Analysis Overview
SHA256
6d0fca74a2b4dd0989795f9c807810e68007f89f010e9797369d75d4470e85a1
Threat Level: Known bad
The file 2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 17:28
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 17:28
Reported
2024-06-08 17:30
Platform
win7-20240215-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eLFZrSf.exe | N/A |
| N/A | N/A | C:\Windows\System\BcjIJyo.exe | N/A |
| N/A | N/A | C:\Windows\System\FOZxoAz.exe | N/A |
| N/A | N/A | C:\Windows\System\jESABMn.exe | N/A |
| N/A | N/A | C:\Windows\System\fnFlKYg.exe | N/A |
| N/A | N/A | C:\Windows\System\STmFKdR.exe | N/A |
| N/A | N/A | C:\Windows\System\lQsrfEC.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgNFrle.exe | N/A |
| N/A | N/A | C:\Windows\System\gqtIAVi.exe | N/A |
| N/A | N/A | C:\Windows\System\okmfbxZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YZHMRvl.exe | N/A |
| N/A | N/A | C:\Windows\System\qNatcTP.exe | N/A |
| N/A | N/A | C:\Windows\System\uEIYKsn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZUCNMyn.exe | N/A |
| N/A | N/A | C:\Windows\System\znwcZEx.exe | N/A |
| N/A | N/A | C:\Windows\System\jumHBGX.exe | N/A |
| N/A | N/A | C:\Windows\System\LUnpTgM.exe | N/A |
| N/A | N/A | C:\Windows\System\BXRIoTh.exe | N/A |
| N/A | N/A | C:\Windows\System\WjtIxsW.exe | N/A |
| N/A | N/A | C:\Windows\System\gidOMJY.exe | N/A |
| N/A | N/A | C:\Windows\System\FWmHEgf.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\eLFZrSf.exe | C:\Windows\System\eLFZrSf.exe |
| C:\Windows\System\BcjIJyo.exe | C:\Windows\System\BcjIJyo.exe |
| C:\Windows\System\FOZxoAz.exe | C:\Windows\System\FOZxoAz.exe |
| C:\Windows\System\jESABMn.exe | C:\Windows\System\jESABMn.exe |
| C:\Windows\System\fnFlKYg.exe | C:\Windows\System\fnFlKYg.exe |
| C:\Windows\System\STmFKdR.exe | C:\Windows\System\STmFKdR.exe |
| C:\Windows\System\lQsrfEC.exe | C:\Windows\System\lQsrfEC.exe |
| C:\Windows\System\ZgNFrle.exe | C:\Windows\System\ZgNFrle.exe |
| C:\Windows\System\gqtIAVi.exe | C:\Windows\System\gqtIAVi.exe |
| C:\Windows\System\okmfbxZ.exe | C:\Windows\System\okmfbxZ.exe |
| C:\Windows\System\YZHMRvl.exe | C:\Windows\System\YZHMRvl.exe |
| C:\Windows\System\qNatcTP.exe | C:\Windows\System\qNatcTP.exe |
| C:\Windows\System\uEIYKsn.exe | C:\Windows\System\uEIYKsn.exe |
| C:\Windows\System\ZUCNMyn.exe | C:\Windows\System\ZUCNMyn.exe |
| C:\Windows\System\LUnpTgM.exe | C:\Windows\System\LUnpTgM.exe |
| C:\Windows\System\znwcZEx.exe | C:\Windows\System\znwcZEx.exe |
| C:\Windows\System\BXRIoTh.exe | C:\Windows\System\BXRIoTh.exe |
| C:\Windows\System\jumHBGX.exe | C:\Windows\System\jumHBGX.exe |
| C:\Windows\System\WjtIxsW.exe | C:\Windows\System\WjtIxsW.exe |
| C:\Windows\System\gidOMJY.exe | C:\Windows\System\gidOMJY.exe |
| C:\Windows\System\FWmHEgf.exe | C:\Windows\System\FWmHEgf.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1728-0-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1728-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\eLFZrSf.exe
| MD5 | 49ca570156d395f4dcfc95be2ed7c285 |
| SHA1 | 68dd1b67698a5adfe2cea2d4a144c6b67dbc70c5 |
| SHA256 | 52ffcd7282dc8d13c162357018c15f4c3da8148b7f03864be6aafd162ef370cf |
| SHA512 | ab8e4b038874c3e51a74cf0017c035dca1b7e9eb6917543bde82a1cc7d1531a4b9e1c878543de62ab244876ae96777f87e0a7a3ca253ddb2783fed7ceab36f97 |
