Analysis Overview
SHA256
eab35c15969a9d45b680dc6a91241791e6ecfd4b674b52676918cb73c2476d93
Threat Level: Known bad
The file 2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 09:05
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 09:05
Reported
2024-06-10 09:07
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A (21 hits) | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A (21 hits) | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A (62 hits) | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (63 hits) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pNzsWnI.exe | N/A |
| N/A | N/A | C:\Windows\System\flRoBEE.exe | N/A |
| N/A | N/A | C:\Windows\System\VzrVwXT.exe | N/A |
| N/A | N/A | C:\Windows\System\EwVukqZ.exe | N/A |
| N/A | N/A | C:\Windows\System\umTOQtg.exe | N/A |
| N/A | N/A | C:\Windows\System\dqUbnOf.exe | N/A |
| N/A | N/A | C:\Windows\System\zUlUpJd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDUFkGh.exe | N/A |
| N/A | N/A | C:\Windows\System\cMAUIBf.exe | N/A |
| N/A | N/A | C:\Windows\System\IkJDFLB.exe | N/A |
| N/A | N/A | C:\Windows\System\DUAMPTK.exe | N/A |
| N/A | N/A | C:\Windows\System\TIyYzwR.exe | N/A |
| N/A | N/A | C:\Windows\System\jqkePmK.exe | N/A |
| N/A | N/A | C:\Windows\System\Ohlfhas.exe | N/A |
| N/A | N/A | C:\Windows\System\cHhhkfD.exe | N/A |
| N/A | N/A | C:\Windows\System\BhaCgIa.exe | N/A |
| N/A | N/A | C:\Windows\System\zegaSiz.exe | N/A |
| N/A | N/A | C:\Windows\System\eJflpZt.exe | N/A |
| N/A | N/A | C:\Windows\System\RCIHRMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\biFIXPO.exe | N/A |
| N/A | N/A | C:\Windows\System\vXQuuhH.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A (62 hits) | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\pNzsWnI.exe | C:\Windows\System\pNzsWnI.exe |
| C:\Windows\System\flRoBEE.exe | C:\Windows\System\flRoBEE.exe |
| C:\Windows\System\VzrVwXT.exe | C:\Windows\System\VzrVwXT.exe |
| C:\Windows\System\EwVukqZ.exe | C:\Windows\System\EwVukqZ.exe |
| C:\Windows\System\dqUbnOf.exe | C:\Windows\System\dqUbnOf.exe |
| C:\Windows\System\umTOQtg.exe | C:\Windows\System\umTOQtg.exe |
| C:\Windows\System\zUlUpJd.exe | C:\Windows\System\zUlUpJd.exe |
| C:\Windows\System\ZDUFkGh.exe | C:\Windows\System\ZDUFkGh.exe |
| C:\Windows\System\cMAUIBf.exe | C:\Windows\System\cMAUIBf.exe |
| C:\Windows\System\IkJDFLB.exe | C:\Windows\System\IkJDFLB.exe |
| C:\Windows\System\DUAMPTK.exe | C:\Windows\System\DUAMPTK.exe |
| C:\Windows\System\TIyYzwR.exe | C:\Windows\System\TIyYzwR.exe |
| C:\Windows\System\Ohlfhas.exe | C:\Windows\System\Ohlfhas.exe |
| C:\Windows\System\jqkePmK.exe | C:\Windows\System\jqkePmK.exe |
| C:\Windows\System\cHhhkfD.exe | C:\Windows\System\cHhhkfD.exe |
| C:\Windows\System\BhaCgIa.exe | C:\Windows\System\BhaCgIa.exe |
| C:\Windows\System\zegaSiz.exe | C:\Windows\System\zegaSiz.exe |
| C:\Windows\System\eJflpZt.exe | C:\Windows\System\eJflpZt.exe |
| C:\Windows\System\RCIHRMJ.exe | C:\Windows\System\RCIHRMJ.exe |
| C:\Windows\System\biFIXPO.exe | C:\Windows\System\biFIXPO.exe |
| C:\Windows\System\vXQuuhH.exe | C:\Windows\System\vXQuuhH.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2108-0-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2108-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\pNzsWnI.exe
| MD5 | 935de49f937eae8e95955bd26bd80086 |
| SHA1 | 0d329ccb158486e593da15ebdf8aeb720fd93418 |
