Analysis Overview
SHA256
f885a0ba9a3f5b9ae909f059f1ec21811f5623175385a80fb2a5714f808963d5
Threat Level: Known bad
The file 2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
UPX dump on OEP (original entry point)
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:27
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:27
Reported
2024-06-10 04:30
Platform
win7-20240508-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EImiAzo.exe | N/A |
| N/A | N/A | C:\Windows\System\LMvIPBV.exe | N/A |
| N/A | N/A | C:\Windows\System\CwoaImV.exe | N/A |
| N/A | N/A | C:\Windows\System\tSvqgVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\UvZdcdt.exe | N/A |
| N/A | N/A | C:\Windows\System\FwzygAN.exe | N/A |
| N/A | N/A | C:\Windows\System\xiAmTUl.exe | N/A |
| N/A | N/A | C:\Windows\System\SqfwRUr.exe | N/A |
| N/A | N/A | C:\Windows\System\KAQufJP.exe | N/A |
| N/A | N/A | C:\Windows\System\TuEkLAM.exe | N/A |
| N/A | N/A | C:\Windows\System\xtQCfdD.exe | N/A |
| N/A | N/A | C:\Windows\System\MWNfKcX.exe | N/A |
| N/A | N/A | C:\Windows\System\OiwIHJU.exe | N/A |
| N/A | N/A | C:\Windows\System\mlqXcnC.exe | N/A |
| N/A | N/A | C:\Windows\System\sannblE.exe | N/A |
| N/A | N/A | C:\Windows\System\yrHuWMT.exe | N/A |
| N/A | N/A | C:\Windows\System\zsMFbPH.exe | N/A |
| N/A | N/A | C:\Windows\System\bCsHFRC.exe | N/A |
| N/A | N/A | C:\Windows\System\jIzUfWl.exe | N/A |
| N/A | N/A | C:\Windows\System\sGGuaKw.exe | N/A |
| N/A | N/A | C:\Windows\System\xRCrwpG.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\EImiAzo.exe
C:\Windows\System\EImiAzo.exe
C:\Windows\System\LMvIPBV.exe
C:\Windows\System\LMvIPBV.exe
C:\Windows\System\CwoaImV.exe
C:\Windows\System\CwoaImV.exe
C:\Windows\System\tSvqgVQ.exe
C:\Windows\System\tSvqgVQ.exe
C:\Windows\System\UvZdcdt.exe
C:\Windows\System\UvZdcdt.exe
C:\Windows\System\FwzygAN.exe
C:\Windows\System\FwzygAN.exe
C:\Windows\System\xiAmTUl.exe
C:\Windows\System\xiAmTUl.exe
C:\Windows\System\SqfwRUr.exe
C:\Windows\System\SqfwRUr.exe
C:\Windows\System\KAQufJP.exe
C:\Windows\System\KAQufJP.exe
C:\Windows\System\TuEkLAM.exe
C:\Windows\System\TuEkLAM.exe
C:\Windows\System\xtQCfdD.exe
C:\Windows\System\xtQCfdD.exe
C:\Windows\System\MWNfKcX.exe
C:\Windows\System\MWNfKcX.exe
C:\Windows\System\OiwIHJU.exe
C:\Windows\System\OiwIHJU.exe
C:\Windows\System\mlqXcnC.exe
C:\Windows\System\mlqXcnC.exe
C:\Windows\System\sannblE.exe
C:\Windows\System\sannblE.exe
C:\Windows\System\yrHuWMT.exe
C:\Windows\System\yrHuWMT.exe
C:\Windows\System\zsMFbPH.exe
C:\Windows\System\zsMFbPH.exe
C:\Windows\System\bCsHFRC.exe
C:\Windows\System\bCsHFRC.exe
C:\Windows\System\jIzUfWl.exe
C:\Windows\System\jIzUfWl.exe
C:\Windows\System\sGGuaKw.exe
C:\Windows\System\sGGuaKw.exe
C:\Windows\System\xRCrwpG.exe
C:\Windows\System\xRCrwpG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2420-0-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2420-2-0x000000013F5C0000-0x000000013F914000-memory.dmp
\Windows\system\EImiAzo.exe
| MD5 | 6ad15c2ddaf1e16b02397357496c995d |
| SHA1 | 577c459e47bd89594789ed52e79f4263f1576afa |
| SHA256 | 5839807b21bd64c6518eedeaea7abfdd0a2a33e0b2b2180e731e1e9bc54d55ed |
| SHA512 | 0ba6de01e631bfb431fd68c544d82270c02e49c8fbd01dddfeebf28653d91a6ed7062ce013039a0be11a3ff0e00e9044cdef7eb9d8b5d20390e1d2af78a5e082 |
C:\Windows\system\LMvIPBV.exe
