Analysis Overview
SHA256
f30a992b2dfd53e2b8283141dd6948853bace5acaa6fad73a563aed6c4f88fd4
Threat Level: Known bad
The file 2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 09:23
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 09:23
Reported
2024-06-08 09:26
Platform
win7-20240508-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FFzMrIx.exe | N/A |
| N/A | N/A | C:\Windows\System\tAjBhEW.exe | N/A |
| N/A | N/A | C:\Windows\System\DffThYN.exe | N/A |
| N/A | N/A | C:\Windows\System\GwTnymd.exe | N/A |
| N/A | N/A | C:\Windows\System\eJVFrKx.exe | N/A |
| N/A | N/A | C:\Windows\System\kYbTNks.exe | N/A |
| N/A | N/A | C:\Windows\System\zKyrkmV.exe | N/A |
| N/A | N/A | C:\Windows\System\fMnXMLA.exe | N/A |
| N/A | N/A | C:\Windows\System\bZomZVC.exe | N/A |
| N/A | N/A | C:\Windows\System\UwMgqTI.exe | N/A |
| N/A | N/A | C:\Windows\System\UYiVmDc.exe | N/A |
| N/A | N/A | C:\Windows\System\HRTWnde.exe | N/A |
| N/A | N/A | C:\Windows\System\JfUjjzr.exe | N/A |
| N/A | N/A | C:\Windows\System\imcgoWi.exe | N/A |
| N/A | N/A | C:\Windows\System\lbPFAiC.exe | N/A |
| N/A | N/A | C:\Windows\System\iybKgZg.exe | N/A |
| N/A | N/A | C:\Windows\System\KjoTmaY.exe | N/A |
| N/A | N/A | C:\Windows\System\JyUrpSg.exe | N/A |
| N/A | N/A | C:\Windows\System\HyNCNPP.exe | N/A |
| N/A | N/A | C:\Windows\System\uzMFuFU.exe | N/A |
| N/A | N/A | C:\Windows\System\NQAkhAM.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\FFzMrIx.exe | C:\Windows\System\FFzMrIx.exe |
| C:\Windows\System\tAjBhEW.exe | C:\Windows\System\tAjBhEW.exe |
| C:\Windows\System\DffThYN.exe | C:\Windows\System\DffThYN.exe |
| C:\Windows\System\eJVFrKx.exe | C:\Windows\System\eJVFrKx.exe |
| C:\Windows\System\GwTnymd.exe | C:\Windows\System\GwTnymd.exe |
| C:\Windows\System\kYbTNks.exe | C:\Windows\System\kYbTNks.exe |
| C:\Windows\System\zKyrkmV.exe | C:\Windows\System\zKyrkmV.exe |
| C:\Windows\System\fMnXMLA.exe | C:\Windows\System\fMnXMLA.exe |
| C:\Windows\System\bZomZVC.exe | C:\Windows\System\bZomZVC.exe |
| C:\Windows\System\UwMgqTI.exe | C:\Windows\System\UwMgqTI.exe |
| C:\Windows\System\UYiVmDc.exe | C:\Windows\System\UYiVmDc.exe |
| C:\Windows\System\HRTWnde.exe | C:\Windows\System\HRTWnde.exe |
| C:\Windows\System\JfUjjzr.exe | C:\Windows\System\JfUjjzr.exe |
| C:\Windows\System\imcgoWi.exe | C:\Windows\System\imcgoWi.exe |
| C:\Windows\System\lbPFAiC.exe | C:\Windows\System\lbPFAiC.exe |
| C:\Windows\System\KjoTmaY.exe | C:\Windows\System\KjoTmaY.exe |
| C:\Windows\System\iybKgZg.exe | C:\Windows\System\iybKgZg.exe |
| C:\Windows\System\JyUrpSg.exe | C:\Windows\System\JyUrpSg.exe |
| C:\Windows\System\HyNCNPP.exe | C:\Windows\System\HyNCNPP.exe |
| C:\Windows\System\uzMFuFU.exe | C:\Windows\System\uzMFuFU.exe |
| C:\Windows\System\NQAkhAM.exe | C:\Windows\System\NQAkhAM.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2392-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2392-1-0x0000000000300000-0x0000000000310000-memory.dmp
C:\Windows\system\FFzMrIx.exe
| MD5 | c0eaf59e0768e50406a8c847ac06e9ab |
| SHA1 | 7f444f3f8121d6191ef06b530397b546d6ee584a |
| SHA256 | 4b8e990a33f816dc75292f139d08f78c7af3c8783471ae5f5ec8b8940747ca73 |
| SHA512 | bc2f43482cd156cea4a1c8c86d51970155a670211cbde8459c3d7531703623495001e92f612f9ca9b3898ed83439044574db93fb365c561493360daaaaa805c8 |
C:\Windows\system\tAjBhEW.exe
| MD5 | b103ae2d5826cded07768920f982d4bc |
| SHA1 | 066c831982d06d24f96fbcc1812cdc8e2820a340 |
| SHA256 | 374b99dfbd04234db593f62dd37bff2449622081596754b0f0dd9a1e6eecdc8f |
| SHA512 | 413a63b16f9bb0b94b3416ca4867de7491dfd386b9d5fcabd4063089c3a33f54bbbe0522ce065f551cca6f6c8355111e2213e7b2350a7f8d4122ffdb6a844b21 |
memory/2392-16-0x0000000002310000-0x0000000002664000-memory.dmp
C:\Windows\system\DffThYN.exe
| MD5 | 2d19173a663cd568a192f6ae8c127ef7 |
| SHA1 | 12c38a62ae0e9c2c0697887ff39f2b27a006deca |
| SHA256 | 409258380f7cff40b4bc7d793c24e02b45526f5ca6fdc17937a527f9e0e5e1e2 |
| SHA512 | 742c79edff0a877da630bf43452c90f48bc0f58caf663db0b46b306363676c64e16db60ba27c100f8bdcbfae065ec64f8a7ad6065e26c44a78820fd133fce83a |
memory/2392-30-0x0000000002310000-0x0000000002664000-memory.dmp
\Windows\system\kYbTNks.exe
| MD5 | 341a79f7d6c5107681939dc1caf4fcde |
| SHA1 | 2fcf78d3558b5fb051ff1e131c3d36ef51c0cae0 |
| SHA256 | 6fdaf6d427e5d1158065e24ff39695acdf8e529061be99b4b3c447f8c8d87f17 |
| SHA512 | 6fc753a23602e846553e6b481abe0b644e1193dbc833446efe82ee22a155d3be7939f726a599888f5fff8ca5344173f2a387d1aa6aef7f32c9ea6642fc985cf8 |
C:\Windows\system\fMnXMLA.exe
| MD5 | 54a2ed50b414aa5f916622f5b105ef0b |
| SHA1 | 69250975ab8f0f143671e8b781f91ccfa866e21c |
| SHA256 | 02d925e4def0dc18811d8d9ff51c9c6bd356cd49e2a1dbfca0c3687e20eae748 |
| SHA512 | a70c39aae6aca081709701cfbf61d26c1c70ee3c591537b6db8094ab74ec311ca53a9cc725d6f727c510dbe837c7c0779a689634c2619bf36950df67619f741f |
C:\Windows\system\UwMgqTI.exe
| MD5 | e47ec0e0becb6b6a64754282ea7171ab |
| SHA1 | a9beaa2b5769c11714795a3d2a459dd38ec41ec0 |
| SHA256 | 2e15b0ddcc39bf3d5cca90918c75e65e9e2f59f427b0b70f69a3365eb9c74eb6 |
| SHA512 | 503d53650fcc900b9ce30a986e139d34e420d2eeedd673c97ba47ab637da8806fc4fca412f85a73c0ea38635e7575000061146cca4f02fc8e9d250e4bde227da |
memory/2504-71-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2192-81-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2988-86-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\NQAkhAM.exe
| MD5 | 4144caf6ae823072b2c3406ff9f8d402 |
| SHA1 | 4390d7bbd7b923e95705ef4df1c5220f39f968ce |
| SHA256 | 3dbfa13c619f6be6be124f0079f9edc5be235c2d64c4058f8b7d65dba09580b7 |
| SHA512 | 0cc8c9f12849ea0aca56bc5243bf045ab4839173ea222755ffc9fba733248105bf647b12fd597d9cf7c3b0aa544f7394cb53680c99cf861c32ea3fa15947e9a4 |
C:\Windows\system\uzMFuFU.exe
| MD5 | ae59852c74b030b43b911390a37ea5c0 |
| SHA1 | 7d5c151de3b4e143298982d72db9fa7321e09426 |
| SHA256 | 7ca02e29756c5e23061bbecd46b5ba7e883f65e7f76d5466db3e52eae8dc029a |
| SHA512 | 0812acbc7a31218ac3f911bb2200c6a745174a1b5bfb258c4d7219ea3a85f9e57eb37cb0f49515c9b238f22dd0e040be3ae938db20ff10ee82b879c23e896dea |
C:\Windows\system\JyUrpSg.exe
| MD5 | 74df90baa3281959efb7f229b1d98df5 |
| SHA1 | 15a299c26ad11f8125953a55fc6ff5d9a3177309 |
| SHA256 | 59e8997561f822e502f5960d45c13ce36eaacbe0030fc2574b3fcbffcd554e06 |
| SHA512 | f1c3ab10e9f91767560711f53ef14b74bfa643cdcb0b2b004607099471befcebf57958cb17082b255ba82115b0078fcbcb065b86d1cb77334b6e4443dc1c54cd |
C:\Windows\system\KjoTmaY.exe
| MD5 | ccd445465e31404dd634e231e4d772b2 |
| SHA1 | 87c34a1e2e4e735ed170ac6cac38cc199b129229 |
| SHA256 | 98a36ab6852d7f6309bdd5d1b65a7b9cbebf47bffa60043c7677815facdf967f |
| SHA512 | 61073b0f76234e9d117ab98bd3a9a2de034dd5949ac0c86e7e1d64635dbee6db239f38870f0ee3fa1580cdaafdee406f5081f99b3889db2734a2d1b131c6f909 |
C:\Windows\system\HyNCNPP.exe
| MD5 | d97113c312dc45e47163a5bc6af2a2db |
| SHA1 | 99563b14cc61b25c6bb421df08ba493b1c664c28 |
| SHA256 | 23f2926260d67d6edd4d67915d1618fb0cb37349f7feacef7244cfc5005ff910 |
| SHA512 | 4aed344debd1dba00c86caa7cd2a3c771ebb0c5f80f53e9b7852617182b08c985f47232879cc2be853a63141ac93ccbf6e3310cc2a5c78f865d4bd83f57f7d43 |
memory/2712-109-0x000000013F910000-0x000000013FC64000-memory.dmp
C:\Windows\system\iybKgZg.exe
| MD5 | 758a9e7656db1b21c8cfe5b98cf47074 |
| SHA1 | 2d909f13e3c997d569fce3c343a0ed985fd31f29 |
| SHA256 | 0704657022a44fb56abe9a5d442fec6ca6b792b39ca90a91995ddd330f2b5378 |
| SHA512 | 47c41149f282a22a0f80b1f634a7c4d534a30fc9ee8d19aed92dd7acb1190b9e58bacde54b6e4b18e80d72a051cfdb8d4f9978f65f6c8e0b80fc02dc47c4beef |
memory/2392-114-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2808-102-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2776-139-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2392-101-0x0000000002310000-0x0000000002664000-memory.dmp
C:\Windows\system\lbPFAiC.exe
| MD5 | e946bd367e16384c6de2c1bd02f4bad1 |
| SHA1 | 7784a1dd95e1c4c72b9a916a7b5d22d44313f059 |
| SHA256 | 2e774dc15b8f1b8736a3e3d33a96e288077db2efd6ef9ad098cc66e0ba9e62eb |
| SHA512 | 1fecbdccc8c9aaa7acb28d269e6cd66c77b816886bc457723569d9987f16f787e01b51543e3bf78a59b35678ba4d931a37a489d26fd980b36dd3bf41ac1167aa |
C:\Windows\system\imcgoWi.exe
| MD5 | b1898123e3b92a3dbdebce4684fe610f |
| SHA1 | 98592dec2fb1362124147c4d4f3b49f041b42745 |
| SHA256 | 4c233c981842a86bb52fce662a4f94f4a0ef5abacfaee95f113b604a6daf3df8 |
| SHA512 | 38ff8b2582011b8cd5d823a9181783551bd90158e5600c387a6cd1e99a7e897cda72dccc93e568f5f26c5e4913356f4943b5b7d97ce2fc5c1a062234ff0418eb |
memory/2756-95-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2392-94-0x0000000002310000-0x0000000002664000-memory.dmp
C:\Windows\system\JfUjjzr.exe
| MD5 | 4651a43eb1eb9380bac1418baa01678d |
| SHA1 | af5a02d85ecf2cea5d9cf2d2e7377658fb821069 |
| SHA256 | f21ff1476f39cae0ff4e5ef70a10d582224a08a1a7f5c24079d6061db8224cf7 |
| SHA512 | 232c50526c02e132ca61aa01af5d82b3f4d59bbbd356213a048d237a85c97c6915ce45426041d6a1cc279988cba6b169aaf4cad998dad6033263fc3db5ee7522 |
memory/2392-85-0x0000000002310000-0x0000000002664000-memory.dmp
C:\Windows\system\HRTWnde.exe
| MD5 | 0277b5ee4824705c1324e81f67ffedf6 |
| SHA1 | 4a6faeafea979263452a301d2c76fef7ba599053 |
| SHA256 | a78d9493c80048c3e5c47b0454c9d9d4b5a54e5e37a01d5325a8b467213a230d |
| SHA512 | cb959b92ec98c2de8e53be815ce0dd3f60ffb24e97af9589b501a1f0a962dc2cd1ec5991d13fba93c33a145a1394c9d0fddbe7169de5c3eb6fd34dbd8495c98f |
memory/2392-80-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2584-79-0x000000013FAB0000-0x000000013FE04000-memory.dmp
C:\Windows\system\UYiVmDc.exe
| MD5 | b4ec5771973072c0803c38a82f98fe5e |
| SHA1 | a9fbe9934f07b517419356b3dc8c84f2b20ff6ae |
| SHA256 | 6bce01db8b365501622e07a6a585bf69ea474fbc4445bfebff6511d7339a7acd |
| SHA512 | 855f30f2cf19477d7f0dcc8fd8201f66fc76c6bf97e84285546ee2ed8f648a9693cb8b5c39cbf8611df7e45845acd1609bd57a0543dce29aa360caa89846b14a |
memory/2152-70-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2624-65-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2392-64-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2836-58-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2392-57-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2392-63-0x000000013FB60000-0x000000013FEB4000-memory.dmp
C:\Windows\system\bZomZVC.exe
| MD5 | 333e7b59a3c080899c25642bbeca5dec |
| SHA1 | b3d7ad59cddcdda23df1bb05c0a98fe41d93698f |
| SHA256 | 278416471684c414c6199e6b52bd165ed2e38c9ea9ce70ad867399d8c65f252f |
| SHA512 | 452583f01e9b95f25c38388f40f8dd49526ac2a112f1212d01c9eadd0eba3e52ce1f4846785a003471709cbf4e9b80a29ca2a943143d686ee16a06a2d787b63f |
memory/2680-51-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2392-50-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2776-43-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2632-42-0x000000013FB70000-0x000000013FEC4000-memory.dmp
C:\Windows\system\zKyrkmV.exe
| MD5 | 34a6004bda27c2999eec9f1437b21036 |
| SHA1 | 83abd51ff4141ea55aa46e9cf935dc53e4877534 |
| SHA256 | 8c4012f5413ffc6a571e903a5dbbdc000b805d5fab43cdee0835493816dade10 |
| SHA512 | cb04a47b97fb3c187f0eb3faf570b6b8c380b8d31714075eb35256fe0f731fed6d2cc6a7ace15b6a14af553868cd864e629000ca879ef68f67e8488a340162cd |
C:\Windows\system\eJVFrKx.exe
| MD5 | a5070c5ea9718a2f6e768845ad48a760 |
| SHA1 | c0d0fd76628d30eb543e20f16b3e048c9d5f19ca |
| SHA256 | 021fc64d3794c27d57f30e2ecde52b23d55448e8e8774912698cf82a24dda911 |
| SHA512 | 817971aeda75a1b26655ca8bf7b2948a2d375acb2a3499932e4cdfb8d1bde553bf428201d4d84a7d816fe96faea73cf77233f01ac648fdf6276b61cc7707cb3e |
memory/2712-36-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2392-35-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2392-34-0x0000000002310000-0x0000000002664000-memory.dmp
C:\Windows\system\GwTnymd.exe
| MD5 | 6d0ca8f274113e124ab721c313ad5460 |
| SHA1 | df92becbe918c826c48c0fde3f0f1ea517999b0f |
| SHA256 | 6bf920929a8e3563b099090969e015508f9273f6fd3a51da407eabbbc577f310 |
| SHA512 | e3ca084a1685b071272e5ab07de7325a9d0ec4fc6dff193767a32f52fa0696b18fe955155dc2df7ea3d9431e59d06867a9502e90a04f9d7ceedb4c22bd5cf66b |
memory/2584-25-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2392-21-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2624-140-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2152-14-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1936-13-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2392-8-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2392-141-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2504-142-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2392-143-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2988-144-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1936-145-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2152-146-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2584-147-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2712-148-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2680-150-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2632-149-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2836-152-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2776-151-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2624-153-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2504-154-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2192-155-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2988-156-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2756-157-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2808-158-0x000000013F940000-0x000000013FC94000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 09:23
Reported
2024-06-08 09:26
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bcIoBfw.exe | N/A |
| N/A | N/A | C:\Windows\System\JtqREbF.exe | N/A |
| N/A | N/A | C:\Windows\System\PRlcgCr.exe | N/A |
| N/A | N/A | C:\Windows\System\dYdrawY.exe | N/A |
| N/A | N/A | C:\Windows\System\XKiDroH.exe | N/A |
| N/A | N/A | C:\Windows\System\JShmXEi.exe | N/A |
| N/A | N/A | C:\Windows\System\JlWVhuS.exe | N/A |
| N/A | N/A | C:\Windows\System\NavLHGS.exe | N/A |
| N/A | N/A | C:\Windows\System\aDFwzHz.exe | N/A |
| N/A | N/A | C:\Windows\System\YqNEtwu.exe | N/A |
| N/A | N/A | C:\Windows\System\kbHPPwt.exe | N/A |
| N/A | N/A | C:\Windows\System\ykpjTtU.exe | N/A |
| N/A | N/A | C:\Windows\System\tltOkuM.exe | N/A |
| N/A | N/A | C:\Windows\System\QnWnfYL.exe | N/A |
| N/A | N/A | C:\Windows\System\NMxYyYV.exe | N/A |
| N/A | N/A | C:\Windows\System\dRnEByc.exe | N/A |
| N/A | N/A | C:\Windows\System\nTfUBaz.exe | N/A |
| N/A | N/A | C:\Windows\System\FgMFCUj.exe | N/A |
| N/A | N/A | C:\Windows\System\PBGmWxv.exe | N/A |
| N/A | N/A | C:\Windows\System\oJxGGgu.exe | N/A |
| N/A | N/A | C:\Windows\System\hfDQSIy.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\bcIoBfw.exe | C:\Windows\System\bcIoBfw.exe |
| C:\Windows\System\JtqREbF.exe | C:\Windows\System\JtqREbF.exe |
| C:\Windows\System\PRlcgCr.exe | C:\Windows\System\PRlcgCr.exe |
| C:\Windows\System\dYdrawY.exe | C:\Windows\System\dYdrawY.exe |
| C:\Windows\System\XKiDroH.exe | C:\Windows\System\XKiDroH.exe |
| C:\Windows\System\JShmXEi.exe | C:\Windows\System\JShmXEi.exe |
| C:\Windows\System\JlWVhuS.exe | C:\Windows\System\JlWVhuS.exe |
| C:\Windows\System\NavLHGS.exe | C:\Windows\System\NavLHGS.exe |
| C:\Windows\System\aDFwzHz.exe | C:\Windows\System\aDFwzHz.exe |
| C:\Windows\System\YqNEtwu.exe | C:\Windows\System\YqNEtwu.exe |
| C:\Windows\System\kbHPPwt.exe | C:\Windows\System\kbHPPwt.exe |
| C:\Windows\System\ykpjTtU.exe | C:\Windows\System\ykpjTtU.exe |
| C:\Windows\System\tltOkuM.exe | C:\Windows\System\tltOkuM.exe |
| C:\Windows\System\QnWnfYL.exe | C:\Windows\System\QnWnfYL.exe |
| C:\Windows\System\NMxYyYV.exe | C:\Windows\System\NMxYyYV.exe |
| C:\Windows\System\dRnEByc.exe | C:\Windows\System\dRnEByc.exe |
| C:\Windows\System\nTfUBaz.exe | C:\Windows\System\nTfUBaz.exe |
| C:\Windows\System\FgMFCUj.exe | C:\Windows\System\FgMFCUj.exe |
| C:\Windows\System\PBGmWxv.exe | C:\Windows\System\PBGmWxv.exe |
| C:\Windows\System\oJxGGgu.exe | C:\Windows\System\oJxGGgu.exe |
| C:\Windows\System\hfDQSIy.exe | C:\Windows\System\hfDQSIy.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1848-0-0x00007FF632310000-0x00007FF632664000-memory.dmp
memory/1848-1-0x0000018BAA7A0000-0x0000018BAA7B0000-memory.dmp
C:\Windows\System\bcIoBfw.exe
| MD5 | fe601c9b551dd1e954abb41b4f0c7347 |
| SHA1 | d4866ce79ea9b04dc43d343a69af3aff8211b02d |
| SHA256 | 8f815c9282fb988639b65c0dcaf6a1be28cf642302d892506fe85a842b6bb8af |
| SHA512 | 2c9b1bf3942f5cf2d54b677f4ee0bc8387940f5e80efd92067627b29c78b0a05ad9482227c1728bcbc537c7f386aeced2543cf444b26f97aac16d0227e12c3de |
memory/4980-8-0x00007FF7FC090000-0x00007FF7FC3E4000-memory.dmp
C:\Windows\System\JtqREbF.exe
| MD5 | 3e2f9ad6487f3683ecb116188980c80c |
| SHA1 | 14dcf0e1932ef45301f15ab5487503b5bdd6852f |
| SHA256 | 0f5b2f4f62c1022ec9716a05337b6c5842665d20ca2db4b0c4c231a987919d2a |
| SHA512 | e109043c1b41f13d60abfe9c5dcfde8f7631187b6aa23af8e9fb5d954a9d506c2c99ae36ba32fa397f32c283d69d1f85b8865513056ec35f8aad88e41e6c0195 |
memory/4188-14-0x00007FF73BBC0000-0x00007FF73BF14000-memory.dmp
C:\Windows\System\PRlcgCr.exe
| MD5 | d076d48ffff2bdda59725b628e3fa7c4 |
| SHA1 | 58532032a054f28c68f50cd7bd4632ea098a45a8 |
| SHA256 | bd3084fd6dd17da33f7f6829a42d629364da7b228e868137dd9e8972849fea68 |
| SHA512 | ddf70871cbc7de8d097011c50d35790cffc923c8a05d61732aad3f1df8e5116057022f4148fef5111e5ca6660945e2eddadb6246a703d6775dd2265b081a63c2 |
C:\Windows\System\dYdrawY.exe
| MD5 | dc0494be5d22ca92710ca2d0db65e64b |
| SHA1 | 1b2015955d2b775ef2e41f4c32f0cac58ed9f2dd |
| SHA256 | 1f505cc752e7111767458e11f7dd667077d395bb5d915c346cf04cf5070d2f25 |
| SHA512 | e39b31e91dad3e055041506394be9644434df5449906c1b7ddae860d7d9214e9bd12f02279b737e4ccbb46640aad4b79ff03a301fb7b150380f1429a0089a7e9 |
memory/2996-20-0x00007FF7B34E0000-0x00007FF7B3834000-memory.dmp
memory/2576-24-0x00007FF6F9200000-0x00007FF6F9554000-memory.dmp
C:\Windows\System\XKiDroH.exe
| MD5 | a62572f117a58c5c985eb4e6aa51f353 |
| SHA1 | ca0587dfb604faa37f27e76f100685c7308659cb |
| SHA256 | be66662aaaa4aac240dee235190fef5fc73401615edad15ba63980116e893a3f |
| SHA512 | c57f3a60cb0cab2caae2766751c3e89e6e6b343c969561904082884c60d43a07c826290feeb028fd38a2fe37c87c8b411bd8e7cad95c8dc6e913dfce6165b643 |
C:\Windows\System\JShmXEi.exe
| MD5 | 0e71746aa2d3cc36adb6a66cc8f181aa |
| SHA1 | dd4bead81b87103db255b1f46f7e79288b41490b |
| SHA256 | 2aa94cc5353ec0679df56a6a01733605fe7356b7dff66f75eacbee4cb4f729ad |
| SHA512 | 5dcda1e40fa6c85ec4c550ddf0e628f8b6908f3cebd4500416cd99b34fe0fd82ce80f4b4761ed8bc1b7655c3db188fc33fd5257d5538ef4aef1024f6411ab86d |
C:\Windows\System\JlWVhuS.exe
| MD5 | 50d0dc79fe86a84feb7d7b600bba5064 |
| SHA1 | 5eeeb85b1df359d3f0d77b9188d1f1e0154431e7 |
| SHA256 | c141b5ae613dc38d647133605475345ebb6ec74baceae94bec25bc05c4972793 |
| SHA512 | 722afdac8ee0b30c6ddcd6a8f7ef4c686b6bacb723ace0a9e881d24c8451fdd0226558e7347e72e2b44dbb64bf33e118ef28950983d63fff1e6e335eea297d84 |
memory/2872-44-0x00007FF621280000-0x00007FF6215D4000-memory.dmp
memory/1412-36-0x00007FF781E80000-0x00007FF7821D4000-memory.dmp
memory/3004-29-0x00007FF7AC3B0000-0x00007FF7AC704000-memory.dmp
C:\Windows\System\NavLHGS.exe
| MD5 | 973b774de24d0805dd8b657e64f1119a |
| SHA1 | fb1d66b6f121a753c70f3d91587ae332bf5b69b3 |
| SHA256 | 84f1fe938e9662d6591a68dc23eac07db14271dc5c2dc5c60c6299c1ee7271e9 |
| SHA512 | fb3f4330dbc3e1fc3d5ac6a138a769c6511212d7d3c1f5d7092cefa401680f187c98b0d856bfbdc4090b39c82eacfc20420937297c321919e992d8b2c94a187e |
memory/2948-50-0x00007FF717F50000-0x00007FF7182A4000-memory.dmp
C:\Windows\System\aDFwzHz.exe
| MD5 | 9f1152c923b412604214df01d30290ea |
| SHA1 | 62f4e6df7f3d9e97911cbdfaa2b7445564074e3a |
| SHA256 | d8cae2a3eb5bd4063aaaf2cef21546604cc039db40207dbe535cbb9b410c91ab |
| SHA512 | 0fc3620a094cfc289ad60d244dcb251db03a9d74d0837611578a7f547aafbdbde1c4e59fab4adcbf490f24dd054ab11bf7267aba9f57567d6c475f8898836c75 |
C:\Windows\System\YqNEtwu.exe
| MD5 | 30399492166c3a762399d7c097a6b519 |
| SHA1 | 1f4fb48717ff7c708b9b7cb440ebe371264fd696 |
| SHA256 | e901289a69da6480d405bdaa7ad06decc5c8eb3ec687a1b2baca26461a92ca3a |
| SHA512 | 6d02fef56bb1fa9d7ad3341f8e43a9a0543ebe25ebba4fb934bea240e538ade5ed5ad3df92c035a18f58fd955eb4b3ef45e027343658ac214f0084eeb63c33bc |
memory/1848-64-0x00007FF632310000-0x00007FF632664000-memory.dmp
memory/4980-67-0x00007FF7FC090000-0x00007FF7FC3E4000-memory.dmp
C:\Windows\System\ykpjTtU.exe
| MD5 | 343edb5ad666e8de232d603008e43b92 |
| SHA1 | b0544df9a84e521ba31ccd7a84a5b770170f9593 |
| SHA256 | cd09d5602018485c1927a5c279136498c8499888f51451caa960fe2aaeb4fffa |
| SHA512 | 60b06e69b2169c05acbe95af3a28a3ab114517fa23047e1caad805e5d3c7354eb83b9a29c4d488c6cc7c1015f5b347b78ff52d9e4275c34be554c89f197c9ffb |
C:\Windows\System\tltOkuM.exe
| MD5 | 7fd35bfd958b412fc6f987c4aa557c16 |
| SHA1 | acee60e0f0bb9d2617ddfce6b5b8dfa1456d2a4d |
| SHA256 | ecb3d5f784cbc73c5c01bdaeb02078e25894b899c9e7d126b0d0cc58cec8495c |
| SHA512 | a994079db76788189ff76199ceff92aa172e7a8da1cf4c6894a9fea55f09d11465cb62abe1406bd3bf90f744fbf1a72fbc4601a2147ea5e970614310f5866484 |
C:\Windows\System\QnWnfYL.exe
| MD5 | ae152fccf51b711cea4a9334934b9b88 |
| SHA1 | 38b3c2306d0d80c27543a10934dad9bebb29b7d6 |
| SHA256 | fa5b956bbc2a5ec14e1448b74cc8bcc26787bd70b286f37b7b165e2591cdd4f5 |
| SHA512 | bfae8b7fc0ee6c6e8f29dfea58da7acd0d9162289852f205adf965423cb94243b40a2eead16c18350c561523d272e713f4c50c159c66103dcb5878238020f711 |
C:\Windows\System\FgMFCUj.exe
| MD5 | ad6e52eaad271b58317deb6f1228eedf |
| SHA1 | 2632fedd69c70ef26afb517c42dfa1c7085a895d |
| SHA256 | a9d085805179b71f4f3fa346c102ad1052e217112a479cc95b31ae3ec4304932 |
| SHA512 | 86ae01fe7b80de057e1dec8a6c2295e31600e79e4ac66cbbf0ffb70ecb2f0dbff916e3177011e90b8b72ff3c693d519453a44a5cdbf00532d0af8436fd3c3a31 |
C:\Windows\System\PBGmWxv.exe
| MD5 | d4a60d9c4ab3c4d6c8d4517fb55d5187 |
| SHA1 | c2f047e700b2a8236f18ad8aa377e54d1e24b9b9 |
| SHA256 | 9802d32a7ce95ac614b1ecd1a07d4bd0ab67d6f512e36ed347063f0901dc5ba3 |
| SHA512 | 5cfee2b25d31c624afce33f67011b5fe787e74ac2a52e973ec553b1c5e950ad7e4635428913547bb74702847f096cd797fe78d75fed82fdb245395d47538cc8d |
C:\Windows\System\hfDQSIy.exe
| MD5 | 66ab5bfbbf3afb7f1daa17ce0581daa8 |
| SHA1 | ac993d75fd4e6e50887f6dba65dfe6ab5916b122 |
| SHA256 | 0e6984d0000411444fff2e2f72250212e7684e2061217288cee6ba1df91e0da7 |
| SHA512 | 75da79bb532bc7d32eb29c4b6164ae1463ee5f092247707ac7c7cd038d91b2e9312c3da066a2affaee78273f97fe27ac002258e6b8e3e8a64d6913d778bb2101 |
C:\Windows\System\oJxGGgu.exe
| MD5 | eb722647d69de306657ab17b2f37c6c2 |
| SHA1 | 3baf6603c9b2917b39f1a3e04aa2b1e0e4202c97 |
| SHA256 | 5f8e14284244658f478e38a17e3a96929ffcba6ce1b0795b6d72b6a67d1ace66 |
| SHA512 | c89e472494f034600b1ee7ecbd362d9ef451540d21e863e37af1b1b04e7bbd369620d4855c37a82a294d8a081ef4f9b5c275a31d37c5e86ac98f0b260b4db068 |
C:\Windows\System\nTfUBaz.exe
| MD5 | e2f35c4fdf43c9dbd6f4b7698e81f68b |
| SHA1 | fe3a8848aa888595cf6db6de6908fd0d84973b87 |
| SHA256 | ff9368c134a676316554dd7f80daa2e79d6490b52886c99ef1bc38182e208870 |
| SHA512 | ec5d964058212c9c50a2b95a985381b3fd1803ee14af20f90dae981c7507a0bbc631ca76dfbed2ada4ae32b02424db2a90c38070815af672b6905648714f0af1 |
C:\Windows\System\dRnEByc.exe
| MD5 | 3e616c3c46e6ad446af9626448726b37 |
| SHA1 | fa0566c5e1b471a5c4ed6043e028fbdccb194565 |
| SHA256 | 167ff2568435e6f8daaf5aa3cddf07fab8e5c878ad0487e1eb2c6f65f7004487 |
| SHA512 | f8196949de4dfb1c2cb38d67b1fb0567c458ba51022c95047d9d709bfb3ee8bb6108e8381969829d7b8a156af12f0d38c1762f8932ee2948636b9316b6910547 |
C:\Windows\System\NMxYyYV.exe
| MD5 | 083dd11909a769285b223e1e0c92378f |
| SHA1 | 619a404a97a62fa1fde6755b84157400876f80f0 |
| SHA256 | 564f852ba0c81b7948345a5c2066d85d80f07ab110ac97eef1c4c09e50bb99a2 |
| SHA512 | f3c3853fe64ee414b860ece1e77450b943f0b655858f238f70559569d15c7a64d47926c77146bb05243d8bd52c93d814ffda484aebf9cad93234d1c8e217ea03 |
C:\Windows\System\kbHPPwt.exe
| MD5 | 9cf705b331fe1776f63456eb746b05e1 |
| SHA1 | 7693ff91c7aafc851406b1f0e4a6adcb0273fa9c |
| SHA256 | 323b69ea8b4e3a4037c4d93f5454de9cb6e68737a557f2a287e596cad865d209 |
| SHA512 | a073f1b8173deb4bfa690850adb4a21e005bb2e2da579a425e4e59160ada5f8d8559c2eafc6185eeab4f08a045c9bb673638b526de0795377c4c7c5e8b748d69 |
memory/4808-66-0x00007FF6463F0000-0x00007FF646744000-memory.dmp
memory/5112-62-0x00007FF7CB910000-0x00007FF7CBC64000-memory.dmp
memory/952-119-0x00007FF6742E0000-0x00007FF674634000-memory.dmp
memory/2896-120-0x00007FF7AE3B0000-0x00007FF7AE704000-memory.dmp
memory/1580-121-0x00007FF72ACF0000-0x00007FF72B044000-memory.dmp
memory/2660-123-0x00007FF633410000-0x00007FF633764000-memory.dmp
memory/860-122-0x00007FF76E980000-0x00007FF76ECD4000-memory.dmp
memory/2024-124-0x00007FF600A70000-0x00007FF600DC4000-memory.dmp
memory/224-125-0x00007FF682610000-0x00007FF682964000-memory.dmp
memory/4660-126-0x00007FF6285C0000-0x00007FF628914000-memory.dmp
memory/4380-127-0x00007FF71A4C0000-0x00007FF71A814000-memory.dmp
memory/5068-129-0x00007FF6ABA70000-0x00007FF6ABDC4000-memory.dmp
memory/4188-130-0x00007FF73BBC0000-0x00007FF73BF14000-memory.dmp
memory/4708-128-0x00007FF697B70000-0x00007FF697EC4000-memory.dmp
memory/2996-131-0x00007FF7B34E0000-0x00007FF7B3834000-memory.dmp
memory/2576-132-0x00007FF6F9200000-0x00007FF6F9554000-memory.dmp
memory/3004-133-0x00007FF7AC3B0000-0x00007FF7AC704000-memory.dmp
memory/1412-134-0x00007FF781E80000-0x00007FF7821D4000-memory.dmp
memory/4980-135-0x00007FF7FC090000-0x00007FF7FC3E4000-memory.dmp
memory/4188-136-0x00007FF73BBC0000-0x00007FF73BF14000-memory.dmp
memory/2996-137-0x00007FF7B34E0000-0x00007FF7B3834000-memory.dmp
memory/2576-138-0x00007FF6F9200000-0x00007FF6F9554000-memory.dmp
memory/3004-139-0x00007FF7AC3B0000-0x00007FF7AC704000-memory.dmp
memory/2872-141-0x00007FF621280000-0x00007FF6215D4000-memory.dmp
memory/1412-140-0x00007FF781E80000-0x00007FF7821D4000-memory.dmp
memory/2948-142-0x00007FF717F50000-0x00007FF7182A4000-memory.dmp
memory/5112-143-0x00007FF7CB910000-0x00007FF7CBC64000-memory.dmp
memory/4808-144-0x00007FF6463F0000-0x00007FF646744000-memory.dmp
memory/5068-145-0x00007FF6ABA70000-0x00007FF6ABDC4000-memory.dmp
memory/952-146-0x00007FF6742E0000-0x00007FF674634000-memory.dmp
memory/2896-147-0x00007FF7AE3B0000-0x00007FF7AE704000-memory.dmp
memory/860-149-0x00007FF76E980000-0x00007FF76ECD4000-memory.dmp
memory/2024-151-0x00007FF600A70000-0x00007FF600DC4000-memory.dmp
memory/1580-150-0x00007FF72ACF0000-0x00007FF72B044000-memory.dmp
memory/2660-148-0x00007FF633410000-0x00007FF633764000-memory.dmp
memory/4708-152-0x00007FF697B70000-0x00007FF697EC4000-memory.dmp
memory/4660-153-0x00007FF6285C0000-0x00007FF628914000-memory.dmp
memory/224-154-0x00007FF682610000-0x00007FF682964000-memory.dmp
memory/4380-155-0x00007FF71A4C0000-0x00007FF71A814000-memory.dmp
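The Files section above lists every dropped binary by hash and every memory dump by PID and address range, and the Network table records repeated TCP connections to 3.120.209.58:8080 next to the sandbox's own PTR lookups through 8.8.8.8. The following is an added example and not part of the sandbox report: it parses those two sections in the report's own line formats into a machine-usable IOC set, drops the resolver noise, and computes the size of each dumped region, which shows that every dropped process mapped an image of the same size (0x354000 bytes) even though the file hashes all differ. The embedded text blocks are constructed subsets copied from this report; the seven-letter naming regex and the decision to ignore 8.8.8.8:53 are assumptions made for this example.

```python
"""Rebuild machine-usable IOCs from this report's Files and Network sections.

Added triage example, not sandbox output or API code. The two text blocks
below are constructed subsets copied from the report; the regexes assume the
report's own line formats (memory/PID-N-0xSTART-0xEND-memory.dmp,
'| SHA256 | hex |' rows and '| CC | ip:port | domain | proto |' rows).
"""
import re
from collections import Counter, defaultdict

# Constructed subset of the Files section (paths, SHA256 rows, memory dumps).
FILES_SECTION = r"""
memory/1848-0-0x00007FF632310000-0x00007FF632664000-memory.dmp
memory/1848-1-0x0000018BAA7A0000-0x0000018BAA7B0000-memory.dmp
C:\Windows\System\bcIoBfw.exe
| SHA256 | 8f815c9282fb988639b65c0dcaf6a1be28cf642302d892506fe85a842b6bb8af |
memory/4980-8-0x00007FF7FC090000-0x00007FF7FC3E4000-memory.dmp
C:\Windows\System\JtqREbF.exe
| SHA256 | 0f5b2f4f62c1022ec9716a05337b6c5842665d20ca2db4b0c4c231a987919d2a |
memory/4188-14-0x00007FF73BBC0000-0x00007FF73BF14000-memory.dmp
C:\Windows\System\PRlcgCr.exe
| SHA256 | bd3084fd6dd17da33f7f6829a42d629364da7b228e868137dd9e8972849fea68 |
"""

# Constructed subset of the Network table, kept in the report's raw layout,
# where rows without a domain carry the protocol in the Domain column.
NETWORK_SECTION = """
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# Assumed naming pattern of the dropped binaries: seven letters under C:\Windows\System.
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_files(text):
    """Return ({path: {algo: hash}}, {pid: [(index, start, size)]})."""
    dropped, regions, current = {}, defaultdict(list), None
    for line in text.strip().splitlines():
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions[int(m[1])].append((int(m[2]), start, end - start))
            current = None
            continue
        if line.startswith("C:\\"):
            current = line          # hash rows that follow belong to this path
            dropped[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            dropped[current][m[1]] = m[2].lower()
    return dropped, dict(regions)


def network_destinations(text, resolver="8.8.8.8:53"):
    """Count (destination, proto) pairs, ignoring the sandbox's PTR lookups."""
    counts = Counter()
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[2] in ("tcp", "udp"):  # shifted raw row
            cells = cells[:2] + ["", cells[2]]
        if len(cells) != 4 or cells[1] == resolver:
            continue
        counts[(cells[1], cells[3])] += 1
    return counts


def image_sizes(regions, floor=0x100000):
    """Distinct sizes of the large dumped regions. A single value means every
    process mapped an image of the same size, whatever its file hash."""
    return {size for rs in regions.values() for _, _, size in rs if size >= floor}


def ioc_summary(files_text=FILES_SECTION, net_text=NETWORK_SECTION):
    dropped, regions = parse_files(files_text)
    return {
        "sha256": sorted(h["SHA256"] for h in dropped.values() if "SHA256" in h),
        "random_named": sorted(p for p in dropped if DROP_RE.match(p)),
        "image_sizes": image_sizes(regions),
        "destinations": network_destinations(net_text),
    }


if __name__ == "__main__":
    for key, value in ioc_summary().items():
        print(key, value)
```

Run it as-is to print the summary for the embedded subset, or pass the full Files and Network sections of a report to `ioc_summary` to get the complete hash list and connection counts. The shifted-column handling in `network_destinations` exists because, in the raw table, rows without a resolved domain place the protocol in the Domain cell.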