| SHA256 | a29b3e5ce67ec520fff78bb417bb85fd99e49ee1085c1a3edf323862a305a872 |
| SHA512 | 05e965cb72e22114b9b3484ffbb556e8884faf2ae064ece1a42a5f472eca4bf2a4b168c603e5c50ad725f31e100d05f383c2079a43f5fddd80103a122582fab8 |
memory/2108-8-0x0000000002230000-0x0000000002584000-memory.dmp
memory/1700-12-0x000000013F360000-0x000000013F6B4000-memory.dmp
C:\Windows\system\EwVukqZ.exe
| MD5 | e3f71a79ca5b63682051553402d7027e |
| SHA1 | 73de0f2cb95ce60600a096a0381f1ed4c3cd8055 |
| SHA256 | 098a760c09850b01a3490f2882821316632efb9e95c0456c083a35cefce04100 |
| SHA512 | d857de6b8288dc8d19ef34d934baff3140bb2ba6d39781f32e6f4d3f56a8ab1c0c39a16532829dab89e428bc116c457e204b4f0f9095dd6559c2bb7ed6598ba5 |
memory/2108-26-0x000000013F7F0000-0x000000013FB44000-memory.dmp
C:\Windows\system\VzrVwXT.exe
| MD5 | 814618d3dab02367a21803a1f6a3953d |
| SHA1 | 8d0472d9a4d2c8b54f16b9ead8ed5fb306efb188 |
| SHA256 | 0e232de81ef25931b356f490fa2eeafc4516c1acb345c0c931f501d7befa3108 |
| SHA512 | 68cb1bbc5b2af6aa467aa4a5b88b8f41a9efc674105903d7fb3a7c58a21436d010c8d62eccb49934eb91d81ca14397c3b3a1b678998def097f9cb0ea1863d903 |
C:\Windows\system\umTOQtg.exe
| MD5 | 345ff4588e17e53049aa5e34fd479f30 |
| SHA1 | ecdb445a824bed930f9612275685bf3f453b5fc3 |
| SHA256 | 578b1362803844c463579e61d6edea654776c80d94247098ed78dc7950ac49b3 |
| SHA512 | e78bd6fe97a64ab5b020c9d29ea80d1c2de6313fe483c98ea44cab473391f05d55413a347c314d1ca570beb8ad26c57131273a2789a876b764fa5b46cccc54c9 |
memory/1316-38-0x000000013FF90000-0x00000001402E4000-memory.dmp
\Windows\system\dqUbnOf.exe
| MD5 | 1a6b84cfbf1644f9bbf3ed0f61a78a5b |
| SHA1 | 62ba00a8df669063fc73220e300bcb015b935620 |
| SHA256 | 789d38e2f0131324b1823a447de80cf634a44eedb56f2854256b2f79eea9647a |
| SHA512 | 05af46eb31dcfb3906b028b4c9e0622806228161ec2f6e3b0422d717edad21b45fbb3ac85424a5208fa950a52e51b14d96d5056a1f561e2231800b237a8963fb |
C:\Windows\system\zUlUpJd.exe
| MD5 | 21f5a348acaf7d8984b5552e1052c713 |
| SHA1 | d9ec9e4a22ad8349ad4e96392751c7fa4b5bbcae |
| SHA256 | e92dfaa272f9090d557e6f093f892f6d65a102d671e35ea78418234fcff9cce4 |
| SHA512 | bd5e74aa69b15216fd31b85fc22547e04cc7aa8d407ca10da0bf5f674ec2d17475f98a364809e0469763c978833eb9763d68c76b7b81ae6164541811e5354913 |
C:\Windows\system\ZDUFkGh.exe
| MD5 | e8981b0ba08bff3d7f9ba2cb412423bb |
| SHA1 | af0e08df921ea66febed30a3498d0df4d812be72 |
| SHA256 | 1e27a067988c7c12dfe6c7d4df38297198d5210f47e880eacc910459c9260ade |
| SHA512 | d25a0cef068ef732e65d7591a4dcf44baa3c3d66521068a84bdee129c07cad80490635419116a800e3be4586ccbd2385d1f2b90b569b12240ad39fd3ff5fd51a |
C:\Windows\system\IkJDFLB.exe
| MD5 | 293e8ab5e5fb24023bbb623d06c53114 |
| SHA1 | 9fca7c1dd9dcd3793805ac0473341a306bd9487b |
| SHA256 | 762b7c35f9345bb0bdfabfe1261e1e5d4e7ab6125511e6da56a877f295276921 |
| SHA512 | da759d6706636655721e01ef37cc4560b1ae48631653e1b8d438363542fcb3667eb06444bf455f8a88a7e67b09b31be26fdaeff7a4a4e0675e6acb0247f74867 |
memory/2672-63-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/3000-57-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2716-75-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/1432-90-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
C:\Windows\system\BhaCgIa.exe
| MD5 | decf72af444a007a058653f5928677c0 |
| SHA1 | 50f0ab34c99138728bacb53e8542c948c52d0a8e |
| SHA256 | 2f529a976e42617067aba21b6fb38c37202901ac006c50eebb6ad87f1e995db9 |
| SHA512 | ab61046b0e69fc7531f4ff363329914fb5276242ac28b5237dc3a5238ba48f96bccded56e848d15e7fe14777be8edcd3ebd182bd4c0d66e82ac09de114567b60 |