| MD5 | 00d0e663b1071c7bb24dccce80e425bc |
| SHA1 | 0794fe8f307d18f0ed8b34e5a3c48844263bc203 |
| SHA256 | 144c5227bed6e40c408f34cafa1dcbbcf2ad17a928f826abaacd7349f9acd83c |
| SHA512 | 40de189d9896c09e2a3c3fd3602091167af6648393948af97b743e92a5d1258f2dc21753eed4ccb62073b7cced0285783948f3477967f0d31901349616be5c8f |
memory/2420-15-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2884-16-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2052-13-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2420-10-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\CwoaImV.exe
| MD5 | 393693125e0daa12e0bf84dc2472cf12 |
| SHA1 | 759e2902020c6a870f7ed7dd523a9fcbe414bd17 |
| SHA256 | c73389cb4b5e29f50324ab4919939fe7dc4a02ec4ae1f02999cde85b2acda943 |
| SHA512 | ccf375bbb3fc869f946b0cb81324bd0033478768d5407069014d18da268ded2dde8f21ee56efcd997de4466ef94cda4383e330c117883655010ef11f87872104 |
C:\Windows\system\tSvqgVQ.exe
| MD5 | 2c2e1059d6a6c7097b60eb94227b58ec |
| SHA1 | 33fa77af5917e6998482f4a6bfcd61dab0bec237 |
| SHA256 | 5f1bd9456821025bec89d5a44a0a317575ad95794ba1d7b48d5c9b52caad4064 |
| SHA512 | d85990dd24d3d9ac4378db2bab07cf2edaa97a9a3cae49620f72c873bd10b0e5708023a7f985ff0dcce525109c54a1f602b4b7d805c835c7ee217adf450289a0 |
memory/2728-28-0x000000013F200000-0x000000013F554000-memory.dmp
C:\Windows\system\UvZdcdt.exe
| MD5 | 919cea352ec8fbcd6f83923ab164807b |
| SHA1 | 6b0099309d5299c4ac8e55b8353ad1347782cf25 |
| SHA256 | f3f0563b33e55c3d5b0fda79a202c7cddbd2c93c750565fdfbf9b40d46556a32 |
| SHA512 | 60e1f985737f21a047c59fc423429170783acaf746d4a4f338f66615eb6318f4632905dbf6461cec1d294bcd811a2a79cb44e6bd9b7746ac3f8bbf6e88200862 |
memory/2420-50-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2832-45-0x000000013F7C0000-0x000000013FB14000-memory.dmp
C:\Windows\system\MWNfKcX.exe
| MD5 | 7d94c8cd8ec7830d1a1e3892d044fefb |
| SHA1 | 77acf06e7ddfdea1b4dd0819f1fd9bcb08e18bb2 |
| SHA256 | 2dbed0a4ebffe4c937bbc7b355e6afec8c0eb512ea12a8f5316634beefd03c5f |
| SHA512 | 3cca2b5aba9e4339d3dc2327b3990bbf64e6df46a40fe476a5b41909279cfe3e5cfd5bf4bc33fc269ff742631989b80574312da03212f30c9a91a2b49231720d |
memory/3032-75-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2968-87-0x000000013F690000-0x000000013F9E4000-memory.dmp
C:\Windows\system\zsMFbPH.exe
| MD5 | c71ebc13fcd9f99a715009b346e7ba22 |
| SHA1 | 0c2d990fed2d1b649dd7b3ffdc07157bf605e36e |
| SHA256 | bc58740d87d73ac1c4f17466dd10bb9ab812a6e73d19717ad975810dff975fad |
| SHA512 | e40123e2a78753a9d273abfca27c7140ca32673923daa99c1f53f40df2f23fdf59e05520ffb8a20298f1d0979c5bfce86caca8c77be8975963f988527234a05d |
C:\Windows\system\sGGuaKw.exe
| MD5 | 3696f209711d280f848b20e91146e56a |
| SHA1 | 8c329140d9ccc27386352758124b4b8164881eb3 |
| SHA256 | 40b931f8ed0779799f7511cab7c5c43b0fde2964a3b8cb109a74657080a0c083 |
| SHA512 | 7c717e6c50e7d8ee544905d3380c29f6e68b393bb92915d9b267980080e2cce371f58f2b6ee62a6da4207ad6ad9ef92899bcb86f2d20c82702b0d8c739bece67 |
\Windows\system\xRCrwpG.exe
| MD5 | 4b5a78b875ba1c7e9479a9400bd45178 |
| SHA1 | 09e446a9820d2bc11faad8d0af02b7a1b436a8df |
| SHA256 | f80ad85a57e85d71d477182987f4c8f1c6ef8769fa29c23f3ba89d284acfdb76 |
| SHA512 | bc1235cc97642793bf9399282cb72d777251816fe9476d83fbe5d01b0a527045b37f2cfcdfe69085220ff4cfe0e85b3330ed21e4ea259e854a6cce05d2047b20 |
C:\Windows\system\jIzUfWl.exe
