ea1b1be08a2eb17cca0960d09936b6b3e058e3c78f11c3af45bbf320da77ba5f14288b314daa3b935507a8365f5416fefa3fa5b00b904fe05b6154d27719 |
\Windows\system\GwXBLxR.exe
| MD5 | 5f986a69e1c7b5a0be41aaa7b36b8b88 |
| SHA1 | b9963f842e69a71e5b0343f25757da7f9edd172e |
| SHA256 | 9755a5704d4e997a40b5ff151ad2dc7c565d561c4e2c55c5462437a8db65c384 |
| SHA512 | 92154195568d9caaa7ed927562386fe03ff68aa7765515c4e5e7383c797ff844b7b53d2374c75635988611ad4089810c8075c55f1f7b180a17040e1c6a3d9d94 |
memory/3060-9-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2044-8-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2044-14-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2692-16-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2672-22-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1328-29-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2680-37-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2044-41-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2600-42-0x000000013FCF0000-0x0000000140044000-memory.dmp
C:\Windows\system\uyUMdla.exe
| MD5 | d612265ceb4bf2f54ac22ecaed04767c |
| SHA1 | c66c040ccd11075fa1f5752e57c54900fcd921d3 |
| SHA256 | 669e198b719f97bb9b10bcb40f22bec07fd51236311088e52829ca0c9ad41cf4 |
| SHA512 | a9321539c1fb5a0428346bef9c2994bf570dc7e428da64db9b717045d932e1cd7b4f402cdd50120eaa94ab24f579f2bf354a529cbe09377d81833f41bd58c6f6 |
memory/2184-51-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2044-57-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2156-58-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/1112-65-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2636-78-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2692-82-0x000000013F900000-0x000000013FC54000-memory.dmp
\Windows\system\CMftVCO.exe
| MD5 | cb8b7e500c7b8a3947dafcc91150ff69 |
| SHA1 | 14f8cdc3578a9f9ad44722c1d142acf7afb9d0c9 |
| SHA256 | 35fede379b7972de0991d81941888bf55b37793b76e4b749c1e3f0ac4266dfdd |
| SHA512 | dd7955207b390397b1a68edb3d8f4b016042cdcc8da038885aab25d9525a6919fd3325329430664831b4ae51c1b48dedea6c947c57998823541eee5fe02de4f0 |
memory/1328-107-0x000000013F0F0000-0x000000013F444000-memory.dmp
C:\Windows\system\bdBAWQE.exe
| MD5 | cf4a339a4d11f2d1efe58c1d73c44afd |
| SHA1 | 64896372af5d99c6887d1bb0f00801d9744f463f |
| SHA256 | 237bb457a7124081aa4a991ed7b759fee8c49a566279984f0a32b0e3f3e5ea83 |
| SHA512 | 753323c5128c8cffde1d50156146b3d5f528cbaa51e3873853255242295b6fabf9232b7de9b4a601f9f18e00f1547a1b328a8d61006bcab0976c756f64e7c69f |
\Windows\system\awARTIm.exe
| MD5 | af713143be827f23e17ea149d8d3e59f |
| SHA1 | 02ac9b36227585f7397cd36dc8eb51c821a16941 |
| SHA256 | 263725a8345138c0cffd9c946a4b4cce73fd1f5ca8de616c74b5102e0791052e |
| SHA512 | 8400adfca35934b261981b6c2748f398bdbb4e4ba3503bfd9f04e96dcf36d29fb1c3a3dcd9166d2608a6c62ac0de3fb7b3a31a117b2e53f91913d54b2d42557f |
memory/2044-116-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2196-114-0x000000013FB70000-0x000000013FEC4000-memory.dmp
\Windows\system\eCFXktP.exe
| MD5 | ed93665d7dc2b46facd8c5730dae58bb |
| SHA1 | ed2d5fffd589572ab4df5eba04f9c078159b9ab1 |
| SHA256 | b5ce4a596a5fc6e756a9ff1f651c9032b0d84a98ddcd33d0e0b1d4c15ea337f4 |
| SHA512 | a8d09e45c60977f28d13dd6f74ef2c51ee47fab67942c9d5c618520a8ce6ed560e517dd9b7e59206cb16f701b48d5daa78238960199180837185ac1cef9af1f8 |
\Windows\system\vbaCKEK.exe
| MD5 | 54fe05029d5c5431e6855aa26dcf9916 |
| SHA1 | 05301b37d80e64c0b5ed4a63f70390837aa3955e |