C:\Windows\system\eJflpZt.exe
| MD5 | 16f13dfc4e8b30eef7de6c254deb6c6b |
| SHA1 | 631971887aef3a03faed38f6d7234c849b605d2b |
| SHA256 | 15482688ed2e8c768a200f70054b7ff275a07f61586b924e379052e9c8af1300 |
| SHA512 | 9f13315327dc3177e8457b7b19c836054e666675fca0f88eebcf8e43fcb349c17a1190d6c1a696ec084e52b63600f53e457eb00d5e33c5dd662c78f6fcabe355 |
\Windows\system\vXQuuhH.exe
| MD5 | f0795d008564909abd7acc429e21fe60 |
| SHA1 | 065f739b9f213e572e19c9f453dd0b3cd1c10d13 |
| SHA256 | 2a41d570cd0b22d7b16de70696e842fa6fc8958688a1d344055c4360fa4c1302 |
| SHA512 | a695d77a51e3a8155f2db205e6870fb7d50a9d962636883dce5137b376f5bbbbe6d03d03d49205a42412a2e47aebbcb7514acf98d915b5ea3e3952ec9c6f0bdb |
C:\Windows\system\RCIHRMJ.exe
| MD5 | 5d4bca88ec75fa4ea19e4ad4dc4c0259 |
| SHA1 | 1ba3402150ae4f839d1a1ad317d7e96dcf86a21e |
| SHA256 | 5fb7a08b1e668c210b110e85763dcd50fe560459b26f3bc3d54fc7f4a5c7a380 |
| SHA512 | 3e55339ca05451c5c172073c00091ddc9251d8908f762bde1064de4740c1079fa5ab8fa470c22fd366c33e1b08e3428bd699e5dd3fc727dd5854cb328eb9b60d |
C:\Windows\system\biFIXPO.exe
| MD5 | a36feecc26f07f7def14cc181e48eb89 |
| SHA1 | df6967e180bb9951dd29cf59dfb72167dc566307 |
| SHA256 | b2f23d94d3b4bd2e9198c1519db19fb10405e4accaa786cdbab8484827f46872 |
| SHA512 | 79a19992c6e7fb9157fe782089a0256eb9e215d4a002aa268d8f8035a81172d49071681cc0b5d43d0301d9b6f3233f27ab85bb5f4d7d9bb3e0ca0fec84f27911 |
C:\Windows\system\zegaSiz.exe
| MD5 | c03ad2aef63a7edf4476e93c24d52967 |
| SHA1 | 6321c12bb4596cf42ed1216aeae96c3e53c145c9 |
| SHA256 | 145e4eaa75841b5b7f6822275f6952586faf1381e7c2ec4c10d67cd2f3d9adf3 |
| SHA512 | 60164de847a317f2f9b3bdd827eaa040a04911a15bffec40a1ad9f88be8b67fad13eeb173eb4a082db0a1980b85966ffa84a8863c178c0e58caf9a5a2b0dc741 |
memory/2656-105-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\cHhhkfD.exe
| MD5 | 1a52ca6b3d96d261404365b62289dc17 |
| SHA1 | 87fea92c882d377a324841c33986e4e3f4289f84 |
| SHA256 | ecd3717f58ac6443b0ed9d8a014389fd29d68067e450576f072cae84fabb12b6 |
| SHA512 | 0bb7323e9a43939ef75d64437849a1472c75e8323ad957a7c23b71b3de7fdb53d018030c5c803bba4dfd9f30a2583c6d55eddce3b17d290d8a55d3a7f0dfc515 |
memory/2784-137-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2108-136-0x0000000002230000-0x0000000002584000-memory.dmp
memory/1932-100-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/1316-99-0x000000013FF90000-0x00000001402E4000-memory.dmp
\Windows\system\Ohlfhas.exe
| MD5 | 93f83c652688278651f0cc2b875ea512 |
| SHA1 | c17857a31833e6fa8c4fa9344ddd093f806d1cd2 |
| SHA256 | a2fc6620b121f770f6ddb194f31ee719ac206de408c22518ad29302faba4daad |
| SHA512 | 3ca7e84e41007b399193788ea27e8e3273a4e55ff8fdb8f2df4e953233dc16567601bfd9fe580e834baa3d96afda9b403d960fcd7b0bd595c5c4b009633dc12a |
memory/2108-89-0x0000000002230000-0x0000000002584000-memory.dmp
C:\Windows\system\jqkePmK.exe
| MD5 | 9dd3b97102b937d51cc6fa06792c5c5f |
| SHA1 | 4a2a18107655362dfdb0cec4a22e96f5b49d1bcd |
| SHA256 | de69da43b0510fcd8f6cda43a118eba8c58c18612f9cc2fdd02fda359aeb0c3a |
| SHA512 | 5fef027c026cd2f0b86fea33761db3bf74b3eedf2efc7b45b791703777de9dbcaf15bc60a6496c41b0df79d3b1675c99b57f6297733576e7436047be9c360318 |
memory/2224-77-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2108-76-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\TIyYzwR.exe
| MD5 | 67f83019df85b3dba3efee0dc7a318da |
| SHA1 | a8189537fce9130b690c938c11067a8c189116bf |
