Analysis Overview
SHA256
90719454e16bd774106b9c5123f793ce64d797664a77f3643a68d8440694bc92
Threat Level: Known bad
The file 2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Xmrig family
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 06:46
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 06:46
Reported
2024-06-08 06:48
Platform
win7-20240419-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CwcmIpt.exe | N/A |
| N/A | N/A | C:\Windows\System\TJxlbBu.exe | N/A |
| N/A | N/A | C:\Windows\System\UMWprqO.exe | N/A |
| N/A | N/A | C:\Windows\System\AKOLgGM.exe | N/A |
| N/A | N/A | C:\Windows\System\NAFcCye.exe | N/A |
| N/A | N/A | C:\Windows\System\UJVKmhU.exe | N/A |
| N/A | N/A | C:\Windows\System\yHapLFY.exe | N/A |
| N/A | N/A | C:\Windows\System\tcSfWQy.exe | N/A |
| N/A | N/A | C:\Windows\System\YkRGWPx.exe | N/A |
| N/A | N/A | C:\Windows\System\wHzISEj.exe | N/A |
| N/A | N/A | C:\Windows\System\FyUxcJx.exe | N/A |
| N/A | N/A | C:\Windows\System\VyQwpEh.exe | N/A |
| N/A | N/A | C:\Windows\System\kZraFFR.exe | N/A |
| N/A | N/A | C:\Windows\System\hVaiXNV.exe | N/A |
| N/A | N/A | C:\Windows\System\dLRHRsI.exe | N/A |
| N/A | N/A | C:\Windows\System\RgidQMo.exe | N/A |
| N/A | N/A | C:\Windows\System\zvRMxGf.exe | N/A |
| N/A | N/A | C:\Windows\System\RKXDwKl.exe | N/A |
| N/A | N/A | C:\Windows\System\vMEyILd.exe | N/A |
| N/A | N/A | C:\Windows\System\UZutXqL.exe | N/A |
| N/A | N/A | C:\Windows\System\HQSQeVN.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\CwcmIpt.exe | C:\Windows\System\CwcmIpt.exe |
| C:\Windows\System\TJxlbBu.exe | C:\Windows\System\TJxlbBu.exe |
| C:\Windows\System\UMWprqO.exe | C:\Windows\System\UMWprqO.exe |
| C:\Windows\System\AKOLgGM.exe | C:\Windows\System\AKOLgGM.exe |
| C:\Windows\System\UJVKmhU.exe | C:\Windows\System\UJVKmhU.exe |
| C:\Windows\System\NAFcCye.exe | C:\Windows\System\NAFcCye.exe |
| C:\Windows\System\yHapLFY.exe | C:\Windows\System\yHapLFY.exe |
| C:\Windows\System\tcSfWQy.exe | C:\Windows\System\tcSfWQy.exe |
| C:\Windows\System\YkRGWPx.exe | C:\Windows\System\YkRGWPx.exe |
| C:\Windows\System\wHzISEj.exe | C:\Windows\System\wHzISEj.exe |
| C:\Windows\System\FyUxcJx.exe | C:\Windows\System\FyUxcJx.exe |
| C:\Windows\System\VyQwpEh.exe | C:\Windows\System\VyQwpEh.exe |
| C:\Windows\System\kZraFFR.exe | C:\Windows\System\kZraFFR.exe |
| C:\Windows\System\hVaiXNV.exe | C:\Windows\System\hVaiXNV.exe |
| C:\Windows\System\dLRHRsI.exe | C:\Windows\System\dLRHRsI.exe |
| C:\Windows\System\RgidQMo.exe | C:\Windows\System\RgidQMo.exe |
| C:\Windows\System\zvRMxGf.exe | C:\Windows\System\zvRMxGf.exe |
| C:\Windows\System\RKXDwKl.exe | C:\Windows\System\RKXDwKl.exe |
| C:\Windows\System\vMEyILd.exe | C:\Windows\System\vMEyILd.exe |
| C:\Windows\System\UZutXqL.exe | C:\Windows\System\UZutXqL.exe |
| C:\Windows\System\HQSQeVN.exe | C:\Windows\System\HQSQeVN.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\CwcmIpt.exe
| MD5 | cad6b3fb646ba62a9888d4e33cd8a3f3 |
