Analysis Overview
SHA256
0f8c4b87434281a7cbbe5d8412c8bfa9808567abc4bee020dca65d8841c9e1a0
Threat Level: Known bad
The file 2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike family
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 10:02
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 10:02
Reported
2024-06-06 10:05
Platform
win7-20240508-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kpwmblG.exe | N/A |
| N/A | N/A | C:\Windows\System\vnxbNmr.exe | N/A |
| N/A | N/A | C:\Windows\System\mnFPKiT.exe | N/A |
| N/A | N/A | C:\Windows\System\ezxingF.exe | N/A |
| N/A | N/A | C:\Windows\System\iXJsqBS.exe | N/A |
| N/A | N/A | C:\Windows\System\ppRjPcf.exe | N/A |
| N/A | N/A | C:\Windows\System\cJKKLHm.exe | N/A |
| N/A | N/A | C:\Windows\System\liSocVH.exe | N/A |
| N/A | N/A | C:\Windows\System\cotNido.exe | N/A |
| N/A | N/A | C:\Windows\System\aBpFMbp.exe | N/A |
| N/A | N/A | C:\Windows\System\eeXjzjd.exe | N/A |
| N/A | N/A | C:\Windows\System\fNjkSEg.exe | N/A |
| N/A | N/A | C:\Windows\System\HsYtIPU.exe | N/A |
| N/A | N/A | C:\Windows\System\EjVcuQS.exe | N/A |
| N/A | N/A | C:\Windows\System\aWPZtBg.exe | N/A |
| N/A | N/A | C:\Windows\System\oTeJmnY.exe | N/A |
| N/A | N/A | C:\Windows\System\SAKTVMw.exe | N/A |
| N/A | N/A | C:\Windows\System\IdibMTM.exe | N/A |
| N/A | N/A | C:\Windows\System\SFXcBXP.exe | N/A |
| N/A | N/A | C:\Windows\System\qkDyCSu.exe | N/A |
| N/A | N/A | C:\Windows\System\KQlKddt.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\kpwmblG.exe
C:\Windows\System\vnxbNmr.exe
C:\Windows\System\mnFPKiT.exe
C:\Windows\System\ezxingF.exe
C:\Windows\System\iXJsqBS.exe
C:\Windows\System\ppRjPcf.exe
C:\Windows\System\cJKKLHm.exe
C:\Windows\System\liSocVH.exe
C:\Windows\System\cotNido.exe
C:\Windows\System\aBpFMbp.exe
C:\Windows\System\eeXjzjd.exe
C:\Windows\System\fNjkSEg.exe
C:\Windows\System\HsYtIPU.exe
C:\Windows\System\EjVcuQS.exe
C:\Windows\System\aWPZtBg.exe
C:\Windows\System\oTeJmnY.exe
C:\Windows\System\SAKTVMw.exe
C:\Windows\System\IdibMTM.exe
C:\Windows\System\SFXcBXP.exe
C:\Windows\System\qkDyCSu.exe
C:\Windows\System\KQlKddt.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 10:02
Reported
2024-06-06 10:05
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nZYRlMz.exe | N/A |
| N/A | N/A | C:\Windows\System\IWraPVg.exe | N/A |
| N/A | N/A | C:\Windows\System\NfgucsW.exe | N/A |
| N/A | N/A | C:\Windows\System\MzbsIIy.exe | N/A |
| N/A | N/A | C:\Windows\System\yGGnLjM.exe | N/A |
| N/A | N/A | C:\Windows\System\rGvWdKA.exe | N/A |
| N/A | N/A | C:\Windows\System\mmHvDpo.exe | N/A |
| N/A | N/A | C:\Windows\System\ExDkhXc.exe | N/A |
| N/A | N/A | C:\Windows\System\eYtcODq.exe | N/A |
| N/A | N/A | C:\Windows\System\ukGNVfS.exe | N/A |
| N/A | N/A | C:\Windows\System\AyDAueY.exe | N/A |
| N/A | N/A | C:\Windows\System\fneTGmO.exe | N/A |