| MD5 | 87c722ec64bf1f507b6691f215b8e727 |
| SHA1 | 9b3a76ad44fc19d0b09960455f159c7c019348d1 |
| SHA256 | b57a550aec758f70fb5b7ecc8a0fc84aeee3a305e0b0d173a16551c73098c778 |
| SHA512 | 15f4b245ad092f2a1a8f51e8944de64b6864c00e3f12158789d3fd4865e44dddaf7bc0657176337170b15dbafaa5be15be0d25243a9e5b43a287c97cadd88219 |
C:\Windows\system\bCsHFRC.exe
| MD5 | 11f747495026b4bd9e84b02c1a9cb928 |
| SHA1 | a796488ea81e83e720c6ffc1bdfe0891680fcb5c |
| SHA256 | 75d4a909a4cc31dbb3f6ef9447fe75e0d71df408a5b915e7c20a2aa9ce701374 |
| SHA512 | 5db91eeac9c837addf144d7c1294542947e07cfe43a8de2f3c4f765f1cc02a5360632702abb933774e55f8dde46bca6a7382b3a4f4fdaa08d3acf32f0131fe68 |
C:\Windows\system\yrHuWMT.exe
| MD5 | c1b7c167c455260ada4bd3e2c5e59fc7 |
| SHA1 | f12f8c7e8962ac5e23986522ee6a51f7f041002b |
| SHA256 | 57eb86831c8296605be2098d37c66298fcfe31445ff1e8df48f95d5464f39ac1 |
| SHA512 | 9c227e94ff801b84f653d036239a46526771e095e6a174c23d9a6ef8b556dc787f933ad25de21c93856b1362f85b81614754f5726c5e5ec09aca56cc94a9c074 |
C:\Windows\system\sannblE.exe
| MD5 | e6b4c9bd29abf5ec557c4a2781c303e8 |
| SHA1 | c7874023da9520c6602f959adcbbf19a5017e8a8 |
| SHA256 | 9648a51ee0043ed3970cd75e6de334e3dfc393e8907d42ce07c86b8c3964d7c7 |
| SHA512 | 67d3516156e328712db8e65de68d4744b341c1fa826461e5e0186138da81e7ff0d583e6c78c6cf3051c03d45bd511e99e3a5966ae68cfcb6efbe5ee712b14e81 |
memory/2420-86-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\mlqXcnC.exe
| MD5 | 8a64a8c256cfde79638d0f7af9154f91 |
| SHA1 | e0054a0c5bdbadd5fabd7765164e9b4e46ecfd4f |
| SHA256 | f06cbe48400da535125103cfd15f87b684578241590ff71f42090d7e9418b933 |
| SHA512 | 4a742a861dfeb8ca98adae313fde92cd3e2411c3415e2183127e7a53cf33f416cd5b088e24dc0401d4a85c50bb377ad2982c391dfd931265134e7eaaf085c585 |
memory/2992-81-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2420-80-0x000000013FEC0000-0x0000000140214000-memory.dmp
C:\Windows\system\OiwIHJU.exe
| MD5 | baaf0cd1e182a4c35c3b8451e1cc2a78 |
| SHA1 | 750a6f4c79599b9df7497b4dd1cfdb9aa91a4057 |
| SHA256 | 47c0c1c5550e68c37e1e6fcbac74eaf73a7626f43f2d3c0aa2e91180e493eb10 |
| SHA512 | 5d779446d03df4a660d1dbc27da89ce07ce9ce951e2c2782748900fe18bf02c3c5bfbe8427d9b14f4d77e68ab09cdc0c6e2cd9bc23e753816fc2729ab8889fc0 |
memory/2568-70-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2420-69-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2420-68-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\xtQCfdD.exe
| MD5 | c887648f9272a7a8d3a568b55e8ffc5a |
| SHA1 | 393cfd28aad01e5bbf1b50034a84aedde2415bc5 |
| SHA256 | 8ac5fca3d46ef26a3bbdd72f6d96010424a33d008916b8279d1415753ac150b8 |
| SHA512 | 191d197cb029291ab310d5cd87496d6f58d9ee812c64290ad377fc71c48d634cd78678dc999ab41f0327c052fb1705c466af75fea10d47ff59243e5f0e1c52dd |
memory/2516-63-0x000000013F2B0000-0x000000013F604000-memory.dmp
C:\Windows\system\TuEkLAM.exe
| MD5 | 9a2bc33b8e9e015a2811e1ae983ab999 |
| SHA1 | bf71ea301e45361784c8d0bbdeba5baf02050502 |
| SHA256 | ac098f6528ea3cf08916368f636daf57c21d471abea6907635e22998bfc8ba03 |
| SHA512 | b64dac5c7b8099100d4d66290586362451e2adc0440c1d8ff19e7eb23c1dc15d56d0352cec75909f75a51ae4fb34eef30d69d692acb76fd2233972b50828bc00 |
memory/2796-57-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2420-56-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2420-55-0x000000013F5C0000-0x000000013F914000-memory.dmp