| SHA1 | 8498414160492204133fea5562fde10b9f9b90a2 |
| SHA256 | 123d6845535a5d28462c6c9d2f85fb060b0dfe99d0f1431f0d72f58610b2e4ac |
| SHA512 | 41e7c16ee95a8df7e36a0855af587d85d775d634263f0cead13c3d3068499a2ed0a68b88fa19c60a3bf12205593557b1bee286a19aaab8a42c4b8a9feb032934 |
C:\Windows\system\TJxlbBu.exe
| MD5 | de65968e497d7a9fd24ffa71ed03e137 |
| SHA1 | f5cc41a8756563ab98def550d0586eab06f5c7da |
| SHA256 | afb9c890bbd915c97998fdc9ce72521d078d6ae344a13605a9eec4636e271f16 |
| SHA512 | 01570baa35ffa827881d7b857c14d0d130b75f03fc709b40ff26de38bd93f3071742235c9c167c4c803cdaf4ad95973e0fc950716e4691a9a9bd96094e255cd5 |
C:\Windows\system\UMWprqO.exe
| MD5 | 70c2afa05ca5b9dc26a215ba19923eee |
| SHA1 | d4238bdf103e4016383e89ca1f71b0c9dd2d001a |
| SHA256 | ca4fe17ced905fe683b3645809416d13fbbe6d4cd866bd846a71989b7f949196 |
| SHA512 | 8143aaf6ca371577b26b5a1bf45acd96f1e9efc0d921aaf2ef43e9015f302ff5ba19de23e0cffde3783117d8d69b9d2d14681982950768febb0c313774a0201a |
C:\Windows\system\AKOLgGM.exe
| MD5 | e25f400f5c8743d32c094301de84ebba |
| SHA1 | 29a257794cb94c268ea55e5c630c06d2ded3ee8a |
| SHA256 | 5f0e3eb80e80b2c5b2b726e11a175c364fc4796cca2e36d3f7793c367f8cb17e |
| SHA512 | 17ea0e3932ffc16a3d1b4d69ddfbe80c775a052138fbd361f639bfec54c42285ce1ac82022da32ab821a13003b53fb45841feee4d06da8c4a60630f53c495cab |
\Windows\system\NAFcCye.exe
| MD5 | 8a7fc4882b468136e3fae0f9de517ffc |
| SHA1 | 4f915db7823a0a270516e1f46e6d559da1a39371 |
| SHA256 | 5104ec62e1c5dae2eaac165427af09d9ae1951ba09f47159a8570284daab34b5 |
| SHA512 | 6a43b937a271bdc1619aee56240ff6238d523e027bab0911b21328027472bb16a5200804a783f670cb3ed02696e67790d5a2fe4ec61b6399136c89781d319968 |
\Windows\system\UJVKmhU.exe
| MD5 | 5b700b36cacf763f2e5d681b524b3346 |
| SHA1 | ddfc521bc3a6802e859fb909cc9ec7f4bea4493c |
| SHA256 | b2ac55d34cbf62fbdb694d31b840a9602fce342628b55d5692494cd68780a617 |
| SHA512 | 84e0f6c95e7329434ea34bc9c89a3db78ebcb0afd5e670ece4e8606b850892b86072d3bca378d86df7b08399dc2b5f9a6c4a93a0aaecbdabb5930e8c20e2a1d5 |
\Windows\system\yHapLFY.exe
| MD5 | 7fd120f22755dfbc7432e25af6bc9193 |
| SHA1 | 7f0a7534931fb6fc1868018ec8e20ccf0f750907 |
| SHA256 | abb6fd71a77bcfb2c30b33ec4153e1d7555fab6787ec431f8cf8a4bf0311ce54 |
| SHA512 | e9b16400c475cf324f5714bf3594a0f56a097ceda1af050c39c2894770f6cf27b1d28ffbb140ba70e6d09155f76eadaed6963fe56131ba6b24f226538cc9566a |
C:\Windows\system\tcSfWQy.exe
| MD5 | 48df87400e67ea0869ada95536863dc9 |
| SHA1 | 1b1d8c65b52b64ffda6dd4e7cd2434cbfd4f3f56 |
| SHA256 | b1a1a94409b0ba5463018fb030517ddce430fc46d875851f423b7b9b04a0c0ea |
| SHA512 | 4ca98ba6a4ca02c14af515a07e8b1a6450b4384dafdfb0853928a61bce44396d7c506bc0100d510643e11637126a25e6bd7836105ab6ed538ce064eda68d3fb1 |
\Windows\system\YkRGWPx.exe
| MD5 | c71eba00bf9e8a220e7697efbb36f17f |
| SHA1 | 3f38c422cddfcb3bdc756f0233265cd6256d5d50 |
| SHA256 | 0048e1d269474697ca595f5c452e0bb30695de392d33cae7924950230a1f2b02 |