| SHA256 | cd816a2e753a7e145a3bfffa79613c5c2f340741356d8d902c55f510b969bc2a |
| SHA512 | 1ffba853b10f93cb3bfe67f7df2a6bb590a96be1eaa38482c3cf874c8e52b0c5d04dd497f44d5eb81faf9a6a7a0da8155396437ab34d61a0ae58c4e64544e1d8 |
memory/2776-138-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2520-70-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2108-69-0x000000013F7D0000-0x000000013FB24000-memory.dmp
C:\Windows\system\DUAMPTK.exe
| MD5 | 202c93c39f27332d0ed9b0e302e1548e |
| SHA1 | 268dd8dcdd48ebd851775f3f05e0e5cb9cdb4e2f |
| SHA256 | bf7ab8ddca33d7230a5a5020b8086b804c0ac8ced2428dd204f8da339761ea44 |
| SHA512 | f46441bd012807e836eb27b2f2a72822c50b08daadccea903f8361d1f6f4cc897605b734f019ad97da9b4c4ad36c33b82650bd3e0b062c1d1a89becbaf97d968 |
memory/2108-62-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2948-61-0x000000013FF20000-0x0000000140274000-memory.dmp
C:\Windows\system\cMAUIBf.exe
| MD5 | 4938293782849ecd50a36ecfa315d1fb |
| SHA1 | b43d72108389b01205b15e8f953846b25d4ca4e8 |
| SHA256 | 3fdcdfb9d71ab9a54d45b1d9f3cca7baca01c4567a989dc23055ffb14fe5c191 |
| SHA512 | 62c3586385b4fae7e87e08e716c3e23378b29c7666fb7131ae50387e47a8472f5cab9fddcd4109c8ea7af2f997e5507e075a7fe9332863fa3e4e40c74836613c |
memory/2776-52-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2784-47-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2108-46-0x0000000002230000-0x0000000002584000-memory.dmp
memory/3000-139-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2656-41-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2108-37-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2108-35-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2108-34-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\flRoBEE.exe
| MD5 | af17bbfc61965e2d8b2592c83696404a |
| SHA1 | 68049f40d05d606eb48dd2c193164c5e72bef7bd |
| SHA256 | 3ab451bbc6722b480b62b15d7d15d310707c26031011a80901315034205159b4 |
| SHA512 | 2f45e5832263e104d8f9d5062c84f1b54425f6cc3dcc66a474c1bf211b0c2235e122d00a11a16024885f45e6adb4fde32847c26140b688125c63a5a22ef1bde7 |
memory/2108-16-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2716-28-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2948-25-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2592-22-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2672-141-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2108-140-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2108-142-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2520-143-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2108-144-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2224-145-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2108-146-0x0000000002230000-0x0000000002584000-memory.dmp
memory/1432-147-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/1700-148-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2592-149-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2948-150-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1316-152-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2224-155-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2672-154-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2716-153-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/1432-156-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2520-160-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/1932-161-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/3000-159-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2784-158-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2656-157-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2776-151-0x000000013F780000-0x000000013FAD4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 09:05