| SHA256 | 9141ac3c9e31bc14fee87922c7fbbc5727a9b132d4067da39b0c7a301cce27c8 |
| SHA512 | 40e8329f54cc0e03c407978eb05e8a834d34b2e7ad9370370fc6a508cbc4a66b7c8c81437c792f5f5f78bbb3ef81fe2dfdcffd8826a96c6177c118af27c70c77 |
C:\Windows\system\FrcHUHE.exe
| MD5 | 4dbad1c38c8515716e06726d0528a7f7 |
| SHA1 | be563a94f08defdc22a029506eded8d672404372 |
| SHA256 | d25ae5b1d75e52f5ba207e25e097653ce2f3aa8e2f9ad234e3fcb3e5f5e39098 |
| SHA512 | 2fd8ab7e7778776b2c0b65bfee763feec1f7bb42bd4f83c52491d826ad3e616b6ef9a0be916dc82950409fc42576f72469be8a36208a56724d181485b377a23b |
C:\Windows\system\SrUvJBu.exe
| MD5 | f4fd92179121e1c358d89b003ce74c74 |
| SHA1 | 54b334fb44891891983a1a9591324c403401a283 |
| SHA256 | 7146074374468bf13ef3a012beb4d48cc38a813947e5184f9cdebaf743d969e7 |
| SHA512 | 18f0a5eddad0b8725914f385c7a9f1c86517477579e5f08f0711a03e25903836df2e2c44d6ca7735f53884ca79f4b3f3944713cf44c1373a60f0831ea3e6adc9 |
memory/2044-111-0x000000013FB70000-0x000000013FEC4000-memory.dmp
C:\Windows\system\XRTANFd.exe
| MD5 | 54311a46d26abd4bc83f76c4b9f2f0e0 |
| SHA1 | 6e64c4279f79b7a0c9980ea823912b9b08eb59a4 |
| SHA256 | ef013bb46d6f4cfe55dd05df72830f16a3329fd0e2f48053939a32fafc49efe9 |
| SHA512 | 08f18b7b637058910532008d4457409bb29300758fdc6b90ecaa101fff4ad54a822411865fa7150071cd781b140b0d025d293c479b95ba242d30b86ac7aaae26 |
memory/1584-94-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2044-93-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2672-92-0x000000013FF70000-0x00000001402C4000-memory.dmp
C:\Windows\system\IDvRoLQ.exe
| MD5 | 9d0eedf338c820be56a1fd18954f7fee |
| SHA1 | ff47a6b2c970239734b4d7daacc99e646e7a22b6 |
| SHA256 | 7ca8ccc64e2c9d56a2cef27904089c35baf193ac4b087731fe5068ba3a3a2eec |
| SHA512 | a57b5fc1066aa1c392d48b72b0b13919a8dc52619fae04b84a9593ad499f30a2f857d0aae37f42afa5d297eb56416095a6568dc8999071f8639d1488e2a2f88f |
memory/2756-84-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2044-83-0x000000013F7C0000-0x000000013FB14000-memory.dmp
C:\Windows\system\zcqBKAB.exe
| MD5 | d68fa39dbc1c4caeaf19eaab3cbc2d7c |
| SHA1 | 73da1519436357fe37a4eb2157783c9170cff6e9 |
| SHA256 | 5b930baf148a05479eba40edc2b635418962539a968d19233481e6ea004daeab |
| SHA512 | 1c501bc7235cb00ae119a1fe27f6c46cef4b8a3dec0ecdee8a38e84a2c4486cbff0a2065a8afd033ee3c118e764e6dcf0b05495dabd65ecddc12d92bf6a2c826 |
C:\Windows\system\jCQDlud.exe
| MD5 | 36e5379bd9c612e89d9a7ff11ae1e41a |
| SHA1 | 3a14853a21a2a898a1074aee045367746649adde |
| SHA256 | 476d2db3f5e6e35b680778f4061e95b8ff5343814fb2383cd8471afd38172bb3 |
| SHA512 | 2358484158fea93e1e3d7db58d6ca37a09bf01b7d74417b138e5ad4ecca294fd1558606821039e42fb56ef5db751beabe56b18d9371a59b85db13fa8e41ef1dc |
memory/2616-72-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2044-71-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\XtfzFhe.exe
| MD5 | 7295740ad89581c0eaedbcdf8a479c78 |
| SHA1 | a0168330ffbbed02c51d555f0fa0724e76e7ffe4 |
| SHA256 | 9143e843953c20cfd6c58d7c80e211bd1e9d7e9b63980592d310129d1a5845fc |
| SHA512 | 65b7c970c1b27fd422a7a2b20c6ff29a0da91c1aa844d26eb7e80ad1a935d451db8006d18551d58fd0de00b90f1b9a4e5a68f81b9e8191e8ccc57bb80cd1a588 |
memory/2600-138-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2044-64-0x000000013FE50000-0x00000001401A4000-memory.dmp
C:\Windows\system\Bbpcupq.exe
| MD5 | 255d84d97ef67d019deb6550aaa194cc |
| SHA1 | 2df4c726fa64ba04596998d58d8d4294df662ca1 |
| SHA256 | 88665b5685179df9c43205025fb3edeb9ad13843e450bf2600fff54f6b0843d7 |