| SHA512 | 972ac8df9410c2d14e8f4ff3df2810b5701a7b7ee8802f25a8e0d15dbe55346c0e5f1e21715b414c13d59c902f798f1cd6715ec5deb765e1e31ae7cf2ca40bca |
C:\Windows\system\wHzISEj.exe
| MD5 | f6e480cf85d5c30ff957bfb8a6c76438 |
| SHA1 | 6ec71ab31b8edf62043ce1aa8f2aaeb55698cd26 |
| SHA256 | 9de210346f29923e6988dab18e70a23e02954bbaaa10f184555681f035bde792 |
| SHA512 | f2a025aebeac774ab1cfc14b2faf7f2170743a0fe83b1b0d27b734ef78ef08b8fc0372eb085288103737ed31ffdcf68496d33c07078c8ace4dac14de26aed37a |
\Windows\system\FyUxcJx.exe
| MD5 | 126d6684a3893b94640117abd616f14c |
| SHA1 | 6ed8c18fcdb1f64c6a29d856bdcb7c18b7285de2 |
| SHA256 | 25b8712dc0da2b67918691e36719023018dff0553a7f23765d65d3afe7cb6464 |
| SHA512 | 0a6c96b79235247303bbea4489de8287c6438b790e82934cb9066a25451c2400109e55fe4195d2c9c5baf4b881189677e4292788cf78a9c2c28c3f4e3ae84519 |
C:\Windows\system\VyQwpEh.exe
| MD5 | 6578d837c32a3fc4b7fc07db23d37e84 |
| SHA1 | cfa332172d7fabf46f1dfd3a66b3ce9cbeb40194 |
| SHA256 | 64557716fd2e43bad29f4ed79af003f2ef913e8229fd66cfa167339fd2e994e7 |
| SHA512 | 0e68ab96f9d8dd77ef32d1496f97326121d1f18be6ad02cbe931ecac1e24071cd7b9a84bd37e235e77481144c86e74f94b04ff3237ae08d680235b05265a679c |
C:\Windows\system\kZraFFR.exe
| MD5 | a5e4c1ad4ecc3f452eb0eb0d155dd7bf |
| SHA1 | 2ea4e110b175e73f1ab110159a15b61154b7c739 |
| SHA256 | 6b4a76f379af43c846cd94f34db7aaf36aef04ea109e3c3a6661f10ce729738d |
| SHA512 | cb6e4697ab06b0d53bc96a88e9bc3a7920ffba772d9da8cc07174338ff00f2fba4dacebfd092dd272f85b9e79820409504970d6a4d8666f574ae73706517d602 |
C:\Windows\system\dLRHRsI.exe
| MD5 | fd7a03e6523a2e951ce8575d2aac18ec |
| SHA1 | ccbb4480aca41d2c6146df350954581f15fca2fb |
| SHA256 | 7760d9a51091c61ed929bc9b8fd58154ee4671f0608e9b239fa1daff6aebcbdb |
| SHA512 | 4ff2e2429ee8f327fd56f422d1837af2a85f7412cfba67597b869b65f135c5c03d20967ebac659dc89fde7a866e6b51c0136e34043687fb2cc27482c802f1a14 |
C:\Windows\system\RKXDwKl.exe
| MD5 | 190f4e83de090f7bee7cccc6eeaefd9b |
| SHA1 | 96cee095663b3864ee06c177752ddc96bb82917c |
| SHA256 | 17e0f0d232710a21ab145efcd5461d3264b89288d835119338ee5b2688313314 |
| SHA512 | 8933bfc7437e1abb5277ffdd25007a523f3bb28c0bf44f9f324c6f4f0843a00724194eb6b417c5c036deee849fba1083b40a34108dd3fb2c5b1a39c3ea6c268f |
C:\Windows\system\UZutXqL.exe
| MD5 | 3cdd925862777e5bda32db4d11b2bc41 |
| SHA1 | 9e8b4653ff2e8a5e60182ee1ca3d95def2de4587 |
| SHA256 | c78be3e1ace5e4a1c5f35913ed68cef79802bfbf4a7f389c4f1df8d85ed1eb90 |
| SHA512 | a5b0ce6fb4713eb45fd5b140c834c0b160c658dd9f802a22b6a49a99d7ff496a124a9280d0fdbf83d2ec1e0eb80c8d26c005b60b1c00d7c456128d20fbdd5f4a |
\Windows\system\HQSQeVN.exe
| MD5 | 90eb166149525ec46f64ac77ef4962ea |
| SHA1 | cb2e55fb03cde225199a4e3167608130a2f05af0 |
| SHA256 | 0d4c7f38c0d0148bc47231c7f6e07bd6fda808b5348122cdf903d65edef505e7 |
| SHA512 | c0b8968bee6dbdc9746bca88cda26114f9f816d8aaa7d338ef0e34fb4c8ca606289b3bfffb1a591e987b0e564aca66dc647951cbe7e051249911fe837b3e02cb |
C:\Windows\system\vMEyILd.exe
| MD5 | ff020dacc36cea4eb974ab2dc63e468a |
| SHA1 | 8737ee5ca75da08b297baf930f97b5e462d4860b |