| N/A | N/A | C:\Windows\System\OAwNddO.exe | N/A |
| N/A | N/A | C:\Windows\System\gxaGIvo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZvAOwQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xrSNtWb.exe | N/A |
| N/A | N/A | C:\Windows\System\bJQCrhj.exe | N/A |
| N/A | N/A | C:\Windows\System\FZFbUsS.exe | N/A |
| N/A | N/A | C:\Windows\System\DfQpspo.exe | N/A |
| N/A | N/A | C:\Windows\System\FUkczOz.exe | N/A |
| N/A | N/A | C:\Windows\System\VJthdoK.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_633ff58c2470ae6e49db3c439077d2cd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\nZYRlMz.exe
C:\Windows\System\IWraPVg.exe
C:\Windows\System\NfgucsW.exe
C:\Windows\System\MzbsIIy.exe
C:\Windows\System\yGGnLjM.exe
C:\Windows\System\rGvWdKA.exe
C:\Windows\System\mmHvDpo.exe
C:\Windows\System\ExDkhXc.exe
C:\Windows\System\eYtcODq.exe
C:\Windows\System\ukGNVfS.exe
C:\Windows\System\AyDAueY.exe
C:\Windows\System\fneTGmO.exe
C:\Windows\System\OAwNddO.exe
C:\Windows\System\gxaGIvo.exe
C:\Windows\System\ZvAOwQQ.exe
C:\Windows\System\xrSNtWb.exe
C:\Windows\System\bJQCrhj.exe
C:\Windows\System\FZFbUsS.exe
C:\Windows\System\DfQpspo.exe
C:\Windows\System\FUkczOz.exe
C:\Windows\System\VJthdoK.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
Files
C:\Windows\System\nZYRlMz.exe
| MD5 | be8c81740b01ae9232d4a9775387d565 |
| SHA1 | e03707198b46cce3e07f314cf7bef62c893a9867 |
| SHA256 | 11fb8f4bcd814bfb76d0b414405924f9c074d0058f7edc6fbd3e9767ad9c5d30 |
| SHA512 | 17464aeffef0627966380989ca3489330b1bae062114a0b9c44666588e6718be264ddc89cba7ceeb0b527a2f2e22fcc792b9b51b1d734704d81fcda2aa40ebeb |
C:\Windows\System\IWraPVg.exe
| MD5 | de04d579cba010a9b2a699f1ead9b23f |
| SHA1 | 39cbb78a3dd4d7af47916f41e73d0767be83d9b5 |
| SHA256 | e0a1c76c6783e85a753fcb2fa74829d376ec07756a4afaf731f12f76b2b8f41e |
| SHA512 | a5788374486b4ac975f36461f35799fc710c6327de1dbc5c971127dc93d164b83475f3cf11d396ac92eb633b9d6425a03b5945113656006089262f1428b0eddd |
C:\Windows\System\NfgucsW.exe
| MD5 | d7c66d429139b5c0925cbb8e3a21904c |
| SHA1 | 64abfee29e3b9a3034ba8cb0365ca4bb51cccbab |
| SHA256 | a40c8f6583bc6a4ee403f91fbb73e1639656928828815a3a8f8d6230d6cbfb17 |
| SHA512 | e20d93f9fb699bab091e07d2b7dff9b6d8c919b7602ca8e6506bb7562f9526eead33bdb56ee8e9edbc245c8107b4a4e51f0ef141c5ff62bf13a22b23e216f194 |
C:\Windows\System\yGGnLjM.exe
| MD5 | aa3b4e805095e6c7ab611aca5edde130 |
| SHA1 | f64dd13922ef66ce9de0f11a6cefaedcd778eeef |
| SHA256 | 1f6b14e519474d2eb42fcea043dfa56629b9611c472e0df3b817ca9bcf3a7c08 |
| SHA512 | 049499b279709139440b98889f736959928936f2f23ad9a61238476e82e3a6f43be7e1838e09b16da0794937f01dbd63a2c6902bd6d94ab01b31c740c15d03ec |
C:\Windows\System\MzbsIIy.exe
| MD5 | b204a006c44f5fc8ec0a37ac3ec0dbf5 |
| SHA1 | 8b4cc6409cd4b3a5504ee5da200f728aaa8ab6a4 |
| SHA256 | a4be7ac4e13697221f0828ddfa10d1a373c6f00d437e340a81d3ef87196029ef |