| SHA512 | 426115aac24d444a734fc8a203b108290b38836b8b49271a1d884b97ac0f010e25753062904688764cef53198b37c7c052e782175bc11b2a1ec6fe108cc33af2 |
C:\Windows\system\oGnceRf.exe
| MD5 | 9b06a605aedfda8e73c5515a30ed2fc7 |
| SHA1 | 7f3c707b29ed202289063b1d2987569c0135f468 |
| SHA256 | 1c3b8fa2e6224a731669e1138a3902fc10366928c1194f2bc31957613f83ff02 |
| SHA512 | 98044f2d56c97704dfd9406d23530c698e5a795dce3145b6b7faa7df0cd355eb1cd873ec346caa8ca731a9b4942615f55035aa037e649b05a4dc709f3db0b48d |
memory/2044-50-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\ezKfrqJ.exe
| MD5 | fd8d14474f25919d34053276eb2dab08 |
| SHA1 | 8d9022f9e2c4751dddd310240de0cdc30a914a6e |
| SHA256 | 1afa38db597bfc0f0846e1cc66d2d1ff15bd002004135b0b852a32635a0ffd14 |
| SHA512 | 70e23202bcda3cb6ec9504393f7222848e26ded5fac4460a2eb8c49781b70cc179d09d95113fdf24b2a34513f5f837f8cf1548a1226cf66e5a3cf834a8e256b1 |
memory/2044-36-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2044-27-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\evVQnCR.exe
| MD5 | 9f53be3a7171b5eb2186916c1e012eff |
| SHA1 | 4c025a33a4d33489747e723bdda71f3bcb0d622d |
| SHA256 | 782c52c83caffed5e57f3354634d6368c70f36022b5f23bfa35a41da59beb7d0 |
| SHA512 | 1c4c076f7cb432317860b86291760a77da4c121c01217cac546029459a74fb22a9a0be7ca9bf7d7e1be8d05d0ec8ae0150239341a3e2076ade07b433d834a083 |
C:\Windows\system\CzGmxSt.exe
| MD5 | 3e1540b46f20357e32d28f6417c87817 |
| SHA1 | a9aa9b50eca3d19e5f82ed43d7db38e4ddb272f9 |
| SHA256 | b1ac656410cf54849ce06c1d11a50c11bebc9cc1cc0b0ee5475b8cba69903152 |
| SHA512 | c377041b6dd512e7c311ebac86b6a3cdce8a0cc6b1bad9df3db86f5abc87f0f80eccf5fe1dba89649ef5b18d8aaeea2c1992f596023428dd4ab8a7c3ca3994a8 |
memory/2044-21-0x000000013FF70000-0x00000001402C4000-memory.dmp
C:\Windows\system\YZUehNL.exe
| MD5 | 4a644eb21c103e366163475f28cb86fa |
| SHA1 | d793cb529d67b2a16ff49a39bf2ca18062e41942 |
| SHA256 | 79ef27da7d6632a8523eb6d35a49752bfc2965bcd694c01ed8efe0cae52c2c57 |
| SHA512 | 4cf565d1b26bb318ae13b96bcfac12316d6deb4d316d9e8617ff2440b89ca1b0016a685db8680da902f4be0a76f2a76d2ee322b6b8de85f9ef46e6843c2677e4 |
memory/2044-139-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2756-140-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2044-141-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2044-142-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/3060-143-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2692-144-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2672-145-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1328-146-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2680-147-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2600-148-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2184-149-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2156-150-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/1112-151-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2616-152-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2636-153-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2756-154-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/1584-155-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2196-156-0x000000013FB70000-0x000000013FEC4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 13:32
Reported
2024-06-01 13:35
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches, no details recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches, no details recorded.