| SHA256 | e62d1042ccc9e139b6fd6ffc2aa823957f86407d54db6877bdc888cedd3348a5 |
| SHA512 | 8db266247af5f4dca41613e2e28606ab16e4196170855f0a95625bc07984825660206252564b8d2cb947eb89710bbcf52fa23ab45f594e002304c6b5e46887fb |
C:\Windows\system\zvRMxGf.exe
| MD5 | 825a4fb274c3c0916438e70c8ba2a4b1 |
| SHA1 | 46280485338b50c5970caa01cdd51b31b737956d |
| SHA256 | e0a09b242f39e8cc6bc35f77b80a238d3a2cc5c8192b9a6c3dddb00b6e81f192 |
| SHA512 | ec34a3825b7202eca789ba3c51b18dc48cf2936f9cfc3e98288930827cd76d39c1bfbbd834df5f56f0885e103100544ea5500acde0be6beda6fa6f7795f3c29e |
C:\Windows\system\hVaiXNV.exe
| MD5 | b5478c78e5bf0f38ed929912ad82bf46 |
| SHA1 | f5cdfbecba34c9ac0d835ab88cc14620f74ae5a1 |
| SHA256 | 484517d9c47f1ff68815563921badb68028966c494f52f9a59de7bf519a3809c |
| SHA512 | 7bef23caa3424981a8100d3e5748b80b502eda973b8c95fc554d7115d341a54daf17221251c350d5177931c7f8ade99c5f48ebee5e1994cc6ba37441da80c89e |
C:\Windows\system\RgidQMo.exe
| MD5 | c6c5c74e2de1ae3834a8682c04db7b59 |
| SHA1 | 8f624d90392f934a07782554700f0435ce85f596 |
| SHA256 | b5717af9e7a8af69d483b217fd196edd1487f65fd73f1c41ed75579b185784f2 |
| SHA512 | b7708fd77aacd56d7ea5fda9233bd48c0863b4a75bf2291070ab223541269c32f00f6d70d9bbc3474e8861f606bbf3562175e8d66f861359e8757c91a20543cc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 06:46
Reported
2024-06-08 06:48
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FgwRaQm.exe | N/A |
| N/A | N/A | C:\Windows\System\nsrldcj.exe | N/A |
| N/A | N/A | C:\Windows\System\vDFUBBR.exe | N/A |
| N/A | N/A | C:\Windows\System\iSsWthy.exe | N/A |
| N/A | N/A | C:\Windows\System\kkSxHGO.exe | N/A |
| N/A | N/A | C:\Windows\System\PRkPQgq.exe | N/A |
| N/A | N/A | C:\Windows\System\zkXZDmi.exe | N/A |
| N/A | N/A | C:\Windows\System\MrDbTaT.exe | N/A |
| N/A | N/A | C:\Windows\System\IiQZbIM.exe | N/A |
| N/A | N/A | C:\Windows\System\aUJVChz.exe | N/A |
| N/A | N/A | C:\Windows\System\bSAWPEs.exe | N/A |
| N/A | N/A | C:\Windows\System\VYMmdfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qhHmZTL.exe | N/A |
| N/A | N/A | C:\Windows\System\KafNdsj.exe | N/A |
| N/A | N/A | C:\Windows\System\cjCxUGs.exe | N/A |
| N/A | N/A | C:\Windows\System\aEXhfvr.exe | N/A |
| N/A | N/A | C:\Windows\System\QwXDTcT.exe | N/A |
| N/A | N/A | C:\Windows\System\OOCLMbq.exe | N/A |
| N/A | N/A | C:\Windows\System\guELymC.exe | N/A |
| N/A | N/A | C:\Windows\System\jKcXMnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\TJZnlgm.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\FgwRaQm.exe | C:\Windows\System\FgwRaQm.exe |
| C:\Windows\System\nsrldcj.exe | C:\Windows\System\nsrldcj.exe |
| C:\Windows\System\vDFUBBR.exe | C:\Windows\System\vDFUBBR.exe |
| C:\Windows\System\iSsWthy.exe | C:\Windows\System\iSsWthy.exe |
| C:\Windows\System\kkSxHGO.exe | C:\Windows\System\kkSxHGO.exe |
| C:\Windows\System\PRkPQgq.exe | C:\Windows\System\PRkPQgq.exe |
| C:\Windows\System\zkXZDmi.exe | C:\Windows\System\zkXZDmi.exe |