C:\Windows\system\BcjIJyo.exe
| MD5 | 41b8c94940834b430286fd6771db1759 |
| SHA1 | dc8e75c8de5fb5affe469d4798184ace7efcff44 |
| SHA256 | 143585bf661bf4085f5bee055d38f2c2e571ec2ebbabb61f44ea88837928995a |
| SHA512 | a006b2a5febe16aa1eaac8a490a77f3e519f83c4da072d47ff821df1bf4c9da44bd3861a606ad2ec93b0ab9e21842992e716ae5d3205a5a43d8de7f264bbecda |
memory/2712-16-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/1728-14-0x0000000002420000-0x0000000002774000-memory.dmp
memory/1608-12-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/1728-9-0x000000013FE60000-0x00000001401B4000-memory.dmp
C:\Windows\system\FOZxoAz.exe
| MD5 | 26a9f3ba6f2b6e58c486d8f306e1785e |
| SHA1 | c5cc87c5d44423c3f80a11c9797d46d717b5e76b |
| SHA256 | dd1896f6b7cdf903238ffb04e0a2f52e3177da116aeaf9cf0f1cfee783b731a2 |
| SHA512 | 098cc8ef97cc982de394029ad4f5a4103238dbb5c5e39c165b59c0d55b8b142f44934269e9180c8f7312b6cb0bec2c0155b869759e61512295f6c7739097292a |
memory/1728-21-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2596-23-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\jESABMn.exe
| MD5 | add96bd92cc0ee963341bb179dba4975 |
| SHA1 | 84321c62fc12ec5ab82d1e2e8e26387742653e8c |
| SHA256 | 0521ad682976aaa3781cc322b28c130f2f19950c894b489e3ae0b5ecbe395e1e |
| SHA512 | d66dcd333a740921c495479befb4ff07665f438f7f5c376b0ce1bdcc0991d06ada5a1d18fd4eb3288d0eb0f7f2194e1232fb4d3bd81d9e33416829965389af45 |
memory/1728-29-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\fnFlKYg.exe
| MD5 | e87369d7e2a6d8ae6eb6b6fe29005250 |
| SHA1 | 782c32cd103847a6dd27d3ae7c8e6d31e5a4ccac |
| SHA256 | c8350855b7fabba931e9e3f48788ccb53acb9fce068208dcb4205032bb2e728a |
| SHA512 | 79e512fa9ab13a565307843a5a1073170e0cddef1bc8fad8a04512a59b1ce2427e591b313aff8ffe0dc7f77737e75baa1f6eb2dc192a2a05e7a7c0dafe9e281e |
C:\Windows\system\STmFKdR.exe
| MD5 | f6a7ae28ae1376c029cca98bfa07dfee |
| SHA1 | 9934ec6d763ee162cb59b076df038ef0baedfe88 |
| SHA256 | aa1f6fde01187b4d78cdcd467c16c69d073fb175056337661ede59978b5950d1 |
| SHA512 | e0f66bdcbfaa82a32a1db15145fedd76d18f844169f45e2bb8c3b87f3746d11a6df0e95d3ff8bad9f1957c41f861d96b6d11bc78264013e5bce755de2d71348a |
memory/1728-38-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\lQsrfEC.exe
| MD5 | 707838ffc0764646ea357795df2b0485 |
| SHA1 | ad3471d36133498e06c2c2ee6ccdf89c34c49455 |
| SHA256 | 6cb6e62412dad3298d9d75155a59bc302c669bfacd4aa10397ea425d061a8418 |
| SHA512 | fbd461a02a436abca219d2dd4e504728d1b85c239453f83daf77cd7d1d7bebb7da3dcf36bb95327432aea841a7adce125eed673c8904758d02ac5c4702951e7a |
C:\Windows\system\ZgNFrle.exe
| MD5 | 1b5eb8a1cc16a4375430510e82ea7567 |
| SHA1 | ba6eb7d49915ffa2f6a85e23fcc42215313a0a40 |
| SHA256 | 0e1022e7e6229a67de846fb54acde61a5041b6001b6ce6493f9773241eae9ae4 |
| SHA512 | 093127eaf89ef587bd82afa85bc548dd7a4bc1c8ec9f5563d337164b00a49a21b72015312dea228e3808635efc1b2a66a048d2c32fff0a75a5e835f6226d3fc7 |
memory/2528-52-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2708-55-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1728-58-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2532-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/1728-56-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2556-54-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1728-53-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2592-30-0x000000013F400000-0x000000013F754000-memory.dmp