UPX dump on OEP (original entry point)
64 matches, no details recorded.
XMRig Miner payload
64 matches, no details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nFNKgxw.exe | N/A |
| N/A | N/A | C:\Windows\System\SfQJNgG.exe | N/A |
| N/A | N/A | C:\Windows\System\HRvJrYO.exe | N/A |
| N/A | N/A | C:\Windows\System\kzkwJte.exe | N/A |
| N/A | N/A | C:\Windows\System\CeKLIbT.exe | N/A |
| N/A | N/A | C:\Windows\System\hRpTFYV.exe | N/A |
| N/A | N/A | C:\Windows\System\DjRwVbj.exe | N/A |
| N/A | N/A | C:\Windows\System\HNYXbbB.exe | N/A |
| N/A | N/A | C:\Windows\System\DLgraHj.exe | N/A |
| N/A | N/A | C:\Windows\System\jcxQPlH.exe | N/A |
| N/A | N/A | C:\Windows\System\NWwcghX.exe | N/A |
| N/A | N/A | C:\Windows\System\zClryir.exe | N/A |
| N/A | N/A | C:\Windows\System\PMLdIRK.exe | N/A |
| N/A | N/A | C:\Windows\System\uEaaPgQ.exe | N/A |
| N/A | N/A | C:\Windows\System\WpExRUF.exe | N/A |
| N/A | N/A | C:\Windows\System\EGPGanN.exe | N/A |
| N/A | N/A | C:\Windows\System\seOjAlj.exe | N/A |
| N/A | N/A | C:\Windows\System\jykXsSV.exe | N/A |
| N/A | N/A | C:\Windows\System\vugGTVn.exe | N/A |
| N/A | N/A | C:\Windows\System\pohuHFr.exe | N/A |
| N/A | N/A | C:\Windows\System\QlcecSU.exe | N/A |
UPX packed file
64 matches, no details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\nFNKgxw.exe
C:\Windows\System\nFNKgxw.exe
C:\Windows\System\SfQJNgG.exe
C:\Windows\System\SfQJNgG.exe
C:\Windows\System\HRvJrYO.exe
C:\Windows\System\HRvJrYO.exe
C:\Windows\System\kzkwJte.exe
C:\Windows\System\kzkwJte.exe
C:\Windows\System\CeKLIbT.exe
C:\Windows\System\CeKLIbT.exe
C:\Windows\System\hRpTFYV.exe
C:\Windows\System\hRpTFYV.exe
C:\Windows\System\DjRwVbj.exe
C:\Windows\System\DjRwVbj.exe
C:\Windows\System\HNYXbbB.exe
C:\Windows\System\HNYXbbB.exe
C:\Windows\System\DLgraHj.exe
C:\Windows\System\DLgraHj.exe
C:\Windows\System\jcxQPlH.exe
C:\Windows\System\jcxQPlH.exe
C:\Windows\System\NWwcghX.exe
C:\Windows\System\NWwcghX.exe
C:\Windows\System\zClryir.exe
C:\Windows\System\zClryir.exe
C:\Windows\System\PMLdIRK.exe
C:\Windows\System\PMLdIRK.exe
C:\Windows\System\uEaaPgQ.exe
C:\Windows\System\uEaaPgQ.exe
C:\Windows\System\WpExRUF.exe
C:\Windows\System\WpExRUF.exe
C:\Windows\System\EGPGanN.exe
C:\Windows\System\EGPGanN.exe
C:\Windows\System\seOjAlj.exe
C:\Windows\System\seOjAlj.exe
C:\Windows\System\jykXsSV.exe
C:\Windows\System\jykXsSV.exe
C:\Windows\System\vugGTVn.exe
C:\Windows\System\vugGTVn.exe
C:\Windows\System\pohuHFr.exe
C:\Windows\System\pohuHFr.exe
C:\Windows\System\QlcecSU.exe
C:\Windows\System\QlcecSU.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/4376-0-0x00007FF68DC30000-0x00007FF68DF84000-memory.dmp
memory/4376-1-0x000001D3D4810000-0x000001D3D4820000-memory.dmp