| C:\Windows\System\MrDbTaT.exe | C:\Windows\System\MrDbTaT.exe |
| C:\Windows\System\aUJVChz.exe | C:\Windows\System\aUJVChz.exe |
| C:\Windows\System\IiQZbIM.exe | C:\Windows\System\IiQZbIM.exe |
| C:\Windows\System\bSAWPEs.exe | C:\Windows\System\bSAWPEs.exe |
| C:\Windows\System\VYMmdfQ.exe | C:\Windows\System\VYMmdfQ.exe |
| C:\Windows\System\qhHmZTL.exe | C:\Windows\System\qhHmZTL.exe |
| C:\Windows\System\KafNdsj.exe | C:\Windows\System\KafNdsj.exe |
| C:\Windows\System\cjCxUGs.exe | C:\Windows\System\cjCxUGs.exe |
| C:\Windows\System\aEXhfvr.exe | C:\Windows\System\aEXhfvr.exe |
| C:\Windows\System\QwXDTcT.exe | C:\Windows\System\QwXDTcT.exe |
| C:\Windows\System\OOCLMbq.exe | C:\Windows\System\OOCLMbq.exe |
| C:\Windows\System\guELymC.exe | C:\Windows\System\guELymC.exe |
| C:\Windows\System\jKcXMnQ.exe | C:\Windows\System\jKcXMnQ.exe |
| C:\Windows\System\TJZnlgm.exe | C:\Windows\System\TJZnlgm.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
memory/1636-0-0x00007FF637940000-0x00007FF637C94000-memory.dmp
memory/1636-1-0x000001AC40B50000-0x000001AC40B60000-memory.dmp
C:\Windows\System\FgwRaQm.exe
| MD5 | 873470d907a364e3035107c8571852bd |
| SHA1 | 4c3bebcd67199277e832aa9955a7d23ae15de4f5 |
| SHA256 | 44efa421c39054ecadaff05816887bcc67dfbec4741d881f7bc649e5cb64a346 |
| SHA512 | 76ed4bc889a687615aae9fe0acac69046e6235f644045e505cde5cd382df52af228690b9d9392cf8679db78128b2a58c2f0401469722a3bfa1a714701e6e131f |
C:\Windows\System\nsrldcj.exe
| MD5 | 64a33aeee181c418fd96280eee6cd86a |
| SHA1 | c7d3517f10c27f9647da6673480a5458858dd72c |
| SHA256 | 0454e5ec90c4ce712c78b1afceddb1b5d36d7945cdf4024ac314c849559dc22d |
| SHA512 | 8d1e3b4cbb6b51a465b3a9af3349faaebcd4f52687f5c5f7b7ac0f337372a48f1beac3dae388f7f7b3ebf768727d4596f49ccffddd8e31d44fdca2dd53137b99 |
C:\Windows\System\vDFUBBR.exe
| MD5 | 1ddce6cb6c0de3c13a10e3cd14fc473d |
| SHA1 | 0c20cca3d9362970aed2ef53748f43291bcc687b |
| SHA256 | 0d5cbaddf99abf639b25638f48ac25692d8f88c30702d738806433866a55561a |
| SHA512 | ca828c602fb8fcdb1d19a769a99f04085e81c7dabbb174e7d8da667e6d6f488ec03e72be5d79db8fa636bfbff46b57480ca39cd6e31592bf179441359693ff8c |
C:\Windows\System\iSsWthy.exe
| MD5 | b31d126e82573ff1bb32ca13e40b0901 |
| SHA1 | 74d5c6ff66001d60ebe27504988a02869f421af7 |
| SHA256 | e19b7a010288aebd88a0ee16d33d561cfbe17388f1837c6df8e6e5f0fd266043 |
| SHA512 | 1c76400fbffc4d33b061e18042706771e14de167f811d7a0105de44ac54d68edd5ee1c2151e6dc8071dc8577b946c5d9ff6ef4fad8ddf404e1cf1a32bbdbb6a6 |
C:\Windows\System\kkSxHGO.exe
| MD5 | ae2e4b4720a1378316891ab9d4ba1f9c |
| SHA1 | 8e4d46ae18592c0d89f95897be7412c908ffd853 |
| SHA256 | 071a95c47cf98c7f45cf154b1372d15ecd7efb2d50f1085cb409b20f7cdb2bd2 |
| SHA512 | 5263acd71ba11ee3922a47ebe8369afa52e07dd7c38c6ed57b74717df49156a3770a30c668b5003e4209bf3c60b3259b0b7c54b01d6e87717fe2fc96fc74ad68 |
C:\Windows\System\MrDbTaT.exe
| MD5 | 8a9d14f1220cf50c4d51a5b76b8c9522 |
| SHA1 | 7917fda4b462341b43ac3c57abfbed5dd68cf59d |