\Windows\system\gqtIAVi.exe
| MD5 | 7d69f896061c4b18426543e285492cdb |
| SHA1 | 1c34561865acaa5b180e972b0ef29a5c943f07ed |
| SHA256 | 7799eb3183d40ba1674e9e153f9d8e4957e0c1b51d0919cca825bca9cdfddd1d |
| SHA512 | c17b98325fd856295e7c1cb283663d7f318d95bcf4b2091796018c796232f73d210f729ebe6175776deb328aa9b13ce2bd89c55695d484558572890e271dde35 |
memory/1728-68-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1728-71-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2316-74-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/1728-73-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2868-64-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\okmfbxZ.exe
| MD5 | 6fb995cf50dac3ce60871453b2120f14 |
| SHA1 | 567e746ebf08079d20e519a90c7f0983448bee8a |
| SHA256 | 25857737e291037181b137abbef6c20cd41880f0c956a55d25a30974ef92aaef |
| SHA512 | 54d0b5c37136e70248fc3f1a27677b26e2f0fa52a412b54e559cfb5a64237b625a8f1e4468fbdf4beda0dfa7e58d81fbdf1bb31191a6847a989d674dcb40d376 |
memory/1728-62-0x000000013FD30000-0x0000000140084000-memory.dmp
\Windows\system\uEIYKsn.exe
| MD5 | 8819ddf7ec3a2cd592cc350a1a725450 |
| SHA1 | 5897d55d32dce1a46ba8aa7aeb8268d2c3bccb09 |
| SHA256 | f45a9dd15076c625e5f7b0c2b69056bb19ebef689871e6f8eaa70463945e5baf |
| SHA512 | bd388d5a1eefca42a2160c56c80b39f96b94ecea71b5121c414769ac8720dd9ae84a3f558e973aab0805cbd1adcf5fbd822a413e37eff68d3626d977ce47302a |
C:\Windows\system\qNatcTP.exe
| MD5 | 51f6c853ad71d681a219ea5d036a8191 |
| SHA1 | 828d9769ec96dc761c01d1f5bafc64750bb66dc5 |
| SHA256 | 5b3594b2185740763ef81e0b2704fcd286b078f01ad6916bd66ee7527cf29c55 |
| SHA512 | f66e77d1b615a30c3f01603bfa168bff5edb91a0ac8ecacece2cab90e9107bbe34e43c1ae707e3973de12f6a69062227ec5beba2b6dad4ada46f752d639263c9 |
memory/2712-109-0x000000013F740000-0x000000013FA94000-memory.dmp
\Windows\system\LUnpTgM.exe
| MD5 | fbe444145075c82d6e668a358b1be1aa |
| SHA1 | 2cde933ed746841ef5fa8f9ea82dcaf2a4fad93b |
| SHA256 | 62fbb1566dd6bfd073f451a3baade0c900fd2715553cc4dc80d4bbe4bbcb1dd4 |
| SHA512 | d3a441c0aa04ee1b71d713e032063a9c3c1802fcb51f84fccc6171befff2c234d756150b5d1526be03099aa2cb0ae218392cd1c41182f9201599a38675e0448f |
C:\Windows\system\znwcZEx.exe
| MD5 | eddf5b0c26f9dd1949c10259fa0f9080 |
| SHA1 | cf64a7bef3f0d5da0a45b07913dee8090700b06d |
| SHA256 | ec167028e2ef14b1b05264c9f79181d370416c0a61a67caf9b11c06e022780aa |
| SHA512 | 58d08d7f70e4bad8aa2fdcf5aa9996b22ccea21dcb87f0cd063c37107c5b7a9e4c0047bd3a0ef03af6e7c3c47743e05ff317221fb20f63152f3cbf24d8973472 |
memory/1728-113-0x000000013FCF0000-0x0000000140044000-memory.dmp
\Windows\system\BXRIoTh.exe
| MD5 | 6232373f9bde9291f39894a30074315a |
| SHA1 | df379a7d6e338fb56f290c038382930394f32ecd |
| SHA256 | 6f06646af75c7837692bf63e6d70278df603f52061f5c837b83831119ebb05ee |
| SHA512 | edbe6acac15901e2c8cd333129b41ac84c09ec8055ae16b9f481a99e9c67ac84bd6b4b9f382da8b329768064589f7a2a15dc57370aa7d309605bb5c3d7aa8ace |
C:\Windows\system\jumHBGX.exe
| MD5 | 032f381e7c96eb1da6d00d6915ba4bb3 |
| SHA1 | b468bf81d0e5575f303627d0071d8dacd8461242 |
| SHA256 | 2d0d0346480f62afb67f804dc6480832091487575e2feb20bcb42bdf9765e87f |
| SHA512 | dead1fb6479af756ed48d643dc605d54bb558a6de87789e118f2b73cda05544a96c87ca2f1ab73fe0f427ac8120c2e7e780f645a6e3e502aaae79f33ca77727a |