C:\Windows\system\KAQufJP.exe
| MD5 | d31454484d86cee6418516419ce12883 |
| SHA1 | 09ec681718cc792c6b35463ea8a45c98a473de85 |
| SHA256 | b4f634eb393ab214fdcf70b5bb8b25fe560f969fd337d9d2307b4826568665b9 |
| SHA512 | 84433b5a254622499700010ed986ebdbc28c184a49c739c5f4bd94519efc2459e324ce75a292d0921c83faa85b964345afc42d668db7e9e13f91bf27a570bc90 |
memory/2420-44-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2696-51-0x000000013F440000-0x000000013F794000-memory.dmp
C:\Windows\system\SqfwRUr.exe
| MD5 | f63bc6312a8e77a4333b947895e0a420 |
| SHA1 | 8e4e5f508e4a0acecd831b3494e58122694df204 |
| SHA256 | fec579ae4c6f69c41294a85e4f439d154d1f2a240d55399df7e2263d98b588fc |
| SHA512 | 5dc7ed75c8751c09e5dfb40258cc68927245eb2d100ea020b75cee5dc7b60f0b4e8615f206cdfac6a76e61e592bd3d73838819bfaeddd812a9da44bb16f2e917 |
memory/2696-134-0x000000013F440000-0x000000013F794000-memory.dmp
C:\Windows\system\xiAmTUl.exe
| MD5 | 31104f2529b0aa418165dec80e3fb7ac |
| SHA1 | df56b0995d5498a689e34845786493dd768815ab |
| SHA256 | 0d6be84f6d74bf1c878f0ce6edc9eb5af46b7f9fb89442e2888d66c4754dc1ce |
| SHA512 | 0cba6ee18431f09ed89b01eb6ed9958ff55cb0c20c536c6565c5826036632127cadf4dad019bc5b2398840213e3a1feb16c45049b1ee7321682891bd01dfc1a7 |
memory/2800-39-0x000000013F7F0000-0x000000013FB44000-memory.dmp
C:\Windows\system\FwzygAN.exe
| MD5 | f4df100cdd61d7ed29d963ac89c98425 |
| SHA1 | 3f3c0de286f9a391fbd5ebc7dab47177d2781385 |
| SHA256 | 39d00b5c73c72036e2cfe16690f0f87634126b5e765fd4e305042d236cdd1b45 |
| SHA512 | 8b143a91e408b903db609399fb9b9daccdae8832b0bfa58ea257da10482e7acdf4c7e580b0db11ed29fbff7fb587c52accb6a8f7ce1521dc99fb981280b71eac |
memory/2672-34-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2420-33-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2420-27-0x000000013F200000-0x000000013F554000-memory.dmp
memory/1388-22-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2420-20-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2796-135-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2516-136-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2420-137-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2568-138-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2420-139-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/3032-140-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2420-141-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2992-142-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2420-143-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2968-144-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2420-145-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2052-146-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2884-147-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2728-149-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2516-151-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2968-153-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/3032-152-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2832-156-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2796-157-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2992-159-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2568-158-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2672-155-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/1388-154-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2800-148-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2696-150-0x000000013F440000-0x000000013F794000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:27
