Analysis Overview
SHA256
7be60f99fb8a5f9fb7fdcdf4584d0bc5346f78ab8a3c677a9c5a58a54fd181d2
Threat Level: Known bad
The file 2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader (family tag: Cobaltstrike)
Detects Reflective DLL injection artifacts
XMRig Miner payload (family tag: Xmrig)
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken (SeLockMemoryPrivilege)
Suspicious use of WriteProcessMemory
Reading the summary: the Cobalt Strike and XMRig labels are signature matches on the dropped files and memory dumps; the report records no extracted beacon configuration, and the only non-DNS network destination seen in either detonation is 3.120.209.58:8080 over TCP. The behaviour recorded at process level is a dropper writing 21 executables with random-looking seven-letter names into C:\Windows\System and running them, plus the sample enabling SeLockMemoryPrivilege, the privilege XMRig needs to back its hashing dataset with large pages. In the Windows 7 run every one of the 21 dropped executables carries a different hash, so blocking the parent hash alone is not an adequate control.
Analysis: static1
Detonation Overview
Reported
2024-06-08 12:35
Signatures
Cobalt Strike reflective loader: 1 match (the static pass captured no description, indicator, process or target)
Cobaltstrike family
Detects Reflective DLL injection artifacts: 1 match (details not captured)
UPX dump on OEP (original entry point): 1 match (details not captured)
XMRig Miner payload: 1 match (details not captured)
Xmrig family
UPX packed file: 1 match (details not captured)
Unsigned PE: 1 match (details not captured)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 12:35
Reported
2024-06-08 12:37
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader: 21 matches (the report captured no description, indicator, process or target for any of them)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 matches (details not captured)
UPX dump on OEP (original entry point): 60 matches (details not captured)
XMRig Miner payload: 61 matches (details not captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KRsnGIp.exe | N/A |
| N/A | N/A | C:\Windows\System\Fmluany.exe | N/A |
| N/A | N/A | C:\Windows\System\HNyZcdp.exe | N/A |
| N/A | N/A | C:\Windows\System\MHazAVm.exe | N/A |
| N/A | N/A | C:\Windows\System\sWVGekw.exe | N/A |
| N/A | N/A | C:\Windows\System\MTuArke.exe | N/A |
| N/A | N/A | C:\Windows\System\dWRxBRD.exe | N/A |
| N/A | N/A | C:\Windows\System\NrnwHxH.exe | N/A |
| N/A | N/A | C:\Windows\System\EUrfsaN.exe | N/A |
| N/A | N/A | C:\Windows\System\uRgHevw.exe | N/A |
| N/A | N/A | C:\Windows\System\JzvYWRr.exe | N/A |
| N/A | N/A | C:\Windows\System\moSTRNV.exe | N/A |
| N/A | N/A | C:\Windows\System\MTWXvxU.exe | N/A |
| N/A | N/A | C:\Windows\System\STUaixh.exe | N/A |
| N/A | N/A | C:\Windows\System\jdeHpmv.exe | N/A |
| N/A | N/A | C:\Windows\System\liQaZxj.exe | N/A |
| N/A | N/A | C:\Windows\System\KopIdHg.exe | N/A |
| N/A | N/A | C:\Windows\System\oDNGDhl.exe | N/A |
| N/A | N/A | C:\Windows\System\SxhIUhG.exe | N/A |
| N/A | N/A | C:\Windows\System\VDWBkMO.exe | N/A |
| N/A | N/A | C:\Windows\System\VvEnrlj.exe | N/A |
Loads dropped DLL
UPX packed file: 60 matches (details not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KRsnGIp.exe
C:\Windows\System\KRsnGIp.exe
C:\Windows\System\Fmluany.exe
C:\Windows\System\Fmluany.exe
C:\Windows\System\HNyZcdp.exe
C:\Windows\System\HNyZcdp.exe
C:\Windows\System\MHazAVm.exe
C:\Windows\System\MHazAVm.exe
C:\Windows\System\MTuArke.exe
C:\Windows\System\MTuArke.exe
C:\Windows\System\sWVGekw.exe
C:\Windows\System\sWVGekw.exe
C:\Windows\System\dWRxBRD.exe
C:\Windows\System\dWRxBRD.exe
C:\Windows\System\NrnwHxH.exe
C:\Windows\System\NrnwHxH.exe
C:\Windows\System\EUrfsaN.exe
C:\Windows\System\EUrfsaN.exe
C:\Windows\System\uRgHevw.exe
C:\Windows\System\uRgHevw.exe
C:\Windows\System\JzvYWRr.exe
C:\Windows\System\JzvYWRr.exe
C:\Windows\System\moSTRNV.exe
C:\Windows\System\moSTRNV.exe
C:\Windows\System\MTWXvxU.exe
C:\Windows\System\MTWXvxU.exe
C:\Windows\System\STUaixh.exe
C:\Windows\System\STUaixh.exe
C:\Windows\System\jdeHpmv.exe
C:\Windows\System\jdeHpmv.exe
C:\Windows\System\liQaZxj.exe
C:\Windows\System\liQaZxj.exe
C:\Windows\System\KopIdHg.exe
C:\Windows\System\KopIdHg.exe
C:\Windows\System\oDNGDhl.exe
C:\Windows\System\oDNGDhl.exe
C:\Windows\System\SxhIUhG.exe
C:\Windows\System\SxhIUhG.exe
C:\Windows\System\VDWBkMO.exe
C:\Windows\System\VDWBkMO.exe
C:\Windows\System\VvEnrlj.exe
C:\Windows\System\VvEnrlj.exe
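The process list above is the part of this report a detection engineer can act on: 21 executables with seven-letter mixed-case names run from C:\Windows\System (the legacy directory beside System32, which on a clean install holds a few old DLL/DRV files and no .exe), while the parent sample enables SeLockMemoryPrivilege. The Python below is an added example and not part of the sandbox report. It encodes those three observations as detection reasons and runs them over a constructed stream of process-creation events built from the image paths in this report; the PIDs and the parent/child layout (the sample spawning each dropped EXE) are assumptions, since the report lists processes without a tree.

```python
import re
from collections import Counter
from dataclasses import dataclass

# C:\Windows\System is the legacy directory beside System32; a clean install keeps only a few
# old DLL/DRV files there and no .exe, so an executable launched from it is a strong signal.
LEGACY_SYSTEM_DIR = re.compile(r"^c:\\windows\\system\\([^\\]+\.exe)$", re.IGNORECASE)
# Dropper naming seen in the report: exactly seven letters, mixed case, no digits (KRsnGIp.exe).
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
# Privilege XMRig enables so it can back its RandomX dataset with large pages.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (shape modelled on Sysmon EID 1 plus enabled privileges)."""
    pid: int
    ppid: int
    image: str
    privileges: tuple = ()


def flag_event(ev: ProcEvent) -> list:
    """Return the detection reasons for one event; an empty list means nothing fired."""
    reasons = []
    m = LEGACY_SYSTEM_DIR.match(ev.image)
    if m:
        reasons.append("exec-from-windows-system")
        if RANDOM_NAME.match(m.group(1)):
            reasons.append("random-7-letter-name")
    if MINER_PRIVILEGE in ev.privileges:
        reasons.append("enables-" + MINER_PRIVILEGE)
    return reasons


def triage(events):
    """Flag every event and summarise: {image: reasons}, per-reason counts, and the PID that
    parented the most flagged processes (the dropper candidate)."""
    flagged = {}
    parents = Counter()
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            flagged[ev.image] = reasons
            parents[ev.ppid] += 1
    reason_counts = Counter(r for rs in flagged.values() for r in rs)
    dropper_pid = parents.most_common(1)[0][0] if parents else None
    return flagged, reason_counts, dropper_pid


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe")
DROPPED = ["KRsnGIp", "Fmluany", "HNyZcdp", "MHazAVm", "sWVGekw", "MTuArke", "dWRxBRD",
           "NrnwHxH", "EUrfsaN", "uRgHevw", "JzvYWRr", "moSTRNV", "MTWXvxU", "STUaixh",
           "jdeHpmv", "liQaZxj", "KopIdHg", "oDNGDhl", "SxhIUhG", "VDWBkMO", "VvEnrlj"]


def constructed_events():
    """Constructed event stream. Image paths are the ones in the report; PIDs and the
    parent/child layout (the sample spawning every dropped EXE) are assumptions, since the
    report lists processes without a tree. Two System32 binaries act as benign controls."""
    events = [
        ProcEvent(1000, 500, "C:\\Windows\\explorer.exe"),
        ProcEvent(2408, 1000, SAMPLE, privileges=(MINER_PRIVILEGE,)),
        ProcEvent(900, 500, "C:\\Windows\\System32\\svchost.exe"),
        ProcEvent(901, 500, "C:\\Windows\\System32\\msiexec.exe"),
    ]
    events += [ProcEvent(3000 + i, 2408, "C:\\Windows\\System\\" + name + ".exe")
               for i, name in enumerate(DROPPED)]
    return events


if __name__ == "__main__":
    flagged, counts, dropper = triage(constructed_events())
    for image, reasons in flagged.items():
        print(f"{image}: {', '.join(reasons)}")
    print(dict(counts), "dropper pid:", dropper)
```

The System32 controls show why the path check is anchored on the exact directory: System32 binaries never match, and a legitimately odd name there does not fire either. The dropper candidate falls out of the parent counter rather than from any hard-coded PID, so the same logic works on a real Sysmon export.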
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2408-1-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2408-0-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\KRsnGIp.exe
| MD5 | e1a31a251b709fcc75609b8d955b029a |
| SHA1 | c34dacd2ea6bd2d386c1575fabf6053ce5971d23 |
| SHA256 | 0e29fba91b7a148248795f641cea541d54d6836cd0dc274fc22effad19dcea87 |
| SHA512 | ba292cc113d00bf52be61fe93772f9f295824500ab9fc5f7ab04eb9be3b1fd68871b62be19e3af08dc374e49901eca9fdf1de0b62335c43e11fc70ee93a0c64a |
memory/2428-8-0x000000013F7B0000-0x000000013FB04000-memory.dmp
\Windows\system\Fmluany.exe
| MD5 | a814f8248ab21a6ff5c063c377a885bf |
| SHA1 | b2cd121f98d021d3f496857be72053005ad68019 |
| SHA256 | 681d5fc5e2e535ae473602c0e1c3a8fe48703595c1b07777ed0d126d5e3e7dc6 |
| SHA512 | 0f122518f14ef9ad12e6e93df3a2cf13428ba62b3babd5f4dadfea88b6252e6d373ce9b450a2cc7005f076bb2c67fdcbdeb247cc7573819ab76140ff57cedac6 |
memory/1400-14-0x000000013F400000-0x000000013F754000-memory.dmp
C:\Windows\system\HNyZcdp.exe
| MD5 | 85585875add30e97f25d8d14d5cd72e5 |
| SHA1 | 06649941f8b243d29f6ead634606f4e4182da752 |
| SHA256 | 24005614c9338e9b56f91f16e0920b32d8c8f89316199707b6e33181d52a0024 |
| SHA512 | f9b674cc5a4d9a6f7c0cce53ac135a1f74158514befff58e3ddf502ec8176fbea6ecd03e5e9d23c64b6e975f08b80982496f4c9587108491aa6340ba8b1155a8 |
memory/2448-20-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2408-19-0x0000000002240000-0x0000000002594000-memory.dmp
\Windows\system\MHazAVm.exe
| MD5 | 6d32464e329d724b818a42f9b6b16ba3 |
| SHA1 | e214133098cc636f25cc176c6bb9d528e873703d |
| SHA256 | 21a5efaf8680445e2e5c29353cfc39aaac2b0b97adfb97b9e114d6bd2b3029e8 |
| SHA512 | effa99c2edec67e3dd4aa49ed1dbff5892f5e8eaca3e930cde429de8fadf9677d2fe06720388927c53abb52d22145c2fe1ab0a921c3c4bd354a783fe25270a5b |
memory/2708-39-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\MTuArke.exe
| MD5 | b735803980c4ec1e6ee6a012e692f828 |
| SHA1 | 1e71f30067b32d2dce85f8b95431ad69d8fbb5c9 |
| SHA256 | bbe1d4dfa4a6ddc7697efd0583fcc31dbf52fed45259786f22192ddad9ebfdb1 |
| SHA512 | 6fa479a89289a2831d24789b704d61fd3a122773de02fa5869f3043a6756fc29179705680e9161385c217337b4efa80d2bf01c458f85946d7dfdfdcd0d3ce694 |
memory/2668-41-0x000000013F1B0000-0x000000013F504000-memory.dmp
\Windows\system\NrnwHxH.exe
| MD5 | cc66e388489d1891e84f554728672fd9 |
| SHA1 | e1402ac2e3034b214d4b2e811c2b2bb74ecf72a8 |
| SHA256 | 9e78ba37edf4610c593ab10a39da66495e2b5b91612e8049154492af4d9d800e |
| SHA512 | 839b3d77f7da1aa0995311c647f030a7f899e6970a52168aa4fdb4978c3aaef67c7cc9ac76fe978ce4f20c71d274fcfea31bc0a9640b5c1c81a33b9a2c591edf |
memory/2408-53-0x000000013F520000-0x000000013F874000-memory.dmp
\Windows\system\dWRxBRD.exe
| MD5 | 6203d28a7a9b7a28063ff3b50135b397 |
| SHA1 | f8d3bfe72cb67e33e5a3b5a5c2deac00c4c12595 |
| SHA256 | 237530c2ec4877973457790b169123daf61a1ab34040d4b1f15e2898c1a1a575 |
| SHA512 | d39c3a7f74706e67cc076683ba879378810c3cc9f501cd2f9cb271c7de82f9f55c9900d1497d11ddea2194a62a9b3fe2fc9dc7ac349731b3bd28f4043c229c79 |
memory/2760-48-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2408-47-0x0000000002240000-0x0000000002594000-memory.dmp
memory/2676-54-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2408-38-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2616-34-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2408-33-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\sWVGekw.exe
| MD5 | 75f1686716333cd3368d20e43b19297a |
| SHA1 | c30c5e5731325539550bb562a6e3cda120c784c7 |
| SHA256 | 1dd3f80d81169e05e1d57f6e3a737d7bca598d953506348dc3f2c3eb4a9b22f5 |
| SHA512 | 0bdb0eb7659a826f53990a2dd5d387a51b4195bca59b083515e461de320b3cb7c6ecf7491fc4faf95dbc989a8189d8449224e83d2a7c318b75c39c68e77f5977 |
memory/2408-30-0x0000000002240000-0x0000000002594000-memory.dmp
memory/2408-57-0x0000000002240000-0x0000000002594000-memory.dmp
\Windows\system\EUrfsaN.exe
| MD5 | 809c58fbdb7ca5c84056ba0a0dc47d57 |
| SHA1 | fe3c6687eb78bd32c21aa086833584767097f40a |
| SHA256 | 39815ba4321fb548565443b7e95072d604840c75df3b11dc3462d0e3ce3cf6a9 |
| SHA512 | 2cae3c5ab4c94277e01dfcc8988cf1a4cd4c45e0a4adb4417f810afa4c49d054ae47b3289d29024b7434957062d0305ae911c83b821d8ea4c52619cb98035bde |
memory/2428-61-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2532-65-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2408-62-0x000000013F0E0000-0x000000013F434000-memory.dmp
C:\Windows\system\uRgHevw.exe
| MD5 | 69d06a79b789e302ea8eb4107a2102ea |
| SHA1 | f1e3dab0901cb67bd533d2f0834a7711e69b6523 |
| SHA256 | 16cc785761f334a50e16e84373ed0ec18c581316fef7244434965ac45feea082 |
| SHA512 | 661377a9b5d1c5264443c788619cbb2527315b3c96a02e7b8a88448a6a639c0bbbccba48886f4ee99438be72985a897c948032f39b3ab8cd8c45454650c2f4c4 |
memory/1400-71-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2072-73-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2408-72-0x0000000002240000-0x0000000002594000-memory.dmp
\Windows\system\JzvYWRr.exe
| MD5 | 0279b302254494724e4250c02afba26f |
| SHA1 | e5d7229af814d7eb8009643e2162a53ae36da30f |
| SHA256 | 040799ddb5192a3befc2befa44371a84ff01792945cd1b7f8a282bf67ee26c81 |
| SHA512 | c169f74cb6a390246e8388acd4f1a4efa854ba2a556b9b6c9112185cf5b272a496b5515b0c4064aa7b2da574675586b8008622c470a0e64aa7f48b22bb3fec8b |
memory/2560-83-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2616-82-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2408-80-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2408-78-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2448-75-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
C:\Windows\system\moSTRNV.exe
| MD5 | ce502276be4d478b05dc3dc19098f0b9 |
| SHA1 | 91c50964a1df7f46002b96831ceb5204933edb9e |
| SHA256 | b526e663c7d616d72d72b894a06b19a87d101e7b7b96a1646cfade9bcaa6a388 |
| SHA512 | 45c0bccee6fe5014ec8aeef75a12d577b3d02ba20585d1e1d4f92a17356b5f9d5c0974f7f38e0d2e53301e303d73e049c27c19107c1650320da0e9adda721200 |
memory/2864-89-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\STUaixh.exe
| MD5 | d9e64f6496388657f56b2a69bb2cdd9e |
| SHA1 | d23c56377494f3b12cede6ea1e6cfe34842e7add |
| SHA256 | 8c2155f4c119bf5bf475a59163f6b76469bf8400b0d236ac0df111655055bc41 |
| SHA512 | b05ae19b88937c8c631bcf01c9611ce3629227d6c63becaa6df561e8763d06da94657d08a6a90162fd2922388bc2daca3b3b480ec7825d3fc2a5b79f05e49a5d |
memory/2676-102-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/3024-104-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/3004-97-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\oDNGDhl.exe
| MD5 | 687d2c4d4cc69ed00337394a36fed61f |
| SHA1 | 4bfeb8b6e1c9d2ec1d8c8522a0add7e40a10db8f |
| SHA256 | 8f6bb7760b25e8411d41ba65b07de53996b100cb74f3378cd90027f215836110 |
| SHA512 | 780dcf0d2f8be1d7d65670e8e78e1f2f5fe20e381f9af718e212bfafcbb26785921ad2a9b5ca9849f4a22b4ad32a9318dc3d151de8d5d933a874b8d88bec3d75 |
\Windows\system\VvEnrlj.exe
| MD5 | aaee5ccafd104f2d525674a4372fb775 |
| SHA1 | 047582b02cf846c1dd2ea25155e149162b63cd94 |
| SHA256 | 8daaf03238aaf488ca21d30b74d810e3493627cc972c9b9d9edce3bcf64f6ff5 |
| SHA512 | 7fa1397a7ecf1faf9bc4e1b3de99fa26406a4700dbd0c2de653c7f65e5fdc7eccc96958ffe6cb458e2024a75d0280ca3190eb548bb9a56d3aa3eb4813641d0c0 |
C:\Windows\system\VDWBkMO.exe
| MD5 | babae703e86666b3e0a12a9fdc747f5c |
| SHA1 | c2eb9533bba4f5d9441daa56eb99a078520f90ec |
| SHA256 | 348ad98016bf0e1e270bc83d4c8dc7978335967bb312ccd50d792d818e3c76cf |
| SHA512 | 12f3db2c3dc8bcbc533cba379c5b159a8b14a7dc8eea85f6fb714428e569ab4af22e0355d7392011e799dc8ee66fc03611ca6faa1c0731ba80e2e29e223b14fe |
C:\Windows\system\SxhIUhG.exe
| MD5 | 5f768581c87df40d483cb12e20f70f53 |
| SHA1 | 58285bebce27e5cc90340ca2560fe4fa42af753a |
| SHA256 | cc4904862146d7cf39bd602229377f31f69d193f724b1e483de0ee54d27e605b |
| SHA512 | 0a026ca11536d2430d8ef2cdc50051304298bae7d317666f1bda65dd42c2d105a191f6d162effeff805a6fa31926f7fbc50c264506be734f5b5b654ea5048cb9 |
C:\Windows\system\KopIdHg.exe
| MD5 | bd1bdac0203d6b0ba100705a6c9c5253 |
| SHA1 | fc40cd871a1a39b899cbf13732b55cd2bd37081a |
| SHA256 | 90fb2de7f9da26edae021e23be01af43a5ed2952b0077f20c1cce2df45e44bcb |
| SHA512 | 2f566f04e7374f17c46ae341d48d5524f224bd717fd8f8ee7afe1afd9959e8e28d59375dc4dd4a2ccf45558ed8e77892fea93949c8905c4155cad55d3743111d |
C:\Windows\system\jdeHpmv.exe
| MD5 | e10a6ac50359a946c328fc9f72993127 |
| SHA1 | 925b975aeb136c328537be5181f7a1aaffaf6144 |
| SHA256 | 8ead03fb7de7eebf921bc0cb02d2b81dbebf0d8dea9eefacaede45db25be2f3f |
| SHA512 | 8554349afcd005b997c0f1693972c4539e68d57cb4f124e9ac9e84164222f706ba3929eba40d68d2ff3102f61930605e5d0c38219de641f1d9845656b3716eb6 |
memory/2408-106-0x0000000002240000-0x0000000002594000-memory.dmp
C:\Windows\system\liQaZxj.exe
| MD5 | 47c68f550d0b23b35a0397243d838be0 |
| SHA1 | 51d71b5c4f6e134fd6d3626eda17491d5fa5940d |
| SHA256 | f54fff8b7dd63bcc94f09e2590be26d1e9bf1605544d670746d25be63549b53f |
| SHA512 | 47676aece93abbe5dcadcf1ac69b0e11a48c239c22fdb4512632529a56ea1d8c63c870c74653aedeaa4430853dd12cea0b47e2f01e3dc14b284c68cec9b1f9d2 |
memory/2760-96-0x000000013F550000-0x000000013F8A4000-memory.dmp
C:\Windows\system\MTWXvxU.exe
| MD5 | c4cb3441c964c9bb75df30dd2c0dc975 |
| SHA1 | 4eab1eae5c1bed3fb9f27883315a674b552fdb56 |
| SHA256 | f7ccc35689b0edf5bdcceab2f859144fd72b38294034376a143d5a1417b04f46 |
| SHA512 | b05e6e978091cbe94b32a776e0adedf54cf560fdfd2016a42088e44c39fc7c5553adf815c889b9b70e479d8539b3dbd1044624d6636a3e4d8875be0f50d4ed90 |
memory/2408-93-0x0000000002240000-0x0000000002594000-memory.dmp
memory/2668-91-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2408-141-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2408-142-0x0000000002240000-0x0000000002594000-memory.dmp
memory/2408-143-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2408-144-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/3004-145-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2408-146-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/3024-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2428-148-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1400-149-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2448-150-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2708-151-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2616-152-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2668-153-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2760-155-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2676-154-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2532-156-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2072-157-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2560-158-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2864-159-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/3024-160-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/3004-161-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
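The Files section gives MD5/SHA1/SHA256/SHA512 for each dropped executable, and no two of the 21 share a hash, which is the practical reason the drop behaviour (not the file hash) is the thing to hunt on. Turning this layout into a clean IOC set is routine but has two traps: the report mixes "\Windows\system\X.exe" and "C:\Windows\system\X.exe" for the same location, and a truncated line would yield a short hex string that looks like a hash. The Python below is an added example, not part of the report; it parses the layout above into per-file hash records, rejects digests of the wrong length, folds both path spellings together, and counts distinct SHA256 values. Its input is a constructed excerpt copied from three of the entries above (memory-dump lines included to show they are ignored).

```python
import re

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A dropped-file line: optional drive letter, then a backslash path ending in .exe.
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\.*\.exe$")
# A hash row in the report's pipe-table form: | ALGO | hex |
HASH_LINE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def is_valid_digest(algo: str, digest: str) -> bool:
    """Length and alphabet check, so a truncated or mangled line cannot become an IOC."""
    return (len(digest) == HASH_LENGTHS.get(algo, -1)
            and all(c in "0123456789abcdef" for c in digest))


def normalise_path(p: str) -> str:
    """The report mixes '\\Windows\\system\\X.exe' and 'C:\\Windows\\system\\X.exe'; give both
    one case-folded form with a drive letter so the same file is never counted twice."""
    if not re.match(r"^[A-Za-z]:", p):
        p = "C:" + p
    return p.lower()


def parse_files_section(text: str) -> dict:
    """Map each dropped file (normalised path) to its {algo: digest} dict.
    memory/... dump lines carry no hashes and are skipped."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_LINE.match(line):
            current = normalise_path(line)
            records.setdefault(current, {})
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if not is_valid_digest(algo, digest):
                raise ValueError(f"{current}: bad {algo} digest {digest!r}")
            records[current][algo] = digest
    return records


def unique_sha256s(records: dict) -> set:
    """Distinct SHA256 values; equal to the record count when every drop is a different file."""
    return {r["SHA256"] for r in records.values() if "SHA256" in r}


# Constructed excerpt: three entries copied from the Files section of the Windows 7 run above.
SAMPLE_FILES_SECTION = r"""
memory/2408-1-0x000000013F520000-0x000000013F874000-memory.dmp
\Windows\system\KRsnGIp.exe
| MD5 | e1a31a251b709fcc75609b8d955b029a |
| SHA1 | c34dacd2ea6bd2d386c1575fabf6053ce5971d23 |
| SHA256 | 0e29fba91b7a148248795f641cea541d54d6836cd0dc274fc22effad19dcea87 |
memory/2428-8-0x000000013F7B0000-0x000000013FB04000-memory.dmp
\Windows\system\Fmluany.exe
| MD5 | a814f8248ab21a6ff5c063c377a885bf |
| SHA256 | 681d5fc5e2e535ae473602c0e1c3a8fe48703595c1b07777ed0d126d5e3e7dc6 |
C:\Windows\system\HNyZcdp.exe
| MD5 | 85585875add30e97f25d8d14d5cd72e5 |
| SHA256 | 24005614c9338e9b56f91f16e0920b32d8c8f89316199707b6e33181d52a0024 |
"""

if __name__ == "__main__":
    recs = parse_files_section(SAMPLE_FILES_SECTION)
    for path, hashes in recs.items():
        print(path, hashes.get("SHA256"))
    print(len(recs), "files,", len(unique_sha256s(recs)), "distinct SHA256 values")
```

Feed the whole Files section of a report through parse_files_section and compare len(records) with len(unique_sha256s(records)); when they match, as they do for the 21 drops above, the payload is regenerated per drop and a hash blocklist built from one detonation will not catch the next.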
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 12:35
Reported
2024-06-08 12:37
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader: 21 matches (the report captured no description, indicator, process or target for any of them)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 matches (details not captured)
UPX dump on OEP (original entry point): 64 matches (details not captured)
XMRig Miner payload: 64 matches (details not captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NBMSRjh.exe | N/A |
| N/A | N/A | C:\Windows\System\aVeucWn.exe | N/A |
| N/A | N/A | C:\Windows\System\qxaEtnt.exe | N/A |
| N/A | N/A | C:\Windows\System\uOEKVxY.exe | N/A |
| N/A | N/A | C:\Windows\System\cCrvMKZ.exe | N/A |
| N/A | N/A | C:\Windows\System\voAtsRI.exe | N/A |
| N/A | N/A | C:\Windows\System\nHOZlzF.exe | N/A |
| N/A | N/A | C:\Windows\System\fyZsMzc.exe | N/A |
| N/A | N/A | C:\Windows\System\GxjuYsP.exe | N/A |
| N/A | N/A | C:\Windows\System\OzxQnAY.exe | N/A |
| N/A | N/A | C:\Windows\System\gTjxRMm.exe | N/A |
| N/A | N/A | C:\Windows\System\eOOBFvE.exe | N/A |
| N/A | N/A | C:\Windows\System\KcmjPDG.exe | N/A |
| N/A | N/A | C:\Windows\System\uZZEocw.exe | N/A |
| N/A | N/A | C:\Windows\System\iBPEsBX.exe | N/A |
| N/A | N/A | C:\Windows\System\CFFegge.exe | N/A |
| N/A | N/A | C:\Windows\System\boDrGcL.exe | N/A |
| N/A | N/A | C:\Windows\System\mAsOLFq.exe | N/A |
| N/A | N/A | C:\Windows\System\DfhVTAf.exe | N/A |
| N/A | N/A | C:\Windows\System\knEXgQT.exe | N/A |
| N/A | N/A | C:\Windows\System\gpLKywA.exe | N/A |
UPX packed file: 64 matches (details not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9a7ebb724342a0f26bc653cee9c1c348_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NBMSRjh.exe
C:\Windows\System\NBMSRjh.exe
C:\Windows\System\aVeucWn.exe
C:\Windows\System\aVeucWn.exe
C:\Windows\System\qxaEtnt.exe
C:\Windows\System\qxaEtnt.exe
C:\Windows\System\uOEKVxY.exe
C:\Windows\System\uOEKVxY.exe
C:\Windows\System\cCrvMKZ.exe
C:\Windows\System\cCrvMKZ.exe
C:\Windows\System\voAtsRI.exe
C:\Windows\System\voAtsRI.exe
C:\Windows\System\nHOZlzF.exe
C:\Windows\System\nHOZlzF.exe
C:\Windows\System\fyZsMzc.exe
C:\Windows\System\fyZsMzc.exe
C:\Windows\System\GxjuYsP.exe
C:\Windows\System\GxjuYsP.exe
C:\Windows\System\OzxQnAY.exe
C:\Windows\System\OzxQnAY.exe
C:\Windows\System\gTjxRMm.exe
C:\Windows\System\gTjxRMm.exe
C:\Windows\System\eOOBFvE.exe
C:\Windows\System\eOOBFvE.exe
C:\Windows\System\KcmjPDG.exe
C:\Windows\System\KcmjPDG.exe
C:\Windows\System\uZZEocw.exe
C:\Windows\System\uZZEocw.exe
C:\Windows\System\iBPEsBX.exe
C:\Windows\System\iBPEsBX.exe
C:\Windows\System\CFFegge.exe
C:\Windows\System\CFFegge.exe
C:\Windows\System\boDrGcL.exe
C:\Windows\System\boDrGcL.exe
C:\Windows\System\mAsOLFq.exe
C:\Windows\System\mAsOLFq.exe
C:\Windows\System\DfhVTAf.exe
C:\Windows\System\DfhVTAf.exe
C:\Windows\System\knEXgQT.exe
C:\Windows\System\knEXgQT.exe
C:\Windows\System\gpLKywA.exe
C:\Windows\System\gpLKywA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4468-0-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp
memory/4468-1-0x00000238F10F0000-0x00000238F1100000-memory.dmp
C:\Windows\System\NBMSRjh.exe
| MD5 | 1ff441287eb9a0d5ff2a43c7731f2b2a |
| SHA1 | 7ea00b097dbebea4a4f45b994b2c7dac650026f5 |
| SHA256 | c93a80ece2e55a2d673b6adceb62849fb29e0429d260e53a58eb43f84c371ad4 |
| SHA512 | e2f9d615a87d7574e2a0231c462631199a539a80d5847a32efcc49f081ce72d0c7edb52d2d59b95ed848e28da9c23a8bf1d8783b9a4a3e910cd4e5ad76bdc689 |
C:\Windows\System\qxaEtnt.exe
| MD5 | 7b3a940cdf7718914c2182fad9f89a6f |
| SHA1 | 41747781cb4651dfa332a0bdac4eccefc0d81fa8 |
| SHA256 | b6546a614632c5125fc613b2804bf2db6c7ff153702ea560c58baf65b2637b6d |
| SHA512 | a0a559685e8d3abb70f5feca6d1c54983cdd08766cdbec81f917ff0e1f22826ef1cda8cb1068b5262fff0e0f1366167b7e76c9b18ff7c2ca1d9a33db6370d9e1 |
C:\Windows\System\aVeucWn.exe
| MD5 | d4fe4ba1603bbaad528e7925f94e64f3 |
| SHA1 | 1252a18efebe362cf99effb97c99076216c68831 |
| SHA256 | e91a726214de099875823a31b94ea635ba4d050d6fc63420f6f5e89330c2b079 |
| SHA512 | 8bce6052737843db39d70504678fd569e1600e0f57180f86784dfe514a6e4e58f8d7b92e3def2ac1586479e671656896aac820aed390811d61f719566d02cbcd |
C:\Windows\System\cCrvMKZ.exe
| MD5 | 9b52db840dd6ca9ff5544b1383273402 |
| SHA1 | d84f44c93a00f9fa6e13092d232ea320903f5ed6 |
| SHA256 | ba6688ac5cb31d8d7c77a8fab1342fba2978a69a34a525159a750e6ba2ec967a |
| SHA512 | 40a6d48275f5e8d032ba1a3d7ba2788b18b14f2ab6fbe856c92b6dd35181ce62f9a944029aa77da8f742d0cc5303bdbee1b066e8dc727ca590ef92f38c48dcd9 |
C:\Windows\System\uOEKVxY.exe
| MD5 | 64213e35cdd5d4132660117ee6cfde95 |
| SHA1 | 1417b8253824001e69455d3742989de3783013dc |
| SHA256 | bb3051aaf547269d591b69783c589c225d47b847c57700af9c712db787354c55 |
| SHA512 | 35f0b48a78b69c1d6ab6ea92466056cfc73d9603fbe58778365086330a7692912e082df54e87537064f65e5ce223b91493f487ede42547b1872ae76f20453b42 |
memory/4916-24-0x00007FF6E64C0000-0x00007FF6E6814000-memory.dmp
memory/1984-18-0x00007FF615DC0000-0x00007FF616114000-memory.dmp
memory/5092-10-0x00007FF6D72E0000-0x00007FF6D7634000-memory.dmp
memory/4416-25-0x00007FF65B050000-0x00007FF65B3A4000-memory.dmp
C:\Windows\System\voAtsRI.exe
| MD5 | e3c7608364f80d93004eff0ded9cc926 |
| SHA1 | bff3e5e9d38d1c38317adee3bd522da6ee5786ec |
| SHA256 | 5901dc136c4a191f6cc020963ca319d0be3cef647c35339fe2b180b261b66c03 |
| SHA512 | 58dbc621f7e270e4d2b332cd57930a66caa72f75fc80590175277909e909e52dd6e3cfc09a9e3af27e3970e96362dacb7463c2cfb00f8340cc173d060c3d3cef |
C:\Windows\System\nHOZlzF.exe
| MD5 | 94e2617bd6985d8aa3c98dbcef075e41 |
| SHA1 | 2f7d7a23eecf92f738679a92a70c4e0d5218a3b6 |
| SHA256 | fe421496c56e976ff786cb0eb5b0235bec9ba104ba5122c5cdb420875d70d8d1 |
| SHA512 | c3ab82bbb04b6597f72752bf0bba9f08477ae66d56996a98c148ad799a65c6961acde951086c37370cfecd583a8dd0479f62194fbb083b97e0b449ae05157393 |
C:\Windows\System\GxjuYsP.exe
| MD5 | a8175b0ecfe2610686224df53e2b026f |
| SHA1 | 84451c4bed55e0352e37387dd4f9f15836d30d4a |
| SHA256 | cdeb69ceb1528461f1f6ec657df5f58e4fcad77adaa95434bf3de3d737a56643 |
| SHA512 | 5d7433e3b19ebdc77f1f767bad67b259de53a049df8923394af1dde97b442a9d35d80a8f480d2de7fab6d9c86637fc1270c7e69102128eec290707723c114bee |
C:\Windows\System\OzxQnAY.exe
| MD5 | 53fa329820b873a982f27f22f2291634 |
| SHA1 | 893884a3fb51c8d9d6680301d57dfe32e55ff87f |
| SHA256 | 0c47da51da633b3d9b96b00b4381954fb8e7fdad368be15bd11b3fae96b7bcf1 |
| SHA512 | 5bb5b18ac513af419d19b5652cdc485e7e2a1acbb05b2bf3dc29bcf625557a2df7481732a2fe935af10a0cc67a99b5ea6f4b49a0416a20528a8224437b6bcd64 |
C:\Windows\System\gTjxRMm.exe
| MD5 | 486667971ecb2f1ec311ac7ff44da69e |
| SHA1 | f037952ebf661253107fba37536b58bc12957e67 |
| SHA256 | 0ce95ec8cdded05f455ac0a7dc8185882df605877fc341b46cacd70aff77db9f |
| SHA512 | b4ebb52086d1bb3127fb6766e4c24bd325ee99da67ec0e819193575332ca10dcad7ca641cc6e0549d2bc5a6e4f40c2f0a8897df775f9366f0cb3412f28d691bc |
memory/4048-66-0x00007FF7FC630000-0x00007FF7FC984000-memory.dmp
memory/4444-65-0x00007FF6E4C40000-0x00007FF6E4F94000-memory.dmp
memory/3304-56-0x00007FF7EC4D0000-0x00007FF7EC824000-memory.dmp
C:\Windows\System\fyZsMzc.exe
| MD5 | 55c77d2ca94d931cc2aa321dcbc02672 |
| SHA1 | 4b343ccc8e7fa1c7cc5abac923fafed585204f92 |
| SHA256 | 1c4c9bb348e16b428a62ab4df80c10a22e69043c2c8ca9b59a262bba3c559eb2 |
| SHA512 | 0b3eb1517ac29e18bbefee958bf25fde56f32a3af1b13a4febb0cf0e6d26b241acf7ad4b61c467ba63474f4bc99c71ec1b7c4396851061c30521b49e8083d5dc |
memory/4676-51-0x00007FF694B00000-0x00007FF694E54000-memory.dmp
memory/2180-45-0x00007FF6896B0000-0x00007FF689A04000-memory.dmp
memory/3348-37-0x00007FF62D350000-0x00007FF62D6A4000-memory.dmp
memory/1820-26-0x00007FF63D6D0000-0x00007FF63DA24000-memory.dmp
C:\Windows\System\KcmjPDG.exe
| MD5 | 7ecbbb9dd8c60ba345a68fce801baa18 |
| SHA1 | 756cbabc4c8faaf22a1404fbd1c2fed81e4bcb3f |
| SHA256 | b074278fa53ce1a1d38885c8d025246356baeb4186903fc1e3c8f4f602f1fb23 |
| SHA512 | 39c77d6617cb70a2d0d4b61af0200814358f001fc4b660edacefce9d2bad75cf4b83e49c9bc0d5993ecd4abf4080a4c2a7d3ce92738a71db15d354d71d34aa58 |
C:\Windows\System\eOOBFvE.exe
| MD5 | 7e01900ae8f87bcc09f0bb027c32fcf6 |
| SHA1 | 2acc28afc0d64d1a74042c5ecd1aa34a27db2e1f |
| SHA256 | 9473a1ea55d26acf7eafa24893049b605dad6a01d7e0a621a8bd31dbab76905b |
| SHA512 | 68d97cf83efcfb567621e0d3344d8dbaac337d2b5dc0c540fb2d8c74c5f56f72aae7c5402dd137a3a480e1f262e2fd46dd81739b1ef9c91d53b7860a64312dc1 |
C:\Windows\System\uZZEocw.exe
| MD5 | 18395fa6ac0c829d9804f40e2b29dfb1 |
| SHA1 | c8aa9d9e73bab7dde28bd445762693375c961107 |
| SHA256 | 8b70eba480214c564fe4382a1262939bae57018726214420792a4fb8920c0950 |
| SHA512 | 9ae25e6798ae742cac8776582f5c1995ac088c0ca7aed7a51c2f482a425242aba61239db2f7122ade1617898f2b17fefd156b8d2c863ae1b35823c92fcbc7bd6 |
C:\Windows\System\iBPEsBX.exe
| MD5 | 70d872c1a00d66ab7e94e09b2fd2bab0 |
| SHA1 | 8d892b68753029956975543f581b45486be5dddd |
| SHA256 | e5ab8620524a5866b161473448ce904d19dca10f555c3573391e259a8968c844 |
| SHA512 | 31dcddd49eb27cd7b71152c74a00dc795d2f347df86ee9fc26d6691cefeb047b636e5e07b0ee07e0f0eeee0c8fbd4489a1b6be48ffb92c51742d487a2d83c302 |
memory/1416-92-0x00007FF77ECA0000-0x00007FF77EFF4000-memory.dmp
memory/5092-91-0x00007FF6D72E0000-0x00007FF6D7634000-memory.dmp
memory/4132-85-0x00007FF7E69C0000-0x00007FF7E6D14000-memory.dmp
memory/4496-84-0x00007FF7E5F50000-0x00007FF7E62A4000-memory.dmp
memory/4468-80-0x00007FF76D350000-0x00007FF76D6A4000-memory.dmp
memory/4036-74-0x00007FF6A8DA0000-0x00007FF6A90F4000-memory.dmp
C:\Windows\System\CFFegge.exe
| MD5 | 46162c023818fa715e1abc268481ba9b |
| SHA1 | 5d50d87c7088d93fe1750271ee6515fe4bc02817 |
| SHA256 | 08f2935a00924faf97bb6737cc4ce088b58ad4dc0d71aecefc80d06edf25f577 |
| SHA512 | 98f418ad8c4e8ff7d4dcea96f792e63426a41fa6a6e8366a8dae4dc161518f552f368affbadd0cb1192861b165bc614f96b1791decf69ae010f20f7d319ee5a9 |
memory/1984-100-0x00007FF615DC0000-0x00007FF616114000-memory.dmp
C:\Windows\System\boDrGcL.exe
| MD5 | 15506d619841c35fa3fb0a1f45da6662 |
| SHA1 | 63753273a0d0949b721cd49ae103c59161206b5b |
| SHA256 | f8edde7665374b761dc1a952a6166fdd61c7408b92fe1f50e2a579c2c46a7b68 |
| SHA512 | 21bd1c369598861cf3462d15e6bf5405a38ecafcb4d7991e38ef1103d342de2763a8365a645c5b49d97e8cf23fd09c3dc496a195a7f531c029c45d01909ba722 |
memory/4364-103-0x00007FF72F530000-0x00007FF72F884000-memory.dmp
memory/4916-105-0x00007FF6E64C0000-0x00007FF6E6814000-memory.dmp
C:\Windows\System\mAsOLFq.exe
| MD5 | 4480f8d7ba5c9a9e8540e8283b902544 |
| SHA1 | df5fa3491157612c7d43aeeef708acbac7fb876e |
| SHA256 | 00813502be40dc34e7297443e288d65aecae17322e9788790a4878a9d78cc654 |
| SHA512 | 50b15f0bde17bcf8e50c7aff5ac02df8f97cc3e4ed4499cec0a2257b41df6bb768833f09eda152c583aceaf4debe7d1aa7a5f20fd19fadc58db6c1ec86511f2a |
C:\Windows\System\DfhVTAf.exe
| MD5 | cd1e3b7eb33224885c1c92802cb03aa3 |
| SHA1 | a58a00528d98582dcc971daa1b0f51eca419c0bc |
| SHA256 | 55915564a8727542ff4de128b733421d1fa7123edd60968c7984592e30814de8 |
| SHA512 | 4082f2f95e4d9410d4077236d40c990ebc248a4ec09e07771bc50b372f5ab150b16cb79bbe9bfb0eca45986c5c11642d56efe74f99eb3ef1efd0593fd2772f0d |
memory/4948-126-0x00007FF60FAA0000-0x00007FF60FDF4000-memory.dmp
memory/4676-128-0x00007FF694B00000-0x00007FF694E54000-memory.dmp
C:\Windows\System\knEXgQT.exe
| MD5 | 8ad5811a58ef68820df8c0a743143161 |
| SHA1 | 6947ecfbed9ef67fb91e1ee211e4aad1dc6186bc |
| SHA256 | 75e077350517db8e5ccc1fc194e27ee70c46ad19cc56fb19efc53d751c99a485 |
| SHA512 | 39b004daa4905ca0627247866b40c6a7fec04c1756a343882ad7f84cbf3b95d0ef5c9b4e60d853b3e58cb3ea1871e0f10ed524a6dfa13838650df81e131ea7c6 |
memory/3260-129-0x00007FF651E10000-0x00007FF652164000-memory.dmp
memory/2180-127-0x00007FF6896B0000-0x00007FF689A04000-memory.dmp
memory/552-114-0x00007FF6A0020000-0x00007FF6A0374000-memory.dmp
memory/1580-113-0x00007FF72D340000-0x00007FF72D694000-memory.dmp
memory/3348-110-0x00007FF62D350000-0x00007FF62D6A4000-memory.dmp
memory/1820-109-0x00007FF63D6D0000-0x00007FF63DA24000-memory.dmp
memory/4416-106-0x00007FF65B050000-0x00007FF65B3A4000-memory.dmp
C:\Windows\System\gpLKywA.exe
| MD5 | 64251ae772b619fa47a2919a51383761 |
| SHA1 | 269449424cc6fed745f0a6435707bcff8a2befeb |
| SHA256 | 572a770717275cd27cb50736aea1746c100c4ee9161d3455e3404b1cacf4a643 |
| SHA512 | 01939b1555abf44c6620858faa5a617e0b42d8ebdb70cfa5afbf407e17a00afcb1f64cc2b417ebc1e5523a43939618bba2922bd7a9380a731bcbeb16a1273b32 |
memory/392-136-0x00007FF6F9BA0000-0x00007FF6F9EF4000-memory.dmp
memory/3304-137-0x00007FF7EC4D0000-0x00007FF7EC824000-memory.dmp
memory/4048-138-0x00007FF7FC630000-0x00007FF7FC984000-memory.dmp
memory/4496-139-0x00007FF7E5F50000-0x00007FF7E62A4000-memory.dmp
memory/4036-140-0x00007FF6A8DA0000-0x00007FF6A90F4000-memory.dmp
memory/4132-141-0x00007FF7E69C0000-0x00007FF7E6D14000-memory.dmp
memory/1580-142-0x00007FF72D340000-0x00007FF72D694000-memory.dmp
memory/552-143-0x00007FF6A0020000-0x00007FF6A0374000-memory.dmp
memory/4948-144-0x00007FF60FAA0000-0x00007FF60FDF4000-memory.dmp
memory/392-145-0x00007FF6F9BA0000-0x00007FF6F9EF4000-memory.dmp
memory/5092-146-0x00007FF6D72E0000-0x00007FF6D7634000-memory.dmp
memory/1984-147-0x00007FF615DC0000-0x00007FF616114000-memory.dmp
memory/4916-148-0x00007FF6E64C0000-0x00007FF6E6814000-memory.dmp
memory/4416-149-0x00007FF65B050000-0x00007FF65B3A4000-memory.dmp
memory/1820-150-0x00007FF63D6D0000-0x00007FF63DA24000-memory.dmp
memory/3348-151-0x00007FF62D350000-0x00007FF62D6A4000-memory.dmp
memory/2180-152-0x00007FF6896B0000-0x00007FF689A04000-memory.dmp
memory/4676-153-0x00007FF694B00000-0x00007FF694E54000-memory.dmp
memory/4444-155-0x00007FF6E4C40000-0x00007FF6E4F94000-memory.dmp
memory/3304-154-0x00007FF7EC4D0000-0x00007FF7EC824000-memory.dmp
memory/4048-156-0x00007FF7FC630000-0x00007FF7FC984000-memory.dmp
memory/4036-157-0x00007FF6A8DA0000-0x00007FF6A90F4000-memory.dmp
memory/1416-158-0x00007FF77ECA0000-0x00007FF77EFF4000-memory.dmp
memory/4496-159-0x00007FF7E5F50000-0x00007FF7E62A4000-memory.dmp
memory/4132-160-0x00007FF7E69C0000-0x00007FF7E6D14000-memory.dmp
memory/4364-161-0x00007FF72F530000-0x00007FF72F884000-memory.dmp
memory/1580-162-0x00007FF72D340000-0x00007FF72D694000-memory.dmp
memory/3260-163-0x00007FF651E10000-0x00007FF652164000-memory.dmp
memory/552-164-0x00007FF6A0020000-0x00007FF6A0374000-memory.dmp
memory/4948-165-0x00007FF60FAA0000-0x00007FF60FDF4000-memory.dmp
memory/392-166-0x00007FF6F9BA0000-0x00007FF6F9EF4000-memory.dmp