| SHA512 | fe7f3b276ed688932f6e5d64c95d3048c181e8d07b9b66154103c399d5d2f57f01f3d3e0e7c8c8eeafbc013adbf35547ad083476ea033381a8c4798f28b0690b |
C:\Windows\System\rGvWdKA.exe
| MD5 | 7e9659037d45b1f1505ff2458872740c |
| SHA1 | adcb59c48f46adac0e11cfcb6390e1f076d6fb7d |
| SHA256 | c923fab35bf51d5051a9df46601c3678e363e39e40f23aee311e702c8d255f4b |
| SHA512 | 4785908508635ae4dcf1ce78d7c8f1f13ef74f1fea8a78e7f40e081c1448cb2bb1d062dbb4d270432f53469b826a8b1470129e8485e5a20a4c7ac084567fcd90 |
C:\Windows\System\ExDkhXc.exe
| MD5 | 6337b1bd8737b875ad8960529e509038 |
| SHA1 | b01c4ce8e43ee30f2620d696f6fc7c14da00a43c |
| SHA256 | 15d516a9bca5ba29486b2ac46953b336bf48027f321940fc01526f889bbc6fee |
| SHA512 | a61f1ef744460e3c202b19eaa0f9af5348a0fbd691d3b9664cf9677deba6bdda6bcced82154bed1b086625a43f32b7da11cc895d4c0b98241ceae8c4fba8a2a0 |
C:\Windows\System\mmHvDpo.exe
| MD5 | 18ff0d02c1860e720f8461ea363f8160 |
| SHA1 | f1f0792342496f860776eb260e4edcf2c8378653 |
| SHA256 | 3545965f20cfd16987288211deb3141fef5e21445cb1aa678f8b9c82a7aa5106 |
| SHA512 | e65343445dabd6ce23058d8c4193a243fe9ef60524f81fcbcee8f6cd7804c59f65c5106dd460a2338f9267874eaa97d3fda04e201d3b8dfa73772f109c65121e |
C:\Windows\System\eYtcODq.exe
| MD5 | f45d67fcdc0fbab910ba23a4de551243 |
| SHA1 | 1496c787c35442d0e4b92fde420fe7ac0f0442e6 |
| SHA256 | a2f4f3db142e75d77dbed2c5a6a827f109c3bf49e683031cc23b2a50ff6aef07 |
| SHA512 | 4fb81cfeb17d8002eeeb392f51786795c37856ed89f492561d095cd99e7db1b71e5a7b56815b229923366f093356294baf3e82d1e467e7d49b49f8cc6c8c03af |
C:\Windows\System\ukGNVfS.exe
| MD5 | 67ddaf7584636b24e91efc756661f76d |
| SHA1 | 8396bf109868ff7d699c7d025e5e92c8bff4d01e |
| SHA256 | e6bd2d383ba33c30f98fc176c9d6816ff8530e388a3dc23da6a0d6448f647dc6 |
| SHA512 | 1359080ffd484dcb88c7ee8678a450a872f92b44bdf0fcd6e1c8f1ba2469a76ed6f4977e1c0c90ba4ee56b53eed4c85e04b3f5049ebc5e8bb58b7a1dd0931ddd |
C:\Windows\System\AyDAueY.exe
| MD5 | e704f6f07215101412a257d4bcce4bfa |
| SHA1 | 8e1f49dfb2c0ef2f52e6ef6b6985724d5030cd16 |
| SHA256 | 1eabe8e93c903983ff98f6ee876d0248b2fcbf51fe99db71723477859d0a0a64 |
| SHA512 | 4999f236d24096f6fa368d1523fe8a4fe7ed7c5f75213e5dd1cbd88dc1e0e073cbe2dfad6877fbda8c2b0e3a904c2b23d6f66640e3a9a117bcc8417917a4850a |
C:\Windows\System\gxaGIvo.exe
| MD5 | 2c838128c1a246a184aa6206076fb810 |
| SHA1 | e89ea1db58a1e3050db5f72f62a5ad5e4f924d35 |
| SHA256 | 0e9d88437e8688dbddaa50aa2590a5a702a20feacebfce288cfd1a831b8a16c3 |
| SHA512 | 5a7a233ed0d51270939914b32c2461573d9b15d367f124bd796c405cecd3d983019df429af20ee30c9dadaea9a3996c98f9e32ce3650389f39682024cb7d9660 |
C:\Windows\System\fneTGmO.exe
| MD5 | 8f5befa1eddea29166d1501f8e3d3eda |
| SHA1 | 61cade4dfea0312aedfe5a9976fc5d065827815c |
| SHA256 | c920009830c02f3fbe8becb29f1afdaa29370bec6b08dc01dccff464d69c0aff |