Reported
2024-06-10 09:07
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A (21 hits) | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A (21 hits) | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A (64 hits) | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (64 hits) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\spbXoNB.exe | N/A |
| N/A | N/A | C:\Windows\System\zULoDgt.exe | N/A |
| N/A | N/A | C:\Windows\System\ErSANiW.exe | N/A |
| N/A | N/A | C:\Windows\System\mEzMFSL.exe | N/A |
| N/A | N/A | C:\Windows\System\tRRWBwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EwyCeTs.exe | N/A |
| N/A | N/A | C:\Windows\System\JxiEazm.exe | N/A |
| N/A | N/A | C:\Windows\System\sLNJhJL.exe | N/A |
| N/A | N/A | C:\Windows\System\ewskobZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cLaLOPe.exe | N/A |
| N/A | N/A | C:\Windows\System\ZoglCGF.exe | N/A |
| N/A | N/A | C:\Windows\System\TauPfWI.exe | N/A |
| N/A | N/A | C:\Windows\System\UqBqCfe.exe | N/A |
| N/A | N/A | C:\Windows\System\LvqIVKh.exe | N/A |
| N/A | N/A | C:\Windows\System\TnSffun.exe | N/A |
| N/A | N/A | C:\Windows\System\KEOGnjd.exe | N/A |
| N/A | N/A | C:\Windows\System\QfmRwLe.exe | N/A |
| N/A | N/A | C:\Windows\System\bFCkyyz.exe | N/A |
| N/A | N/A | C:\Windows\System\CjJTHej.exe | N/A |
| N/A | N/A | C:\Windows\System\qSnmMLT.exe | N/A |
| N/A | N/A | C:\Windows\System\HQYJtsY.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (64 hits) | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\spbXoNB.exe | C:\Windows\System\spbXoNB.exe |
| C:\Windows\System\zULoDgt.exe | C:\Windows\System\zULoDgt.exe |
| C:\Windows\System\ErSANiW.exe | C:\Windows\System\ErSANiW.exe |
| C:\Windows\System\mEzMFSL.exe | C:\Windows\System\mEzMFSL.exe |
| C:\Windows\System\tRRWBwZ.exe | C:\Windows\System\tRRWBwZ.exe |
| C:\Windows\System\EwyCeTs.exe | C:\Windows\System\EwyCeTs.exe |
| C:\Windows\System\JxiEazm.exe | C:\Windows\System\JxiEazm.exe |
| C:\Windows\System\sLNJhJL.exe | C:\Windows\System\sLNJhJL.exe |
| C:\Windows\System\ewskobZ.exe | C:\Windows\System\ewskobZ.exe |
| C:\Windows\System\cLaLOPe.exe | C:\Windows\System\cLaLOPe.exe |
| C:\Windows\System\ZoglCGF.exe | C:\Windows\System\ZoglCGF.exe |
| C:\Windows\System\TauPfWI.exe | C:\Windows\System\TauPfWI.exe |
| C:\Windows\System\UqBqCfe.exe | C:\Windows\System\UqBqCfe.exe |
| C:\Windows\System\LvqIVKh.exe | C:\Windows\System\LvqIVKh.exe |
| C:\Windows\System\TnSffun.exe | C:\Windows\System\TnSffun.exe |
| C:\Windows\System\KEOGnjd.exe | C:\Windows\System\KEOGnjd.exe |
| C:\Windows\System\QfmRwLe.exe | C:\Windows\System\QfmRwLe.exe |
| C:\Windows\System\bFCkyyz.exe | C:\Windows\System\bFCkyyz.exe |
| C:\Windows\System\CjJTHej.exe | C:\Windows\System\CjJTHej.exe |
| C:\Windows\System\qSnmMLT.exe | C:\Windows\System\qSnmMLT.exe |
| C:\Windows\System\HQYJtsY.exe | C:\Windows\System\HQYJtsY.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2964-0-0x00007FF66F9B0000-0x00007FF66FD04000-memory.dmp
memory/2964-1-0x000001832BDF0000-0x000001832BE00000-memory.dmp
C:\Windows\System\spbXoNB.exe
| MD5 | 1cf0ac145ee390442d37c6c87a186365 |