memory/2840-105-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2576-101-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1728-100-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2752-99-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1728-97-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/1728-96-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2484-95-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\ZUCNMyn.exe
| MD5 | aab8bb1494f7da943e73902fef86baf3 |
| SHA1 | 12d77052406fb4007caf0d51beb69d1cb5bf2ef1 |
| SHA256 | 9b3d57a77c02ab7b0016dde95a21ebbf89911dd52ff4ea0fb31750e0526f74e8 |
| SHA512 | 9a522e070e52141585531124f3cccfa3d7c33dc2a30bc8b229c46966121a26b7f2714f7ba6c8d75f4ed3a6b334746d7adf535ad0ff5cda860e45e44ceacb02f1 |
memory/1728-93-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\YZHMRvl.exe
| MD5 | 39c6308f51d124bb16a2f9ce1cf2d5c7 |
| SHA1 | a9e9ab1f909ce139a30733eb102984d73eb13ee9 |
| SHA256 | 10b8b377e24bbf12efef7d1499dbd923f7a1ba70ac5511356defecd700e6c49b |
| SHA512 | 18b5a070088c79730651a8dc95a4bd2b1286d6561cb20f70519bec82c8c3cc67664bc9db0c65213707bba856d4e0983a3639a0b5dd7f0094b0793fcb0708c926 |
\Windows\system\WjtIxsW.exe
| MD5 | 5728b0caa2f5b5d683756dcc1cd0e581 |
| SHA1 | 6c4b159837296c19563927a6e3bf60af8c11c3f9 |
| SHA256 | 2daba21211abdde9352bb774bd74914ea42eb119c3b37f4761379df9977a0613 |
| SHA512 | 59cdd35175768f6f4109b4053399f2bd364bdace0bab5531134617e58805ce270b0b359d96a99d391fe471e943c31963e561ef80a5d39db684c71136219c41f7 |
C:\Windows\system\gidOMJY.exe
| MD5 | 9d032310c99dcb3971b8ebee46f1a735 |
| SHA1 | 775f0ed0fa048ec7a44e6a47a5066e5dfdaabecb |
| SHA256 | 65462510c8af7aa9833d91e46f70f08da367cd8641502fd52d321e15336ea046 |
| SHA512 | 63fd620de618c3f1523792e331a076147ea4fadb32afeb9505c7d77daacf320b6332bd31676a99324665b472293b1851c3097e0e26bc62975dbc7a0f3af76c14 |
memory/2596-135-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\FWmHEgf.exe
| MD5 | 3909399fab93719cef82b2c7d90ddf81 |
| SHA1 | 4b2b5c4234f898dd5924ca6a7d5cb4abd5d2a873 |
| SHA256 | 861336257010e70aec87ef07db66de5799f309618bc20801198dbd29f46c48a6 |
| SHA512 | b1f7ddd7f8f7e427f220e35a67beceb53b2cd24fa5c77306a3a099b1d311a235db1606a082803a1462cfea262e7e4fcd7859c1308992817b5cffa78ce79f1f8d |
memory/2528-141-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/1728-140-0x0000000002420000-0x0000000002774000-memory.dmp
memory/1728-142-0x0000000002420000-0x0000000002774000-memory.dmp
memory/1728-143-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2868-144-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/1728-145-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/1728-146-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/1608-147-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2712-148-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2596-149-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2592-150-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2528-151-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2556-152-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2532-153-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2708-154-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2316-156-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2868-155-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2484-157-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2752-159-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2576-158-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2840-160-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 17:28
