Analysis Overview
SHA256
b62045e2f696b7908eec3e9c791cb015c4ace38ad0fb10a6288289b45bd455c0
Threat Level: Known bad
The file 2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 16:58
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 16:58
Reported
2024-06-01 17:01
Platform
win7-20240508-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fMMkiDG.exe | N/A |
| N/A | N/A | C:\Windows\System\igchGjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\xcMDtta.exe | N/A |
| N/A | N/A | C:\Windows\System\mBYIOzH.exe | N/A |
| N/A | N/A | C:\Windows\System\PhSyEMx.exe | N/A |
| N/A | N/A | C:\Windows\System\rFmUFFH.exe | N/A |
| N/A | N/A | C:\Windows\System\imrtWNk.exe | N/A |
| N/A | N/A | C:\Windows\System\MQCUuMr.exe | N/A |
| N/A | N/A | C:\Windows\System\TbEKlqE.exe | N/A |
| N/A | N/A | C:\Windows\System\OXdDZtH.exe | N/A |
| N/A | N/A | C:\Windows\System\KAPziLo.exe | N/A |
| N/A | N/A | C:\Windows\System\HdZMsSB.exe | N/A |
| N/A | N/A | C:\Windows\System\patmCwR.exe | N/A |
| N/A | N/A | C:\Windows\System\noSplHB.exe | N/A |
| N/A | N/A | C:\Windows\System\pUJgeui.exe | N/A |
| N/A | N/A | C:\Windows\System\sHLGmWH.exe | N/A |
| N/A | N/A | C:\Windows\System\oAQounP.exe | N/A |
| N/A | N/A | C:\Windows\System\SuopPRn.exe | N/A |
| N/A | N/A | C:\Windows\System\NIlXjHe.exe | N/A |
| N/A | N/A | C:\Windows\System\EhkqUpS.exe | N/A |
| N/A | N/A | C:\Windows\System\OveqwAO.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fMMkiDG.exe
C:\Windows\System\fMMkiDG.exe
C:\Windows\System\igchGjZ.exe
C:\Windows\System\igchGjZ.exe
C:\Windows\System\mBYIOzH.exe
C:\Windows\System\mBYIOzH.exe
C:\Windows\System\xcMDtta.exe
C:\Windows\System\xcMDtta.exe
C:\Windows\System\PhSyEMx.exe
C:\Windows\System\PhSyEMx.exe
C:\Windows\System\rFmUFFH.exe
C:\Windows\System\rFmUFFH.exe
C:\Windows\System\imrtWNk.exe
C:\Windows\System\imrtWNk.exe
C:\Windows\System\MQCUuMr.exe
C:\Windows\System\MQCUuMr.exe
C:\Windows\System\TbEKlqE.exe
C:\Windows\System\TbEKlqE.exe
C:\Windows\System\OXdDZtH.exe
C:\Windows\System\OXdDZtH.exe
C:\Windows\System\KAPziLo.exe
C:\Windows\System\KAPziLo.exe
C:\Windows\System\HdZMsSB.exe
C:\Windows\System\HdZMsSB.exe
C:\Windows\System\patmCwR.exe
C:\Windows\System\patmCwR.exe
C:\Windows\System\noSplHB.exe
C:\Windows\System\noSplHB.exe
C:\Windows\System\sHLGmWH.exe
C:\Windows\System\sHLGmWH.exe
C:\Windows\System\pUJgeui.exe
C:\Windows\System\pUJgeui.exe
C:\Windows\System\oAQounP.exe
C:\Windows\System\oAQounP.exe
C:\Windows\System\SuopPRn.exe
C:\Windows\System\SuopPRn.exe
C:\Windows\System\NIlXjHe.exe
C:\Windows\System\NIlXjHe.exe
C:\Windows\System\EhkqUpS.exe
C:\Windows\System\EhkqUpS.exe
C:\Windows\System\OveqwAO.exe
C:\Windows\System\OveqwAO.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1196-1-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1196-0-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\fMMkiDG.exe
| MD5 | bcfbdbd7522b9d4981df969650de3b10 |
| SHA1 | 978e1c09a06e822dec045146f76d33ca1d34983f |
| SHA256 | a9168fb23756997932e1b2f16fc519d595d61bc2fdb2d798998ea8e1d2ccac75 |
| SHA512 | 92f2e2fcdd8f3ae000edc3bbcb103f83635c8e9b6c7e111b0ecc025763e348428b4119d7c97cb648094a6ab512663015ed2f9713213e25eabf9891cdcf11c26d |
\Windows\system\igchGjZ.exe
| MD5 | 3fff3e67d52bcfae01cd3345efb634c1 |
| SHA1 | ae83e6517c86398d8426d6c97e53626cc4bdc8a6 |
| SHA256 | b7abab427f8c5c74101bf91374005b360206d4719b530fd3287f587872a49c24 |
| SHA512 | fa7e75b1fd3252a46cfe2becd70610f109a9f1ad3010a27a28750e63dfefbd1e2c193e43fd8da5bc31c9e75e4923081b5d47e1ae77d63eab329e81ad3448c739 |
\Windows\system\xcMDtta.exe
| MD5 | 41c9b749da3018b064013c712bdf50a0 |
| SHA1 | c28f309510efb7b7f5b207bfe6114ad297622388 |
| SHA256 | 541ec1de9f41a754cd8a2365a9bdca972ee3a5a91faa878036e578f1bf6fd017 |
| SHA512 | 9ff5d22474d8c5a20946565845bee2bc548098593e5e804980301a5104b36e65ce3a749cc708bedac0cea5414c804ad4550b93759619c5fbcdd260e9981feea4 |
memory/1196-23-0x0000000002210000-0x0000000002564000-memory.dmp
memory/1196-25-0x000000013F230000-0x000000013F584000-memory.dmp
memory/1436-26-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\mBYIOzH.exe
| MD5 | f48c00a25ca92eee7a03024c33fff720 |
| SHA1 | 4bbf2a9a15d7ef38b11e694c75ec17d1c3651954 |
| SHA256 | 7e08eb358805c8f9f480eeff0016a53dc9ea1cb41e3c71718cdf140562a20482 |
| SHA512 | edf052e304d635b6db0582b648949ad633e6cb86806d55b350ea6d93bed35f1d11a509d95d8fc1a9b32c2509080a23f82a78d37154777e91fa03904aee7c5711 |
memory/1812-28-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2208-17-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\PhSyEMx.exe
| MD5 | 1d752b1e96f0a8eeab6a2c4f509cd47b |
| SHA1 | 561dcc1d4b3b7d9380b82d30d7d3df5e12f422df |
| SHA256 | cbc99d5edf8723be12aa539aab47810545c6684471e4745923905a53d7e1b5fe |
| SHA512 | 25b118c4c90d9b9d11dfee74f0c2a907bb9cb0e036bbeccc71c9e024900e0a0d6d6957cf869771eb70bb1d8904d3a7d14c76781a9dc4529b2df20b1c79b878d2 |
memory/2660-48-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2696-50-0x000000013F500000-0x000000013F854000-memory.dmp
C:\Windows\system\OXdDZtH.exe
| MD5 | e34d1bc57590a1aaa415ab3b71ebc286 |
| SHA1 | 86a1b1512bd410982ddb8268ed6f8c7342a736dd |
| SHA256 | 77c4d82ea7ac95b6eb4a636f7d21efcad6af213a79f14b789295d72f1ea84fc7 |
| SHA512 | 656ac4556d166b918648f73a30a092d0e283e7902c168da16280780c9b31d4070adbbf5827f55c3f2023b7d99a27bcff85b2e2deb7627cf3b6b9304021891558 |
memory/1624-62-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\noSplHB.exe
| MD5 | e58f2fbe9444027a6ab92ea7094ad0d5 |
| SHA1 | ce66ade05ab2a961da9a2eb386050c4f76b67158 |
| SHA256 | bc62dd9cc8b27ef64e4d6c4462266bb791dca1f3ce0186cfdd9278d28babd0b2 |
| SHA512 | 5f48b79fc3fa4a02c0918d33b76f2816593eda0aca570666634b98bdd651ff3630dfbd922cac39f6b71db6996484e3a288c4c96933e9d3e2d0e45b0ecf204dbc |
memory/2504-86-0x000000013FE50000-0x00000001401A4000-memory.dmp
C:\Windows\system\sHLGmWH.exe
| MD5 | a96289db173b9aaaadf0962c929536bc |
| SHA1 | ff5c7708dd9cd2f8597984002005a57665509a2e |
| SHA256 | 111395ea64859aa39a9f969853677a3ad526a54053fdab1b499420294bcdabb4 |
| SHA512 | b091210054c7097e2159362d097f790b6f4afd5121b56575f4f708cb05288841ebf7ba5b58540a4919f0108b59db338ebb0af08005fc2e79489a8f8f1634790f |
C:\Windows\system\NIlXjHe.exe
| MD5 | 8212286311f575825c3a66f3910c61c7 |
| SHA1 | 97d2964526d34dc52c8d5adbf921e649414f3efd |
| SHA256 | 0bf24598b8a4fc3098db153cdc382036a497192f3fa5bd679695d61a85e8e860 |
| SHA512 | 9e24d3158072166eb08fc1c37ba594c64bf2db595af6ec2a34750562fdb548778f08a8f1d7e707438345376ded90ecb606c2146333c5af1bffe45ad1236e9083 |
\Windows\system\OveqwAO.exe
| MD5 | 9b1cde911503dca1c3b36776fab5be34 |
| SHA1 | 9d25ce4a61c8fd2d2e6e55df5c132eb406b3062c |
| SHA256 | 2d18367ae21ab39a4f608623221f66778b6c6819b582766ccd5d00c5d45075a8 |
| SHA512 | 3426266a45e32abdd14ad2486caf9d871c55146b02f72a6b8bed42904e874e43bdcf86fd74f1f3d5121a8b6272ec2cb282b6a614aa8cf803ae18bbba96a20b66 |
C:\Windows\system\EhkqUpS.exe
| MD5 | 49fd627ef25077a058284cbf0b281d4c |
| SHA1 | 52604cbd903374212e6aadde87f89e2be2eb88de |
| SHA256 | 14f64aa0808aef9b04c013df830522417d624b0d99bcc5ea0a2030083acf4765 |
| SHA512 | d821268a3921d934d42b380dde1b6e87a842a8a814cee3d83de13f79502b6348c31110dbc9e391fb5a4d5c0617b4a7ad30b03c768c7f6d7d1616b466fc264c0d |
C:\Windows\system\SuopPRn.exe
| MD5 | b49525616760379a0c99d280549fe69b |
| SHA1 | 560c2bdb5b717739969a12cfc3b76a6b5cf2c13c |
| SHA256 | cd00d1fb969d78dbb86c4c93bb76cd4196fef5ba68453f00d43ea2cb84294139 |
| SHA512 | eff2ebe366730539ec7615e1b156af16168f370ac3b872cbd59a08f92f99ca25637bd0b3612ebe117ffd03d4445c41d3655874b61581b9e266e44f8cfc26611a |
C:\Windows\system\oAQounP.exe
| MD5 | 94f786978f42d4a7912845d30c6aad0f |
| SHA1 | ae47a1584ba73613e749603394447ab4c1a12c33 |
| SHA256 | 4ff60ca7d34f1469e1582288ca1af0763a42339e7f90dd8a0dc9898f307b0f59 |
| SHA512 | 2efcaaeedfffffd2e0bfcb85e30c8167499cc988800f5275af392a9d8212328e3b6f8fc53a3e3a2583dda600dc01b0f1d1475ff628125f2ab0f2f6d03f249f4b |
memory/1196-96-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2696-134-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2660-133-0x000000013F4F0000-0x000000013F844000-memory.dmp
C:\Windows\system\pUJgeui.exe
| MD5 | 3ad4ddf8fa013c16f23c8b97699aa625 |
| SHA1 | b61cf7cdd27549460376d234e0905276a2d7be9b |
| SHA256 | f03551ecff1534c6ad8ffcc0de58d03ccf6d5c4301512d51a7e20a8031c55ee1 |
| SHA512 | 4e1a6784939d20196d60fe9368e4fc6476cc0bcfe9bcb61d85aa726744e12b56263c5b5ca43c39e060583f1b8c0c0057e8985b392c4a5adb539090f19800d6ef |
memory/2460-81-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1196-80-0x0000000002210000-0x0000000002564000-memory.dmp
C:\Windows\system\patmCwR.exe
| MD5 | df8dac6319b4a4bdeacf5be99b87d33f |
| SHA1 | a22dbff22fd266f84d5657572e591f73e181ebd0 |
| SHA256 | 77a710e26af6d5da84e84d4d3c36ffa281191037e49ec17c6574d95d917793e8 |
| SHA512 | f274ea1c0be35962983760cd59ef7fd8e080e89b77b2d0edf40d3b527b8868298de3d93fff14f5d2ee172267f313c3672f3c012ccc8353fc16b3576dd3117282 |
memory/2720-75-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\HdZMsSB.exe
| MD5 | 19803b1f5a2e7ec0b535a8ebd15015c1 |
| SHA1 | 54288a41b9a3371ae7058b62235bbf19870f3e59 |
| SHA256 | 92e9ab1dcddd455d5dfd22815defc9974035b8e95232814f2a9ff57ff5c80255 |
| SHA512 | 3222aa2f33987760579311e3c1d458e915a07e0b4d333da3c4eea5e5acc2d0c9e630573a1c548fd471cd3dca54b7a66366002973360728f6dfe74d51a0fe6d91 |
memory/1196-71-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1812-70-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2596-135-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2748-68-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\KAPziLo.exe
| MD5 | 2bf4520de9a0bae804141fcdaa34cded |
| SHA1 | 4120aac7ffe6b126b5218883dc8b5a61d0fb8fde |
| SHA256 | dcbcde207380e4467499ba132080887fab0960840953a8ab2a137544be5a4e40 |
| SHA512 | d9740e85d3552b26e6c596d6c62f19680f6675e57d2c82a4723eb6424baae7ca415981048b71e2a13a3e2b59762a6b211ce7a667e6eb47f3cbe500b13170b002 |
memory/1196-64-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2596-57-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2548-56-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/1196-55-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\TbEKlqE.exe
| MD5 | 453563b1f29f81fc8932bcce9d795c81 |
| SHA1 | c4600a6a56fd27c8cf595a3894e6829c68381236 |
| SHA256 | dcf7e3e44d179ba85d62a15728ff9c3c9ef7ba6c1044651ddfe2f2b26b62a422 |
| SHA512 | 4dc950bfc0b7cdcac35adfd596749eadda9c79d4c5420fe4cf7441cc55ddd57d5e48bfcfddec7fc08d0f48ede6dd7e1ccc9be0f1d32e6dfc0e44bea8e61319b1 |
memory/1196-49-0x000000013F500000-0x000000013F854000-memory.dmp
C:\Windows\system\imrtWNk.exe
| MD5 | 889a645ac010636f96cc5c6efb717c94 |
| SHA1 | 98b7baf854d62ab4daf911102eaaa6a3ed47f80e |
| SHA256 | 8d5d64ebe0df638258e22c8ee2bcc5514267eb19eeff5a6bce1336d1bcd2c882 |
| SHA512 | 852b76337e0362d5c5f5f90d81ab9b826fc062c8c68d11f56caf8690dd97f13a39bdb95f20b2f290a047cc29806c22dfb133895d49e85a30168874e2055a8499 |
C:\Windows\system\MQCUuMr.exe
| MD5 | 818ef15d077bee564614b0533898a6d0 |
| SHA1 | 0bd0044f002d825e309f9d7a2d74cb003c1f061a |
| SHA256 | e5013a88ce5dec9049cdcea028252cc4113c7a58a3a822ab6dea913fb4f16b0b |
| SHA512 | f59be4e7fdb850f696ef486f929fba596695d42388ec0b54a2cf7d2d48eb30de950f29aa3156c378d7465bad0858fdf45bea16a1afc45787089b9b152833fd82 |
memory/1624-136-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2604-39-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\rFmUFFH.exe
| MD5 | 47435745bcc8adb5a34fdc208435218e |
| SHA1 | 9ee8a44fbebf507d54c358c3b4f1c0e0f9c462ea |
| SHA256 | 901edfd552024a055d3ccc24f6516d714998eede9e8c661856fe6afdb3837c6d |
| SHA512 | f115ba74c15090912425177a89a52019939a4550edd3714c18de377874d42ddc1aca4354d878dab99f785bedf5eea50e974fea0f43bd723f575ceb351367ece1 |
memory/3020-34-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/1196-32-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/1196-21-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2548-10-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/1196-137-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2748-138-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/1196-139-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2720-140-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1196-141-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2460-142-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2504-143-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/1196-144-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2548-145-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2208-146-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1436-147-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2720-150-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2504-152-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2604-151-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1624-149-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2696-148-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1812-153-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2596-156-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2748-158-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2460-157-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2660-155-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/3020-154-0x000000013FB40000-0x000000013FE94000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 16:58
Reported
2024-06-01 17:01
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oJlilfj.exe | N/A |
| N/A | N/A | C:\Windows\System\kpIpNcs.exe | N/A |
| N/A | N/A | C:\Windows\System\edKxFnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gjGrwYq.exe | N/A |
| N/A | N/A | C:\Windows\System\TSBiQBp.exe | N/A |
| N/A | N/A | C:\Windows\System\yxakvBr.exe | N/A |
| N/A | N/A | C:\Windows\System\MljqyaD.exe | N/A |
| N/A | N/A | C:\Windows\System\YuSPtjT.exe | N/A |
| N/A | N/A | C:\Windows\System\RYnElAC.exe | N/A |
| N/A | N/A | C:\Windows\System\OHclAFi.exe | N/A |
| N/A | N/A | C:\Windows\System\hrPGDgY.exe | N/A |
| N/A | N/A | C:\Windows\System\zvMbsIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\IAydSNq.exe | N/A |
| N/A | N/A | C:\Windows\System\UMieDoB.exe | N/A |
| N/A | N/A | C:\Windows\System\gjJrfGD.exe | N/A |
| N/A | N/A | C:\Windows\System\RDSAQxi.exe | N/A |
| N/A | N/A | C:\Windows\System\mKqxQzN.exe | N/A |
| N/A | N/A | C:\Windows\System\SkUxvoM.exe | N/A |
| N/A | N/A | C:\Windows\System\VxdJWLl.exe | N/A |
| N/A | N/A | C:\Windows\System\xuibCfh.exe | N/A |
| N/A | N/A | C:\Windows\System\octzLZU.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\oJlilfj.exe
C:\Windows\System\oJlilfj.exe
C:\Windows\System\kpIpNcs.exe
C:\Windows\System\kpIpNcs.exe
C:\Windows\System\edKxFnQ.exe
C:\Windows\System\edKxFnQ.exe
C:\Windows\System\gjGrwYq.exe
C:\Windows\System\gjGrwYq.exe
C:\Windows\System\TSBiQBp.exe
C:\Windows\System\TSBiQBp.exe
C:\Windows\System\yxakvBr.exe
C:\Windows\System\yxakvBr.exe
C:\Windows\System\MljqyaD.exe
C:\Windows\System\MljqyaD.exe
C:\Windows\System\YuSPtjT.exe
C:\Windows\System\YuSPtjT.exe
C:\Windows\System\RYnElAC.exe
C:\Windows\System\RYnElAC.exe
C:\Windows\System\OHclAFi.exe
C:\Windows\System\OHclAFi.exe
C:\Windows\System\hrPGDgY.exe
C:\Windows\System\hrPGDgY.exe
C:\Windows\System\zvMbsIJ.exe
C:\Windows\System\zvMbsIJ.exe
C:\Windows\System\IAydSNq.exe
C:\Windows\System\IAydSNq.exe
C:\Windows\System\UMieDoB.exe
C:\Windows\System\UMieDoB.exe
C:\Windows\System\gjJrfGD.exe
C:\Windows\System\gjJrfGD.exe
C:\Windows\System\RDSAQxi.exe
C:\Windows\System\RDSAQxi.exe
C:\Windows\System\mKqxQzN.exe
C:\Windows\System\mKqxQzN.exe
C:\Windows\System\SkUxvoM.exe
C:\Windows\System\SkUxvoM.exe
C:\Windows\System\VxdJWLl.exe
C:\Windows\System\VxdJWLl.exe
C:\Windows\System\xuibCfh.exe
C:\Windows\System\xuibCfh.exe
C:\Windows\System\octzLZU.exe
C:\Windows\System\octzLZU.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
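Two things in the table above are easy to misread. The `*.in-addr.arpa` names are reverse (PTR) lookups sent to 8.8.8.8, and each one encodes, in reversed octet order, an address the guest had already touched (`232.168.11.51.in-addr.arpa` is a lookup for 51.11.168.232); the report lists only the query names, so they are pivots to check against your allowlist of OS and telemetry ranges, not resolved contacts. The only non-DNS traffic is the repeated TCP connections to 3.120.209.58:8080, which is therefore the candidate C2 here. The parser below is an added example written for this page, not part of the sandbox's own tooling; it takes rows in the layout of the table header (Country, Destination, Domain, Proto), decodes the PTR names back to addresses and counts the direct connections. The embedded rows are a subset copied from the table.

```python
import re
from collections import Counter

# Subset of the report's Network table, in header column order (the whole table
# can be pasted in unchanged).
REPORT_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([0-9.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(udp|tcp)\s*\|$"
)
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_network(text):
    """Parse table rows into dicts; the header row does not match and is skipped."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """Turn an in-addr.arpa query name back into the IPv4 address being looked up."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def classify(rows):
    """Split rows into (addresses reverse-looked-up, Counter of direct (ip, port, proto))."""
    lookups, direct = [], Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"].endswith(".in-addr.arpa"):
            lookups.append(ptr_target(r["domain"]))
        elif not r["domain"]:
            direct[(r["ip"], r["port"], r["proto"])] += 1
    return lookups, direct


if __name__ == "__main__":
    lookups, direct = classify(parse_network(REPORT_NETWORK))
    print("reverse lookups for:", lookups)
    for (ip, port, proto), n in direct.most_common():
        print(f"direct {proto} {ip}:{port} x{n}")
```

Addresses that come out of `ptr_target` are what the guest contacted before asking for their names; the direct-connection counter is what goes into a network blocklist or a retro-hunt over proxy and firewall logs.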
Files
memory/3964-0-0x00007FF6DD7F0000-0x00007FF6DDB44000-memory.dmp
memory/3964-1-0x000001C208FE0000-0x000001C208FF0000-memory.dmp
C:\Windows\System\oJlilfj.exe
| MD5 | b1e34aa7cf11e47f28a532a9115a405e |
| SHA1 | 34c6101a0c1598ecc99648d63fae36a427947e67 |
| SHA256 | 58e1537520cb62abd652f9a62895c7e3c4bd123e0f5889609006920846b731e9 |
| SHA512 | d64c753baa74472068aa9e764aa5d6e15be5979dd48d372e1a78e6945242a4cb2f4ebb802cd5a1811a9ebe9c57063c55123f5e8c097ffa682c6acb89a44950c6 |
C:\Windows\System\kpIpNcs.exe
| MD5 | e2d5f13b5e52196897bd57ed6f7f3f87 |
| SHA1 | b2943a3b6d1f041b579033f69d7b9af965f76539 |
| SHA256 | e17028f3ea329dd2f0b8c1343d28f3f1f8d56fd8a2fb3936fd7c7a6ceee1b5df |
| SHA512 | f0e48825d53b443ae529bb30b7800a7d2297b3cd3c023ee4c078859aa233211c18cd0141b2d768d4388cc20e0d63c50060dc3409d7ff02b6555448ce213a59ba |
C:\Windows\System\edKxFnQ.exe
| MD5 | 7ea63204cdfa0e5049d6ffd3e2af70df |
| SHA1 | 2645d9b148f36aa2a582d6441223d50df9f0e5b5 |
| SHA256 | 999437c4cd8fc1ca9f48782ec34ea944a3b16fe16db39f328441011c3f175c64 |
| SHA512 | b27060d2513d2f048a4eabcb5950e2e09474fb79e908c3e42b3fe2dfa3baf4b6ba57f3898e0f564d974ad0d4d0710b30a5da4823d0ff26c3c638aaac2e50152e |
memory/1164-20-0x00007FF6F0B50000-0x00007FF6F0EA4000-memory.dmp
memory/2012-19-0x00007FF766660000-0x00007FF7669B4000-memory.dmp
memory/4896-14-0x00007FF7063A0000-0x00007FF7066F4000-memory.dmp
C:\Windows\System\gjGrwYq.exe
| MD5 | d1d667afe1bd3e713e7dcfffde04f5ff |
| SHA1 | bbfd0d573722485784a4adb24f181c3d484f3e39 |
| SHA256 | 729eb2bd70c393e0973073982a4d49b0dbff57e04eb1d056408b3075ff4ea402 |
| SHA512 | f77d1c558e60fca3c837babd6d5b4a64aa4c4a536526c89bb3a34fdc03728a16ed404397b33fe5dcc8d764ac490482ee04a5742949ad07dd0aff2e678cedaa14 |
memory/3908-26-0x00007FF63B130000-0x00007FF63B484000-memory.dmp
C:\Windows\System\TSBiQBp.exe
| MD5 | fc2c770ce7d0f5f1135ce42d65ba3aad |
| SHA1 | d3ffc200eae70898bc580ddd1301850852c593e4 |
| SHA256 | 98947c713b9531bcaa755bd88c73577de464eb3e2064901424294f181bde5ab2 |
| SHA512 | 1cab935325a23e449947ee28e5e90d23aebf69a17644051fb0f0ed1a1127ff92437555323c62ec2731e88e0654e784e4f45d64cc443a4eded551185dd05e3405 |
C:\Windows\System\yxakvBr.exe
| MD5 | 29a138675504427bca0f86ca344a7d94 |
| SHA1 | e37c6da066e0a96eb81491eae6f232963c8ddbeb |
| SHA256 | 1265210a1c28e1d4d669fb04f5f2eafa059ae33908861acc4984f61424691e81 |
| SHA512 | fe0e22910e8ea98b5b4a349be20fded8f6d5fa41348165956845791ed1fe137e28313a6ba2ce01202abe30683f0414bc294556a82d170da9c3772e51622493b5 |
memory/452-32-0x00007FF614600000-0x00007FF614954000-memory.dmp
memory/4112-37-0x00007FF6A7DA0000-0x00007FF6A80F4000-memory.dmp
C:\Windows\System\MljqyaD.exe
| MD5 | 1a3733f7c5ef8c82846235aa1e192e07 |
| SHA1 | 696a1695c2f4d89bce0df9903e2725e1b12dfa5a |
| SHA256 | d9224c9453c16fb70555ef7839215ec2b68d837bcdf73ffbea790c91fdb7d71b |
| SHA512 | 647c64ca4df2fdd177376bb25ea250a993ef989efd51fe674985a79ac17dd1a5b5366c24a15e7d97e71eb7c24204e5f29e9da046896d2ed015ced2ea06532904 |
C:\Windows\System\YuSPtjT.exe
| MD5 | b934082b0c07895527f43788c143a19a |
| SHA1 | f5c8b220ff3cce01317b2ed3f64a47fb0b17f394 |
| SHA256 | d29f3ac4d0477bcde59e88f87f194a997fe05cc7e7ef6b03b1768c9b8051bc3c |
| SHA512 | 43e94c8ba9afd30aa1f91552a43b8888bd66b882bacc0b2a32700a5a9e0edd931bf0472bfb25137bb9b0b05b1698923516725249c231aa062c909719119063be |
memory/4144-45-0x00007FF74FF50000-0x00007FF7502A4000-memory.dmp
memory/1728-48-0x00007FF6796C0000-0x00007FF679A14000-memory.dmp
C:\Windows\System\RYnElAC.exe
| MD5 | b241363a4c0f6e58b313a4a9f3df5397 |
| SHA1 | 2474fc004868412b9d1277556b05bb1e04d34ab2 |
| SHA256 | 5a09c473de0f6d245cd5fb3dcbfdfb5744ac497fd1eca1077a0248fc69458b7b |
| SHA512 | 228b7075917c7e6f8bcc5c9c0c16b1a78d988efb4568e8786b58070183ccfa6bffd371882a65005fd0751fdec3ed8f0826f9ff800d176b9a6598b3e039ad5995 |
memory/1528-56-0x00007FF75CB40000-0x00007FF75CE94000-memory.dmp
C:\Windows\System\OHclAFi.exe
| MD5 | 4194418d1acdd53219f1ed090865fb9f |
| SHA1 | 1a6f58d4c765e098aef3c6cf3dd79f7598f3b4e5 |
| SHA256 | 2a4e65ae4af63d86193a4cdefac7ba2a2cd614900e0d368c1f2101bdd60dfaaf |
| SHA512 | ed46419a540552a1eea0926d59777df57a75b1e9ab9d4cc31c239ae0056656212b9cf4f829feda5e67b5b4dabff4f9d3fbf55fc1e98ad545b8ebf4cdc2d556ed |
memory/3964-62-0x00007FF6DD7F0000-0x00007FF6DDB44000-memory.dmp
memory/2036-72-0x00007FF658250000-0x00007FF6585A4000-memory.dmp
C:\Windows\System\zvMbsIJ.exe
| MD5 | 11629c6159eaacfb444e402319617c29 |
| SHA1 | 6fa1e5ce90f3a855b3f948a49fba9ee39135631a |
| SHA256 | ce6fb0c5914d05c9ba12acac4af0e72fa827b6cc988ef6f766321eedb5f4accb |
| SHA512 | f86151e1c62017ac86d357c3cbc03df20056b536a19a9f0b5ac448e068078e56c25af0abcfa1bf6d252851ec51e966acb71f252dea6fa290662f2337fafafc0e |
C:\Windows\System\UMieDoB.exe
| MD5 | a06722bc38cf39b8cac088c07ca57157 |
| SHA1 | c9557f44a14100b7674ab8423127248f28f4887b |
| SHA256 | e87fe78ceb986099a5927feaec0446cbc4881dd4bb037917bd382068ea6aad54 |
| SHA512 | c397cc2bb840a828ae1ff338a66e510c56472e61fd3ba8c9f8ccf9de1e19d84c6847dbb16b1b6a5dbac008e470aa72f43b92f6d8b2657f901faa6e84ed04c1aa |
C:\Windows\System\gjJrfGD.exe
| MD5 | 7ca51e40b3245d1980a172985defaa20 |
| SHA1 | 3466b5a2329a38b0f204f4be90427043c09f9216 |
| SHA256 | ab769b71570408854f25dbc523b8c928d02779b9b35d94ce413be1bc136e5b96 |
| SHA512 | ed71bbf3c4df9cbf2b7d5056ac4f4df67eed625e519dc1e8ba3e0ea7958acd1df3bc5212230d642603e5539d3a5c70b98258bb9af6936233a9e3832f51ff5a7c |
C:\Windows\System\RDSAQxi.exe
| MD5 | 7cebdd2a580811ee2f2c0f206d427824 |
| SHA1 | c074eeae26161f2a6a889dfabfa050268071a737 |
| SHA256 | df574e3c943c1257c5925cef51f02e898c81eb06a88669504aa335035d038af7 |
| SHA512 | a93e6142a2ed29924f971cead0c4c9830cc5e1f0297a0cd05ca702cde60936e449d3c7c6b579b5e375c39a3b0c8cae710212be918d1176209fce6e515256c370 |
memory/3952-93-0x00007FF78C090000-0x00007FF78C3E4000-memory.dmp
memory/1912-98-0x00007FF7FB2F0000-0x00007FF7FB644000-memory.dmp
C:\Windows\System\mKqxQzN.exe
| MD5 | a9421dca4499b7b415ce29529312bd7d |
| SHA1 | 8d78b6b8d4fb7dd4754520a1ecd18c002e779631 |
| SHA256 | 2ef4d38449d4e3020955df2489834137ab4993da0ed31a13de24633cee6f4e78 |
| SHA512 | b0bb60cfc3fa847ce484e83b3c0ae2c41f02a97513f3434a5a88e5ba222b1ba2a1c96e7024d0c0aca202a973a8be6843e0f05cdb97ce7f2d76476e936c9da02f |
C:\Windows\System\SkUxvoM.exe
| MD5 | 81016c9af02a7328133967a72c4cce2c |
| SHA1 | 6faf37354148d472ed68f4491369e08388371dec |
| SHA256 | 28b3f5f5d8e34e448fda84925bb49a70c5cee96de5a4185b3cac807d9edfe93c |
| SHA512 | 46a827d524b1b659013abdec7a4dc3fbef82dc9be4334621be11718c26164da5fc42331cedcc57ef6bbb2f7d3a1fc1c7bf541d697b61a14038926b186ef4dab0 |
memory/2508-113-0x00007FF7CA6B0000-0x00007FF7CAA04000-memory.dmp
C:\Windows\System\VxdJWLl.exe
| MD5 | e914cf79a8c27b7655224a33fecdcfbe |
| SHA1 | b3fcf9bbe52dcae6db98bea3766c8aad4d1b3a55 |
| SHA256 | 1b15e6d91aa51edb0674765fc983bb9aaeb0b7c9c133963f20b5a4abaffa767f |
| SHA512 | b0a6a9e8356f5b23f4c5948b1e8ca13fa24b5306f44eb2e85d3759bdcdb1ae29561c3b98c6b22bb1afde480ad25d29a6ac29542dc8eed24f37869a568b3ff59e |
memory/1656-114-0x00007FF6A75C0000-0x00007FF6A7914000-memory.dmp
memory/3908-112-0x00007FF63B130000-0x00007FF63B484000-memory.dmp
memory/1048-100-0x00007FF7C3570000-0x00007FF7C38C4000-memory.dmp
memory/4264-97-0x00007FF6F4080000-0x00007FF6F43D4000-memory.dmp
C:\Windows\System\IAydSNq.exe
| MD5 | caaad1bb67272113c64efa0e78ff2147 |
| SHA1 | d94d2ed4f76b8d22f21925779bce21d0220233aa |
| SHA256 | 8c4caa6bc883c6e0a70395087f0ec677117441e07915e183ecb50c98bb3d03b1 |
| SHA512 | 500794d15a9a9538c2e00bd6a6a134ff8b710835b8d03f6f58553746e29b6da19efb3b92c148f20b8159872845c0e67124d0fae84756c66cf537a749bc4b695d |
memory/2864-118-0x00007FF6A9950000-0x00007FF6A9CA4000-memory.dmp
memory/3276-73-0x00007FF73A2D0000-0x00007FF73A624000-memory.dmp
C:\Windows\System\hrPGDgY.exe
| MD5 | 525151cb153234c551eb112d03bc5851 |
| SHA1 | 9040e132b135c50f172084bf3417abaf1fe6bb84 |
| SHA256 | 8f0616fa20921a57eb5d571d66abb9b7e7bdf41b019e979e4ed25915a8d988a2 |
| SHA512 | 1c0becdc8aca7e0457c7b1df7b5bcb6156389a5f4276bb0aa0660e92944f0c0c6f18834cbafa9bb3ff003add9dd1fc494111d042b84158e800a1dd0044b2e89c |
memory/5040-66-0x00007FF700D40000-0x00007FF701094000-memory.dmp
C:\Windows\System\xuibCfh.exe
| MD5 | 646ce5239f9ec5287686ba18b59b6c4f |
| SHA1 | e299493721345e446fb8db45c3dacfddecd9e7b3 |
| SHA256 | 590ef8e4d1745293eba236c3c4bcfc3e4b4eb9c1146a81993830690ef392566c |
| SHA512 | d1c06782da3c9ad2b0951934aa65a2e1d68622a10b468369bc70bc77023e5e35906d15685277193ab57a34dae961a82a8b389ef4b9dfbe2155c79919bab7a9e9 |
C:\Windows\System\octzLZU.exe
| MD5 | 111f2538b1d81553f19fb5365e325fa2 |
| SHA1 | b3c83a29b794422bf1bd9bd6fbae221572592e4e |
| SHA256 | abdaa2bade56dfdfba4b947023ee5f57e55d9ac48754096fd99213cbd8494313 |
| SHA512 | c95011f6dad5f2307fb4c8463271407d8be04c016b6df3194ce708c63b407e68d7d39339644c633742b7d1cf1166bad13deba49bb4600f4e03fcc84943d9da46 |
memory/640-128-0x00007FF603020000-0x00007FF603374000-memory.dmp
memory/4112-122-0x00007FF6A7DA0000-0x00007FF6A80F4000-memory.dmp
memory/1208-125-0x00007FF71CAB0000-0x00007FF71CE04000-memory.dmp
memory/1728-131-0x00007FF6796C0000-0x00007FF679A14000-memory.dmp
memory/2036-132-0x00007FF658250000-0x00007FF6585A4000-memory.dmp
memory/3276-133-0x00007FF73A2D0000-0x00007FF73A624000-memory.dmp
memory/1208-134-0x00007FF71CAB0000-0x00007FF71CE04000-memory.dmp
memory/640-135-0x00007FF603020000-0x00007FF603374000-memory.dmp
memory/4896-136-0x00007FF7063A0000-0x00007FF7066F4000-memory.dmp
memory/2012-137-0x00007FF766660000-0x00007FF7669B4000-memory.dmp
memory/1164-138-0x00007FF6F0B50000-0x00007FF6F0EA4000-memory.dmp
memory/3908-139-0x00007FF63B130000-0x00007FF63B484000-memory.dmp
memory/452-140-0x00007FF614600000-0x00007FF614954000-memory.dmp
memory/4112-141-0x00007FF6A7DA0000-0x00007FF6A80F4000-memory.dmp
memory/4144-142-0x00007FF74FF50000-0x00007FF7502A4000-memory.dmp
memory/1728-143-0x00007FF6796C0000-0x00007FF679A14000-memory.dmp
memory/1528-144-0x00007FF75CB40000-0x00007FF75CE94000-memory.dmp
memory/5040-145-0x00007FF700D40000-0x00007FF701094000-memory.dmp
memory/2036-146-0x00007FF658250000-0x00007FF6585A4000-memory.dmp
memory/3276-147-0x00007FF73A2D0000-0x00007FF73A624000-memory.dmp
memory/4264-148-0x00007FF6F4080000-0x00007FF6F43D4000-memory.dmp
memory/3952-149-0x00007FF78C090000-0x00007FF78C3E4000-memory.dmp
memory/1912-150-0x00007FF7FB2F0000-0x00007FF7FB644000-memory.dmp
memory/1048-151-0x00007FF7C3570000-0x00007FF7C38C4000-memory.dmp
memory/2508-152-0x00007FF7CA6B0000-0x00007FF7CAA04000-memory.dmp
memory/1656-153-0x00007FF6A75C0000-0x00007FF6A7914000-memory.dmp
memory/2864-154-0x00007FF6A9950000-0x00007FF6A9CA4000-memory.dmp
memory/1208-155-0x00007FF71CAB0000-0x00007FF71CE04000-memory.dmp
memory/640-156-0x00007FF603020000-0x00007FF603374000-memory.dmp
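Two patterns in the Files list above matter more than any single hash. Every dropped executable lives in `C:\Windows\System\` under a seven-letter random name, each of the 21 copies has a different MD5/SHA1/SHA256, and yet every image-sized memory region listed (one per PID, excluding the 64 KiB region under PID 3964) spans exactly 0x354000 bytes. That combination is consistent with one payload re-written per drop, so the file hashes are weak IOCs and the drop path plus the uniform image size are the better pivots. The script below is an added example written for this page, not the sandbox's own code: it parses the Files section as printed (paths followed by hash rows, interleaved `memory/<pid>-<n>-<start>-<end>-memory.dmp` names), checks hash uniqueness, derives the dominant image size and applies a path-pattern check for the drop location. The embedded data is a subset copied from the list, with SHA512 rows left out for brevity.

```python
import re
from collections import Counter

# Subset of the report's Files section, copied from the page (SHA512 rows omitted;
# the parser accepts the full section pasted in unchanged).
REPORT_FILES = r"""
memory/3964-0-0x00007FF6DD7F0000-0x00007FF6DDB44000-memory.dmp
memory/3964-1-0x000001C208FE0000-0x000001C208FF0000-memory.dmp
C:\Windows\System\oJlilfj.exe
| MD5 | b1e34aa7cf11e47f28a532a9115a405e |
| SHA1 | 34c6101a0c1598ecc99648d63fae36a427947e67 |
| SHA256 | 58e1537520cb62abd652f9a62895c7e3c4bd123e0f5889609006920846b731e9 |
C:\Windows\System\kpIpNcs.exe
| MD5 | e2d5f13b5e52196897bd57ed6f7f3f87 |
| SHA1 | b2943a3b6d1f041b579033f69d7b9af965f76539 |
| SHA256 | e17028f3ea329dd2f0b8c1343d28f3f1f8d56fd8a2fb3936fd7c7a6ceee1b5df |
C:\Windows\System\edKxFnQ.exe
| MD5 | 7ea63204cdfa0e5049d6ffd3e2af70df |
| SHA1 | 2645d9b148f36aa2a582d6441223d50df9f0e5b5 |
| SHA256 | 999437c4cd8fc1ca9f48782ec34ea944a3b16fe16db39f328441011c3f175c64 |
memory/1164-20-0x00007FF6F0B50000-0x00007FF6F0EA4000-memory.dmp
memory/2012-19-0x00007FF766660000-0x00007FF7669B4000-memory.dmp
memory/4896-14-0x00007FF7063A0000-0x00007FF7066F4000-memory.dmp
memory/3964-62-0x00007FF6DD7F0000-0x00007FF6DDB44000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
# Drop location used by this sample: seven alphabetic characters under C:\Windows\System
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_report(text):
    """Return ({path: {alg: hexdigest}}, [(pid, idx, start, end), ...])."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None          # hash rows never follow a dump entry
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
            continue
        current = line              # a dropped-file path starts a new entry
        files.setdefault(current, {})
    return files, regions


def dominant_image_size(regions):
    """Most common region size: the payload image size when one payload is re-dropped."""
    return Counter(end - start for _, _, start, end in regions).most_common(1)[0][0]


def pids_with_image_size(regions, size):
    """PIDs that mapped a region of exactly `size` bytes."""
    return sorted({pid for pid, _, start, end in regions if end - start == size})


def is_random_drop(path):
    """Path-pattern check for the drop location seen in this report."""
    return bool(DROP_RE.match(path))


def hashes_all_distinct(files, alg="SHA256"):
    """True when no two dropped files share a digest (file hashes then make weak IOCs)."""
    digests = [h[alg] for h in files.values() if alg in h]
    return len(digests) == len(set(digests))


def sha256_iocs(files):
    """Sorted SHA256 list for a blocklist or retro-hunt."""
    return sorted(h["SHA256"] for h in files.values() if "SHA256" in h)


if __name__ == "__main__":
    files, regions = parse_report(REPORT_FILES)
    size = dominant_image_size(regions)
    print(f"dropped files: {len(files)}, SHA256 all distinct: {hashes_all_distinct(files)}")
    print(f"image size 0x{size:X} mapped by PIDs {pids_with_image_size(regions, size)}")
    print("random-name drops:", [p for p in files if is_random_drop(p)])
```

`DROP_RE` is deliberately narrow to this sample's naming; a legitimate seven-letter executable in that directory would also match, so treat it as a hunting pivot to pair with the process-creation and file-write events rather than a standalone alert. The uniform 0x354000 image size is the more robust pivot across copies, since it survives the per-drop hash changes.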