| SHA1 | 7ca17c4d2552afde195651cde9ccbf85f1eb2cb3 |
| SHA256 | c1df963dde6493868888e806e122918cf8a4d4a2a8c12026c6eadcb4e5e11bfd |
| SHA512 | e18fb15ae01e0d6f0d1a3f25cd241453e142555538a252190ce4bea381adaee2e799830bf8ace1f08cdf3e9d68a7d0f5cf1d5bbe669600e5e5871a297d1f8efe |
memory/916-8-0x00007FF6D23E0000-0x00007FF6D2734000-memory.dmp
C:\Windows\System\ErSANiW.exe
| MD5 | 6a98e9869089ad014a47a8a11c75205b |
| SHA1 | f9f9a9f37fdd210cc39cff459314076b70ccab63 |
| SHA256 | c6402a8bc2d8bcb5a30e30e3ad7cb6bde9c044a317a73c3d2a5ebb733b1cf595 |
| SHA512 | 557f0b2b8a14691ba6bcce19b05cbf1a78e8a2118caa1f8a876d4bd7317fd97c2bdba062155864bcdf5c40ba0f2a9fab9a92f2d8450576ce4ab06d961b7ba18b |
C:\Windows\System\zULoDgt.exe
| MD5 | b48193a5e4d07a9f30cf631accf4e3ec |
| SHA1 | be92ecc8ea9627057412ed0365a1abe7a5172d53 |
| SHA256 | 8b956ffc339b08b34c1f2f2bb1741113d390405ee0239e9efe10ffed32bda015 |
| SHA512 | cdba4bef032c730b25ce4bfe4bf9dfcf6c32aa56766a7baeed2bc5569a9b0d3696e0c5e4549d46b5ba4abd099fdfbfc5347dcfb18dbd6dc467650c57d8443db2 |
memory/2756-14-0x00007FF7D3820000-0x00007FF7D3B74000-memory.dmp
memory/2704-20-0x00007FF6FAEB0000-0x00007FF6FB204000-memory.dmp
C:\Windows\System\mEzMFSL.exe
| MD5 | 4d9c8dd88faceb5ff8e2af87c8cd546c |
| SHA1 | 994ff3c96e8734a2e460052eaec5f9c1fa166dfc |
| SHA256 | 94adab9d42f0801b3ffd05de05d4e5599cfccadbadacff5559cf30869a5880dd |
| SHA512 | f5456726a6513d08fc5f521fec80b14edc3f21ee1242a7b0a6f9cab99229febed0a8b10643048c9b81dcd902df31bb94dc24ce9f304b0ef142f49954563bf089 |
C:\Windows\System\tRRWBwZ.exe
| MD5 | a10fb387d037c6ffec1b7a916049bc34 |
| SHA1 | 944b0ef2307157ea6998c8aad740ae4edae1e9d0 |
| SHA256 | c80b3a22dde3e95477408d13c2eb1022718d5d3ee5dea3487d9df4dc93b1e17d |
| SHA512 | 531118e25119b0a0ad9ae1b8ce95e48f7a233bee70c9d4bcb87e2ab10418fdaa52169c41a9ea622855ab52ea048d72356ad3a848c8e8269fa58a6fc276167e80 |
C:\Windows\System\EwyCeTs.exe
| MD5 | 064eb49f692fb515cae0228deef0f6a3 |
| SHA1 | 6f08e051412ab5a27fc9f336c8ecff8da2835d9f |
| SHA256 | e3c72092ac70e34f962cca2ceefa5e4d37c569b903a5aa9c80318f90cf18574d |
| SHA512 | a98e20bea442006bd0de4e2e57452e6e334b94e918501e188d82c1f3796bfdb72ead1f8f6b7f97ead3d18c2752157cfc85a560fdeb0302ccb689455d38835b5a |
C:\Windows\System\JxiEazm.exe
| MD5 | 5242d4f6830ffa7af4413f6a21e98d6a |
| SHA1 | b73e6fa9e2507e83a11c98e72cdb9e4e3a3e710d |
| SHA256 | 98f8e1303e9828ce91ca4c65de3889ff12f01cff0475dee85751a74d0d6e43c0 |
| SHA512 | 3d1bb7cc2b493aabc639951a21d2889d9e136a3740b4a95a8d113cf988387b9b1826ab0a9c146c47406c7f7d9711d259b839983b11c4bd8f0f2e883e6d2ac306 |
memory/4320-49-0x00007FF755060000-0x00007FF7553B4000-memory.dmp
memory/5080-54-0x00007FF749BF0000-0x00007FF749F44000-memory.dmp
memory/4260-59-0x00007FF664BC0000-0x00007FF664F14000-memory.dmp
C:\Windows\System\cLaLOPe.exe
| MD5 | 7efaca95340326388c3720f14f9c7ff9 |
| SHA1 | e033110022e53a763a258256bbc20643515ee3ec |
| SHA256 | 66e0b4e44d6d5a459571a79621252d688c90b5ad458dbfb37aba0476557184a0 |
| SHA512 | 74264de012ebd197bed9d12611feadf4ddf4b065593754c096e25de9074111106c9994f20937feac2c796a0c92ff1d4199d0753c07a6b7dfad5550964c6358f2 |
memory/332-60-0x00007FF6C2520000-0x00007FF6C2874000-memory.dmp
C:\Windows\System\ewskobZ.exe
| MD5 | d939e1980f520508cf4a28aedfbfa637 |
| SHA1 | 42d0be31e9f7e986f10bf36537290016ef218ea5 |
| SHA256 | 5da832c18efd0e3b048c3906d92ff1fb85ccd14a750d0ad242b2c5268e3e62c4 |
| SHA512 | c41735d264fb4ff7343b05d6a80a63f51cd4a503582f056448a04066eb7b5912219ce3ed9994669c0a17b5a8f69d0633fbe3d978e044249c017ee312a6168d94 |