Reported
2024-06-10 04:30
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KciteBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\smjQTLz.exe | N/A |
| N/A | N/A | C:\Windows\System\MgykiHj.exe | N/A |
| N/A | N/A | C:\Windows\System\taDTWgv.exe | N/A |
| N/A | N/A | C:\Windows\System\JFTSSkq.exe | N/A |
| N/A | N/A | C:\Windows\System\SXIaQPm.exe | N/A |
| N/A | N/A | C:\Windows\System\QwvzDrw.exe | N/A |
| N/A | N/A | C:\Windows\System\EMBnLhq.exe | N/A |
| N/A | N/A | C:\Windows\System\ONzgrBT.exe | N/A |
| N/A | N/A | C:\Windows\System\zveJdJS.exe | N/A |
| N/A | N/A | C:\Windows\System\pZcsFLt.exe | N/A |
| N/A | N/A | C:\Windows\System\EWEEesw.exe | N/A |
| N/A | N/A | C:\Windows\System\bzcgDUA.exe | N/A |
| N/A | N/A | C:\Windows\System\qEBgope.exe | N/A |
| N/A | N/A | C:\Windows\System\qeBaaPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QukCseZ.exe | N/A |
| N/A | N/A | C:\Windows\System\htffbGS.exe | N/A |
| N/A | N/A | C:\Windows\System\dvBPdHN.exe | N/A |
| N/A | N/A | C:\Windows\System\NXAtUIT.exe | N/A |
| N/A | N/A | C:\Windows\System\WiWBLDG.exe | N/A |
| N/A | N/A | C:\Windows\System\UFRdMLo.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KciteBZ.exe
C:\Windows\System\KciteBZ.exe
C:\Windows\System\smjQTLz.exe
C:\Windows\System\smjQTLz.exe
C:\Windows\System\MgykiHj.exe
C:\Windows\System\MgykiHj.exe
C:\Windows\System\taDTWgv.exe
C:\Windows\System\taDTWgv.exe
C:\Windows\System\JFTSSkq.exe
C:\Windows\System\JFTSSkq.exe
C:\Windows\System\SXIaQPm.exe
C:\Windows\System\SXIaQPm.exe
C:\Windows\System\QwvzDrw.exe
C:\Windows\System\QwvzDrw.exe
C:\Windows\System\EMBnLhq.exe
C:\Windows\System\EMBnLhq.exe
C:\Windows\System\ONzgrBT.exe
C:\Windows\System\ONzgrBT.exe
C:\Windows\System\zveJdJS.exe
C:\Windows\System\zveJdJS.exe
C:\Windows\System\pZcsFLt.exe
C:\Windows\System\pZcsFLt.exe
C:\Windows\System\EWEEesw.exe
C:\Windows\System\EWEEesw.exe
C:\Windows\System\bzcgDUA.exe
C:\Windows\System\bzcgDUA.exe
C:\Windows\System\qEBgope.exe
C:\Windows\System\qEBgope.exe
C:\Windows\System\qeBaaPQ.exe
C:\Windows\System\qeBaaPQ.exe
C:\Windows\System\QukCseZ.exe
C:\Windows\System\QukCseZ.exe
C:\Windows\System\htffbGS.exe
C:\Windows\System\htffbGS.exe
C:\Windows\System\dvBPdHN.exe
C:\Windows\System\dvBPdHN.exe
C:\Windows\System\NXAtUIT.exe
C:\Windows\System\NXAtUIT.exe
C:\Windows\System\WiWBLDG.exe
C:\Windows\System\WiWBLDG.exe
C:\Windows\System\UFRdMLo.exe
C:\Windows\System\UFRdMLo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/4900-0-0x00007FF6960B0000-0x00007FF696404000-memory.dmp
memory/4900-1-0x000001A3C5290000-0x000001A3C52A0000-memory.dmp
C:\Windows\System\KciteBZ.exe
| MD5 | 15f4114f51dd8191690d864e275ee0cd |
| SHA1 | 945623cebd61bff2ceec2f33d1665eaa5aa804c7 |
| SHA256 | 10ebc8cae1b64221dd2c4341e7c32a6dc12b3f8399fe6b16959c0019f2583716 |
| SHA512 | af68dbb844e6bdd90ec936f4a65be406fd355031c0904697bdb14eeed5b2991bb5f37a673d2c012b75e9287e152b0d2660a90709a49d8be2d9379c45d4e857b4 |
memory/1696-8-0x00007FF652810000-0x00007FF652B64000-memory.dmp
C:\Windows\System\smjQTLz.exe
| MD5 | dbbcce0e92916e01759d865790b0febd |