Reported
2024-06-08 17:30
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eLFZrSf.exe | N/A |
| N/A | N/A | C:\Windows\System\BcjIJyo.exe | N/A |
| N/A | N/A | C:\Windows\System\FOZxoAz.exe | N/A |
| N/A | N/A | C:\Windows\System\jESABMn.exe | N/A |
| N/A | N/A | C:\Windows\System\fnFlKYg.exe | N/A |
| N/A | N/A | C:\Windows\System\STmFKdR.exe | N/A |
| N/A | N/A | C:\Windows\System\lQsrfEC.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgNFrle.exe | N/A |
| N/A | N/A | C:\Windows\System\gqtIAVi.exe | N/A |
| N/A | N/A | C:\Windows\System\okmfbxZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YZHMRvl.exe | N/A |
| N/A | N/A | C:\Windows\System\qNatcTP.exe | N/A |
| N/A | N/A | C:\Windows\System\uEIYKsn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZUCNMyn.exe | N/A |
| N/A | N/A | C:\Windows\System\LUnpTgM.exe | N/A |
| N/A | N/A | C:\Windows\System\znwcZEx.exe | N/A |
| N/A | N/A | C:\Windows\System\BXRIoTh.exe | N/A |
| N/A | N/A | C:\Windows\System\jumHBGX.exe | N/A |
| N/A | N/A | C:\Windows\System\WjtIxsW.exe | N/A |
| N/A | N/A | C:\Windows\System\gidOMJY.exe | N/A |
| N/A | N/A | C:\Windows\System\FWmHEgf.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\eLFZrSf.exe | C:\Windows\System\eLFZrSf.exe |
| C:\Windows\System\BcjIJyo.exe | C:\Windows\System\BcjIJyo.exe |
| C:\Windows\System\FOZxoAz.exe | C:\Windows\System\FOZxoAz.exe |
| C:\Windows\System\jESABMn.exe | C:\Windows\System\jESABMn.exe |
| C:\Windows\System\fnFlKYg.exe | C:\Windows\System\fnFlKYg.exe |
| C:\Windows\System\STmFKdR.exe | C:\Windows\System\STmFKdR.exe |
| C:\Windows\System\lQsrfEC.exe | C:\Windows\System\lQsrfEC.exe |
| C:\Windows\System\ZgNFrle.exe | C:\Windows\System\ZgNFrle.exe |
| C:\Windows\System\gqtIAVi.exe | C:\Windows\System\gqtIAVi.exe |
| C:\Windows\System\okmfbxZ.exe | C:\Windows\System\okmfbxZ.exe |
| C:\Windows\System\YZHMRvl.exe | C:\Windows\System\YZHMRvl.exe |
| C:\Windows\System\qNatcTP.exe | C:\Windows\System\qNatcTP.exe |
| C:\Windows\System\uEIYKsn.exe | C:\Windows\System\uEIYKsn.exe |
| C:\Windows\System\ZUCNMyn.exe | C:\Windows\System\ZUCNMyn.exe |
| C:\Windows\System\LUnpTgM.exe | C:\Windows\System\LUnpTgM.exe |
| C:\Windows\System\znwcZEx.exe | C:\Windows\System\znwcZEx.exe |
| C:\Windows\System\BXRIoTh.exe | C:\Windows\System\BXRIoTh.exe |
| C:\Windows\System\jumHBGX.exe | C:\Windows\System\jumHBGX.exe |
| C:\Windows\System\WjtIxsW.exe | C:\Windows\System\WjtIxsW.exe |
| C:\Windows\System\gidOMJY.exe | C:\Windows\System\gidOMJY.exe |
| C:\Windows\System\FWmHEgf.exe | C:\Windows\System\FWmHEgf.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5116-0-0x00007FF6FE150000-0x00007FF6FE4A4000-memory.dmp
memory/5116-1-0x000001B777F90000-0x000001B777FA0000-memory.dmp
C:\Windows\System\eLFZrSf.exe
| MD5 | 49ca570156d395f4dcfc95be2ed7c285 |
| SHA1 | 68dd1b67698a5adfe2cea2d4a144c6b67dbc70c5 |
| SHA256 | 52ffcd7282dc8d13c162357018c15f4c3da8148b7f03864be6aafd162ef370cf |
| SHA512 | ab8e4b038874c3e51a74cf0017c035dca1b7e9eb6917543bde82a1cc7d1531a4b9e1c878543de62ab244876ae96777f87e0a7a3ca253ddb2783fed7ceab36f97 |
C:\Windows\System\FOZxoAz.exe
| MD5 | 26a9f3ba6f2b6e58c486d8f306e1785e |