C:\Windows\System\TauPfWI.exe
| MD5 | 9eec65f559f307c3c8712478cb16281e |
| SHA1 | 6b4cb97508310412b72567ffdc9172928d5e1029 |
| SHA256 | abe227a0fb0dcd5217c58f6cf49949a64be1fe6bb33aa306992f8f57bf0000cf |
| SHA512 | c4a7bc1c566e20fc1894d74dabddfe29659642cb3512fc8d5cf330d4ac134a326dc6f2573848218d79fdb5833f279943a9e54fafad73cfa55535e7a0af773c2c |
C:\Windows\System\TnSffun.exe
| MD5 | 510c02608b1550ae74bcc676d09039b0 |
| SHA1 | de844bc4e6742be212342e9cefc473de8b4236ca |
| SHA256 | fbfe50c52bc5a16e57f66365945e0e5a16273089a138b9648af47aea03dafe9f |
| SHA512 | c9d409eef13978d51f659642b013086d3e521837918f6aba74f99f8ab93d7c7f0de71ba38866bd5d897eefb9b218e3f96e488ff97307006180123d78763d885f |
C:\Windows\System\KEOGnjd.exe
| MD5 | 4898f408bd1e61e89a8559a6e6fb640e |
| SHA1 | e63cead56661d7a832ef994c49840f98b5e356e4 |
| SHA256 | 38c6fe9e53cad8504f4c0cb71ab08fcf190ef9c675a8bbdb3fdde302ec0b4c3e |
| SHA512 | 1616dc79664872a5d547f8857df68881f5c7839043adad820903a568df38e570c28e71bc48d2042f7f8d617f19eed38939823449a26c5a63edc9892613c322de |
C:\Windows\System\CjJTHej.exe
| MD5 | 7afa1b058c314fc5629a014c9a1e1466 |
| SHA1 | 393416b9631fd8da63d9012784d7488f03d74faa |
| SHA256 | 814f64791ad00ec6caa28ec356d193dcd4c3e541ad6327f50cd31edb948c51a4 |
| SHA512 | 6260cdc981c0c3b6678de1316e92d956a3eeb1a4bf0dae0c2b210062a19cc9714950bd75d6db5a09315bc174197041689994dd42177dd69d61cf4bdbbb93d282 |
C:\Windows\System\qSnmMLT.exe
| MD5 | 5a575ac78a214f069b0ec31ac10371e0 |
| SHA1 | 61853af62988c2b0c090d262cee1ff5012625001 |
| SHA256 | 8194ed21b55b0af6084ce156d2e2b06cd11e594a37818a1c016a26fc9bcfb1c2 |
| SHA512 | 50ec9ce9ae2469ce5abc5982fedff5bc18687e7d3ae45854eb8892deb838ecb3fd3611f8fb0558001345590941724bf9a8f63c7c32698be968fcef1a2f57479c |
memory/4072-120-0x00007FF654770000-0x00007FF654AC4000-memory.dmp
memory/3600-122-0x00007FF7665D0000-0x00007FF766924000-memory.dmp
C:\Windows\System\HQYJtsY.exe
| MD5 | 336de0a0e5e03c5affab469c3a655d8c |
| SHA1 | 1b18b91d09d907ec3647822fccd680102b04a52b |
| SHA256 | c32686f2af6e2596e07fad6bc549e70e76aee7557b568e138c40749a12bd2f7d |
| SHA512 | 455ff176e465b37b106dfb36a74ee89837b81435f9e0d1d859c4507baf5de07b2bdfdbc233079ca844a48c3edf14057ffe01de6275105c88fb664c015a534fe2 |
memory/3100-121-0x00007FF743B80000-0x00007FF743ED4000-memory.dmp
memory/2816-119-0x00007FF6AF170000-0x00007FF6AF4C4000-memory.dmp
memory/532-118-0x00007FF6A5340000-0x00007FF6A5694000-memory.dmp
memory/4796-117-0x00007FF778820000-0x00007FF778B74000-memory.dmp
memory/2500-112-0x00007FF666420000-0x00007FF666774000-memory.dmp
memory/1136-111-0x00007FF6E40D0000-0x00007FF6E4424000-memory.dmp
C:\Windows\System\bFCkyyz.exe
| MD5 | e4db1964a72485333aa362f7f9983c46 |
| SHA1 | 3d32d222851d5097424d76703249625a13899202 |
| SHA256 | 624e523717f10998ffc97fd6a36b60feb263257c2e9f212655246e70b802b23a |
| SHA512 | 3da85afc069256518b3b13a1f6bf93a731aa324b453cde4597eafb050cd8d9e89d2afa93bd60f60e53039715d17bfe6ac1815943253edc34bd8f676cdd535566 |
C:\Windows\System\QfmRwLe.exe
| MD5 | 52d4711ac207638b740c33bfc67a6331 |
| SHA1 | b6b61595ae11b7f3592d320e7ae6fa641ec8b8ae |
| SHA256 | f49e21bfa4e3513fddfe9d8a39571a8c055c7979d86981744bb40fba3406e717 |
| SHA512 | ab1d6e906052f235714bc72191f60d0874a363ecb6005d6ef9386d823f1363c14fb42122a93b1102cc3689887c051496b5a6dd4c25eac3a6cd6842f8730904d1 |
memory/4556-106-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp
memory/1932-103-0x00007FF743220000-0x00007FF743574000-memory.dmp