| SHA512 | bbf65e646260e8d75edffc4c159aab54dc4401fbf3c789e00c34a4dd14a06018b1ef1001ac76124c7b688204cb75fdf6908b0fe266ad129129d28f2c275b9054 |
C:\Windows\System\DfQpspo.exe
| MD5 | 9da8ae920aa9a4bbd6678815015cfea0 |
| SHA1 | becad90a5b64810193cb7b78c1037e8de3295ea9 |
| SHA256 | 4fdb533edaab97f03ed6e6fd4ab5b25e69738361d45af1bed1b9110c44e1c998 |
| SHA512 | 1c00be549b350a6bc27f5d2e5c98b9102e7a4a1620b1abf26f9938442dd8c613b9cee3cf1ddc7a451c42698b454563bbef3fe6e8db66739b6cae0b52aaff0420 |
C:\Windows\System\VJthdoK.exe
| MD5 | fb690a51a76fd71ef05f3148784dae08 |
| SHA1 | a8e503027131ced5ee94f326913d6f5ff6f07e5e |
| SHA256 | ec10e2b68672fa00fc83fe170ba1150c92a805014c96f266c2f3d84c154a419c |
| SHA512 | 3b3104bfa16683e88d27a1b7f558bedefcc8e155d4a5b61a57140ea75ec5f3904301bdd20ae1df2d2692e1a7ffe6ce0ec2558a3959f10030f6d1496b1bdf2028 |
C:\Windows\System\FUkczOz.exe
| MD5 | 2c83123cc7183c3c66b8725ae4e0c13f |
| SHA1 | 5c7c0c19576560f7d730b5529dd0ef67c47182c5 |
| SHA256 | c7fa56c2d5c087ac2591c22a35c1a008356c1470a780a0e1962332b9ee7aa802 |
| SHA512 | 22b1a6e3b9fcb1595bbc7acea687f307cd01129fd013e661e56f486cb5e4da8896640b0ca2fc08fc143dd3752e67670afce25d9a336c4f0338ac69739de06c6f |
C:\Windows\System\bJQCrhj.exe
| MD5 | 990da95ffbf0cc9a46830b6e19e19dc3 |
| SHA1 | d5f734a91a2bc0fa5729794e702f542051992e6e |
| SHA256 | 55832d7b508d0928df3179d7893faf40f14d88ca2b681a95c81ee0a55e217f77 |
| SHA512 | 59a036b08eda4c6a00075f0ca8132a6e66fad43f5576bcc2842c6ca8440b183538e02d612250082d01e62d16d5329c551efac54f38b52e9b8765649b2592498a |
C:\Windows\System\FZFbUsS.exe
| MD5 | 4e023bcfcf6fdc176667d4acc0d7a804 |
| SHA1 | d3ce69fa6dc01a3342387b100ff6a66e2a0e9f08 |
| SHA256 | ef2bac4787d39367ebd5ec5d8153cbe529a6d52edc8bc6c16588e0eb7acb5ba4 |
| SHA512 | 33dd71956f3cc14be239ba07703f505a69f872571b17e09e546aaab467c973cf8631a750f1d901b5f638d1489b98cd79778de4b5132d2eb2dd6e68334504921c |
C:\Windows\System\xrSNtWb.exe
| MD5 | b9dd2ad76125778ebd706494990f3922 |
| SHA1 | 648dfa6fa60733c27dce6dcb7f1f64c9b27e5108 |
| SHA256 | 120f4511c6695335527b78a67e99e36bb585e8754ad6011e04a986d4d852ba24 |
| SHA512 | 16c246d89e25c80ab92627c2e2b87c2d3b5d74c17a3640d2e218d315c23740029bbfc8dbf44c89eb05912c52e838d74c0d69a42f39ffa417bf083e9c30a489fc |
C:\Windows\System\ZvAOwQQ.exe
| MD5 | 75dd639f2ace273e1de0978e433241d1 |
| SHA1 | 3fdd43f4c9bc34abd326b10cf1581d926a6c00cc |
| SHA256 | 309cc1eee5ad7ee59af27dd8f5dc869c054ac0facf15542ab38b629b4d49c6d7 |
| SHA512 | 9f953866735f9b21eb35286baeed1fffe75f3c8ed7ad636eaa8a033b51ea32aebd4d491fad8c9de3efd74366739449b9ffa11654de0e2f5cb6a884bfe1a210a1 |
C:\Windows\System\OAwNddO.exe
| MD5 | fec4037d6f2e0e766fc74df28159f0a6 |
| SHA1 | bb6c119807aa1adedeef4828e939899487d37cd4 |
| SHA256 | 8cf9fc558760375406379b55c5210b39fd6f9597e5f939e64a2ff9308a810a24 |
| SHA512 | de44d9a2b163acb036d20f04f8dd21cf83082b50fa601f70e4b1f8951c61be86c5f198141b4ffbcf92a6b90f809f42e7b2efc9825169b5484cec06816140be7b |