| SHA1 | c5cc87c5d44423c3f80a11c9797d46d717b5e76b |
| SHA256 | dd1896f6b7cdf903238ffb04e0a2f52e3177da116aeaf9cf0f1cfee783b731a2 |
| SHA512 | 098cc8ef97cc982de394029ad4f5a4103238dbb5c5e39c165b59c0d55b8b142f44934269e9180c8f7312b6cb0bec2c0155b869759e61512295f6c7739097292a |
memory/2452-14-0x00007FF7B3140000-0x00007FF7B3494000-memory.dmp
C:\Windows\System\jESABMn.exe
| MD5 | add96bd92cc0ee963341bb179dba4975 |
| SHA1 | 84321c62fc12ec5ab82d1e2e8e26387742653e8c |
| SHA256 | 0521ad682976aaa3781cc322b28c130f2f19950c894b489e3ae0b5ecbe395e1e |
| SHA512 | d66dcd333a740921c495479befb4ff07665f438f7f5c376b0ce1bdcc0991d06ada5a1d18fd4eb3288d0eb0f7f2194e1232fb4d3bd81d9e33416829965389af45 |
C:\Windows\System\fnFlKYg.exe
| MD5 | e87369d7e2a6d8ae6eb6b6fe29005250 |
| SHA1 | 782c32cd103847a6dd27d3ae7c8e6d31e5a4ccac |
| SHA256 | c8350855b7fabba931e9e3f48788ccb53acb9fce068208dcb4205032bb2e728a |
| SHA512 | 79e512fa9ab13a565307843a5a1073170e0cddef1bc8fad8a04512a59b1ce2427e591b313aff8ffe0dc7f77737e75baa1f6eb2dc192a2a05e7a7c0dafe9e281e |
memory/1408-28-0x00007FF7AA8A0000-0x00007FF7AABF4000-memory.dmp
memory/3052-25-0x00007FF67EF00000-0x00007FF67F254000-memory.dmp
C:\Windows\System\BcjIJyo.exe
| MD5 | 41b8c94940834b430286fd6771db1759 |
| SHA1 | dc8e75c8de5fb5affe469d4798184ace7efcff44 |
| SHA256 | 143585bf661bf4085f5bee055d38f2c2e571ec2ebbabb61f44ea88837928995a |
| SHA512 | a006b2a5febe16aa1eaac8a490a77f3e519f83c4da072d47ff821df1bf4c9da44bd3861a606ad2ec93b0ab9e21842992e716ae5d3205a5a43d8de7f264bbecda |
memory/4420-6-0x00007FF621AD0000-0x00007FF621E24000-memory.dmp
memory/3544-29-0x00007FF664400000-0x00007FF664754000-memory.dmp
C:\Windows\System\lQsrfEC.exe
| MD5 | 707838ffc0764646ea357795df2b0485 |
| SHA1 | ad3471d36133498e06c2c2ee6ccdf89c34c49455 |
| SHA256 | 6cb6e62412dad3298d9d75155a59bc302c669bfacd4aa10397ea425d061a8418 |
| SHA512 | fbd461a02a436abca219d2dd4e504728d1b85c239453f83daf77cd7d1d7bebb7da3dcf36bb95327432aea841a7adce125eed673c8904758d02ac5c4702951e7a |
memory/8-49-0x00007FF7254B0000-0x00007FF725804000-memory.dmp
C:\Windows\System\gqtIAVi.exe
| MD5 | 7d69f896061c4b18426543e285492cdb |
| SHA1 | 1c34561865acaa5b180e972b0ef29a5c943f07ed |
| SHA256 | 7799eb3183d40ba1674e9e153f9d8e4957e0c1b51d0919cca825bca9cdfddd1d |
| SHA512 | c17b98325fd856295e7c1cb283663d7f318d95bcf4b2091796018c796232f73d210f729ebe6175776deb328aa9b13ce2bd89c55695d484558572890e271dde35 |
C:\Windows\System\okmfbxZ.exe
| MD5 | 6fb995cf50dac3ce60871453b2120f14 |
| SHA1 | 567e746ebf08079d20e519a90c7f0983448bee8a |
| SHA256 | 25857737e291037181b137abbef6c20cd41880f0c956a55d25a30974ef92aaef |
| SHA512 | 54d0b5c37136e70248fc3f1a27677b26e2f0fa52a412b54e559cfb5a64237b625a8f1e4468fbdf4beda0dfa7e58d81fbdf1bb31191a6847a989d674dcb40d376 |
C:\Windows\System\YZHMRvl.exe
| MD5 | 39c6308f51d124bb16a2f9ce1cf2d5c7 |
| SHA1 | a9e9ab1f909ce139a30733eb102984d73eb13ee9 |
| SHA256 | 10b8b377e24bbf12efef7d1499dbd923f7a1ba70ac5511356defecd700e6c49b |
| SHA512 | 18b5a070088c79730651a8dc95a4bd2b1286d6561cb20f70519bec82c8c3cc67664bc9db0c65213707bba856d4e0983a3639a0b5dd7f0094b0793fcb0708c926 |
C:\Windows\System\qNatcTP.exe
| MD5 | 51f6c853ad71d681a219ea5d036a8191 |
| SHA1 | 828d9769ec96dc761c01d1f5bafc64750bb66dc5 |
| SHA256 | 5b3594b2185740763ef81e0b2704fcd286b078f01ad6916bd66ee7527cf29c55 |