C:\Windows\System\nFNKgxw.exe
| MD5 | c6c6b2784cbd65c6d31b8b5d10cd8da0 |
| SHA1 | 4c38a66acae94af90d8d6532923ba7a45672a844 |
| SHA256 | 51f22725318893365462f2e9f1d20e778430840065291f2b2f50938c24472255 |
| SHA512 | 50c5b40378f77b9e415a1f913d597b0abeca7ea4e038b35702270b5489a1235157057afbcf9e2e6bd763e9039b623d9c3f0a057f6fa2a38b50319e516d0ff211 |
C:\Windows\System\HRvJrYO.exe
| MD5 | 96dab7102a23e55210aaae701a1daa0b |
| SHA1 | 8a8f4bdc4931f5b624f8f098c4232a350e892557 |
| SHA256 | 8d623bf971dbe7a5b394376df76d7547d9812f92ea0c4b15f544773ecce8c8ed |
| SHA512 | 5e76f69a946d2a8d8dc8f7197420102b5a5545c3797c361b1fbc209cccc588ab1dc3ce11758a42248c403f7c4f3795bbad119ed8607928b2be41e2b75b8a2918 |
memory/752-9-0x00007FF688D80000-0x00007FF6890D4000-memory.dmp
memory/456-14-0x00007FF711C00000-0x00007FF711F54000-memory.dmp
memory/1252-20-0x00007FF688F60000-0x00007FF6892B4000-memory.dmp
C:\Windows\System\SfQJNgG.exe
| MD5 | 3a95106124a9129e69a54d064e54e8eb |
| SHA1 | 9dd727d93e3985a18d4de704143289a2b18ed9e9 |
| SHA256 | 199e649b558acc8d4466b925d04ede7979673aeb318af0d72682a1200c284541 |
| SHA512 | cbc906661fd5643ba66aae5ee9e4fece25fbf7df80a46fc0c14186117381a33186fef418c317109ac058686fd077a1c8d9c99ddfa70dfc1535657d93a5dad0b7 |
C:\Windows\System\kzkwJte.exe
| MD5 | 06801fd6a82ef6cb5d4e48d49016e262 |
| SHA1 | 2c0d489dbff56c37d4e336c473b5f902fd326b23 |
| SHA256 | 9d5229d86cce89ddf093011dd9012f82ea83d61ca0b31d06df4f90e660c97907 |
| SHA512 | c16773e756214a5ac3d57ff5c23b131e88fb3f1acb7f72aa2aff178d78fa62339e802fdefee8c16f50be27078576453191cc9fc79404df6e40c9ec1efba7f076 |
C:\Windows\System\CeKLIbT.exe
| MD5 | 4ee5636fa643233c22e2a51e628d4838 |
| SHA1 | bd597dbf38327478cdf79ccd413a0bcd16fa26a5 |
| SHA256 | 1074f643a8f462e44163ea182cab777cad1584ea4e8b5ca75de09abffb195c64 |
| SHA512 | ae13d5deaa992d3407c1d526bc5b89e510cc97190863d4ee37c462779054c5495edd60c14b594267c5c4e082957134376230fa6689e596819a1019602a593fc3 |
C:\Windows\System\hRpTFYV.exe
| MD5 | b2c8b2490ae0d53c0e679bb314a34dec |
| SHA1 | 36f576e53234213dc6939885e47c8ed00fa44a91 |
| SHA256 | 3c0a6f0e2ede3fa26d260819ad1a1ffbfd76f63cf1b53f40146c6071455c1e1a |
| SHA512 | 6a9bf9ae963b3d2af6e0f34f5318a8b4be119e44323bf64b55076e2ec0d49906b1b2e841f357d10291f587cb575b84d3fbd10bc2140949a1846755b4dac995ed |
memory/4228-34-0x00007FF76C300000-0x00007FF76C654000-memory.dmp
memory/704-36-0x00007FF772D40000-0x00007FF773094000-memory.dmp
C:\Windows\System\DjRwVbj.exe
| MD5 | 7916420a06315737e95678c031f532f1 |
| SHA1 | bd1bd405716c2e11913043e5c69cc14638f36501 |
| SHA256 | ea2be047fb2df1a5d28c5411ebe8815c49bac59d0721c8cca594ebc1bba79ddc |
| SHA512 | 81d22f1008847b29dc3548cea8cb466840a8930149ee21c6a70d95e299a98fbd858ac13cb2e77f6cb43701d39b92464887d659e9a517512f3d77886d7a9e19d4 |
C:\Windows\System\DLgraHj.exe