| SHA1 | 163563440862f462bc33c9b50ea41b94ae666d96 |
| SHA256 | 45f1778efe9bd1249ec0a062246201db4a064200a83edcbf8bb1fbf331995cfe |
| SHA512 | 38ac2912b44f83dfae6f27a17d64490138a49245fd84285bddc6ecab0a191ab0f259ad78d5480627607a6a88a0060c16cdbf17b097ff3541c52d3502c681c061 |
C:\Windows\System\MgykiHj.exe
| MD5 | 3c5ee0132c63fe88659aff486487a6aa |
| SHA1 | ea726844b83a80a6819c05537a159b7454870b7b |
| SHA256 | aa790994836331c0c3615a6c92502aa9dc8e703a21a7b30c1ef1de8fec5e725e |
| SHA512 | b247dacb200027515666a40a094e50da21c9fdb04bdd78427d9d66ce2ca32986b4522d59f144178cbacd0fdcdb0326f69601e489e95270ea0d9b81df989c2c81 |
memory/2784-14-0x00007FF6348F0000-0x00007FF634C44000-memory.dmp
C:\Windows\System\taDTWgv.exe
| MD5 | 00b45d18548416652756e177b2bf05ef |
| SHA1 | 28546e633c6adedf239d343680e5fae5afccbc90 |
| SHA256 | 80f124c19db54f6266f0effcf4934b63a6f0d10817198ac71539d5ea37a21ffe |
| SHA512 | 1fd03acacd020b1ac015fe51997885696ef5e523141f9fd4f525c465333d5b347ee969b54855da4b74d11240aabc82e28a09c20fdebc362d7705f43cfea6966a |
memory/2012-25-0x00007FF7691F0000-0x00007FF769544000-memory.dmp
C:\Windows\System\JFTSSkq.exe
| MD5 | ab3b6aca10ee16d48bb68026475ca5d9 |
| SHA1 | d7f917327a7b4a358fda73b0c55eef6c02a127d5 |
| SHA256 | 8d12f2a173583c9362ec789d066a01886d064f85af7a7f8dba7859c7d6ff12ed |
| SHA512 | ada1f1073572a1212ffec12be359c21883fc8f75a05fdc3c80c449bccaa278b7b01406d6994d5ff89f6c708ca71d07867c835cffd0fbc1b10d014ea6a89a7037 |
C:\Windows\System\SXIaQPm.exe
| MD5 | ab4f828d1c958a70a0f365fc9bf9c6d5 |
| SHA1 | a050b26493b5f001a231b2a876f2577e6e95a467 |
| SHA256 | cfc25d1ef8f48734405d53e7379eb0e2c8acbb8358b8660f5c236e49af38f1d5 |
| SHA512 | 4b28f17706b211dc34cb3078ee113be2b0faabf7ba910ff75538a542ebaa7e69f6eebf033422d098eae577312fbdcf58ee756b7855ab15e027c50253559736d9 |
memory/5012-34-0x00007FF6DCB50000-0x00007FF6DCEA4000-memory.dmp
memory/4556-26-0x00007FF715700000-0x00007FF715A54000-memory.dmp
memory/536-38-0x00007FF6D85F0000-0x00007FF6D8944000-memory.dmp
C:\Windows\System\QwvzDrw.exe
| MD5 | df799037fa670ca2069595f88c559ce2 |
| SHA1 | 3cd50e1eac30761cbd47fc64788f3681dc328b3f |
| SHA256 | b094be82b5f1f9e5c42616a23e1109e64e83fb3d5da9733b62c90b702d5279eb |
| SHA512 | 9fe0b2c48cc478b73d4f5a178ce6183b6f24f498c599ad90031061b4df86b61e7ca419297f3f997bc33d315560568166723c89c2e7b30086f56c26c3abdcc4c2 |
C:\Windows\System\EMBnLhq.exe
| MD5 | 962bd3694f54b8d82ff7ec3ecc32451a |
| SHA1 | 460e199783dd7bbf76c4c09988b81b214d9a79fe |
| SHA256 | 1c2ad99d75c630cfbe26cb8f9ec4af1df5140ce3ed7e19eadb96f4c193e424fa |
| SHA512 | 45e17fe8d20ca459ac78f8406ab7cb745d12f4f5507a58444c66330d3eeb8233dc6c838b3f2d99d45f8f0568b9754bc4f83e5d62f3845e86f108a99386d2406d |
memory/3788-44-0x00007FF625A50000-0x00007FF625DA4000-memory.dmp
memory/4740-50-0x00007FF6F8550000-0x00007FF6F88A4000-memory.dmp
C:\Windows\System\ONzgrBT.exe
| MD5 | 8393b2840d9a688ea9594451dbf51274 |
| SHA1 | 927b2b22e28b33e44c885ad4bdd41fe85372d592 |
| SHA256 | 8118fd8040ef7b4121ee38af8eab13796f38f1f43da66a1bb7a8c83bfcc55d3a |
| SHA512 | 4a036b55eb2df976bca85a1463807ad74458937fb297a713656205b07406742808a99f7279eacbffd5efa51ae49ec7a0b6af7c409eaf140faaf55e748d7c45a2 |
memory/1768-55-0x00007FF7AFBB0000-0x00007FF7AFF04000-memory.dmp
C:\Windows\System\zveJdJS.exe
| MD5 | fbcdc50313d3f4947e621b1ba50a1c6b |
| SHA1 | 53a0e91bc752f373337aef63c9d31934989b0deb |