| SHA512 | f66e77d1b615a30c3f01603bfa168bff5edb91a0ac8ecacece2cab90e9107bbe34e43c1ae707e3973de12f6a69062227ec5beba2b6dad4ada46f752d639263c9 |
C:\Windows\System\uEIYKsn.exe
| MD5 | 8819ddf7ec3a2cd592cc350a1a725450 |
| SHA1 | 5897d55d32dce1a46ba8aa7aeb8268d2c3bccb09 |
| SHA256 | f45a9dd15076c625e5f7b0c2b69056bb19ebef689871e6f8eaa70463945e5baf |
| SHA512 | bd388d5a1eefca42a2160c56c80b39f96b94ecea71b5121c414769ac8720dd9ae84a3f558e973aab0805cbd1adcf5fbd822a413e37eff68d3626d977ce47302a |
C:\Windows\System\LUnpTgM.exe
| MD5 | fbe444145075c82d6e668a358b1be1aa |
| SHA1 | 2cde933ed746841ef5fa8f9ea82dcaf2a4fad93b |
| SHA256 | 62fbb1566dd6bfd073f451a3baade0c900fd2715553cc4dc80d4bbe4bbcb1dd4 |
| SHA512 | d3a441c0aa04ee1b71d713e032063a9c3c1802fcb51f84fccc6171befff2c234d756150b5d1526be03099aa2cb0ae218392cd1c41182f9201599a38675e0448f |
C:\Windows\System\znwcZEx.exe
| MD5 | eddf5b0c26f9dd1949c10259fa0f9080 |
| SHA1 | cf64a7bef3f0d5da0a45b07913dee8090700b06d |
| SHA256 | ec167028e2ef14b1b05264c9f79181d370416c0a61a67caf9b11c06e022780aa |
| SHA512 | 58d08d7f70e4bad8aa2fdcf5aa9996b22ccea21dcb87f0cd063c37107c5b7a9e4c0047bd3a0ef03af6e7c3c47743e05ff317221fb20f63152f3cbf24d8973472 |
C:\Windows\System\BXRIoTh.exe
| MD5 | 6232373f9bde9291f39894a30074315a |
| SHA1 | df379a7d6e338fb56f290c038382930394f32ecd |
| SHA256 | 6f06646af75c7837692bf63e6d70278df603f52061f5c837b83831119ebb05ee |
| SHA512 | edbe6acac15901e2c8cd333129b41ac84c09ec8055ae16b9f481a99e9c67ac84bd6b4b9f382da8b329768064589f7a2a15dc57370aa7d309605bb5c3d7aa8ace |
C:\Windows\System\WjtIxsW.exe
| MD5 | 5728b0caa2f5b5d683756dcc1cd0e581 |
| SHA1 | 6c4b159837296c19563927a6e3bf60af8c11c3f9 |
| SHA256 | 2daba21211abdde9352bb774bd74914ea42eb119c3b37f4761379df9977a0613 |
| SHA512 | 59cdd35175768f6f4109b4053399f2bd364bdace0bab5531134617e58805ce270b0b359d96a99d391fe471e943c31963e561ef80a5d39db684c71136219c41f7 |
C:\Windows\System\FWmHEgf.exe
| MD5 | 3909399fab93719cef82b2c7d90ddf81 |
| SHA1 | 4b2b5c4234f898dd5924ca6a7d5cb4abd5d2a873 |
| SHA256 | 861336257010e70aec87ef07db66de5799f309618bc20801198dbd29f46c48a6 |
| SHA512 | b1f7ddd7f8f7e427f220e35a67beceb53b2cd24fa5c77306a3a099b1d311a235db1606a082803a1462cfea262e7e4fcd7859c1308992817b5cffa78ce79f1f8d |
C:\Windows\System\gidOMJY.exe
| MD5 | 9d032310c99dcb3971b8ebee46f1a735 |
| SHA1 | 775f0ed0fa048ec7a44e6a47a5066e5dfdaabecb |
| SHA256 | 65462510c8af7aa9833d91e46f70f08da367cd8641502fd52d321e15336ea046 |
| SHA512 | 63fd620de618c3f1523792e331a076147ea4fadb32afeb9505c7d77daacf320b6332bd31676a99324665b472293b1851c3097e0e26bc62975dbc7a0f3af76c14 |
C:\Windows\System\jumHBGX.exe
| MD5 | 032f381e7c96eb1da6d00d6915ba4bb3 |
| SHA1 | b468bf81d0e5575f303627d0071d8dacd8461242 |
| SHA256 | 2d0d0346480f62afb67f804dc6480832091487575e2feb20bcb42bdf9765e87f |
| SHA512 | dead1fb6479af756ed48d643dc605d54bb558a6de87789e118f2b73cda05544a96c87ca2f1ab73fe0f427ac8120c2e7e780f645a6e3e502aaae79f33ca77727a |
C:\Windows\System\ZUCNMyn.exe
| MD5 | aab8bb1494f7da943e73902fef86baf3 |
| SHA1 | 12d77052406fb4007caf0d51beb69d1cb5bf2ef1 |
| SHA256 | 9b3d57a77c02ab7b0016dde95a21ebbf89911dd52ff4ea0fb31750e0526f74e8 |
| SHA512 | 9a522e070e52141585531124f3cccfa3d7c33dc2a30bc8b229c46966121a26b7f2714f7ba6c8d75f4ed3a6b334746d7adf535ad0ff5cda860e45e44ceacb02f1 |
memory/1716-60-0x00007FF6278E0000-0x00007FF627C34000-memory.dmp
memory/1968-56-0x00007FF768170000-0x00007FF7684C4000-memory.dmp