| SHA256 | 1a83ce3fd429307dadc3264371d876e4406c4f09580f590bc554a2aa5a229a7d |
| SHA512 | a398e60ceed261714dbf35bc677ba4c1404043717d22a03cb19963fb81ffb829d007837b3f6e63e204284c9e558b636700e37a533155bc9e719d35f392fe9dee |
memory/992-50-0x00007FF7D0BF0000-0x00007FF7D0F44000-memory.dmp
C:\Windows\System\zkXZDmi.exe
| MD5 | e17b41d25934b7f6ba3278facf163d77 |
| SHA1 | 13e7813a2e78f127e1ff09676ecbf1bd2e22eb50 |
| SHA256 | 4c8770c627b747736e90c69c7649cd06c0e5b24815807d2c2dfbabc13b479bb1 |
| SHA512 | 69fb51760956ceef60267de8ba5422a1437ec9724f1f21c9ab75806dfa9b0cdf69fbaef110630050e6b48d11eb03f0aa4d28e97b190fa180935ec31f29728e3d |
C:\Windows\System\aUJVChz.exe
| MD5 | 060fb1ed5e7feed557bbaf1dfbd8fff6 |
| SHA1 | a588076a1527027376187efbde3c638e837fd8f9 |
| SHA256 | 73d73d7bf66a24ec4ed1ec2b9da1fc3c8bbd9593593a9e63a5cfe912c51b5025 |
| SHA512 | 82d7e30e67c19ab64f1a76ba75b7ab8f8b2d01970759134df7867b36f24bbc938cf2add48a25abcdcca9ec0c31431b3a769767ebf7add5618952853741df6871 |
C:\Windows\System\bSAWPEs.exe
| MD5 | bbbd63b9307e65e77c91b1e97964ac7c |
| SHA1 | 794138e2b6abbfd282a326231e017bdd733f6f2b |
| SHA256 | 5f4773d5c2121d03124ac7e885d0c36d5392410d9d9231e4d2524b1f890513a8 |
| SHA512 | 8f1a67b7bb09c52c25e90ed5fbcd93a4f187fab88ee1b11daccbebb30519c18ac86d64add7fb9dd66392d81380e742aecf2f5a786cb7a78aa76f8d72cbac0f69 |
memory/3496-63-0x00007FF661E60000-0x00007FF6621B4000-memory.dmp
C:\Windows\System\IiQZbIM.exe
| MD5 | c54273518dd993b9547aa1349a8a99ca |
| SHA1 | a232c259dfc9143a5bbcd1d0bc6109bdcecfca15 |
| SHA256 | 74c269aa3a330279ae4cbb8d1ef778402996f242cc95ff0ff3f8743db5c4d683 |
| SHA512 | 8f683c6e73662910d4d44e4d04e4884c8c39c636294dd7c37b20cf5551480e331cb86edc0e3c2bdc7702e74b958a7c4d5b2fde1233ed9e5bc1cbfd940dc190ae |
memory/688-60-0x00007FF7A9230000-0x00007FF7A9584000-memory.dmp
memory/3172-59-0x00007FF7BEE10000-0x00007FF7BF164000-memory.dmp
memory/4004-54-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp
C:\Windows\System\PRkPQgq.exe
| MD5 | 305af1a957c289bf29643e436ccea4eb |
| SHA1 | 51dd904a0708c821af419ef31a0a72a5a31262c4 |
| SHA256 | 1ff043858dd92938be0e92df1a412aa6765291f3994abc6acee976c9e818d316 |
| SHA512 | 614c2d6dab9453a1d8eebcbd955bd3684de490206818d6de071064a377744f116ca92d122dff85d345baaa2ba9294d285bc75ee868c7ecc11ae473736c7bae51 |
memory/2248-34-0x00007FF7DA390000-0x00007FF7DA6E4000-memory.dmp
memory/1420-31-0x00007FF71D4C0000-0x00007FF71D814000-memory.dmp
memory/2408-29-0x00007FF6734F0000-0x00007FF673844000-memory.dmp
memory/3292-22-0x00007FF64E350000-0x00007FF64E6A4000-memory.dmp
memory/2692-16-0x00007FF67B3B0000-0x00007FF67B704000-memory.dmp
memory/2120-13-0x00007FF668450000-0x00007FF6687A4000-memory.dmp
C:\Windows\System\VYMmdfQ.exe
| MD5 | b6a6e4b5c7c2e45bba4ff84978897dcf |
| SHA1 | e55e860d4b4fdaf8d4207b6ab9558bd9fb95c0de |
| SHA256 | cc4d40e16afc4453454e0670bb280d016a1dbd1ec6c2271125e81a1013965994 |
| SHA512 | 85f5ceb91e0cf060003fd4adbf2107594ccef36c3e201a895d6c11b00af7e32f02cc950b34f63c55faab81fdfe7bfcb2f7737ebc5fcf3854e52cb834a2f3518f |