| SHA256 | 73f1a7ce09375426d15815c59de45bf2feb8ce3a8cc063f44f195fae5b284496 |
| SHA512 | 86b8f4e95fa95477b7e2658d1b68d4b764cbb13a37e45da7e662006cf0d3a144b349b8cb8affce963d5a8691c0486e4a9e7e7505c3a8da5d5fdba2000fd85818 |
C:\Windows\System\pZcsFLt.exe
| MD5 | 856e41706037da0d5338074c645764dd |
| SHA1 | 4851d8c9e6cd6278445c23027c41fd0f24a45740 |
| SHA256 | 539f33a8f5a42f7be0515fbee7a022576e3c5d2220d9066c53491cb32013869d |
| SHA512 | 4d8b215031dada54db7b8307ca1466c5e6afc4c2700ace5e26e49b9880b8fdacb759ac6d6cae66e20c37a0e0f0ccc013cda90d0b0f10fbae0c69910be4f3dfb6 |
memory/544-66-0x00007FF686970000-0x00007FF686CC4000-memory.dmp
memory/1956-67-0x00007FF68DD80000-0x00007FF68E0D4000-memory.dmp
memory/4900-62-0x00007FF6960B0000-0x00007FF696404000-memory.dmp
C:\Windows\System\EWEEesw.exe
| MD5 | d9576bd10e10b05f85f25dd52b835bd7 |
| SHA1 | 20a779a1caba743aa5e01635e950d789863541d8 |
| SHA256 | 641ce21253a195c666078e729ab5a0d3bad690957653b68c51bdcf6327b6d7ab |
| SHA512 | db19936ab05074e35c3c706d38b0318d60592524d2d743824c441b34f6fe32758419a89f5ffa63022ab0b33477b01417b44371208dedc11b28806e22c8c38b1d |
memory/3564-78-0x00007FF79F3F0000-0x00007FF79F744000-memory.dmp
C:\Windows\System\bzcgDUA.exe
| MD5 | 54e9f8b8c74535073d8d663e8a1c2598 |
| SHA1 | 6d8efa0bed44d2647d196909efefcb77ec092d16 |
| SHA256 | 21a63a0047d19659d442fa2086e7d4da4d9b34d3ab6dbda9937cd7a8cf8281b5 |
| SHA512 | b3f1677c2b823195ee378a652c95b1be8ba75a5e80f838afaac3cd754c5fa7c00a416c3d48f0598e8c24c8e733d2a7db5da86a6f514b2e74721e24a70df39032 |
C:\Windows\System\qEBgope.exe
| MD5 | eabb9d23abcc5f1e863a5087c25522c5 |
| SHA1 | f67b9bca35cdcb0b56ef45c6b3d1d73211c571bb |
| SHA256 | 34ed383f07e127bab46f4f7ca21b48af17d99e6a767f1fb5bb4b78e332ee19aa |
| SHA512 | 4c7f505cc4027b6ddf2be46994d0b59e244038516550699b3d18a50f4dfb0cd35925a4bc1e7c25d3c4020e8256a6b0a0ae697ea66254245e414262e72c28171d |
memory/1968-79-0x00007FF705E70000-0x00007FF7061C4000-memory.dmp
memory/4060-89-0x00007FF77DE60000-0x00007FF77E1B4000-memory.dmp
C:\Windows\System\qeBaaPQ.exe
| MD5 | a540bd0837e5f4baa89af82c658553c0 |
| SHA1 | 72adb4b2b68905adf6bacb0e64bbaaf17bdfe626 |
| SHA256 | 8d5c12ddda3bd7650ed97d7438f079e54a645edf63ef639e95c902fbb7bde698 |
| SHA512 | 6fea099395065caff80efa1f2042d9558a97c611ab2a45d34b02bad0145e4d22bc31ddc8df06b2de8720e0c926105a7242a5c4b60b237c1359493395b512574c |
C:\Windows\System\htffbGS.exe
| MD5 | a16262103b38d391207f22d76bd50dc3 |
| SHA1 | f924ac9b00191003fa401474ad65a10d325ef4cf |
| SHA256 | 5e932245223e00fc5423dab49c169a8f753931d3e5557021ed3344169c23bb8c |
| SHA512 | fa2f2e479fe0a4a442027b8fee134151774594cf81a365ecad2e0038c700177342bcaf0b6a9f3bc822a2738c1a1c2bdb81e503d7eeeeba6906d2f7e8155401f6 |
C:\Windows\System\dvBPdHN.exe
| MD5 | 06afb531c748539bb87004e870c1c461 |
| SHA1 | 5be714dfbf7079ceb961ea0ac2859f321020f4a7 |
| SHA256 | e04ff1072690cb5740d105e5a50a4b1c76cd7c85c630cdfc2e84adb0b8e72555 |
| SHA512 | d42380e11d4d54f4628d95d9088e4a8277cad5d30a649b6fe79115a13697e09f013a8241a932a1be1a984aded7644e67a600717f456d0165c8f0d9504a914254 |
memory/1768-110-0x00007FF7AFBB0000-0x00007FF7AFF04000-memory.dmp
memory/5076-109-0x00007FF732BA0000-0x00007FF732EF4000-memory.dmp
memory/2088-103-0x00007FF651AA0000-0x00007FF651DF4000-memory.dmp
C:\Windows\System\QukCseZ.exe
| MD5 | 9070da721642844c32e1a5a2f22fa910 |
| SHA1 | 8418a216032fc2eea1dd46b91390f2fe809376a5 |