| MD5 | 90f44c77365b3a7f4e1c9b76ceb28d0e |
| SHA1 | fb3368d4f9f9a02b429bb7ec3fcd1940ae2e1b90 |
| SHA256 | 87f91e63f9d00b6376a3b86af33c4a99287f2f045db413ccac134cb232e15358 |
| SHA512 | 9ccd8b69844d35cff3350d5a478282cc2be60a02024c114b2886ac50d7f28907186f9ff25074a62e4de2b99fffd0d157173711f1f8579a36154c2c9493ccf93b |
C:\Windows\System\HNYXbbB.exe
| MD5 | 43ebfcdfa70402cda8982a729770dcae |
| SHA1 | 15c96b6313ceda05d0891fe3ca0d5b2457f91407 |
| SHA256 | 8de3066fa89556c602d93a6e5d7b38fb67e1802ea4a4651d64a787b736075141 |
| SHA512 | bf54aa6ebc4c56aa150a63c543bd60d01d593951decb2a6c66b4458c0be142adb4c66bae823fccf2e97bf96fa0c309a67337ce877d9610a4326302ae1027dcee |
C:\Windows\System\NWwcghX.exe
| MD5 | d51fda510f34eebd95412212f7344bc4 |
| SHA1 | bbcfddce10af7633887e98b4c860706727745534 |
| SHA256 | 92d4bef803561dd8c361de144b5e9b90b8f31c30c4ec40065c7ffead39c82f11 |
| SHA512 | 7ff957c21adf7e6d503d540a866b618bca32aaa282d60b28d8089a93da4ddb2d3c2ee3cb40611c79daf5cb980cbb23079f4e0b6db7ab5636f285c5f6841a5c30 |
C:\Windows\System\jcxQPlH.exe
| MD5 | e26916e14a3c4301660b14a17b216881 |
| SHA1 | a915138aa6276711fdf6ae4e44b7e058615bd7f7 |
| SHA256 | 8d0d86faee762888610b7fbcb8de0fdfac410413a19bedb8c2cf6f5a19f8846f |
| SHA512 | 9bc3838feee7ff6559313a4138e48722711274b04d185bc268b2417b3e073dcf3854447e50fb4c338eaf5f0e7053778c11f0ba759ae020b4132f221d57fde2c4 |
memory/1736-65-0x00007FF7BD1A0000-0x00007FF7BD4F4000-memory.dmp
C:\Windows\System\zClryir.exe
| MD5 | ca20e94eda590572acdd5f5e9fcaded0 |
| SHA1 | a6593f20a47209ebf11b4a55858c10000a3f3942 |
| SHA256 | b7ec878fbc5deea787d5f37a85003050a0275540067f837175a48a6090a34a4a |
| SHA512 | cb60a7ed7a0d14a49449eae68e3a60cea175f28658f4079f14aedc162ce760ba38941d010ac3cfd682df5a88589f17daaa4b1d7f4dbe2fa1b681c348216c705c |
C:\Windows\System\PMLdIRK.exe
| MD5 | f078e656dbff1f1d7dbb6acaa2e3792d |
| SHA1 | c7307e1d137b2359f4af1c2598a430e9a513ca98 |
| SHA256 | 97d1bf3b249ff565b3551ef5e087513a2231b3cf2624255aaa5a786d30779142 |
| SHA512 | f3e9fc7eb7509cefcb1f6c94f7e71e37afd110adf95383740acedd81365c912b8bcefedbce8940dadb72c76246dd8080f15cd85308398206a17f2bd68c4dad46 |
C:\Windows\System\EGPGanN.exe
| MD5 | 9b8ad6b255531a28bc22b4cc2e644b3f |
| SHA1 | 0535b4d6dec862053cfc7a8f7756fc9cdd870a68 |
| SHA256 | 940f69d37749ba2fe376b71fa58daa3216c6fe8ae44209f02fd4b3b0c7d85fec |
| SHA512 | 3380d0e5667d80828d1d0c5057e0e5147fe945c21e9d4b2478464b4e629c701717e45c89a4012f94c4f7160ad5a8aa5e0146e1519cafd42684168b27dd07778a |
C:\Windows\System\uEaaPgQ.exe
| MD5 | ec49ed0ff13d1223e54e6b5df4965454 |
| SHA1 | a044150528ec89600462c58338e02fb11d9c9e6b |
| SHA256 | a7e9e5d468b4aecaaa676251422db9bed946d6d355237edca843bbb83cef7d7c |
| SHA512 | f88aa0396275f27f946f16756ce095d6ed56e575bf87200384d522252280ccdf6ccf635a5a750152b4c9bdbd2c7fe0b431b953dd881a2bc7f9babb8b944e3a55 |