C:\Windows\System\ZgNFrle.exe
| MD5 | 1b5eb8a1cc16a4375430510e82ea7567 |
| SHA1 | ba6eb7d49915ffa2f6a85e23fcc42215313a0a40 |
| SHA256 | 0e1022e7e6229a67de846fb54acde61a5041b6001b6ce6493f9773241eae9ae4 |
| SHA512 | 093127eaf89ef587bd82afa85bc548dd7a4bc1c8ec9f5563d337164b00a49a21b72015312dea228e3808635efc1b2a66a048d2c32fff0a75a5e835f6226d3fc7 |
memory/3932-50-0x00007FF731790000-0x00007FF731AE4000-memory.dmp
memory/3100-48-0x00007FF64EE60000-0x00007FF64F1B4000-memory.dmp
C:\Windows\System\STmFKdR.exe
| MD5 | f6a7ae28ae1376c029cca98bfa07dfee |
| SHA1 | 9934ec6d763ee162cb59b076df038ef0baedfe88 |
| SHA256 | aa1f6fde01187b4d78cdcd467c16c69d073fb175056337661ede59978b5950d1 |
| SHA512 | e0f66bdcbfaa82a32a1db15145fedd76d18f844169f45e2bb8c3b87f3746d11a6df0e95d3ff8bad9f1957c41f861d96b6d11bc78264013e5bce755de2d71348a |
memory/5076-117-0x00007FF7BF330000-0x00007FF7BF684000-memory.dmp
memory/700-118-0x00007FF653090000-0x00007FF6533E4000-memory.dmp
memory/4760-119-0x00007FF664C10000-0x00007FF664F64000-memory.dmp
memory/2456-120-0x00007FF6989A0000-0x00007FF698CF4000-memory.dmp
memory/4452-121-0x00007FF679740000-0x00007FF679A94000-memory.dmp
memory/4436-122-0x00007FF77F000000-0x00007FF77F354000-memory.dmp
memory/2908-123-0x00007FF620B10000-0x00007FF620E64000-memory.dmp
memory/4900-124-0x00007FF7EC150000-0x00007FF7EC4A4000-memory.dmp
memory/2380-125-0x00007FF7FC170000-0x00007FF7FC4C4000-memory.dmp
memory/3040-127-0x00007FF614280000-0x00007FF6145D4000-memory.dmp
memory/3260-126-0x00007FF603500000-0x00007FF603854000-memory.dmp
memory/5116-128-0x00007FF6FE150000-0x00007FF6FE4A4000-memory.dmp
memory/4420-129-0x00007FF621AD0000-0x00007FF621E24000-memory.dmp
memory/2452-130-0x00007FF7B3140000-0x00007FF7B3494000-memory.dmp
memory/3544-131-0x00007FF664400000-0x00007FF664754000-memory.dmp
memory/3932-132-0x00007FF731790000-0x00007FF731AE4000-memory.dmp
memory/1968-133-0x00007FF768170000-0x00007FF7684C4000-memory.dmp
memory/1716-134-0x00007FF6278E0000-0x00007FF627C34000-memory.dmp
memory/2452-135-0x00007FF7B3140000-0x00007FF7B3494000-memory.dmp
memory/4420-136-0x00007FF621AD0000-0x00007FF621E24000-memory.dmp
memory/3052-138-0x00007FF67EF00000-0x00007FF67F254000-memory.dmp
memory/1408-137-0x00007FF7AA8A0000-0x00007FF7AABF4000-memory.dmp
memory/3544-139-0x00007FF664400000-0x00007FF664754000-memory.dmp
memory/3100-140-0x00007FF64EE60000-0x00007FF64F1B4000-memory.dmp
memory/8-141-0x00007FF7254B0000-0x00007FF725804000-memory.dmp
memory/3932-142-0x00007FF731790000-0x00007FF731AE4000-memory.dmp
memory/1968-143-0x00007FF768170000-0x00007FF7684C4000-memory.dmp
memory/1716-144-0x00007FF6278E0000-0x00007FF627C34000-memory.dmp
memory/5076-145-0x00007FF7BF330000-0x00007FF7BF684000-memory.dmp
memory/700-146-0x00007FF653090000-0x00007FF6533E4000-memory.dmp
memory/4760-147-0x00007FF664C10000-0x00007FF664F64000-memory.dmp
memory/4452-148-0x00007FF679740000-0x00007FF679A94000-memory.dmp
memory/2456-149-0x00007FF6989A0000-0x00007FF698CF4000-memory.dmp
memory/4436-152-0x00007FF77F000000-0x00007FF77F354000-memory.dmp
memory/4900-151-0x00007FF7EC150000-0x00007FF7EC4A4000-memory.dmp
memory/2908-150-0x00007FF620B10000-0x00007FF620E64000-memory.dmp
memory/2380-153-0x00007FF7FC170000-0x00007FF7FC4C4000-memory.dmp
memory/3260-154-0x00007FF603500000-0x00007FF603854000-memory.dmp
memory/3040-155-0x00007FF614280000-0x00007FF6145D4000-memory.dmp