| SHA256 | 78c8968e42712b751b07835d36292b420021e4d2fe70d9a5bc21f0b3d5947cea |
| SHA512 | 352aa069a3e8a3d0794e228ce0933e090bc9c6f3b2d37dfe8f9d949bd620ddb2d7828f3b0dee0268b7b9c9633bd4839d61e937291caae56fc4b1a9ac5a09037b |
memory/4844-99-0x00007FF7E0A00000-0x00007FF7E0D54000-memory.dmp
memory/1656-96-0x00007FF659910000-0x00007FF659C64000-memory.dmp
C:\Windows\System\NXAtUIT.exe
| MD5 | e7d322f1653faae93487d4294fa73050 |
| SHA1 | 99350aacaf3b38a9c5fb4c80b0860290147379c4 |
| SHA256 | cc4c912d57b693e490c6a136cf12020865c3ccb519ce942a8716757be0b9f2dc |
| SHA512 | 6a962eb9a62226491d470dd2214ea27a99243d000ff1e8f30849d9eae256ed1729dd690e262e0d441dec937bcb5eef42ec380cae04ba6f1e54f6adde85d86a1f |
memory/2408-124-0x00007FF7E21E0000-0x00007FF7E2534000-memory.dmp
C:\Windows\System\WiWBLDG.exe
| MD5 | 38d1229792165d34f4192dc93e69b8a1 |
| SHA1 | fe37eb80d756bd2fbfa8d2ce370f05c2ff5bd679 |
| SHA256 | 83d3f6bb6fb9c249974c5b0ad2561401fbaf021065f44803374f08241d8b7885 |
| SHA512 | d25e4be25af1ea30ece55ef16b8f40b718ca2bebc5ce0f2a2c010d022cb625b520f7cc915b428714f88a82f19b6e7d9748c84674eb5e7f64eadddacc15c2c572 |
memory/3724-118-0x00007FF72B820000-0x00007FF72BB74000-memory.dmp
C:\Windows\System\UFRdMLo.exe
| MD5 | 321acf34847f7945fde1c848299386c5 |
| SHA1 | 20ce7ec5adf9e05b723c2eaa9b90ade62887bf04 |
| SHA256 | 69a7500e84970167c53963b7cc7736dc9292fc3fb84d0b9b54fed734d94f2c26 |
| SHA512 | 54df9672a745715b95e99c2a271755bfe7fe7242d014d083fd98ad92dc389d023609dea2979ed195d599bfbb051781b0bbf0bb9d8451961dcc0afc5cb739b6d0 |
memory/1956-129-0x00007FF68DD80000-0x00007FF68E0D4000-memory.dmp
memory/4356-130-0x00007FF72FCE0000-0x00007FF730034000-memory.dmp
memory/1968-131-0x00007FF705E70000-0x00007FF7061C4000-memory.dmp
memory/4844-132-0x00007FF7E0A00000-0x00007FF7E0D54000-memory.dmp
memory/2088-133-0x00007FF651AA0000-0x00007FF651DF4000-memory.dmp
memory/5076-134-0x00007FF732BA0000-0x00007FF732EF4000-memory.dmp
memory/3724-135-0x00007FF72B820000-0x00007FF72BB74000-memory.dmp
memory/1696-136-0x00007FF652810000-0x00007FF652B64000-memory.dmp
memory/2784-137-0x00007FF6348F0000-0x00007FF634C44000-memory.dmp
memory/2012-138-0x00007FF7691F0000-0x00007FF769544000-memory.dmp
memory/4556-139-0x00007FF715700000-0x00007FF715A54000-memory.dmp
memory/5012-140-0x00007FF6DCB50000-0x00007FF6DCEA4000-memory.dmp
memory/536-141-0x00007FF6D85F0000-0x00007FF6D8944000-memory.dmp
memory/3788-142-0x00007FF625A50000-0x00007FF625DA4000-memory.dmp
memory/4740-143-0x00007FF6F8550000-0x00007FF6F88A4000-memory.dmp
memory/1768-144-0x00007FF7AFBB0000-0x00007FF7AFF04000-memory.dmp
memory/544-145-0x00007FF686970000-0x00007FF686CC4000-memory.dmp
memory/1956-146-0x00007FF68DD80000-0x00007FF68E0D4000-memory.dmp
memory/3564-147-0x00007FF79F3F0000-0x00007FF79F744000-memory.dmp
memory/4060-149-0x00007FF77DE60000-0x00007FF77E1B4000-memory.dmp
memory/1968-148-0x00007FF705E70000-0x00007FF7061C4000-memory.dmp
memory/1656-150-0x00007FF659910000-0x00007FF659C64000-memory.dmp
memory/4844-151-0x00007FF7E0A00000-0x00007FF7E0D54000-memory.dmp
memory/2088-152-0x00007FF651AA0000-0x00007FF651DF4000-memory.dmp
memory/5076-153-0x00007FF732BA0000-0x00007FF732EF4000-memory.dmp
memory/3724-154-0x00007FF72B820000-0x00007FF72BB74000-memory.dmp
memory/2408-155-0x00007FF7E21E0000-0x00007FF7E2534000-memory.dmp
memory/4356-156-0x00007FF72FCE0000-0x00007FF730034000-memory.dmp