Analysis Overview
SHA256
a92b581c614e7c5ab32dcece872208efda7708e7b2357f182e5c3610c95c5c95
Threat Level: Known bad
The file 2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 12:26
Signatures
Cobalt Strike reflective loader
1 match; description, indicator, process and target are all N/A.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; description, indicator, process and target are all N/A.
UPX dump on OEP (original entry point)
1 match; description, indicator, process and target are all N/A.
XMRig Miner payload
1 match; description, indicator, process and target are all N/A.
Xmrig family
UPX packed file
1 match; description, indicator, process and target are all N/A.
Unsigned PE
1 match; description, indicator, process and target are all N/A.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 12:26
Reported
2024-06-08 12:29
Platform
win7-20240508-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target are all N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target are all N/A.
UPX dump on OEP (original entry point)
58 matches; description, indicator, process and target are all N/A.
XMRig Miner payload
63 matches; description, indicator, process and target are all N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\iNCzGSC.exe | N/A |
| N/A | N/A | C:\Windows\System\yFnvZBn.exe | N/A |
| N/A | N/A | C:\Windows\System\jZRFwEU.exe | N/A |
| N/A | N/A | C:\Windows\System\tdQgUIX.exe | N/A |
| N/A | N/A | C:\Windows\System\WzIlBQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\aRNCLmh.exe | N/A |
| N/A | N/A | C:\Windows\System\jhPqurN.exe | N/A |
| N/A | N/A | C:\Windows\System\ifvuHeS.exe | N/A |
| N/A | N/A | C:\Windows\System\NAaZSnm.exe | N/A |
| N/A | N/A | C:\Windows\System\pelcpiD.exe | N/A |
| N/A | N/A | C:\Windows\System\rHnUquP.exe | N/A |
| N/A | N/A | C:\Windows\System\dhdrFkn.exe | N/A |
| N/A | N/A | C:\Windows\System\yQJFBVW.exe | N/A |
| N/A | N/A | C:\Windows\System\ugZzhKb.exe | N/A |
| N/A | N/A | C:\Windows\System\tSYCHQB.exe | N/A |
| N/A | N/A | C:\Windows\System\QwfcrpB.exe | N/A |
| N/A | N/A | C:\Windows\System\tbJhpLU.exe | N/A |
| N/A | N/A | C:\Windows\System\eeQkvkc.exe | N/A |
| N/A | N/A | C:\Windows\System\uCxxAos.exe | N/A |
| N/A | N/A | C:\Windows\System\IKzYbtG.exe | N/A |
| N/A | N/A | C:\Windows\System\LCYQVfN.exe | N/A |
Loads dropped DLL
UPX packed file
59 matches; description, indicator, process and target are all N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\iNCzGSC.exe
C:\Windows\System\iNCzGSC.exe
C:\Windows\System\yFnvZBn.exe
C:\Windows\System\yFnvZBn.exe
C:\Windows\System\jZRFwEU.exe
C:\Windows\System\jZRFwEU.exe
C:\Windows\System\tdQgUIX.exe
C:\Windows\System\tdQgUIX.exe
C:\Windows\System\WzIlBQJ.exe
C:\Windows\System\WzIlBQJ.exe
C:\Windows\System\aRNCLmh.exe
C:\Windows\System\aRNCLmh.exe
C:\Windows\System\jhPqurN.exe
C:\Windows\System\jhPqurN.exe
C:\Windows\System\ifvuHeS.exe
C:\Windows\System\ifvuHeS.exe
C:\Windows\System\NAaZSnm.exe
C:\Windows\System\NAaZSnm.exe
C:\Windows\System\pelcpiD.exe
C:\Windows\System\pelcpiD.exe
C:\Windows\System\rHnUquP.exe
C:\Windows\System\rHnUquP.exe
C:\Windows\System\dhdrFkn.exe
C:\Windows\System\dhdrFkn.exe
C:\Windows\System\yQJFBVW.exe
C:\Windows\System\yQJFBVW.exe
C:\Windows\System\ugZzhKb.exe
C:\Windows\System\ugZzhKb.exe
C:\Windows\System\tSYCHQB.exe
C:\Windows\System\tSYCHQB.exe
C:\Windows\System\QwfcrpB.exe
C:\Windows\System\QwfcrpB.exe
C:\Windows\System\tbJhpLU.exe
C:\Windows\System\tbJhpLU.exe
C:\Windows\System\eeQkvkc.exe
C:\Windows\System\eeQkvkc.exe
C:\Windows\System\uCxxAos.exe
C:\Windows\System\uCxxAos.exe
C:\Windows\System\IKzYbtG.exe
C:\Windows\System\IKzYbtG.exe
C:\Windows\System\LCYQVfN.exe
C:\Windows\System\LCYQVfN.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2972-0-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2972-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\iNCzGSC.exe
| MD5 | 90e69951485f0bb3c1bf4f949de6106d |
| SHA1 | db95e5a117cd7d818575604fa811ad9a36829a02 |
| SHA256 | 27a201766ece763dde900c442af719ff131fea401bd6f0bd364c80033a0bad37 |
| SHA512 | 4b68af358ae57fa592f8ff1a28c6f536177e3e76310a1917fe308330a638357f6c48ea1b1a65b33d535c85b015085a85232976d3ef1bcfd5d7881fb1dc9e42be |
C:\Windows\system\jZRFwEU.exe
| MD5 | 4ae083a6b4718985abd5dfdf40f7aad6 |
| SHA1 | 01997fabf7115bbc5b1245b8b8e0fbb956efac0e |
| SHA256 | d6400e5de4ec2c02d4b0645de28c87dc890eb3de96fb5f83cc250a4a28b52fbb |
| SHA512 | a74f8f37205374a5748fe478c6fda5bd514713c9ebdbc75cd1cfe2457a4c147b06ec62da4009bb80f7c0e31326c2e61bef6c0b9b3ac08295f339ed3de2a35bd1 |
C:\Windows\system\tdQgUIX.exe
| MD5 | c2f2cc5c541cfdbbb7775fab47ee3ec8 |
| SHA1 | 8a5bb7c9db9b3378ec0192708be582b7c73ca8c4 |
| SHA256 | 587028af1a24d1af37cdff6f53f5928f8c993d80e7c30d1b7b59a7d3fa34b15e |
| SHA512 | 38740ca3a786b57be4b93e55050906776eaa4b2950bf2c4978fab185a5fd3b9f2ede8e216ee94f595cfabdb1e40f7f6fd427642ec8b24e85851059a8bf9745c6 |
C:\Windows\system\ifvuHeS.exe
| MD5 | 9273ab9b4d9e65d031e05dc4c6270794 |
| SHA1 | 0b83e1bd74b0e20f90ebe4b7a3e4a267e13df0a4 |
| SHA256 | 7b9f92de44c4ee1d5e9231ba8e4bc15b396a4379e0b162e3ea1e4465b3bbccd5 |
| SHA512 | 8415761f36ef7c438406b28669e0069e5f567e2c97f81780ac0bcd579d522ceb3dbdb4675ee569a8c5a782e5bf1860ae591066302d44f520ed8ca5836d2f2d6a |
C:\Windows\system\rHnUquP.exe
| MD5 | 813990620918b10b69fc589ff6ce7cef |
| SHA1 | 7d6aa4cfb858fdd4873481186ecf7c22b33faa2c |
| SHA256 | 020d44a835754f30b493a4811c09d0fb498a8837f3101d8112013caa9f5d2d9e |
| SHA512 | 5ec283567e6debe9d99ec84804e8b48291a962af369fd07b2876625bcbe671ddb723abc09082804dc5d5b863dc6379a15d4107c352f68816717ab6344fa3a20c |
C:\Windows\system\tbJhpLU.exe
| MD5 | def8ecb7e32d64885cfd985f0e95653e |
| SHA1 | e627f417e194af756b56f020e83ffd9dc2078e8d |
| SHA256 | 34da9da346c303c75e21d39408fd1c112c27ed96452e43b64733b7a3d23301e4 |
| SHA512 | fec4d27994864d6410d1dfa7b40d65517f3e62cb8210784a84b9a0b497f5ea5cd38dc6fe57b5c51a88fb8bb240f97116c155eb58eadaf577946d76f1b7282a9a |
\Windows\system\LCYQVfN.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
C:\Windows\system\LCYQVfN.exe
| MD5 | 7f8a17e87204865cb8294f992f62a8b7 |
| SHA1 | 965d240fdcaff71315ed72fa19a6fb7bcd0cc41b |
| SHA256 | d2f6d40eee8aa5eeee364047b92c58e82120eddca6fa2b326a9430322de1d86a |
| SHA512 | e3007370624881b1cea1ef29a5575f7be06f05e38d2f7953b9be734b7627ef9829b6897833b5db61638ee69bd5e7c8c0e83d30482dc7ed493651dab40519ecb6 |
C:\Windows\system\IKzYbtG.exe
| MD5 | 68feab46483015e28152696c66456b6d |
| SHA1 | 6d26a93457378a77e89a0efd9e831e867aa98d23 |
| SHA256 | ab35a255a22ce36e9a21e0c6876cf779983f5b3f326f66228e7c464024bfd9ae |
| SHA512 | 131bdea08da06f581d491b9b0d22891b31365a580841627bdd2b50d802f142fa8d90cdfa8dfd2094bf5166931b577183267187d5433b482fe4f004bacfc37388 |
C:\Windows\system\uCxxAos.exe
| MD5 | 4c89a570703394d57f179e9d3b5b4259 |
| SHA1 | df94796a3dc473d9a617fbd524ff794ed2d00a11 |
| SHA256 | 12580a187336f0462bdbd08521ad01c5d3fa7a21a526bbe475e250d01fae0f90 |
| SHA512 | 9e12ef4a3effe39ab5098d65ef4cf25b71a461ec1e68c81263db12863061e797dd563f01cd9035a4c75309c54b8396949ee5a7ebca8c39d3d1ca447c9e7a8134 |
C:\Windows\system\eeQkvkc.exe
| MD5 | d2038aace393c2b9f8bcbdafb94cbd87 |
| SHA1 | fd600884a88cebac326a7e7913d0e0f9f6a83ebe |
| SHA256 | 9dcf7c6b26bcba96c9bd3a062979c43efe3a50e5409c7256faae119945ca2440 |
| SHA512 | 218ee4173d477d590b4d35eeb444cb47f199e5fb4fd2114a46b5d4a9acaae5df749050a64ed46b09bc6e62aa2d527dabbd8dc4c5dcfe68e37ebedfdccd88cf40 |
C:\Windows\system\QwfcrpB.exe
| MD5 | 4923a775c514f3ae0e09865704a76aa9 |
| SHA1 | fac0cec58bd3556095fbf0e402a5c2a46ed6f41c |
| SHA256 | d06e71a7242ab6b20e7ec280322c9d2e8c0dd1445fbd1628a3c5c5cd66930c85 |
| SHA512 | b6e03ba2f19f231ad0fc573579b9f74d1b09ecf94301bee5cb10099639f08bf588d6844a53aa68ea446ca35de8bd4299766175b0aa4cc66d53e22afc7fdb9f5e |
C:\Windows\system\tSYCHQB.exe
| MD5 | 5c1ace3cb22fd62e009f274f93254bac |
| SHA1 | f4e15bd75d5dfd9ce8919650512849d4e0ed41e7 |
| SHA256 | 2c70f77d3aeba4be2b64d1342a5ad9d822e4f70743ba03893d2cfeeac9496f23 |
| SHA512 | fec1f3bd0a3d1bb0ec1cbbb093c90ddc13afd3701d9693353edf4b5bc3e14c187849db896783e9378e3d8f4031062afb6b0b07cf171178100f19c1fea57c8213 |
memory/2972-93-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2100-99-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2928-103-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2728-107-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2972-112-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2972-114-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2584-113-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2516-111-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2632-110-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2972-109-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2772-108-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2768-106-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2972-105-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2788-104-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2972-102-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2936-101-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2720-100-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2972-98-0x00000000024B0000-0x0000000002804000-memory.dmp
memory/2612-97-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2972-96-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/1884-95-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2792-94-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\ugZzhKb.exe
| MD5 | 2fcd1ca99b353281ccdb294a4aa1fd61 |
| SHA1 | c557cd70f6a1a1d99755ddaa4525f6d471ac7aa3 |
| SHA256 | 2a2e633cbfc7a98b13520c5f43884d9826b4d1517852a2ce4f7e4da9e3635a50 |
| SHA512 | 55b05c37dce0b50fbd70ef67374cc1f6d65d1ee5b2189a2c4ab505d843a0f5d56c3f0f41804d6dd8209330baed10f02a15ea3149dc1b14618bce60849a22adb3 |
C:\Windows\system\yQJFBVW.exe
| MD5 | 3a46674e5968382f9f4318ac3b0c5c5f |
| SHA1 | bc36760ae81497f271790a3adca6cae18cb4163e |
| SHA256 | 200ad4e4b0adca70a8425d706a1b1efd0c812206cb8a53cda104270cf914f877 |
| SHA512 | 5655642287582fc2a330ab6abdaee31103aeca0e8c7b2de44ba0366a56af25dfd13dd50decdcbe87970c46879291d3fef2cb0f73e1c67a8b3a4bead13dabfc7e |
C:\Windows\system\dhdrFkn.exe
| MD5 | 787eb7e69ad35aabdeb5368e6da76f1a |
| SHA1 | cb322befd7f9c168958d53bc2f49dca2cdbe84bc |
| SHA256 | 0bf2ae8409c5346b5c7add6eb6f765af178d7d736962e27ffea40ddaccbb2cee |
| SHA512 | afbec0b4ded7fea46eaa8d902bdf97979f8c4ae6f8d4d1b0faa7cc2bf31c53eb5c13ef7bd105b1c1a5f390acb69261c5d317c7908e7b5003836d4ecea1fd5ab3 |
C:\Windows\system\pelcpiD.exe
| MD5 | db6851f18e18c9d331f14a4ab2784110 |
| SHA1 | 343a598202ed2f17e2de3198d7447fa9d2ec39d8 |
| SHA256 | ef2f3df8740a17ce7647e34f1fe24e22393b91262174963e835e0a0d0bc0b86d |
| SHA512 | 05ec16504a167f3e7f39f35393e5ccf8ed0b2d70289f4ff042de697edc939f30414b06ce7ccd589c8fb3148bb42125e014347b22d4007793a3589025c7cb302b |
C:\Windows\system\NAaZSnm.exe
| MD5 | 60e0014f58b4f1b8f563b273d2275660 |
| SHA1 | ea56b85c58ad530b20aa8a599d51724437d905e4 |
| SHA256 | 7a4d89304b2e357e923da059f321e6fc27b507123592d53291ed0e94bdb7faf3 |
| SHA512 | f29536663b613bd367688f883738a167008d1d5ad181f351d03b4943b811e69d2f9575e6d9afa73a32f1a238ed7ea0073a0567ed1d7d2f84824b806315a32a7f |
C:\Windows\system\jhPqurN.exe
| MD5 | b1280a310a974f5ae27fbd448d80fbbf |
| SHA1 | 6dfd05afd5a95953942dbb825b503209427225bf |
| SHA256 | 97a3d604858127b62202356c2348b3b15e5b74a0deebc433005358b59228794d |
| SHA512 | 0d9827e0d17fd0a75fe1b9b5890967b518cb03736cfd13326b6e1bfd5cbacd988b2c3db9e2751519a69c5b18ef4e5dc48b40417d082c339aecc546724530ae6f |
C:\Windows\system\aRNCLmh.exe
| MD5 | 9866d867ab99dc887d727af1e531b2c0 |
| SHA1 | 0a6b886ed9c77abd3b2e4fc40cdd90ed1bd31ecc |
| SHA256 | 8a3205dd0f60c2683f0da291ea45de167939215f0f96a6f039e7d5b9e828be04 |
| SHA512 | 417f6d96cc5331bedda96ba0524cbd3074861417e9213be3c66050d39690af78c8f3174ab43962bf193a653b6b507bf9b64fffa19ece2070a81fa36cfa065b6e |
C:\Windows\system\WzIlBQJ.exe
| MD5 | 39ae60141b97c03da8c9c1167cd0ec6c |
| SHA1 | 60453bac515d089278de350bbafda296d9a53c43 |
| SHA256 | 1f8be7204df6b0c8e0e79816be05ebb3f3b08a30160d763c6f1abfbba20f1153 |
| SHA512 | 13716d490eba984f8e212fac2f68004c486c0a3b369cc4ac2d72d80e9942d46ba8443c76918e050a0722db5ff0e7dda30d516aa81d66b3fb089af1adee8a2a0c |
C:\Windows\system\yFnvZBn.exe
| MD5 | 486a613836a4be0e0605adf2faecdb5b |
| SHA1 | 9f984e08e12c8eb76363d99bb260c8bae38a3942 |
| SHA256 | 6534b8b59a89db9de36215b6284699238b047c6e4ee0ae9a1a9c542a649eb4f3 |
| SHA512 | cfa80b1180e16b74ab0dde3d33c30e502c1a2181a3995dec56ea5b62fee89625aa2e38574a0d3a6a688035bcfa57b1dd85336b590135eb1ec4ffe95bcf65d288 |
memory/2972-129-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2928-130-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2788-131-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2772-133-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2516-135-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2584-136-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2632-134-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2768-132-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2792-137-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1884-138-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2100-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2720-140-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2936-141-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2612-142-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2728-143-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2788-144-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2928-146-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2772-148-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2768-147-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2632-145-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2584-149-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2516-150-0x000000013F9D0000-0x000000013FD24000-memory.dmp
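The Files listings (this run and the Windows 10 run below) pair each dropped path with an MD5/SHA1/SHA256/SHA512 table and interleave memory/<pid>-... dump entries. The parser below is an added example, not part of the sandbox report, that turns that layout into a de-duplicated hash list for blocking or hunting, flags a path that appears twice with different hashes (LCYQVfN.exe above; the entry without a drive letter is treated as the same file as the C:\ one, which is an assumption), and computes the size of each dumped region. The embedded sample is a short excerpt copied from the listing above.

```python
import re
from collections import defaultdict

# One dropped-file entry: a path line followed by "| ALGO | digest |" rows.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\.+\.exe$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, dumps).

    files: [{"path": ..., "MD5": ..., "SHA1": ..., "SHA256": ..., "SHA512": ...}, ...]
    dumps: [(pid, start_address, end_address), ...]
    A digest of the wrong length means the listing was mangled; refuse it
    rather than feed a bad indicator into a blocklist.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            dumps.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current['path']}: {digest}")
            current[algo] = digest
    return files, dumps


def hash_list(files, algo="SHA256"):
    """Sorted, de-duplicated digests for one algorithm (ready for a blocklist)."""
    return sorted({f[algo] for f in files if algo in f})


def rewritten_paths(files):
    """Paths listed more than once with different SHA256 values.

    The drive letter is stripped before comparing, so "\\Windows\\system\\X.exe"
    and "C:\\Windows\\system\\X.exe" count as the same file (an assumption).
    """
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_path[re.sub(r"^[A-Za-z]:", "", f["path"]).lower()].add(f["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def dump_sizes(dumps):
    """Size in bytes of each dumped region, keyed by (pid, start)."""
    return {(pid, start): end - start for pid, start, end in dumps}


# Excerpt copied from the behavioral1 Files listing above (three entries only).
SAMPLE_LISTING = r"""
memory/2972-0-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\iNCzGSC.exe
| MD5 | 90e69951485f0bb3c1bf4f949de6106d |
| SHA1 | db95e5a117cd7d818575604fa811ad9a36829a02 |
| SHA256 | 27a201766ece763dde900c442af719ff131fea401bd6f0bd364c80033a0bad37 |
| SHA512 | 4b68af358ae57fa592f8ff1a28c6f536177e3e76310a1917fe308330a638357f6c48ea1b1a65b33d535c85b015085a85232976d3ef1bcfd5d7881fb1dc9e42be |
\Windows\system\LCYQVfN.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
C:\Windows\system\LCYQVfN.exe
| MD5 | 7f8a17e87204865cb8294f992f62a8b7 |
| SHA1 | 965d240fdcaff71315ed72fa19a6fb7bcd0cc41b |
| SHA256 | d2f6d40eee8aa5eeee364047b92c58e82120eddca6fa2b326a9430322de1d86a |
| SHA512 | e3007370624881b1cea1ef29a5575f7be06f05e38d2f7953b9be734b7627ef9829b6897833b5db61638ee69bd5e7c8c0e83d30482dc7ed493651dab40519ecb6 |
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE_LISTING)
    print("\n".join(hash_list(files)))
    print(rewritten_paths(files))
    print({k: hex(v) for k, v in dump_sizes(dumps).items()})
```

Apart from the small 0x10000 region at memory/2972-1, every dump region in the listing above spans 0x354000 bytes; dump_sizes() shows this for the excerpt, and running it over the full listing shows the same image size mapped at a different base in each dropped process.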
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 12:26
Reported
2024-06-08 12:29
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target are all N/A.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; description, indicator, process and target are all N/A.
UPX dump on OEP (original entry point)
64 matches; description, indicator, process and target are all N/A.
XMRig Miner payload
64 matches; description, indicator, process and target are all N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fcaMnrK.exe | N/A |
| N/A | N/A | C:\Windows\System\dWtnWSy.exe | N/A |
| N/A | N/A | C:\Windows\System\BhiaftR.exe | N/A |
| N/A | N/A | C:\Windows\System\TdmVzgd.exe | N/A |
| N/A | N/A | C:\Windows\System\GQLqgqP.exe | N/A |
| N/A | N/A | C:\Windows\System\QIiOxEV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwSOBJM.exe | N/A |
| N/A | N/A | C:\Windows\System\PQKyJcx.exe | N/A |
| N/A | N/A | C:\Windows\System\LYjCmVk.exe | N/A |
| N/A | N/A | C:\Windows\System\VvUTgea.exe | N/A |
| N/A | N/A | C:\Windows\System\MoHDDzV.exe | N/A |
| N/A | N/A | C:\Windows\System\lHhBZJE.exe | N/A |
| N/A | N/A | C:\Windows\System\sIluhPk.exe | N/A |
| N/A | N/A | C:\Windows\System\SbTUbnM.exe | N/A |
| N/A | N/A | C:\Windows\System\uunMMKR.exe | N/A |
| N/A | N/A | C:\Windows\System\HRzYkGy.exe | N/A |
| N/A | N/A | C:\Windows\System\cbDyTqo.exe | N/A |
| N/A | N/A | C:\Windows\System\hilcfLP.exe | N/A |
| N/A | N/A | C:\Windows\System\tZRufxB.exe | N/A |
| N/A | N/A | C:\Windows\System\JcxkJWT.exe | N/A |
| N/A | N/A | C:\Windows\System\AJYtNUo.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target are all N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_1967b789ec4e9e4ab9f670ffd1aa2969_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fcaMnrK.exe
C:\Windows\System\fcaMnrK.exe
C:\Windows\System\dWtnWSy.exe
C:\Windows\System\dWtnWSy.exe
C:\Windows\System\BhiaftR.exe
C:\Windows\System\BhiaftR.exe
C:\Windows\System\TdmVzgd.exe
C:\Windows\System\TdmVzgd.exe
C:\Windows\System\GQLqgqP.exe
C:\Windows\System\GQLqgqP.exe
C:\Windows\System\QIiOxEV.exe
C:\Windows\System\QIiOxEV.exe
C:\Windows\System\ZwSOBJM.exe
C:\Windows\System\ZwSOBJM.exe
C:\Windows\System\PQKyJcx.exe
C:\Windows\System\PQKyJcx.exe
C:\Windows\System\LYjCmVk.exe
C:\Windows\System\LYjCmVk.exe
C:\Windows\System\VvUTgea.exe
C:\Windows\System\VvUTgea.exe
C:\Windows\System\MoHDDzV.exe
C:\Windows\System\MoHDDzV.exe
C:\Windows\System\lHhBZJE.exe
C:\Windows\System\lHhBZJE.exe
C:\Windows\System\sIluhPk.exe
C:\Windows\System\sIluhPk.exe
C:\Windows\System\SbTUbnM.exe
C:\Windows\System\SbTUbnM.exe
C:\Windows\System\uunMMKR.exe
C:\Windows\System\uunMMKR.exe
C:\Windows\System\HRzYkGy.exe
C:\Windows\System\HRzYkGy.exe
C:\Windows\System\cbDyTqo.exe
C:\Windows\System\cbDyTqo.exe
C:\Windows\System\hilcfLP.exe
C:\Windows\System\hilcfLP.exe
C:\Windows\System\JcxkJWT.exe
C:\Windows\System\JcxkJWT.exe
C:\Windows\System\tZRufxB.exe
C:\Windows\System\tZRufxB.exe
C:\Windows\System\AJYtNUo.exe
C:\Windows\System\AJYtNUo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1684-0-0x00007FF7618E0000-0x00007FF761C34000-memory.dmp
memory/1684-1-0x000001E74FA70000-0x000001E74FA80000-memory.dmp
C:\Windows\System\fcaMnrK.exe
| MD5 | 713af1935395ff66a17d307ffdf79144 |
| SHA1 | 9dfaee6de3c6299bd25a52404b1495fffa29e998 |
| SHA256 | 77f11a51ec29212a08da6ea5c821527411a040f93dbb87d9465ca5a2366db359 |
| SHA512 | 0f9277fbda2ccc4fe91d672e55e410dd695bba365921bcd85e94185ab8fff346737cc57382a115e1451f9926133d9427aaf67ea3ed03e2c8bf0bdea5c997db69 |
memory/2724-8-0x00007FF624D40000-0x00007FF625094000-memory.dmp
C:\Windows\System\dWtnWSy.exe
| MD5 | 3efe7d2e4d7fb8fc3ba1967359d1126a |
| SHA1 | 942bba9800064288c43c09dbc9fe21b98721edf0 |
| SHA256 | eba527c3a174d0ed84146acb735e1247e7bc06f7dbd79fd5ffaa7fed1f5afc0c |
| SHA512 | bd045589f3d2b67a1979a3b1c9c90ff5f96873b5944d94dfb35a851ab6384e241825497cad18b3f6f2ab80ba1ff4286a589b5fb43805fa503e13becd54a1bda2 |
memory/3008-13-0x00007FF6FF290000-0x00007FF6FF5E4000-memory.dmp
C:\Windows\System\BhiaftR.exe
| MD5 | ff4db18711c9bf38c6f3a696b28ab7c8 |
| SHA1 | 2df49d537eb8d37264a13df058fc60ebe713e2b3 |
| SHA256 | e310975158a7ab1d3c89613974c03252200f1c423a03dde13a0f71c105d2e748 |
| SHA512 | 270e9e7f07d8b299b1e22b592b45acf631bcfa41a7f898a2b5d86e5becb3e0cb5ccfc934d7a54a8d557235d45272769bd213e72b734951ac7df90342144ca88e |
C:\Windows\System\TdmVzgd.exe
| MD5 | 9d93820652c17073526f19a05de18a55 |
| SHA1 | 78f1fb6bad468caec96811720bef8fa6c084623a |
| SHA256 | dc05cb31229069870ace0c9e41a510d7da0360219ebd42afd6993ebb668d5f31 |
| SHA512 | 1ec3b949420bcea117efcc5bb71bc823af5d102668f04ce419bf82112c168cb5d2f5e0a27e720a81388fb0d5eeafdd8a1024fba84d614b659dac081acf6c430d |
C:\Windows\System\GQLqgqP.exe
| MD5 | 074d154230c8d557020972b9ac682cf9 |
| SHA1 | 846aee67244d8f4deab043d5a0ccb18883a414fd |
| SHA256 | f51209c19bf84b08a447f3545df2396d9ffcee8d741c9fe6457b05bb22cee3e9 |
| SHA512 | 33f7cb51f186642575f16252a539f7441259f123cdcc5b893de5ff687728754d7c05e613f4ac892cbec0d71e2816b07ad11005419617ab034388854d4ef095c1 |
memory/2116-32-0x00007FF64FC30000-0x00007FF64FF84000-memory.dmp
memory/740-26-0x00007FF6A2F60000-0x00007FF6A32B4000-memory.dmp
C:\Windows\System\QIiOxEV.exe
| MD5 | fee59e00940f6dba2b75f346e6940dd1 |
| SHA1 | 22c5075b8efae119f0ce6baf092c078cba746c0a |
| SHA256 | d80f37732f21abc4d2b2a8deb29598e23f58f23cd3e1b66ceb2966076e3ac7c4 |
| SHA512 | e9642b6cd2117143c164b50627699989960a70965289398db384ca6abf6b4045379f2e27febd126d5f44156bbfca655b18d52afc91530eddaea781e877f8822b |
memory/2528-38-0x00007FF752DA0000-0x00007FF7530F4000-memory.dmp
memory/3960-20-0x00007FF768F10000-0x00007FF769264000-memory.dmp
C:\Windows\System\ZwSOBJM.exe
| MD5 | e72f4b640595a82aedc9747a91995907 |
| SHA1 | 4111e1ab7068699e7ab7e94519245e150390f11a |
| SHA256 | 086b948e5c6c9f3f9eb4486515bc776f464c76866c017f7c3dd7d3a5ba7762e6 |
| SHA512 | 8f31e42d2efc7a72f976d5a1a71dfb29a8a10e2b6333c1ac2f276a3dce35452aac3f96a42ee33616fccc98d8f63d724d7f6292dfdd240cdfac38a1cef290c8e0 |
memory/2800-44-0x00007FF70DDC0000-0x00007FF70E114000-memory.dmp
C:\Windows\System\PQKyJcx.exe
| MD5 | 7b5900c3397bcfa82fe40355a5e41b7f |
| SHA1 | 016c041081df8242b8da7311f9a1bc7066278f3f |
| SHA256 | 2f31dab544f8e8b75e518846da3802ce34a55a98465d4847e99322416b6934a5 |
| SHA512 | 16482785b368dbe6ca945b2ce76f78c999e9f394ab9e4af1c936c9b758aab7548df48c964926a8c78d02d587348e816ee25c37f796d508f989a47d2cb8a4102f |
C:\Windows\System\LYjCmVk.exe
| MD5 | 9114416b15e563a7f8810d9f91770df8 |
| SHA1 | 4dca297b403e4f18c35a7a6950780f8e59da973f |
| SHA256 | 666ecb4b3be75ec8537afaf1cdb74405f7da892bb9cc90483641eee5a0fcc1ac |
| SHA512 | 918c03be08b98e8053f61cdcbac94ac81f894a15f6d2e374e3be3cccf8d5082a508fe9bc0b515b7309babce3f5a97868e74d37c3f27d93cddf155bbde8b5e660 |
C:\Windows\System\VvUTgea.exe
| MD5 | f91e42b1269611774dbb6ded078bb02f |
| SHA1 | 86a7592e67a478372b3c28ed5d0d5fe6cbb79562 |
| SHA256 | c22f05139f33a3c7b86314f21e8b75c04ccec7a81b283a4a8a9c100c8a71d3b5 |
| SHA512 | 17b25b81efb319a840c341662766bb73d4e4aa15504e01c17ba7a035c520066a402d3144da23d1bcc9576341f55a79d74fb28f496183db0b59aeb03f488bceaa |
memory/2820-55-0x00007FF7BA880000-0x00007FF7BABD4000-memory.dmp
memory/1556-62-0x00007FF65C820000-0x00007FF65CB74000-memory.dmp
memory/1684-61-0x00007FF7618E0000-0x00007FF761C34000-memory.dmp
C:\Windows\System\MoHDDzV.exe
| MD5 | 8f7ad8d50a1c8e76dbb9a8e6467cbd6e |
| SHA1 | 9fe1cf6ba137d13a2a97f15dfa8eb909f630fbb3 |
| SHA256 | 5761408a045a9c8770c8f0f05d01b890fb5e5264611d61cc51f8312ac4494836 |
| SHA512 | e4f910e6f84b915d35226075ca0ce9d6e63ce57e5b80430775a8f25ae5ad96cf99e0fe2ef804e80294a0a61348b02ed51fc0e5ee965cbb13bc398a81dafb9f60 |
memory/2424-50-0x00007FF769570000-0x00007FF7698C4000-memory.dmp
memory/2724-69-0x00007FF624D40000-0x00007FF625094000-memory.dmp
C:\Windows\System\SbTUbnM.exe
| MD5 | 8aab2f7a0e5f9de2b2a20a52ad5d341f |
| SHA1 | 021d3af044a86221f11fc1a0fe67b8f5d98122ca |
| SHA256 | 8f6c01bfe50106968a8daa8f29db314fcefbee3ff7ad59c6fc728d8d1ed56b85 |
| SHA512 | b815c29372ab136c644fad49af7e786366b7f321d0c27230801e9146e307b69c83e902664d9485c51979b24658d2f461073ab7430fbe6b18d2f5db92ba56feda |
C:\Windows\System\SbTUbnM.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
C:\Windows\System\uunMMKR.exe
| MD5 | bd5ca8baf000c9081593cb685aa32eb5 |
| SHA1 | 4a49b809751f88a416a225e524872060e708619f |
| SHA256 | 8089d89a42bfd175fcb6a98b173c4eebaa4803d0968c8f2c6314cc40b970cf34 |
| SHA512 | 204206f27efe94074df4370bbe87cd2d942231d6908fde8bdc51120741ca1cfed291104ec7711abc791695527190617f7783ce4ecf1a9121510f5c638fe17d72 |
memory/3328-91-0x00007FF720CF0000-0x00007FF721044000-memory.dmp
memory/2780-86-0x00007FF71B540000-0x00007FF71B894000-memory.dmp
C:\Windows\System\sIluhPk.exe
| MD5 | edcb13e228b691faefa72220e914225a |
| SHA1 | 50ea50eaef4e0c2903f305328877dd1280aaeff0 |
| SHA256 | 6f3140063813be4cf54362184fdb63d7bb4e1290104a8952a7538442e58884e6 |
| SHA512 | d447b7a2ae2bb1b444ec74852daba2130a4d64b2ece9a3c90b30e040eaa72ae73ffa868387181b8ff5770d27b8208ea5c33ed4e9c370f9245044d9d2534a7c4d |
memory/2980-78-0x00007FF640240000-0x00007FF640594000-memory.dmp
C:\Windows\System\HRzYkGy.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/2116-112-0x00007FF64FC30000-0x00007FF64FF84000-memory.dmp
C:\Windows\System\JcxkJWT.exe
| MD5 | 4340d610b2784a6376382f7021f797b6 |
| SHA1 | bd81e4c48c18bb403cf684bd2dffd81baf480f36 |
| SHA256 | cbbc31b4990274001568328fa61f8beac03eff8d1f2580d84c243b6ff82d7929 |
| SHA512 | c5c801294facd833d9ceb9e57eecc216027644c3309a3e6a05dbeb45118639714c0546e1d91a95157e6a839267febf2320dff2d5f4fc318374b6e70f8b3c48ff |
C:\Windows\System\tZRufxB.exe
| MD5 | dc35b9fe00fc82181bcfedd4ffcf6f18 |
| SHA1 | ff0914018859329ff355485e0b2ebace3d6e5f31 |
| SHA256 | 2783321511320a92abed62e0b60f3bd4722f3a0d38c277b885cebcf7476fa921 |
| SHA512 | d12f5963befe639f3ccd75bbad573b3a75b28874465ede1f7128dcc1c93e9c4a22dc8c15e241c38576046e4908baad30a63decd41c2c668d9e182730923fefc5 |
C:\Windows\System\AJYtNUo.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\System\AJYtNUo.exe
| MD5 | f1b352a2a74553ff8f8404d494fb1771 |
| SHA1 | c278f2d0e535eb94cf060c93a37a1b69cfceaeda |
| SHA256 | 484bdbb063ce0faf9a0fff7d2c6a999215b738e675f5e52db6376b542dd2b09a |
| SHA512 | d029031ccbc2b4ea0e73896e6c149fc3367d227add796665862716a85049a089a78a2c21a585ddc25506562f1822f6084c81a63ea9f4b67a1be09e850c1cb93b |
C:\Windows\System\hilcfLP.exe
| MD5 | 959db281250f57b66e4ba7b423029ff8 |
| SHA1 | 3c8468e1ec6bd303f49961cd8f2ddfec98b16c30 |
| SHA256 | fcef73bbff8391a88acd38e735bf6bda0b0dd33918162807c5feacf1548da7e2 |
| SHA512 | ecafd6daeda1321ad3895dc9ae6a2f97d9e6e9d05eeaaea3668fb2ec579b351be0c72de5fab68446403f122bbb88c7994a0b782c329fcbfeca24e455dc67ad51 |
C:\Windows\System\cbDyTqo.exe
| MD5 | 22645b8821d57b046e2b094cc85361ce |
| SHA1 | 2b37223dca5b33bebcc10d6317701f92c0c5ed95 |
| SHA256 | ed52cb7ca79d40291a173a7c605355b9991e34e3c33dd99c102151cfeea79c44 |
| SHA512 | 4e3f69e26fbc98a33cf0115124d1709b979ad37bb4ed0a707dbbd7485228c668cefeccc59a2db7dda78110a137fcd80e47327237db1e906fff2bef0d47de61a1 |
memory/1824-106-0x00007FF731110000-0x00007FF731464000-memory.dmp
memory/2016-105-0x00007FF604A00000-0x00007FF604D54000-memory.dmp
C:\Windows\System\HRzYkGy.exe
| MD5 | 5a97df0c15e4a2ad914fbfabab30e908 |
| SHA1 | 46d5bd73d9e69859d175664ce773e3473f8d4685 |
| SHA256 | 60e086c79bb2935937ce6e36957b2f80af114328476002d440d0c5cabcd2a8cf |
| SHA512 | 7f9571c9f6c8fd9759f537be9513c9472763dd047445a40330ef93dd0501ba552ba693f51252fa41931890185bb4f37fce821fad1c83b58e240998b31dcfca82 |
C:\Windows\System\lHhBZJE.exe
| MD5 | 0c184f45f5ba9725f50686b4048f9300 |
| SHA1 | 10827ac90f12eaceecc301bc51298a9e640ece92 |
| SHA256 | 0e6cb78add8b8752cf9b256a5c9b0c423a0839997bdfff8ce66d9b869f1299e6 |
| SHA512 | 4048f53c0d11b582fa26f971fb6d7c738d5961d0f6d2c0ca5829d8215a14f11ab484fbe6f3f1ce313a9a825ec8d3db65debdec86b4e35baf193db1e0f7861ed2 |
memory/3008-75-0x00007FF6FF290000-0x00007FF6FF5E4000-memory.dmp
memory/2720-70-0x00007FF6511B0000-0x00007FF651504000-memory.dmp
memory/2860-127-0x00007FF704620000-0x00007FF704974000-memory.dmp
memory/3064-128-0x00007FF7899E0000-0x00007FF789D34000-memory.dmp
memory/4428-131-0x00007FF747850000-0x00007FF747BA4000-memory.dmp
memory/3084-130-0x00007FF6FB450000-0x00007FF6FB7A4000-memory.dmp
memory/3424-129-0x00007FF6645E0000-0x00007FF664934000-memory.dmp
memory/2820-132-0x00007FF7BA880000-0x00007FF7BABD4000-memory.dmp
memory/2980-133-0x00007FF640240000-0x00007FF640594000-memory.dmp
memory/2016-135-0x00007FF604A00000-0x00007FF604D54000-memory.dmp
memory/3328-134-0x00007FF720CF0000-0x00007FF721044000-memory.dmp
memory/2860-136-0x00007FF704620000-0x00007FF704974000-memory.dmp
memory/2724-137-0x00007FF624D40000-0x00007FF625094000-memory.dmp
memory/3008-138-0x00007FF6FF290000-0x00007FF6FF5E4000-memory.dmp
memory/3960-139-0x00007FF768F10000-0x00007FF769264000-memory.dmp
memory/740-140-0x00007FF6A2F60000-0x00007FF6A32B4000-memory.dmp
memory/2528-142-0x00007FF752DA0000-0x00007FF7530F4000-memory.dmp
memory/2116-141-0x00007FF64FC30000-0x00007FF64FF84000-memory.dmp
memory/2800-143-0x00007FF70DDC0000-0x00007FF70E114000-memory.dmp
memory/2424-144-0x00007FF769570000-0x00007FF7698C4000-memory.dmp
memory/1556-146-0x00007FF65C820000-0x00007FF65CB74000-memory.dmp
memory/2820-145-0x00007FF7BA880000-0x00007FF7BABD4000-memory.dmp
memory/2720-147-0x00007FF6511B0000-0x00007FF651504000-memory.dmp
memory/2780-149-0x00007FF71B540000-0x00007FF71B894000-memory.dmp
memory/2980-148-0x00007FF640240000-0x00007FF640594000-memory.dmp
memory/3328-150-0x00007FF720CF0000-0x00007FF721044000-memory.dmp
memory/1824-151-0x00007FF731110000-0x00007FF731464000-memory.dmp
memory/2016-152-0x00007FF604A00000-0x00007FF604D54000-memory.dmp
memory/3064-154-0x00007FF7899E0000-0x00007FF789D34000-memory.dmp
memory/4428-156-0x00007FF747850000-0x00007FF747BA4000-memory.dmp
memory/3424-155-0x00007FF6645E0000-0x00007FF664934000-memory.dmp
memory/3084-157-0x00007FF6FB450000-0x00007FF6FB7A4000-memory.dmp
memory/2860-153-0x00007FF704620000-0x00007FF704974000-memory.dmp