memory/1636-74-0x00007FF637940000-0x00007FF637C94000-memory.dmp
memory/1444-75-0x00007FF701EF0000-0x00007FF702244000-memory.dmp
C:\Windows\System\qhHmZTL.exe
| MD5 | fd737af59df9fef7b0d8c4962b30722c |
| SHA1 | ffff45b24795aadcefbe75e0d76d9f2aa8f3b142 |
| SHA256 | 1af53f25adf1e6d29609cd8d3bdce1669f3e5bea4195d0f262344b01dcb4d5a9 |
| SHA512 | 5d57b613e67c807290c81923f99cab80e42387dec025831536e86cc2fcf1cc378a9d86d4eff41917b6d8a07d1e5bf1b81d6b5f7b14163f99e9b217546633d374 |
memory/1940-80-0x00007FF77C2C0000-0x00007FF77C614000-memory.dmp
C:\Windows\System\KafNdsj.exe
| MD5 | b3e77a75ab0bb563376a7630203062d5 |
| SHA1 | 09edd60ec55b5129c22ffc9580c553fa2545408f |
| SHA256 | 8d6f95773e75f61263ea67c960f63f57f3f6be7d7543959d663284dbe8cfcfe8 |
| SHA512 | f6c74d8393952320f3a2049963ba95463fd6687f69fe2ae9211519ab2bd818d7c690ba74a6207c0f75f2cb9da2f20acb3e5da32bdc576e58b21dbfcd742a84a2 |
memory/1472-87-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp
C:\Windows\System\cjCxUGs.exe
| MD5 | 1cee4b0392637e83a150028fe0643e93 |
| SHA1 | 62f3bc010c6dd560f81543c9a5c38c6eb71ed9e1 |
| SHA256 | f3aff6f6019412304ec074405f5646f623f97012f2293ae05fa588fa174bbcd9 |
| SHA512 | 5de2c5d269c8fdac1b6a157860bb0937d3489337b0897f4f92c3b00bc12309166e966bfc8aa381545f44af55f021838d8cbbee7d06317ef4228e0339d3c0347a |
C:\Windows\System\aEXhfvr.exe
| MD5 | 0784353cf508e8d8d0effed8f5332030 |
| SHA1 | b9c7c899fea244b03d079ca7a255ea0b4994b170 |
| SHA256 | d0f38ae5743117527b5dd94b57b91cf7b8946f117af42cc5000e80a93a6a17d0 |
| SHA512 | 76bbc1a05cbef0fe50c1b9136643ef0e93385a2f4ec5d5f3364d6236bf4dc243e6ac11a6f60c4b7bf4fcbb4eecfd516001a54dde51d0e8d77e567ba751e3735a |
memory/4764-92-0x00007FF6DA430000-0x00007FF6DA784000-memory.dmp
memory/2408-91-0x00007FF6734F0000-0x00007FF673844000-memory.dmp
memory/1440-100-0x00007FF690950000-0x00007FF690CA4000-memory.dmp
C:\Windows\System\QwXDTcT.exe
| MD5 | 27d8e30c6fdae93db8dc7dcf4e896cfd |
| SHA1 | e01752f1f16142a7ec4d5dfbc155b0c41e5aa1f6 |
| SHA256 | ad4f8afb165be2b9453fa8985ed0675ef4eb9f4cc201a0b23835c60c8a0c29c2 |
| SHA512 | 96efb52c9c6596004ddc4f8067b6bf1fd710283bdfbffacd37a7df12fb020a49f095c09db81a78c1e415ec9d3f233428b9884cd1d82dc5dd6ea11d0a930641a1 |
memory/1420-104-0x00007FF71D4C0000-0x00007FF71D814000-memory.dmp
C:\Windows\System\OOCLMbq.exe
| MD5 | 979557cb2fd9f0f1a1af4e7e07a9bbac |
| SHA1 | e78c9d638403e3df5478080aefd2b185cd3da491 |
| SHA256 | 8ed71f141b9051b0c81d38d7f31584a2d3d6bb0ab309fc99cfd42b19dd3e1796 |
| SHA512 | 12487841b51e3eed4cb1f29987eb5c3a9759fff9b819d32d1ca2d33d449490b58ffb8d79bb516385354c982404c55d72a0066aff97cc0f248b4af7667e30eab1 |
C:\Windows\System\guELymC.exe
| MD5 | 378c731e3cfd420919bac38aa4e1f3e4 |
| SHA1 | 731aab77f6b9dc462d8a0fe75e4201e6eab4b194 |
| SHA256 | 38b8bdd9d449d6c20e146851c8eb668da9da6da1a584baeed62b6229f76e4fdb |
| SHA512 | ba93c3e49b35d8273f6be57a13f324b02af3528d770449bc91cbb1f625453e39435c801a377b9ac77e2017f7de1681270e249affc6edfff583266b8e839d3cd1 |
C:\Windows\System\jKcXMnQ.exe