memory/752-102-0x00007FF688D80000-0x00007FF6890D4000-memory.dmp
C:\Windows\System\jykXsSV.exe
| MD5 | f5af38bfb5f709c79d6aaaed35d3240b |
| SHA1 | d2c71aa26272a43fe6d0804e18510c0859de6a61 |
| SHA256 | 11f5099dc80106d39e4f1888b28315749facce832965adb298673f12ab91190c |
| SHA512 | bfecdc1931a7b4369eefb2c66d13c3fc581fe364e6ac7246429fd2d925bebfe47e92ed97e331d3e646ebf4985c212e3622f2b742a7faf75fac44b7d89b5e5e35 |
C:\Windows\System\seOjAlj.exe
| MD5 | 7d985f7002ae2a3b50a2b1ef66e4c1e7 |
| SHA1 | 5d1164db340eaba2e95a66aab2989091bdef30f6 |
| SHA256 | 3b14d51ef7b7a98fd3febb9dc657dc04527018f550259957b559aced39d748fb |
| SHA512 | 7eff3c3da0fc7aaeb1d94e84094659c5d2a9b26af311df397fc260dee5fe293cb5de4310bbead49dd388cf33bca3efed8664d59f79cde0349f19dd4c36271446 |
C:\Windows\System\WpExRUF.exe
| MD5 | 433d4932dd6273046fbe702c3d12c272 |
| SHA1 | 07c40901e4663ee6f4c03b3627eacd4ca5c6b58a |
| SHA256 | a120ac70d8b94103cc4adf045ee78c3656b3f12dc9eadf118c09704540aef83a |
| SHA512 | 6566dbae3429a064b9b47898d18bc99e8ae3669a972678546786159d3eea248a11ebcc824635b5c9217ec3f3757e32988ae2f1e7725f2f8cf1e046ec829e0e1b |
memory/1592-104-0x00007FF6A0FA0000-0x00007FF6A12F4000-memory.dmp
memory/2252-103-0x00007FF6A7DB0000-0x00007FF6A8104000-memory.dmp
memory/4376-101-0x00007FF68DC30000-0x00007FF68DF84000-memory.dmp
memory/4612-100-0x00007FF6675B0000-0x00007FF667904000-memory.dmp
memory/932-99-0x00007FF6BC260000-0x00007FF6BC5B4000-memory.dmp
memory/4464-96-0x00007FF68DA20000-0x00007FF68DD74000-memory.dmp
memory/5044-91-0x00007FF7AE770000-0x00007FF7AEAC4000-memory.dmp
memory/2812-83-0x00007FF618830000-0x00007FF618B84000-memory.dmp
memory/2288-68-0x00007FF799C00000-0x00007FF799F54000-memory.dmp
memory/544-56-0x00007FF7B8D80000-0x00007FF7B90D4000-memory.dmp
memory/4968-53-0x00007FF777660000-0x00007FF7779B4000-memory.dmp
memory/1368-49-0x00007FF6188F0000-0x00007FF618C44000-memory.dmp
memory/1928-35-0x00007FF730340000-0x00007FF730694000-memory.dmp
C:\Windows\System\pohuHFr.exe
| MD5 | e8990193f42d4f6e8e3b80407f9e1db1 |
| SHA1 | c30ac4d545b25ea8f55884341360d2675abab321 |
| SHA256 | f02a33c7fe87322f351eb46cfb4c990d3e5fe62c500cbde17649231ac3471687 |
| SHA512 | cbbf7ba9e3ec9625bc5da9b0f1c9ebfe1e8bb47b7e84ac480e88e86f630d4facb8f0b7443d162bdccdb4ddc251e0f2a23e9ed32f463b05a760ba7aaab5ed4130 |
C:\Windows\System\vugGTVn.exe
| MD5 | 7a7fe7ff556c6d8dbcdb3c2f2fd2f4d4 |
| SHA1 | c500fd22a1907faba010df97fa1131c6917c8f9e |
| SHA256 | bd6ecd9e490073873569baee352cf6bf9719973c60a1178012eda592f24beac3 |
| SHA512 | 3aa1d424cacff76557edef47a4c54f11a7b4d4c23aa4fa97f6de4391018db32e43ef61d5755c9848713270806f0d47200adde407c09c0046d14790ae3cffae8d |
memory/884-126-0x00007FF664BC0000-0x00007FF664F14000-memory.dmp