C:\Windows\System\LvqIVKh.exe
| MD5 | fb0d7def63a56f929dbd4e807a53d5d0 |
| SHA1 | f1ff2bbc059359fa8b7ff832ffb3227644f5b0e1 |
| SHA256 | cd9e4715fecbc9bde798909834c598013339134b335d195a5055a40551037e34 |
| SHA512 | f494a97df877da7e5342d7b0747ddf03f5948c0f9886b3f346d1fb1d7498315a79bda078414dedcb81a3f0b0780ba870bd1881bc9e371141f75fa8362803d130 |
C:\Windows\System\UqBqCfe.exe
| MD5 | 50140fe6d40bd1a90a0ddf66e3f2ffc3 |
| SHA1 | 2e73c2fa8cebacae11691fea092d62ad970c351b |
| SHA256 | 66b1a6ecbfe73dad756b4a553821a75ddb31540415f31c162dcd41940a7cd792 |
| SHA512 | a8953ae38e89831c209b7ba0e77ba172f5399b1d23180188990dd3214400127f877804b3fa3ccfd82dd4f73719fb1ba15ab3ee4e6c57b7a481e4c16f5c32e691 |
C:\Windows\System\ZoglCGF.exe
| MD5 | b89b6f925eee1feea5dd1171df654833 |
| SHA1 | 648d30f6548516bb01a80a270770a1575b5f21b9 |
| SHA256 | d3e07a63304fbd80d8ee4ac7c277502a1979902c07d6df3a8b496e355ea61a7e |
| SHA512 | e6a24e9562d27e5f3b8eb4e342aa0a66ffec3db912c57b4637b5af09a648c2b1cdd0807089a3883dc39c875bf5eacc4621d1b2cd403548e510b7d02d5d5552c4 |
memory/3824-55-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp
C:\Windows\System\sLNJhJL.exe
| MD5 | bcfb99f34817755beb7bc5f6f767d95b |
| SHA1 | 9d643bdb004405120372c5b6313b08e2139a94f6 |
| SHA256 | 352f259fe358f1d2a81f76381e71ab2de2e9bb375ac90d05c90acdb801312bef |
| SHA512 | f88f2dcc9106b0f3d902ac3a7e1c94a14d93acd80d52eb2ebdfcbe4308ca8c82f5d1065f5f9f2b36462ed284269af3cbdebe0c82307ba82bc17d5650591237a1 |
memory/4560-44-0x00007FF652F30000-0x00007FF653284000-memory.dmp
memory/2008-32-0x00007FF65B500000-0x00007FF65B854000-memory.dmp
memory/2964-127-0x00007FF66F9B0000-0x00007FF66FD04000-memory.dmp
memory/2204-128-0x00007FF774FB0000-0x00007FF775304000-memory.dmp
memory/916-129-0x00007FF6D23E0000-0x00007FF6D2734000-memory.dmp
memory/2756-130-0x00007FF7D3820000-0x00007FF7D3B74000-memory.dmp
memory/2704-131-0x00007FF6FAEB0000-0x00007FF6FB204000-memory.dmp
memory/5080-132-0x00007FF749BF0000-0x00007FF749F44000-memory.dmp
memory/332-133-0x00007FF6C2520000-0x00007FF6C2874000-memory.dmp
memory/916-134-0x00007FF6D23E0000-0x00007FF6D2734000-memory.dmp
memory/2756-135-0x00007FF7D3820000-0x00007FF7D3B74000-memory.dmp
memory/2704-136-0x00007FF6FAEB0000-0x00007FF6FB204000-memory.dmp
memory/2008-137-0x00007FF65B500000-0x00007FF65B854000-memory.dmp
memory/4560-138-0x00007FF652F30000-0x00007FF653284000-memory.dmp
memory/4320-139-0x00007FF755060000-0x00007FF7553B4000-memory.dmp
memory/3824-140-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp
memory/4260-141-0x00007FF664BC0000-0x00007FF664F14000-memory.dmp
memory/5080-142-0x00007FF749BF0000-0x00007FF749F44000-memory.dmp
memory/332-143-0x00007FF6C2520000-0x00007FF6C2874000-memory.dmp
memory/1932-144-0x00007FF743220000-0x00007FF743574000-memory.dmp
memory/4556-145-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp
memory/1136-146-0x00007FF6E40D0000-0x00007FF6E4424000-memory.dmp
memory/2500-147-0x00007FF666420000-0x00007FF666774000-memory.dmp
memory/4796-148-0x00007FF778820000-0x00007FF778B74000-memory.dmp
memory/532-151-0x00007FF6A5340000-0x00007FF6A5694000-memory.dmp
memory/2816-150-0x00007FF6AF170000-0x00007FF6AF4C4000-memory.dmp
memory/4072-149-0x00007FF654770000-0x00007FF654AC4000-memory.dmp
memory/3600-153-0x00007FF7665D0000-0x00007FF766924000-memory.dmp
memory/3100-152-0x00007FF743B80000-0x00007FF743ED4000-memory.dmp
memory/2204-154-0x00007FF774FB0000-0x00007FF775304000-memory.dmp