| MD5 | 688ae6d734f3c7565a6f80feb13e39f4 |
| SHA1 | dc088e46416e05e8c0b25e119d311e9995e7d1c6 |
| SHA256 | 39e2c57670d237eef982e15246590d67f153aed2a584aa3ffb5bed3bc700ed5d |
| SHA512 | 5f3484e5c3e9471bee0bfb997cebe6fca4f2eeae594b785a9950a2ef399206a58f6639bfe2cf6c9282beb78e490273fe1c8281b7977b598e4588fb6d6acddbe9 |
C:\Windows\System\TJZnlgm.exe
| MD5 | c60314c5450e09bdb439da02f3dc9bb0 |
| SHA1 | f773023c6889f05de4c3a3ec42a06c3c472a9b0b |
| SHA256 | 968687cb6964293430d18ebd022983a2f1ffb15adc03b6bb5bf669a2f17359d7 |
| SHA512 | ceda93d7bca3f0662c4a481f2c7d06ba9e4d2971fa80ca1d2615a5056bef107b30c6c2e35b9806af65dd3b73a989c5197cd189482a911fb4951470836d9f13a8 |
memory/992-124-0x00007FF7D0BF0000-0x00007FF7D0F44000-memory.dmp
memory/1036-119-0x00007FF7FDEB0000-0x00007FF7FE204000-memory.dmp
memory/2248-116-0x00007FF7DA390000-0x00007FF7DA6E4000-memory.dmp
memory/2472-113-0x00007FF765610000-0x00007FF765964000-memory.dmp
memory/4004-131-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp
memory/2464-132-0x00007FF69DD00000-0x00007FF69E054000-memory.dmp
memory/848-130-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp
memory/1768-133-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp
memory/688-134-0x00007FF7A9230000-0x00007FF7A9584000-memory.dmp
memory/3496-135-0x00007FF661E60000-0x00007FF6621B4000-memory.dmp
memory/1940-136-0x00007FF77C2C0000-0x00007FF77C614000-memory.dmp
memory/4764-137-0x00007FF6DA430000-0x00007FF6DA784000-memory.dmp
memory/2472-138-0x00007FF765610000-0x00007FF765964000-memory.dmp
memory/848-139-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp
memory/2120-140-0x00007FF668450000-0x00007FF6687A4000-memory.dmp
memory/2692-141-0x00007FF67B3B0000-0x00007FF67B704000-memory.dmp
memory/3292-142-0x00007FF64E350000-0x00007FF64E6A4000-memory.dmp
memory/2408-143-0x00007FF6734F0000-0x00007FF673844000-memory.dmp
memory/1420-144-0x00007FF71D4C0000-0x00007FF71D814000-memory.dmp
memory/3172-145-0x00007FF7BEE10000-0x00007FF7BF164000-memory.dmp
memory/2248-146-0x00007FF7DA390000-0x00007FF7DA6E4000-memory.dmp
memory/992-147-0x00007FF7D0BF0000-0x00007FF7D0F44000-memory.dmp
memory/3496-149-0x00007FF661E60000-0x00007FF6621B4000-memory.dmp
memory/4004-150-0x00007FF745AB0000-0x00007FF745E04000-memory.dmp
memory/688-148-0x00007FF7A9230000-0x00007FF7A9584000-memory.dmp
memory/1444-151-0x00007FF701EF0000-0x00007FF702244000-memory.dmp
memory/1940-152-0x00007FF77C2C0000-0x00007FF77C614000-memory.dmp
memory/1472-153-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp
memory/4764-154-0x00007FF6DA430000-0x00007FF6DA784000-memory.dmp
memory/1440-155-0x00007FF690950000-0x00007FF690CA4000-memory.dmp
memory/1036-156-0x00007FF7FDEB0000-0x00007FF7FE204000-memory.dmp
memory/2472-157-0x00007FF765610000-0x00007FF765964000-memory.dmp
memory/2464-158-0x00007FF69DD00000-0x00007FF69E054000-memory.dmp
memory/848-160-0x00007FF6B2320000-0x00007FF6B2674000-memory.dmp
memory/1768-159-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp