Analysis Overview
SHA256
d609a3537c2943a264101bac876c2bd5bf03a1fa3ad6dd77e8c68d37310af66c
Threat Level: Known bad
The file 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 08:42
Signatures
Cobalt Strike reflective loader
Hits: 1 (no description, indicator, process or target recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts
Hits: 1 (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
Hits: 1 (no description, indicator, process or target recorded)
XMRig Miner payload
Hits: 1 (no description, indicator, process or target recorded)
Xmrig family
UPX packed file
Hits: 1 (no description, indicator, process or target recorded)
Unsigned PE
Hits: 1 (no description, indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 08:42
Reported
2024-06-08 08:45
Platform
win7-20240508-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Hits: 21 (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Hits: 21 (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
Hits: 59 (no description, indicator, process or target recorded)
XMRig Miner payload
Hits: 62 (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MSKmQzY.exe | N/A |
| N/A | N/A | C:\Windows\System\XEqHYQO.exe | N/A |
| N/A | N/A | C:\Windows\System\VVMWImK.exe | N/A |
| N/A | N/A | C:\Windows\System\WqIhaAk.exe | N/A |
| N/A | N/A | C:\Windows\System\twWzNmP.exe | N/A |
| N/A | N/A | C:\Windows\System\QIzrlXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\oDlwaGS.exe | N/A |
| N/A | N/A | C:\Windows\System\CWRkqjz.exe | N/A |
| N/A | N/A | C:\Windows\System\brXADCH.exe | N/A |
| N/A | N/A | C:\Windows\System\pvSdPJE.exe | N/A |
| N/A | N/A | C:\Windows\System\zmTswFt.exe | N/A |
| N/A | N/A | C:\Windows\System\RiGpszq.exe | N/A |
| N/A | N/A | C:\Windows\System\slKiUth.exe | N/A |
| N/A | N/A | C:\Windows\System\XTJYLHE.exe | N/A |
| N/A | N/A | C:\Windows\System\ezIkzur.exe | N/A |
| N/A | N/A | C:\Windows\System\MWMlbOX.exe | N/A |
| N/A | N/A | C:\Windows\System\eDHAkqi.exe | N/A |
| N/A | N/A | C:\Windows\System\qRqcURA.exe | N/A |
| N/A | N/A | C:\Windows\System\CJcmDht.exe | N/A |
| N/A | N/A | C:\Windows\System\eyKmVLe.exe | N/A |
| N/A | N/A | C:\Windows\System\PZKLRHZ.exe | N/A |
Loads dropped DLL
UPX packed file
Hits: 59 (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MSKmQzY.exe
C:\Windows\System\MSKmQzY.exe
C:\Windows\System\XEqHYQO.exe
C:\Windows\System\XEqHYQO.exe
C:\Windows\System\VVMWImK.exe
C:\Windows\System\VVMWImK.exe
C:\Windows\System\WqIhaAk.exe
C:\Windows\System\WqIhaAk.exe
C:\Windows\System\twWzNmP.exe
C:\Windows\System\twWzNmP.exe
C:\Windows\System\QIzrlXQ.exe
C:\Windows\System\QIzrlXQ.exe
C:\Windows\System\oDlwaGS.exe
C:\Windows\System\oDlwaGS.exe
C:\Windows\System\CWRkqjz.exe
C:\Windows\System\CWRkqjz.exe
C:\Windows\System\brXADCH.exe
C:\Windows\System\brXADCH.exe
C:\Windows\System\pvSdPJE.exe
C:\Windows\System\pvSdPJE.exe
C:\Windows\System\zmTswFt.exe
C:\Windows\System\zmTswFt.exe
C:\Windows\System\RiGpszq.exe
C:\Windows\System\RiGpszq.exe
C:\Windows\System\slKiUth.exe
C:\Windows\System\slKiUth.exe
C:\Windows\System\XTJYLHE.exe
C:\Windows\System\XTJYLHE.exe
C:\Windows\System\ezIkzur.exe
C:\Windows\System\ezIkzur.exe
C:\Windows\System\MWMlbOX.exe
C:\Windows\System\MWMlbOX.exe
C:\Windows\System\eDHAkqi.exe
C:\Windows\System\eDHAkqi.exe
C:\Windows\System\qRqcURA.exe
C:\Windows\System\qRqcURA.exe
C:\Windows\System\CJcmDht.exe
C:\Windows\System\CJcmDht.exe
C:\Windows\System\eyKmVLe.exe
C:\Windows\System\eyKmVLe.exe
C:\Windows\System\PZKLRHZ.exe
C:\Windows\System\PZKLRHZ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1928-0-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1928-1-0x00000000002F0000-0x0000000000300000-memory.dmp
C:\Windows\system\MSKmQzY.exe
| MD5 | 813db0636b55b65f9534cce08204f1a0 |
| SHA1 | ac5e95cd4dd8304bb6e66a7ab65f704a504d90fb |
| SHA256 | b1de3770d65a1b3a8a9828c588847d188471b19bb35c7795eb565ba8f61893cb |
| SHA512 | 19cba23caf0dcfaa65f54d194801743a50db08f7948e6896089e768fa2e8e0e39391a9a765e54003624424e6700fa2e10a6183e50700acf26ccb64687bb3f4c5 |
C:\Windows\system\XEqHYQO.exe
| MD5 | e16ce437529fb445cc1641f16fc3d14f |
| SHA1 | c53c14c23e04afb0d333c825f2ba8ad3192545e7 |
| SHA256 | ba71989e6eee2872239a2c20d312bc95694ee358aab82e7a780328ec40ace43e |
| SHA512 | 1fedcf8790ca1036e8eb3c3e23f9ce7f1ddf37575cac0fa22a63c4069313eec3ec4262ae7c5ccf0dea00a4d03148ff274129e7c830849e3cd1591a8acccc2600 |
C:\Windows\system\VVMWImK.exe
| MD5 | 630a84e4f8c4804888c4da288bd5d5f8 |
| SHA1 | a9cd2f5fe1da15eab70f2883b466e0a50a122c18 |
| SHA256 | dc600c4a9a3a41fdcb2d143cdd51b84ae5b3a93ddd40ab7a67f75630d298b22e |
| SHA512 | 0219ff4290431090513575c48f6ec5534e84b52716c7b96e57e02c77668b5b05082d9dfe0fbc2b9ead5392a31e766f52fc44e364537355c8cd79b94442cb9b5f |
C:\Windows\system\WqIhaAk.exe
| MD5 | 979483e23332b5438f1102f573e90a10 |
| SHA1 | 8aaab4c47f39c8d1f0ae65a8e70f4cfb7a4902a4 |
| SHA256 | 54df7acc83028f86e95461b2ce6d1c6bcc9fbc22a7110709fd19af8e899fc961 |
| SHA512 | 7fee476fd5d784246d39bbac68d155dd1b687dcc7b80679277c209c340143dd54e283607b5766a819bbdfbc1eb91b494661701bfa5cd67f90d157cf8bcdf8166 |
C:\Windows\system\twWzNmP.exe
| MD5 | da575eda49ae68b463c1d841fe50fb66 |
| SHA1 | 4360a9dd636a4f925e0aaabe01cce858094cef6d |
| SHA256 | bc15aeb42278d22019c843ef7782bba8f6901e332c813643748c73167f33c9b2 |
| SHA512 | 0f9404e1a32ed9021a90d37be4db1e6f92e9d8ac8b6b22852b56024a6d1320e4638e0effa50ef3931b21d4313f2da7cdd8f161be0dab196104f723b11201320e |
C:\Windows\system\QIzrlXQ.exe
| MD5 | fd9feaef287132abb26daa0339f7f075 |
| SHA1 | 44acf66a0777db69a123ef6976c6faac8cc704ef |
| SHA256 | 9825a8aadc31f3841d79dc0ef5b536ad6b4e823234b27ebf43bfd990f72521bc |
| SHA512 | 7bc1b7882b55efd905bde9643b754cb3092cb93ce074624744fda3cce3b1e628cd5bf6b362679f3bca70fb6f18dc622b5a01d50de2908f369f79034ca1308ccd |
C:\Windows\system\brXADCH.exe
| MD5 | ab4a34568a7a37cee983f19d8329f3d0 |
| SHA1 | 62ae1c729a796f84e77a346e13e6f9392b89a192 |
| SHA256 | 6052c94ee71069bf24e574a3d1d67a02341f169a4a6ce9acb10a75726bcb4ad2 |
| SHA512 | f97a4e2805ad0c3e1b07dda6e25f061ec1abd419d0d35870ae0d3c3571ab26ec2dcee3e901b158785a0936c81284d301903b4e8bcba7c8946470961b252e5ad2 |
C:\Windows\system\pvSdPJE.exe
| MD5 | 319c01507a2f5df3e5433669b09e8cff |
| SHA1 | 10ed191dbb879151aa41ae09f6b29993b1eaa1dd |
| SHA256 | 1498d33f0f975665cfe6630045e1a1dd13cfaa12659ee8dc8a2076731e9609b4 |
| SHA512 | defce5463769f1537509bd17d0b5288e866eba5870f13dc6e8ebc61213b63daf549c0331dc2970dd5c92a227b325f04341045fa09c635da39fcf878dbe806cfb |
C:\Windows\system\zmTswFt.exe
| MD5 | d10d916c1a8560ab5365e12822d991c5 |
| SHA1 | d34ddf06cd6be67a49da78c736dcfb47b65c31e9 |
| SHA256 | c02cd89a8cf30cd45549e85d5f6c2b3be7e735fef0c636a6f62fe5a21d90098d |
| SHA512 | dfff429a3de0bd5f55bd7803c1e16ab9c46b70aa20c1ceaa04cee89897fd0e0cde954c053c784027af3c7a174af2e9c3ef9c72ff4794c822703537fc2059897f |
C:\Windows\system\slKiUth.exe
| MD5 | c18e81921a22304cc2d5ada4a1a84e79 |
| SHA1 | ad7f5fe000437630dba611086e37ea6f32186899 |
| SHA256 | ce72817ea842acd012c485621c29471223b0cb3b6f5284c8f7548366583897af |
| SHA512 | 17ff99b51203518030a178c5111f9fe5199b1f310b26da4f80cdc249c9f205e5b8a3dc1186ba2242b48879cd35c4954248d23aa19632f7cae6f2deaaa9c340b2 |
C:\Windows\system\MWMlbOX.exe
| MD5 | 4a1b6742e04ffb5df78ce94045588aab |
| SHA1 | 2c52b587f7fb290304f10fdc851daad7d3c597dd |
| SHA256 | 828d3010dd9350338a77ce444a7dbb7bf7489a75868fa5dcd960f9d743f1ca16 |
| SHA512 | d32cc411d3fd7fb0f95365c8769bc7b9c79b3eb9adbfc2bd1f2310e5742a3f56b06bdcb3304be6c55196932ea7be702963dea7df7e5058feacc2e35c3897ad83 |
C:\Windows\system\eyKmVLe.exe
| MD5 | f3bafa34cc89c846a2b9ae9e13a35b9b |
| SHA1 | a7c7f80599ba2ea6d2512f23c5f59ffa83615eef |
| SHA256 | 65a6fc2c77086d856192ccb820a9e043df0349213d52c92c4254ab4f71e638c2 |
| SHA512 | 0974dd291991b7c5bec615ae4bc13d0204a58933ada32b50a4270dc0a294e06c423222a7166ce041ba0e8660b48597997aa0bef73871cc70e4934d092f51f448 |
C:\Windows\system\PZKLRHZ.exe
| MD5 | d7ac8a087588d77cc7575da7ae0f8c2f |
| SHA1 | 98f758cd3b4fcc7e23df2aaa0e3b5c51f65ed721 |
| SHA256 | e520d24af7187b527a8e5b17ae914b510211cea720f5f23de19d627afa2f6529 |
| SHA512 | afddf6c28c2caa7bdc3ed2dcb4e43d090569140253d500e869421f185db7e6e59ab6d38ff88aacd571b9bd0acfd568743b4075a76f146185fc80ab9c4b050813 |
C:\Windows\system\CJcmDht.exe
| MD5 | 49d71db7c33aa71a2f3e0d62d560d27c |
| SHA1 | a18674c130f88ce54162fe3ec7f9fc804f1341dc |
| SHA256 | 98e24c0800c3f48e1e7df3ba5fedd149de5cd4627edd9de185eb4e9ad3207336 |
| SHA512 | c861d9861255acb4b340b6a940854eea18e0c8f66b4c95779846f843b53f40c1999d2d2047c42982e4a3450c1af675dc9c4f2da34944507e500aa67be6a78b34 |
memory/1928-101-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/1676-116-0x000000013F200000-0x000000013F554000-memory.dmp
memory/1928-119-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2504-118-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/1928-117-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2796-115-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2728-114-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/1928-113-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2812-112-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1928-111-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2928-110-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2628-109-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/1928-108-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2944-107-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2704-106-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1928-105-0x00000000024B0000-0x0000000002804000-memory.dmp
memory/2640-104-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1928-103-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2368-102-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2136-100-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/1928-90-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/1932-89-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2448-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
C:\Windows\system\qRqcURA.exe
| MD5 | 42e71bd3200c86af41a262047cd9f484 |
| SHA1 | 18994c9df71a02927da1526c8434aaff15f6b19b |
| SHA256 | 2dc1f2678840dcf88c0d704820ea3c8c14e281e863dec620b90cc9130561cea0 |
| SHA512 | 5fdbeda40f646b8dbd172591ae3609ab077826916aeb50500e44f2e26e6e215ca046f3733a79280dcb398170be2ff421498abc884278889612e5f95f82500299 |
C:\Windows\system\eDHAkqi.exe
| MD5 | ad684815dbb5d8aff65fdcf10bf27f31 |
| SHA1 | 3a8e33ee12811968dba7cc8668e3bb368e6e8654 |
| SHA256 | d4e20123d34f6337134cdb972365f517c9e47fc7d1246067f8141839113105b0 |
| SHA512 | 03945388566498d765f969bcc42a5dad46d3421efc6a49e9b21001a2226e796e9b872ff5a20d5facf9419c056c3794777b39081c0e8af77598ea7d699dfec2d9 |
C:\Windows\system\ezIkzur.exe
| MD5 | 44c489af4b283cae0458bf1763db0c44 |
| SHA1 | 58b9b60f48200944ad19f6543bf8c5879b66701c |
| SHA256 | 7149455bd339045cec68ad462e4df2299fac817dba47a1279d1d8449eb6d029c |
| SHA512 | 6c2ba9a520e468a139f865ff76b25c06241b5c20bda0230e090a4f77aea5fc98a4b771e4299f7369b3b927ae643ac9e15bbdf2122f084704bba4a403c0463d50 |
C:\Windows\system\XTJYLHE.exe
| MD5 | 1f8015258bc338144e41576ef80bf472 |
| SHA1 | 9495e48f41c626cd506653adb98d2ae602f87570 |
| SHA256 | e072610f0df1b615f7916ac055cb93601f7895aefb849e769267e295572bbc13 |
| SHA512 | 65c6d7dfb60aee413bbb7023b19ef1e0826ca411fdd8a1babb92bc6ac399292a6bf39a6bcc143011c1464ec4644bbb73edc8eaa311def6aef05c91d583911155 |
C:\Windows\system\RiGpszq.exe
| MD5 | cc9caade7f00dda13bfa4d87beba10b3 |
| SHA1 | 20f7be4fbdfc72d9da7a9296efea4e3d306d08d3 |
| SHA256 | 32c8dc7a0b31a44d36bcce3d154da4485d19b39a115c6acdd96ebfbf3735916e |
| SHA512 | 40c3472c60e81229bd5005e72c2774ea3712088c22d022e342c121645374b43db8ed22dfb3970bc99442d18532fc3851b31a5c140c52418227fd92b0228651de |
C:\Windows\system\CWRkqjz.exe
| MD5 | 9af547ea86fce9ae45be91d58d9c73e4 |
| SHA1 | b0fde15662ac124c033d8500aefcf69d002a058a |
| SHA256 | a532efb9b17cf023309cfbe300da85d4a9946a11694e6650cfdbc0e1d7460fed |
| SHA512 | 9d714a5a9e460c492271cd86920e886941708cfd1eb49e3fa3d7eb300e042766ef60caf9b16009dce6534e91e3b8779c19e7f3ae8d0de47617cd1716b8159e2b |
C:\Windows\system\oDlwaGS.exe
| MD5 | bd82ede5f165e54e725af8d2a7d80158 |
| SHA1 | a7deb30ba68b1f074044322a13a4162b37d9197b |
| SHA256 | 2cebf6b639de4988390d68d7374a0038da8073e88220c6a9e877efc5b9d98c13 |
| SHA512 | b0f494e2adfba615d984f33788bdce5e5e55a4780c37ac8164a29fd74c0cd42e17f407a8a0fb5018f115c2d58ce55450ae84dede8cf152c4cc08d13a09edffc9 |
memory/1928-130-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2448-131-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/1932-132-0x000000013F300000-0x000000013F654000-memory.dmp
memory/1928-133-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/1928-134-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2368-135-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2704-136-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2628-137-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2504-140-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2796-139-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2812-138-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2448-141-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2136-142-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2640-146-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1676-147-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2944-145-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2728-144-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2928-143-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2704-152-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1932-154-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2368-153-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2628-151-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2812-150-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2504-149-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2796-148-0x000000013F120000-0x000000013F474000-memory.dmp
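Added example (not part of the sandbox output, and not code from the sample): a small Python hunting helper that turns the behaviours recorded above into checks. Two observations the report supports directly drive it. First, every memory dump listed under Files spans exactly 0x354000 bytes, whether it belongs to the parent PID 1928 or to any child PID in the dump list, so the differently-hashed dropped files all map an image of the same size. Second, every dropped file is a seven-letter mixed-case name under C:\Windows\System\, and the only outbound TCP destination is 3.120.209.58:8080. The event records and their field names (type, pid, ppid, path, image, sha256, privilege, dst_ip, dst_port) are constructed for the example and are not a real EDR schema; the dump names and the two SHA256 values are copied from the behavioral1 Files section. The SeLockMemoryPrivilege check relies on XMRig requesting that privilege for large-page memory on Windows, which is why the sandbox flags it on the sample.

```python
"""Hunting helper for the behaviours in this report (added example, not sandbox output)."""
import re
from collections import Counter, defaultdict

# Dropped-file naming seen in both detonations: seven letters, mixed case, in C:\Windows\System\
DROPPED_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Copied from the behavioral1 Files section (two of the twenty-one dropped EXEs)
KNOWN_SHA256 = {
    "b1de3770d65a1b3a8a9828c588847d188471b19bb35c7795eb565ba8f61893cb",  # MSKmQzY.exe
    "ba71989e6eee2872239a2c20d312bc95694ee358aab82e7a780328ec40ace43e",  # XEqHYQO.exe
}

# Only outbound TCP destination in either detonation's Network table
C2_ENDPOINT = ("3.120.209.58", 8080)

# Sandbox dump naming: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMDUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def image_sizes(dump_names):
    """Map each PID to the set of dumped-region sizes (bytes) the sandbox recorded for it."""
    sizes = defaultdict(set)
    for name in dump_names:
        m = MEMDUMP.match(name)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            sizes[pid].add(end - start)
    return dict(sizes)


def common_image_size(dump_names):
    """Region size shared by the most PIDs (None if nothing parsed); 0x354000 for this report."""
    tally = Counter(size for pid_sizes in image_sizes(dump_names).values() for size in pid_sizes)
    return tally.most_common(1)[0][0] if tally else None


def triage(events):
    """Return {pid: [reasons]} for PIDs showing the behaviours the signatures describe.

    Events are a constructed Sysmon-like shape; the keys are an assumption for
    this example, not a real EDR schema.
    """
    findings = defaultdict(list)
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and DROPPED_NAME.match(ev["path"]):
            findings[ev["pid"]].append("drops random-named EXE in C:\\Windows\\System")
            if ev.get("sha256") in KNOWN_SHA256:
                findings[ev["pid"]].append("dropped file hash matches report")
        elif kind == "process_create" and DROPPED_NAME.match(ev["image"]):
            findings[ev["ppid"]].append("executes dropped EXE")  # credited to the parent
        elif kind == "privilege_adjust" and ev["privilege"] == "SeLockMemoryPrivilege":
            findings[ev["pid"]].append("enables SeLockMemoryPrivilege (large pages, XMRig tell)")
        elif kind == "network_connect" and (ev["dst_ip"], ev["dst_port"]) == C2_ENDPOINT:
            findings[ev["pid"]].append("connects to 3.120.209.58:8080")
    return dict(findings)


def verdict(findings):
    """'known bad' on a hash match or three or more behaviours for one PID, else 'no match'."""
    for reasons in findings.values():
        if len(reasons) >= 3 or any("hash" in r for r in reasons):
            return "known bad"
    return "no match"


# Constructed sample input: dump names copied from the report, event records made up to
# mirror the signatures, plus one benign process to show it stays clean.
SAMPLE_DUMPS = [
    "memory/1928-0-0x000000013F450000-0x000000013F7A4000-memory.dmp",
    "memory/1928-1-0x00000000002F0000-0x0000000000300000-memory.dmp",
    "memory/2448-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp",
    "memory/1932-89-0x000000013F300000-0x000000013F654000-memory.dmp",
]
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 1928, "path": r"C:\Windows\System\MSKmQzY.exe",
     "sha256": "b1de3770d65a1b3a8a9828c588847d188471b19bb35c7795eb565ba8f61893cb"},
    {"type": "process_create", "pid": 2448, "ppid": 1928, "image": r"C:\Windows\System\MSKmQzY.exe"},
    {"type": "privilege_adjust", "pid": 1928, "privilege": "SeLockMemoryPrivilege"},
    {"type": "network_connect", "pid": 1928, "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"type": "process_create", "pid": 4100, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    print("image size shared across PIDs: 0x%X" % common_image_size(SAMPLE_DUMPS))
    hits = triage(SAMPLE_EVENTS)
    for pid, reasons in hits.items():
        print(pid, reasons)
    print(verdict(hits))
```

On a live host the same checks map onto Sysmon event IDs 11 (FileCreate), 1 (ProcessCreate) and 3 (NetworkConnect); Sysmon has no privilege-adjustment event, so the SeLockMemoryPrivilege tell comes from Windows Security event 4703 instead. The benign svchost.exe record never matches because the name pattern requires the bare C:\Windows\System\ directory, not System32.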
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 08:42
Reported
2024-06-08 08:45
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Hits: 21 (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Hits: 21 (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
Hits: 64 (no description, indicator, process or target recorded)
XMRig Miner payload
Hits: 64 (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PCfZiaQ.exe | N/A |
| N/A | N/A | C:\Windows\System\jnkHbsD.exe | N/A |
| N/A | N/A | C:\Windows\System\EMnJZwO.exe | N/A |
| N/A | N/A | C:\Windows\System\EqmrvcW.exe | N/A |
| N/A | N/A | C:\Windows\System\RfTuiMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SRdfHEc.exe | N/A |
| N/A | N/A | C:\Windows\System\yoihSwT.exe | N/A |
| N/A | N/A | C:\Windows\System\VdConld.exe | N/A |
| N/A | N/A | C:\Windows\System\dUOQjcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JeblYOh.exe | N/A |
| N/A | N/A | C:\Windows\System\WyHJrso.exe | N/A |
| N/A | N/A | C:\Windows\System\QACfghg.exe | N/A |
| N/A | N/A | C:\Windows\System\ztauxzT.exe | N/A |
| N/A | N/A | C:\Windows\System\rYOCRmb.exe | N/A |
| N/A | N/A | C:\Windows\System\dglZvJS.exe | N/A |
| N/A | N/A | C:\Windows\System\VCBprxR.exe | N/A |
| N/A | N/A | C:\Windows\System\vEMrFLN.exe | N/A |
| N/A | N/A | C:\Windows\System\nNNkcqG.exe | N/A |
| N/A | N/A | C:\Windows\System\njUztHS.exe | N/A |
| N/A | N/A | C:\Windows\System\tirQKHj.exe | N/A |
| N/A | N/A | C:\Windows\System\aSSaRSq.exe | N/A |
UPX packed file
Hits: 64 (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\PCfZiaQ.exe
C:\Windows\System\PCfZiaQ.exe
C:\Windows\System\jnkHbsD.exe
C:\Windows\System\jnkHbsD.exe
C:\Windows\System\EMnJZwO.exe
C:\Windows\System\EMnJZwO.exe
C:\Windows\System\EqmrvcW.exe
C:\Windows\System\EqmrvcW.exe
C:\Windows\System\RfTuiMJ.exe
C:\Windows\System\RfTuiMJ.exe
C:\Windows\System\SRdfHEc.exe
C:\Windows\System\SRdfHEc.exe
C:\Windows\System\yoihSwT.exe
C:\Windows\System\yoihSwT.exe
C:\Windows\System\VdConld.exe
C:\Windows\System\VdConld.exe
C:\Windows\System\dUOQjcJ.exe
C:\Windows\System\dUOQjcJ.exe
C:\Windows\System\JeblYOh.exe
C:\Windows\System\JeblYOh.exe
C:\Windows\System\WyHJrso.exe
C:\Windows\System\WyHJrso.exe
C:\Windows\System\QACfghg.exe
C:\Windows\System\QACfghg.exe
C:\Windows\System\ztauxzT.exe
C:\Windows\System\ztauxzT.exe
C:\Windows\System\rYOCRmb.exe
C:\Windows\System\rYOCRmb.exe
C:\Windows\System\dglZvJS.exe
C:\Windows\System\dglZvJS.exe
C:\Windows\System\VCBprxR.exe
C:\Windows\System\VCBprxR.exe
C:\Windows\System\vEMrFLN.exe
C:\Windows\System\vEMrFLN.exe
C:\Windows\System\nNNkcqG.exe
C:\Windows\System\nNNkcqG.exe
C:\Windows\System\njUztHS.exe
C:\Windows\System\njUztHS.exe
C:\Windows\System\tirQKHj.exe
C:\Windows\System\tirQKHj.exe
C:\Windows\System\aSSaRSq.exe
C:\Windows\System\aSSaRSq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.227.14:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2860-0-0x00007FF634730000-0x00007FF634A84000-memory.dmp
memory/2860-1-0x000001BB3EAE0000-0x000001BB3EAF0000-memory.dmp
C:\Windows\System\PCfZiaQ.exe
| MD5 | 512313c7f252bd3a875ae69984fe0210 |
| SHA1 | 5aadbb3878d6df135a66763233658bf5dcb01405 |
| SHA256 | f29aecb71964461d73a1ce0ec9f20cda0e6b535b2990de6a655f242fb1f5059d |
| SHA512 | 971d74a8da1ca6566ec28980604f159ed3820631fb7b159e132695cfcf3c92bf4dfdc7cc2371cc4ca35e855cdbab8b95f6b954d8188f01fdc8aa9afd92b4203f |
memory/4720-7-0x00007FF6026A0000-0x00007FF6029F4000-memory.dmp
C:\Windows\System\jnkHbsD.exe
| MD5 | d66b73a95eeac5954953c77119384772 |
| SHA1 | 790f855a1d455b4edf47d7dab147b68fd977597e |
| SHA256 | 13e2df454f6bd4892a45adf0d5c173d18502ff09950c6c9ab52b706dd03f14ba |
| SHA512 | 3626fd6a8e2617b69369f54a3c7055a59b64e1db4113a72db01b87d5afe7e4fdcf4230d5d15a8f76d42c9d1034f978c270971560f8cf59c86d4e1106430e7bc7 |
C:\Windows\System\EMnJZwO.exe
| MD5 | 95a43fb5452a0ff0d73e6b9e7e854962 |
| SHA1 | 4d22bd85181e71792ff2ccb160516a4f85c0214e |
| SHA256 | d672dfd86620186a9839e51ff01e894fed5f2173ba837014806bfc6aaf43e739 |
| SHA512 | e0daaece483c745b808fb3e625356121a059579e034d574ef1b893476c7e4beb70ff04983f9558e474c2e6425dffe86f9254b48834d5a51257a0d0493cb0da5b |
memory/2304-14-0x00007FF6520B0000-0x00007FF652404000-memory.dmp
C:\Windows\System\EqmrvcW.exe
| MD5 | 6ba7ad1c71f8f34ca39df5306dfb1535 |
| SHA1 | 5ab0345b1d77a3f81fa28ecf332440314f7e8f9a |
| SHA256 | ea1d4c24b721fcb191865903d70c59e674cb6e35388c03bf37c8c1a7de734bf4 |
| SHA512 | 7fbe27051196c189f33ea3231fb3dcc1344f7dc5b5ab1b1d70fb73c15b2ba8bcefa8a580ec1350debac94f82f23dce2dab3f9730dd9353db85c1d24e83179134 |
memory/2484-20-0x00007FF6AE250000-0x00007FF6AE5A4000-memory.dmp
C:\Windows\System\RfTuiMJ.exe
| MD5 | bec1db0ebcee6dab1f1e9767f044be67 |
| SHA1 | 168036158a48a9bcc90493677ff9f20e7f9a784d |
| SHA256 | 3fb79c161772743c9caa21ab5fe23a11342caeca6f675e0f69e28984d495077f |
| SHA512 | 995dfd2ac6f5fedac50a9b7397611dc8c73752bf8712b3c9963f8a64b0653322fc2fe5f7e4b19ec061003d4efb82b9e32e1f7fc399b4a485261e626808b3e2f9 |
memory/3236-26-0x00007FF73D5A0000-0x00007FF73D8F4000-memory.dmp
C:\Windows\System\SRdfHEc.exe
| MD5 | dc8a5173567a526809c5c9ae5a13eaf4 |
| SHA1 | b1e8b83404d8f437d12ff3c1981718dce4b0c8ff |
| SHA256 | 988e7c0dcd1a8d0b391a67004499c8a87b406024d1f73af2bd3e88f8343ba829 |
| SHA512 | 413a2c09b70a5e92a7b0ed0d079eb690e30a59a9561c9c11d85e1f4f23097ac6deaeef588454ce474624345a97035f7ae963af732229506a0dca951919f84a38 |
memory/3752-36-0x00007FF783800000-0x00007FF783B54000-memory.dmp
memory/4760-32-0x00007FF716A50000-0x00007FF716DA4000-memory.dmp
C:\Windows\System\yoihSwT.exe
| MD5 | 9945b7c605c2abc0faff699e277a1dc2 |
| SHA1 | 97f5ca07dee4d354faea6317ec610ebe025224c3 |
| SHA256 | 049e20bf3cbae8a4f8cb493812d2d5bbad1cc2a831467ebb014cffc5cc775caa |
| SHA512 | db9a76ae4b0d10405e8fee4ae6d44432d068742297f3dbaa6cc51d544c0b2a964ad875e6e2544593e5c35d6e31dfbad743e2414e5ed451b7e3e9218169ec6c36 |
memory/4552-44-0x00007FF6D4F00000-0x00007FF6D5254000-memory.dmp
C:\Windows\System\VdConld.exe
| MD5 | 95f9f26e8196baf1a33713fc7d36cd2f |
| SHA1 | 2cebd3f5612d0cbe875ad5b546e96a7cfef92c3a |
| SHA256 | 38cbca533e0c423664c15484e2b3423cd5faf32480fcb12e4689260eb154f07e |
| SHA512 | b961833206ee5a83f68546379e77738ed946a8b17709147555bcfd521f7f9d0ecee2a3edcf5583a95a0f721b44f45457a75bded88eeb63a278ab02f536f43ad9 |
C:\Windows\System\dUOQjcJ.exe
| MD5 | f21514bb5ea2643334ccb23cbeae867b |
| SHA1 | 684d9f01f56fdd004fe6d000f2adde041a09c6d6 |
| SHA256 | 9420bf5a1dee5f089aa3fcfe549db46a71161e8072ec4c3481e3dc30782f3504 |
| SHA512 | 8a6c78be2a058584b303c305ae0a2598bb0f48d9c1e613042a3c75094e72d26b9893e9de57bdb5bfacfe63b6b6fdbc1801c9dc282c13b6512889cc0d3fcb724b |
memory/2832-50-0x00007FF7D9090000-0x00007FF7D93E4000-memory.dmp
memory/316-56-0x00007FF69E7C0000-0x00007FF69EB14000-memory.dmp
C:\Windows\System\JeblYOh.exe
| MD5 | 90e18da6b9e586be51396c6197d59cfd |
| SHA1 | b93f19af0ce17d4ed534b14a2ccfdc9d4cced3f8 |
| SHA256 | 6685f179c391ab10a5eae6c0f8ab25c8bb6b450a7d5a57aa234d61a009243624 |
| SHA512 | 4e0d1791b669753c79a7ba136b68a4616edd55d9c129d8afe9e56eb4e9611ae3fdc4e1c1bab9241b2961034b04909c91218ff22669222e74c7a1c020765233de |
C:\Windows\System\WyHJrso.exe
| MD5 | 2672b62b3ab8840ef3ef946aa569c86b |
| SHA1 | b3379f408d10956b849951143ebc3dfd37c708cb |
| SHA256 | 5653cc8035449646486c3021388580d98d7d6d40defd256e11566c880be3a2c4 |
| SHA512 | 78595632c00902e76deb5d953967ce8e1d444ac9606dae1f5539ea8112021df84c493e8b3a8e8b0d5186337282a510cfbbfa12373f9a9db2bbd9a9b5a6c939de |
memory/4404-70-0x00007FF65CAC0000-0x00007FF65CE14000-memory.dmp
C:\Windows\System\QACfghg.exe
| MD5 | e607e5fdc5e4df27863185870579cd01 |
| SHA1 | 167a6fbc442f423388921db5296f395c4e4bbf1b |
| SHA256 | 58b521ad94fb2c9f7b528403529095df758fc43989c012c78bb1b381c53c1648 |
| SHA512 | a5243060ae639f719cf9d66c8ff3835489f15daa9b94a30f5112db642ab966309935f916f5fe0fdcb8bca0f22f165f0d83a46c53432603d38c52967e14837880 |
C:\Windows\System\ztauxzT.exe
| MD5 | 06e5867b194bed018f1922bc6dd527c6 |
| SHA1 | 8eb69ec32a391d4069d88358cce1d6c28d79432a |
| SHA256 | 77e757adedaa0f791bd8a37125d5fb0698bb61d70b97005264d2b211a74caae4 |
| SHA512 | 40d70491860ba651947d9574d2c01154cddee4c59ac166b4d90605edc635679427b979f2d0de82e3180eb816b458939a91c3e6481beff73cb1beecdb976e5deb |
memory/2016-83-0x00007FF77DEB0000-0x00007FF77E204000-memory.dmp
C:\Windows\System\rYOCRmb.exe
| MD5 | 76491e2f5283d134507ddc62f4e6edbc |
| SHA1 | 7a3b652c4f36648721661f8dd4506f23e89fc253 |
| SHA256 | 245544d12e113cecd5515effc04a98d9377d24ae826abaae4b6773857639da7c |
| SHA512 | 921723962e9ad532e2518cac5adf0a029652f7ae8011d5fa5c7b6eed03237c8a0e0b25a9be1015ab903b17bd3cabbd4c2c20ab11b2943714899de4e3118a8035 |
C:\Windows\System\dglZvJS.exe
| MD5 | e4cef3c3e94b9d5d0706a98cd47295bf |
| SHA1 | 8ceddd4197f4c82083bbca1a23ca0e314bc2f5eb |
| SHA256 | c6131cf62fdbde3c5413a61b4bd45a80a1936209de2b5fa5010275ae9072d064 |
| SHA512 | 522b888eae704bc784e9fb0c845da1d0ba592891a29135c489bac6f8e08c6b6cf5917934be6c87f33e9dfc73950399c96811d06a023d43e3ab3d2dc9b93a9a30 |
C:\Windows\System\VCBprxR.exe
| MD5 | fda7e19aed43fa1a49ffe89c388a94fd |
| SHA1 | e937b4d8ba7b963a815e98225d2724d0209a8f9e |
| SHA256 | c42922a3b9170e8854d44f544d9868997711c1abee796e179122c70198dcfefc |
| SHA512 | fca492a8f61dc7c03967ba725c93f0ac9c1a0422df4912cd6dc02b94ec62b996129d682eb4121add902fa3e4306d0c80ecd80ea91df276391febe20fb447fb3f |
memory/4564-101-0x00007FF7A4550000-0x00007FF7A48A4000-memory.dmp
memory/4052-109-0x00007FF6101C0000-0x00007FF610514000-memory.dmp
C:\Windows\System\nNNkcqG.exe
| MD5 | e7dda3ac14535f5b57e621e83f31e900 |
| SHA1 | 977b536f6c55aee5e52e5028663631bc957855b2 |
| SHA256 | 54e3d5075a1c8835d9cd7f58b71dfadc34e944dd56af774722139aafff5f9387 |
| SHA512 | 2ed886f33768fbcbcb1ee69797f8b361904932ac1f4b3f5ee439f1fce0aafc5ed9301479f0d521bf49c64c61057bcb428fc8024588e2453e5285d6199c60ec6a |
C:\Windows\System\vEMrFLN.exe
| MD5 | 8fa22e74f19a662577aee8873880c1be |
| SHA1 | a5530ee53a9e9ab7084126acf98d9695c88a789f |
| SHA256 | 6bef8902f2bb28c584f8fe1422bc233f78f117247e814ccb490f1c3c34929244 |
| SHA512 | 13ddf3cf9f8ccd91162d8230dc2c1496ca0c25fefba4d460e6543008b337c91c73977a4ecb8cee9b50e4209be8720a056f495738f4eb0f9c76c2b1df6d3c7e0b |
C:\Windows\System\njUztHS.exe
| MD5 | a346524a981867f710c5b9142d484c96 |
| SHA1 | 5d0bd5a8ec21fffab4184568505077e1b51ed221 |
| SHA256 | 3db2304893221ece71a9edbff501227c9a0a13f03fc14c3d4b9c7b3a7c79c97d |
| SHA512 | 582784300cc345a528e9c98be199f4bd75bc7c9ef90cc81100415f7cf06877599b24447b4e66520438a9f9d79d4e92d4c275a810fc7e4fac017b083c24e9d5ea |
memory/2832-115-0x00007FF7D9090000-0x00007FF7D93E4000-memory.dmp
memory/1288-122-0x00007FF6D04E0000-0x00007FF6D0834000-memory.dmp
C:\Windows\System\tirQKHj.exe
| MD5 | afc3f716dba55c7d8c94f9069389ad7d |
| SHA1 | bd055b8043707467dbce1c3a5a980e7b7ee83acd |
| SHA256 | a9717904ce091c0a558b17348a67c31f9007f61b812df3074a3b00ccf3a4e274 |
| SHA512 | bc1caed8f2489ea94777083ac47ae94a350aafab8e2d5c58d19e30f4ac06f7f6123bbae0d7f53bf0e4b096c4724d83129508c8bfc49fec1934660ee464189f49 |
memory/4332-127-0x00007FF6C6770000-0x00007FF6C6AC4000-memory.dmp
C:\Windows\System\aSSaRSq.exe
| MD5 | 53b43fc42a5c1c00789728229f92c220 |
| SHA1 | b88c2925d12b71c6dbd17e5d1839078fdf2cc5e7 |
| SHA256 | d53cd73529432cc5f13e998012d0ef558a7886a8cf7eb2341f31988dbd3b725d |
| SHA512 | 5297700400a5f6ddc10d921a8d2aac4f230b465b3c0afacfa737ba743712acc9c2bd510c25fd2a6b60c55c4e5d9889791ebc0001336110e3885edfe2d36eda22 |