Analysis Overview
SHA256
decba63529a0136329c056891ce393eeda36f8762b67a52c41d4f161d2f7622f
Threat Level: Known bad
The file 2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Detects Reflective DLL injection artifacts
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-09 17:58
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 17:58
Reported
2024-06-09 18:01
Platform
win7-20240508-en
Max time kernel
138s
Max time network
155s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XnUXFiD.exe | N/A |
| N/A | N/A | C:\Windows\System\jnHITZm.exe | N/A |
| N/A | N/A | C:\Windows\System\sUFVDxD.exe | N/A |
| N/A | N/A | C:\Windows\System\OVjePoD.exe | N/A |
| N/A | N/A | C:\Windows\System\QwmOEer.exe | N/A |
| N/A | N/A | C:\Windows\System\toYMnnB.exe | N/A |
| N/A | N/A | C:\Windows\System\udSaMLU.exe | N/A |
| N/A | N/A | C:\Windows\System\QJcCJSf.exe | N/A |
| N/A | N/A | C:\Windows\System\RdyrQqy.exe | N/A |
| N/A | N/A | C:\Windows\System\GOFqNKd.exe | N/A |
| N/A | N/A | C:\Windows\System\KBaCzRc.exe | N/A |
| N/A | N/A | C:\Windows\System\fpXwZIm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZkzHBFe.exe | N/A |
| N/A | N/A | C:\Windows\System\TaRCfQs.exe | N/A |
| N/A | N/A | C:\Windows\System\IcQNEeZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ttNTiqj.exe | N/A |
| N/A | N/A | C:\Windows\System\IFUuBwL.exe | N/A |
| N/A | N/A | C:\Windows\System\qKboJdI.exe | N/A |
| N/A | N/A | C:\Windows\System\BazUNzI.exe | N/A |
| N/A | N/A | C:\Windows\System\eOhUvzN.exe | N/A |
| N/A | N/A | C:\Windows\System\qooemgK.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XnUXFiD.exe
C:\Windows\System\jnHITZm.exe
C:\Windows\System\sUFVDxD.exe
C:\Windows\System\OVjePoD.exe
C:\Windows\System\QwmOEer.exe
C:\Windows\System\toYMnnB.exe
C:\Windows\System\RdyrQqy.exe
C:\Windows\System\udSaMLU.exe
C:\Windows\System\GOFqNKd.exe
C:\Windows\System\QJcCJSf.exe
C:\Windows\System\KBaCzRc.exe
C:\Windows\System\fpXwZIm.exe
C:\Windows\System\ZkzHBFe.exe
C:\Windows\System\TaRCfQs.exe
C:\Windows\System\IcQNEeZ.exe
C:\Windows\System\ttNTiqj.exe
C:\Windows\System\IFUuBwL.exe
C:\Windows\System\qKboJdI.exe
C:\Windows\System\BazUNzI.exe
C:\Windows\System\eOhUvzN.exe
C:\Windows\System\qooemgK.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 17:58
Reported
2024-06-09 18:00
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HVHOYEx.exe | N/A |
| N/A | N/A | C:\Windows\System\BNnsIMp.exe | N/A |
| N/A | N/A | C:\Windows\System\iRJWlpo.exe | N/A |
| N/A | N/A | C:\Windows\System\gNiNOyP.exe | N/A |
| N/A | N/A | C:\Windows\System\gtJnKiC.exe | N/A |
| N/A | N/A | C:\Windows\System\ZdbVEjk.exe | N/A |
| N/A | N/A | C:\Windows\System\cYMiDGM.exe | N/A |
| N/A | N/A | C:\Windows\System\FlgnTcB.exe | N/A |
| N/A | N/A | C:\Windows\System\EFfKAJj.exe | N/A |
| N/A | N/A | C:\Windows\System\kQBEPxz.exe | N/A |
| N/A | N/A | C:\Windows\System\vlWzEGC.exe | N/A |
| N/A | N/A | C:\Windows\System\nXtHFJN.exe | N/A |
| N/A | N/A | C:\Windows\System\BCOsxWh.exe | N/A |
| N/A | N/A | C:\Windows\System\pkiEtYA.exe | N/A |
| N/A | N/A | C:\Windows\System\VnvhMZR.exe | N/A |
| N/A | N/A | C:\Windows\System\sPbqidl.exe | N/A |
| N/A | N/A | C:\Windows\System\dubLnmC.exe | N/A |
| N/A | N/A | C:\Windows\System\wclZURQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HeGItKS.exe | N/A |
| N/A | N/A | C:\Windows\System\PZUjVRx.exe | N/A |
| N/A | N/A | C:\Windows\System\tVIjQlO.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HVHOYEx.exe
C:\Windows\System\BNnsIMp.exe
C:\Windows\System\iRJWlpo.exe
C:\Windows\System\gNiNOyP.exe
C:\Windows\System\gtJnKiC.exe
C:\Windows\System\ZdbVEjk.exe
C:\Windows\System\cYMiDGM.exe
C:\Windows\System\FlgnTcB.exe
C:\Windows\System\EFfKAJj.exe
C:\Windows\System\kQBEPxz.exe
C:\Windows\System\vlWzEGC.exe
C:\Windows\System\nXtHFJN.exe
C:\Windows\System\BCOsxWh.exe
C:\Windows\System\pkiEtYA.exe
C:\Windows\System\VnvhMZR.exe
C:\Windows\System\sPbqidl.exe
C:\Windows\System\dubLnmC.exe
C:\Windows\System\wclZURQ.exe
C:\Windows\System\HeGItKS.exe
C:\Windows\System\PZUjVRx.exe
C:\Windows\System\tVIjQlO.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/1532-0-0x00007FF70F060000-0x00007FF70F3B4000-memory.dmp
memory/1532-1-0x000001E444160000-0x000001E444170000-memory.dmp
C:\Windows\System\HVHOYEx.exe
| MD5 | ef96084927b1e4706c6554fec5ffef80 |
| SHA1 | d9071665ebc9773a6fa4913cfd2d17a49b921638 |
| SHA256 | a83f0550c133ed4ca479b27893537d3a9321b3c92184ed74c8bacd9929ab4699 |
| SHA512 | 0390a50842620fef9ccd46298df8818477b2d49301c83e3b1a11e60a8b05338efdeb64b0117f9c5f8e2849984ba5711e32a59fd3622bf8dcbcbfd46bdd8d7f93 |
memory/996-8-0x00007FF6236B0000-0x00007FF623A04000-memory.dmp
C:\Windows\System\BNnsIMp.exe
| MD5 | 492174d936ae2361d5177255069403bf |
| SHA1 | 77408ac9fac8211b15a18f461cf4e56d3e088d22 |
| SHA256 | 018d41dad793599a36f1e0d02210db3083b574f82fdad61877eb425574c54d04 |
| SHA512 | 30ad4e05f89ca66d20434d59076f56ca2828db15e09469bdee452862f9e672e786f0a54879cf51c96fc73b6886dca37f7e91a061e8797a495e2fe58e53c5f12f |
C:\Windows\System\iRJWlpo.exe
| MD5 | d0030bad1492cdfaa90d93b509f30920 |
| SHA1 | f85f573b318209f303adcdbf18d59faf5b80a4b5 |
| SHA256 | cfe205482513dc5dcaa9a340dd1c41c71f93a23fe3c605335b4071e93c1bf01d |
| SHA512 | 9b0182f357fdcb39b9871e6f4eb9cd49eaf10c2d76feeb6eb0a1256d541855044f3cf82f282a51b28420f94cfa09a5d515e86f990161a2fd03360184a4ee7eb6 |
memory/4412-24-0x00007FF633290000-0x00007FF6335E4000-memory.dmp
C:\Windows\System\gNiNOyP.exe
| MD5 | abff19123c6c355354d6962c332665e5 |
| SHA1 | 31fda3998742f4d4a5ba3d61999c4bca7e4835c4 |
| SHA256 | 3bc0fdf83a4efeadfa165898fe8493bbb7d2c3cf1d1639d46c179e3ae8ac0d2e |
| SHA512 | 9a2f051345bd75c52000d1f5488f74a4b33243fe9715cd6d20c5f76e5c9c079d1f8171d2d9bbce0577440c892d8fb27d441e7f4bd16b381a4f6485df7fcc0043 |
C:\Windows\System\ZdbVEjk.exe
| MD5 | c4ff13c607fc6c20d6ac025d70987f9a |
| SHA1 | cd632b09d7368763bd1b50f6044c9e584fcd9cd9 |
| SHA256 | 53af948e4e0ec436f795ebd05c5a4a37d69ed610775eac2b75844cd8fbd3925e |
| SHA512 | b2d0b23452cf47bc83f0267f12e16aea28be017a83d8ea0f4d570a641969126167c79521c722a20f39222097c0d3ec6b304e83fe63d2ac2a9418edb21e54e5e4 |
C:\Windows\System\cYMiDGM.exe
| MD5 | 6923975fa55045a530fb322841f2ddfe |
| SHA1 | 2b382f49e4318f220f899782d1f4f045c3b80618 |
| SHA256 | 83348d53bd6a1a1dfa109672d150602ef1684ede7eca578be788dd161e9061ff |
| SHA512 | 575fbcbd8e3f2bb29f6b18643149e22bd716f8ea07aa5355a13c4b6f32826e18373422dddb429e9adabf5116f605a72adde0267bff95dc8ad3b02620b38a0c07 |
memory/4584-39-0x00007FF794170000-0x00007FF7944C4000-memory.dmp
memory/540-44-0x00007FF626050000-0x00007FF6263A4000-memory.dmp
C:\Windows\System\gtJnKiC.exe
| MD5 | 968e303c9e579d9449ddfc0c931d04eb |
| SHA1 | 23c1b65691f8dc3003b904a618f7612bed2d17d2 |
| SHA256 | 962e15a52b040e2826f9d87d61596951698d3517beeb2d50f4d9f90bdf840075 |
| SHA512 | 3c8ff0ebf7f4d40676d86221f51dce86e884f17f68df2068dbfbe9665221cb489c3eabfaf809e00879d61aed9882f5689526de4f37bd62413f9c7b474385fb76 |
memory/3956-33-0x00007FF7C84B0000-0x00007FF7C8804000-memory.dmp
memory/3212-19-0x00007FF6231D0000-0x00007FF623524000-memory.dmp
memory/4296-23-0x00007FF610930000-0x00007FF610C84000-memory.dmp
C:\Windows\System\FlgnTcB.exe
| MD5 | b9518031864d1e150fc5ffe2998bc992 |
| SHA1 | f8873ead00bf75de5a5f7783cd815d6512eb2fc1 |
| SHA256 | 8ffbef81fee286079a224417377988d2a14cc453f447b5aa6b79dc8b68cd0a45 |
| SHA512 | f133a897a97c71902fe00531ea92c5a05877ff9236817e41bf07c91afd61bb240a84f09c56400b8493d68695f55a8b363e96918e3b6cd3b959e02ea562742ce7 |
C:\Windows\System\EFfKAJj.exe
| MD5 | d6645014f0bf76fb98f342ac2be5a8a0 |
| SHA1 | 2c7cdb6ca1eb12830e1c185c594fad79368e22e6 |
| SHA256 | 374fc140c4d718d002e78c9e462a80df75306375d73fbbcef5f222aaff26519d |
| SHA512 | 26d536d68c081761ad052747a783d4fafd264525939ebe0ea99816b6d502a8590989110a9260b7bc6f3fc40e1570b987a07c4ffa0ee782699778fae82f02c038 |
memory/1680-50-0x00007FF7F0780000-0x00007FF7F0AD4000-memory.dmp
C:\Windows\System\kQBEPxz.exe
| MD5 | 0e27abfde6ad8c43ef187ec23e63eff1 |
| SHA1 | cd8954c5ba585cae0d6898e55384936276896b62 |
| SHA256 | 4f361907ccad2d2a51e1f4532d51e1335baa6875e768042f34b3927aa4c68f65 |
| SHA512 | 67fb36eee34e795acead3f4715b4f94c99c9e5c353014f55c2ad8075eb014037fe4639b1ff3a061b469ec8919cc640ca36768f1fb966830f4f3a3c6dee76d0c6 |
memory/4680-54-0x00007FF6BF640000-0x00007FF6BF994000-memory.dmp
memory/1532-62-0x00007FF70F060000-0x00007FF70F3B4000-memory.dmp
memory/4432-63-0x00007FF6C2440000-0x00007FF6C2794000-memory.dmp
C:\Windows\System\vlWzEGC.exe
| MD5 | 12a90f447533c3a1949dc51f291c7ce1 |
| SHA1 | f44bcb1ac414d80ea00dfdbfa036b9fdd94bb9c5 |
| SHA256 | 801a7833706ef1481eaf73e1e5abc63ffb7156a7483610e3e59bb8ac780e4f77 |
| SHA512 | 1491cbb04c34addfaa8fe2f7515cd55e666bc7954a5373aa9da32027c1833e2059f0b00ccebd9c80eb2d7f0d73e7c43421155f11a1f4b7ea973988fbd6527150 |
memory/3212-69-0x00007FF6231D0000-0x00007FF623524000-memory.dmp
memory/4692-70-0x00007FF7D3280000-0x00007FF7D35D4000-memory.dmp
C:\Windows\System\nXtHFJN.exe
| MD5 | f0ccd3d0f248e6dc7adbb8ae15b21642 |
| SHA1 | 4d25d2a90c4235164df0d82b5342a1d67d389dd2 |
| SHA256 | da397a8bd675fcbc927482456cf34af9da54341b3b31f5c1e5f44f0ec2514c4f |
| SHA512 | b75d3265ea39ffb0f79f9fa4b83f17d57692ccbb5b4c79cbd7f8b98f4ae4e1d9126ca4a2b63fcb46daf8d077fc88c105d6afa5608f306ab5cc75ac5f878a2ec2 |
memory/1316-76-0x00007FF61D0C0000-0x00007FF61D414000-memory.dmp
C:\Windows\System\BCOsxWh.exe
| MD5 | c5c1da3f86830bf50a00c35c7b78b5c6 |
| SHA1 | 05821501fa0ed7a4a801f31a7deed5af3ae9fe75 |
| SHA256 | 3a98742de44e511cc4bc67fd0f9b56c12d7e54a4a24db337b16d3c879f1ebdb0 |
| SHA512 | b1a61ae07620f14fe6dc32ee07b6bdcb5d6ac1b27716c5cd57dc72d6bc3fcc79e58098760318c3678e12d36ea6a3a0f387c97f3d88ee49ad4ee27eb83da36d30 |
memory/1256-82-0x00007FF7DEBE0000-0x00007FF7DEF34000-memory.dmp
C:\Windows\System\pkiEtYA.exe
| MD5 | 00eb867da51e3f99018a2bafea84e0d1 |
| SHA1 | d44eb6f384ac95a652e21b7d0127a96a24d57ff0 |
| SHA256 | 7a2c8164dbffca9ad94eaa2a8597c4c8d2ce9af7ba4b42f29bfef2e567417c23 |
| SHA512 | 29b1a83b578889f2afa067fcbda637e56cbaa1e9f772b0574e05b679a4e545f028038b8f562edfc0d5d0cc26d6c44485b05715bad7ebf0f2e336099ee5bd635c |
memory/2152-87-0x00007FF6CA3C0000-0x00007FF6CA714000-memory.dmp
memory/4412-86-0x00007FF633290000-0x00007FF6335E4000-memory.dmp
C:\Windows\System\VnvhMZR.exe
| MD5 | edd24db7ee0e47ede0029e6be35dc3c3 |
| SHA1 | 8aba1d9f4504c28f76bb7e782d2e02827c818196 |
| SHA256 | 0fb2645512ac655c37475d2f3c8f5f0f6f9b1859acf66503247e75073197de0a |
| SHA512 | b598790677d15c82a8895e39d08eb84a899d0b0e6842855a33cc2a6766a8f53fd169dc31f8e772bb6f6f3e87324abd6530a8a4566eff1cadb74c5fa54cf444dc |
memory/3956-93-0x00007FF7C84B0000-0x00007FF7C8804000-memory.dmp
memory/1660-96-0x00007FF7DBA20000-0x00007FF7DBD74000-memory.dmp
C:\Windows\System\sPbqidl.exe
| MD5 | b5692af7f0d64ac3281ff43f997f4a48 |
| SHA1 | 0aaaa1c690112dec35f9379f0765a9c995194d4b |
| SHA256 | 1109d23a14406c7a1cbebc3f5ee4b454180dbb8c7c5ffe9633599eae1f480e73 |
| SHA512 | 5f23c5ce502daf7b38c1dbbc5874ae370599b9d9ba2e3dc5a474ecc76da026c558afdef731c76bb12178288215629d337c19972de2ced504b44f90ec72c98054 |
memory/4584-102-0x00007FF794170000-0x00007FF7944C4000-memory.dmp
memory/3988-103-0x00007FF6AA030000-0x00007FF6AA384000-memory.dmp
C:\Windows\System\HeGItKS.exe
| MD5 | d2af9d6f6c6e2bfd93674bd509637053 |
| SHA1 | 8740d988f07f976e9801208b7525311071f2cd12 |
| SHA256 | 7595bb0e6ca9033d61a761a7f89c4ea716df7b176d61a5e9dd5aa430808e8620 |
| SHA512 | 1ef6ff51837a017fe4789c5052594ab74d11a092a072f4d3ea978c8fb00cc9218588acb646040328d8559ab9b365d68fa3529bb2eb09ea403a2544f04c0a5f0f |
memory/1072-116-0x00007FF7A37C0000-0x00007FF7A3B14000-memory.dmp
memory/2372-114-0x00007FF7A0020000-0x00007FF7A0374000-memory.dmp
C:\Windows\System\wclZURQ.exe
| MD5 | 1bccbc90c6085c82d440f50cfe2da3d2 |
| SHA1 | d1568b626a7d2b9aa7b1a8ab06637ae5d43a6c58 |
| SHA256 | 116638a400c151371b99e5cf48497ce0d7c998277205a4cb4b38ee45e30f0924 |
| SHA512 | 3a9da468a023ea98e1fa88f4ff56f3e38fbe2a9cd66e4f57b8639d49cda0da7947f1896477c88fba9e7717122fc816ae092ad734808906bda3be4c62398d83ad |
C:\Windows\System\dubLnmC.exe
| MD5 | bd653e74a633e1fa071c8f28c40e2e17 |
| SHA1 | bbd6b7b7525663d61a7491d263d24e6b3485148e |
| SHA256 | 681aac75ed2ae59eef0c4b4161fcda4a9d0027f74bd7c3b78cb7d4fbffd0ae92 |
| SHA512 | 83c0d4715958c56622e49367b23900f7e83bf71ef5a1feed21da40afa6b92d5f86714e238ebfca3f9d160a1726159e68f8d5f7a12226eafa5d26023bdfd785c6 |
C:\Windows\System\PZUjVRx.exe
| MD5 | e1e1b5027ae640f68fbcc6746875c9ff |
| SHA1 | 6c3cef0b1f7c7ab61cf4fcfd44c9b064f0b0b373 |
| SHA256 | 828c2ddfee429d7055ef2aa5dc446d2b8efa20e641a0fc449ceac10a91c43b8c |
| SHA512 | 669cafda91cb09f9c4791fd82629065cae552d8926b47e67c2deedd8b940144863874ca151e4d6a0cb60a4691facb4a404bc48c7870958728922f65f4f3a60f4 |
memory/4680-127-0x00007FF6BF640000-0x00007FF6BF994000-memory.dmp
memory/1644-128-0x00007FF6D1F50000-0x00007FF6D22A4000-memory.dmp
memory/3752-121-0x00007FF679610000-0x00007FF679964000-memory.dmp
C:\Windows\System\tVIjQlO.exe
| MD5 | 8ff669b89e21c1713d5c9f756eafc51a |
| SHA1 | a3341f052e35de4fb1d51f3c7b04e46c026524f3 |
| SHA256 | 7f0bf531805ce65248658a3df1585da53f96711142d5120e1a51e7897ad021de |
| SHA512 | de562b5995223938df4447bb5710ea93de5acf53a11af0d9fb144ae288e0736732eddd6e56c7010fc7fda6a7225b5a1f1d0497e17c3d7f65e33b39ef4ec1efa1 |
memory/1116-133-0x00007FF728E00000-0x00007FF729154000-memory.dmp
memory/2152-134-0x00007FF6CA3C0000-0x00007FF6CA714000-memory.dmp
memory/996-135-0x00007FF6236B0000-0x00007FF623A04000-memory.dmp
memory/3212-136-0x00007FF6231D0000-0x00007FF623524000-memory.dmp
memory/4296-137-0x00007FF610930000-0x00007FF610C84000-memory.dmp
memory/4412-138-0x00007FF633290000-0x00007FF6335E4000-memory.dmp
memory/3956-139-0x00007FF7C84B0000-0x00007FF7C8804000-memory.dmp
memory/540-141-0x00007FF626050000-0x00007FF6263A4000-memory.dmp
memory/4584-140-0x00007FF794170000-0x00007FF7944C4000-memory.dmp
memory/1680-142-0x00007FF7F0780000-0x00007FF7F0AD4000-memory.dmp
memory/4432-144-0x00007FF6C2440000-0x00007FF6C2794000-memory.dmp
memory/4680-143-0x00007FF6BF640000-0x00007FF6BF994000-memory.dmp
memory/4692-145-0x00007FF7D3280000-0x00007FF7D35D4000-memory.dmp
memory/1316-146-0x00007FF61D0C0000-0x00007FF61D414000-memory.dmp
memory/1256-147-0x00007FF7DEBE0000-0x00007FF7DEF34000-memory.dmp
memory/2152-148-0x00007FF6CA3C0000-0x00007FF6CA714000-memory.dmp
memory/1660-149-0x00007FF7DBA20000-0x00007FF7DBD74000-memory.dmp
memory/3988-150-0x00007FF6AA030000-0x00007FF6AA384000-memory.dmp
memory/2372-152-0x00007FF7A0020000-0x00007FF7A0374000-memory.dmp
memory/1072-151-0x00007FF7A37C0000-0x00007FF7A3B14000-memory.dmp
memory/3752-153-0x00007FF679610000-0x00007FF679964000-memory.dmp
memory/1644-154-0x00007FF6D1F50000-0x00007FF6D22A4000-memory.dmp
memory/1116-155-0x00007FF728E00000-0x00007FF729154000-memory.dmp
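The Processes, Network and Files sections above are only useful to a responder once they are turned into indicators that can be matched against a host or a log. The script below is an added example, not code from the sandbox vendor or from this report: it parses the text export format seen on this page (a dropped-file path line followed by `| MD5 | … |` hash rows, `memory/<pid>-…` dump lines, and `| Country | Destination | Domain | Proto |` network rows) into a small IOC set and offers two checks a practitioner would actually run. `REPORT_EXCERPT` is copied verbatim from this report (three of the dropped files, one reverse-lookup row, and the `3.120.209.58:8080` rows as they come out of the export, where the domain and proto cells are shifted; the parser tolerates that). The parsing rules, the naming-pattern heuristic (seven ASCII letters plus `.exe` directly under `C:\Windows\System`, which is what every dropped file on this page looks like) and all function names are this example's own assumptions. Reverse-DNS queries (`*.in-addr.arpa`) are deliberately separated from direct connections: they are the sandbox or the OS resolving IPs, not hosts the sample chose to contact.

```python
"""Turn a text-exported sandbox report into matchable IOCs (added example).

Assumed export format (as seen on this page):
  C:\\<path>                       starts a dropped-file record
  | MD5 | <hex> |  (SHA1/SHA256/SHA512 likewise)   hash rows for that record
  memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp     memory dump for <pid>
  | <CC> | <ip>:<port> | <domain> | <proto> |       network row
"""
import re
from dataclasses import dataclass, field

# Excerpt copied from this report's Network and Files sections.
REPORT_EXCERPT = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | | tcp |
memory/1532-0-0x00007FF70F060000-0x00007FF70F3B4000-memory.dmp
C:\Windows\System\HVHOYEx.exe
| MD5 | ef96084927b1e4706c6554fec5ffef80 |
| SHA1 | d9071665ebc9773a6fa4913cfd2d17a49b921638 |
| SHA256 | a83f0550c133ed4ca479b27893537d3a9321b3c92184ed74c8bacd9929ab4699 |
memory/996-8-0x00007FF6236B0000-0x00007FF623A04000-memory.dmp
C:\Windows\System\BNnsIMp.exe
| MD5 | 492174d936ae2361d5177255069403bf |
| SHA256 | 018d41dad793599a36f1e0d02210db3083b574f82fdad61877eb425574c54d04 |
C:\Windows\System\iRJWlpo.exe
| SHA256 | cfe205482513dc5dcaa9a340dd1c41c71f93a23fe3c605335b4071e93c1bf01d |
"""

FILE_LINE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
NET_ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*(\S+):(\d+)\s*\|(.*)\|$")
# Heuristic assumed from this report: every dropped file is 7 letters + .exe in C:\Windows\System.
DROPPED_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex


@dataclass
class NetEvent:
    country: str
    ip: str
    port: int
    proto: str
    domain: str

    @property
    def is_reverse_lookup(self) -> bool:
        return self.domain.endswith(".in-addr.arpa")


@dataclass
class Report:
    files: list = field(default_factory=list)
    net: list = field(default_factory=list)
    memory_pids: set = field(default_factory=set)


def parse_report(text: str) -> Report:
    rep, current = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_LINE.match(line):                 # new dropped-file record
            current = DroppedFile(path=line)
            rep.files.append(current)
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:             # hash row belongs to the last file seen
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = MEM_LINE.match(line)
        if m:
            rep.memory_pids.add(int(m.group(1)))
            continue
        m = NET_ROW.match(line)
        if m:
            # Domain/proto cells may be swapped in the export: pick proto by value.
            cells = [c.strip() for c in m.group(4).split("|")]
            proto = next((c.lower() for c in cells if c.lower() in ("tcp", "udp")), "")
            domain = next((c for c in cells if c and c.lower() != proto), "")
            rep.net.append(NetEvent(m.group(1), m.group(2), int(m.group(3)), proto, domain))
    return rep


def hash_set(rep: Report, algo: str = "SHA256") -> set:
    return {f.hashes[algo] for f in rep.files if algo in f.hashes}


def contacted_endpoints(rep: Report) -> set:
    """Direct connections only; reverse-DNS rows are resolver noise, not C2 candidates."""
    return {(e.ip, e.port, e.proto) for e in rep.net if not e.is_reverse_lookup}


def classify_file(path: str, sha256: str, rep: Report) -> str:
    """Strong match on a known dropped-file hash, weak match on the naming pattern."""
    if sha256.lower() in hash_set(rep):
        return "known-dropped-hash"
    if DROPPED_NAME.match(path):
        return "matches-dropped-naming-pattern"
    return "no-match"


if __name__ == "__main__":
    r = parse_report(REPORT_EXCERPT)
    print(len(r.files), "dropped files;", sorted(hash_set(r)))
    print("direct endpoints:", contacted_endpoints(r))
    print("pids with dumps:", sorted(r.memory_pids))
```

Feed it the full Files and Network sections of the report and the `SHA256` set becomes a block list for EDR or a YARA-free hash hunt, while `contacted_endpoints` yields the single `3.120.209.58:8080/tcp` tuple to search for in proxy or firewall logs. The naming-pattern check is only a weak signal; treat it as a lead to verify with the hash or with a signature check on the file, not as a verdict.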