memory/456-124-0x00007FF711C00000-0x00007FF711F54000-memory.dmp
C:\Windows\System\QlcecSU.exe
| MD5 | d0b8c32ee0ac22399935f18aa8dc90c7 |
| SHA1 | d36da611ecd8b2bcd19ef5b2c8dca7b2d8a4bbcd |
| SHA256 | 4f945bfdb8c1c39c744ac1f8ae82f143cab5d0c7d2430f9251ce8c767ab9758a |
| SHA512 | eb876243df34ffefee58df929f74ba54d0dfa278900df6be8cab4bd755050c40279e7a880744e6a8163c0d74e7821f7d307dfb16830af09d1d9ddf73aeac2719 |
memory/2316-122-0x00007FF6F27F0000-0x00007FF6F2B44000-memory.dmp
memory/2332-121-0x00007FF6A2160000-0x00007FF6A24B4000-memory.dmp
memory/1252-131-0x00007FF688F60000-0x00007FF6892B4000-memory.dmp
memory/704-132-0x00007FF772D40000-0x00007FF773094000-memory.dmp
memory/4968-133-0x00007FF777660000-0x00007FF7779B4000-memory.dmp
memory/544-134-0x00007FF7B8D80000-0x00007FF7B90D4000-memory.dmp
memory/2288-135-0x00007FF799C00000-0x00007FF799F54000-memory.dmp
memory/5044-136-0x00007FF7AE770000-0x00007FF7AEAC4000-memory.dmp
memory/4464-137-0x00007FF68DA20000-0x00007FF68DD74000-memory.dmp
memory/932-138-0x00007FF6BC260000-0x00007FF6BC5B4000-memory.dmp
memory/4612-139-0x00007FF6675B0000-0x00007FF667904000-memory.dmp
memory/1592-140-0x00007FF6A0FA0000-0x00007FF6A12F4000-memory.dmp
memory/2332-141-0x00007FF6A2160000-0x00007FF6A24B4000-memory.dmp
memory/2316-142-0x00007FF6F27F0000-0x00007FF6F2B44000-memory.dmp
memory/884-143-0x00007FF664BC0000-0x00007FF664F14000-memory.dmp
memory/752-144-0x00007FF688D80000-0x00007FF6890D4000-memory.dmp
memory/456-145-0x00007FF711C00000-0x00007FF711F54000-memory.dmp
memory/1252-146-0x00007FF688F60000-0x00007FF6892B4000-memory.dmp
memory/4228-147-0x00007FF76C300000-0x00007FF76C654000-memory.dmp
memory/1928-148-0x00007FF730340000-0x00007FF730694000-memory.dmp
memory/1368-149-0x00007FF6188F0000-0x00007FF618C44000-memory.dmp
memory/704-150-0x00007FF772D40000-0x00007FF773094000-memory.dmp
memory/4968-151-0x00007FF777660000-0x00007FF7779B4000-memory.dmp
memory/544-152-0x00007FF7B8D80000-0x00007FF7B90D4000-memory.dmp
memory/2812-153-0x00007FF618830000-0x00007FF618B84000-memory.dmp
memory/1736-154-0x00007FF7BD1A0000-0x00007FF7BD4F4000-memory.dmp
memory/2288-155-0x00007FF799C00000-0x00007FF799F54000-memory.dmp
memory/5044-156-0x00007FF7AE770000-0x00007FF7AEAC4000-memory.dmp
memory/2252-157-0x00007FF6A7DB0000-0x00007FF6A8104000-memory.dmp
memory/932-158-0x00007FF6BC260000-0x00007FF6BC5B4000-memory.dmp
memory/4464-159-0x00007FF68DA20000-0x00007FF68DD74000-memory.dmp
memory/4612-161-0x00007FF6675B0000-0x00007FF667904000-memory.dmp
memory/1592-160-0x00007FF6A0FA0000-0x00007FF6A12F4000-memory.dmp
memory/2332-162-0x00007FF6A2160000-0x00007FF6A24B4000-memory.dmp
memory/2316-164-0x00007FF6F27F0000-0x00007FF6F2B44000-memory.dmp
memory/884-163-0x00007FF664BC0000-0x00007FF664F14000-memory.dmp