Analysis Overview
SHA256
c37eb2c40bc8aa574296fb57ce7c6702fcf5b46c71fd1df61389e62554b82652
Threat Level: Known bad
The file 2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike
Xmrig family
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-10 08:29
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 08:29
Reported
2024-06-10 08:31
Platform
win7-20231129-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UzIgcNL.exe | N/A |
| N/A | N/A | C:\Windows\System\tMTgDmC.exe | N/A |
| N/A | N/A | C:\Windows\System\NyMhfnT.exe | N/A |
| N/A | N/A | C:\Windows\System\SALqMvv.exe | N/A |
| N/A | N/A | C:\Windows\System\BcYYZxd.exe | N/A |
| N/A | N/A | C:\Windows\System\dHXJnWF.exe | N/A |
| N/A | N/A | C:\Windows\System\ekPniQc.exe | N/A |
| N/A | N/A | C:\Windows\System\pNWWhbW.exe | N/A |
| N/A | N/A | C:\Windows\System\ISybEKC.exe | N/A |
| N/A | N/A | C:\Windows\System\xvSNfDS.exe | N/A |
| N/A | N/A | C:\Windows\System\RPBHFLR.exe | N/A |
| N/A | N/A | C:\Windows\System\tpGNpqm.exe | N/A |
| N/A | N/A | C:\Windows\System\CPzsdaq.exe | N/A |
| N/A | N/A | C:\Windows\System\BzgtDGn.exe | N/A |
| N/A | N/A | C:\Windows\System\RNRQpgr.exe | N/A |
| N/A | N/A | C:\Windows\System\jdXJEaO.exe | N/A |
| N/A | N/A | C:\Windows\System\toqenLd.exe | N/A |
| N/A | N/A | C:\Windows\System\VGCbAMZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QdHPKXG.exe | N/A |
| N/A | N/A | C:\Windows\System\NyqGdGq.exe | N/A |
| N/A | N/A | C:\Windows\System\ldgNxaV.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UzIgcNL.exe | C:\Windows\System\UzIgcNL.exe |
| C:\Windows\System\tMTgDmC.exe | C:\Windows\System\tMTgDmC.exe |
| C:\Windows\System\NyMhfnT.exe | C:\Windows\System\NyMhfnT.exe |
| C:\Windows\System\SALqMvv.exe | C:\Windows\System\SALqMvv.exe |
| C:\Windows\System\BcYYZxd.exe | C:\Windows\System\BcYYZxd.exe |
| C:\Windows\System\dHXJnWF.exe | C:\Windows\System\dHXJnWF.exe |
| C:\Windows\System\ekPniQc.exe | C:\Windows\System\ekPniQc.exe |
| C:\Windows\System\pNWWhbW.exe | C:\Windows\System\pNWWhbW.exe |
| C:\Windows\System\ISybEKC.exe | C:\Windows\System\ISybEKC.exe |
| C:\Windows\System\xvSNfDS.exe | C:\Windows\System\xvSNfDS.exe |
| C:\Windows\System\RPBHFLR.exe | C:\Windows\System\RPBHFLR.exe |
| C:\Windows\System\tpGNpqm.exe | C:\Windows\System\tpGNpqm.exe |
| C:\Windows\System\CPzsdaq.exe | C:\Windows\System\CPzsdaq.exe |
| C:\Windows\System\BzgtDGn.exe | C:\Windows\System\BzgtDGn.exe |
| C:\Windows\System\RNRQpgr.exe | C:\Windows\System\RNRQpgr.exe |
| C:\Windows\System\jdXJEaO.exe | C:\Windows\System\jdXJEaO.exe |
| C:\Windows\System\toqenLd.exe | C:\Windows\System\toqenLd.exe |
| C:\Windows\System\VGCbAMZ.exe | C:\Windows\System\VGCbAMZ.exe |
| C:\Windows\System\QdHPKXG.exe | C:\Windows\System\QdHPKXG.exe |
| C:\Windows\System\NyqGdGq.exe | C:\Windows\System\NyqGdGq.exe |
| C:\Windows\System\ldgNxaV.exe | C:\Windows\System\ldgNxaV.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 08:29
Reported
2024-06-10 08:32
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YccMvoE.exe | N/A |
| N/A | N/A | C:\Windows\System\NvNoFWr.exe | N/A |
| N/A | N/A | C:\Windows\System\wqnMwyW.exe | N/A |
| N/A | N/A | C:\Windows\System\szpBgXh.exe | N/A |
| N/A | N/A | C:\Windows\System\RLVTufY.exe | N/A |
| N/A | N/A | C:\Windows\System\gQBxBER.exe | N/A |
| N/A | N/A | C:\Windows\System\oVMPaGm.exe | N/A |
| N/A | N/A | C:\Windows\System\IcHamls.exe | N/A |
| N/A | N/A | C:\Windows\System\CDqztkE.exe | N/A |
| N/A | N/A | C:\Windows\System\RejVoIv.exe | N/A |
| N/A | N/A | C:\Windows\System\tQBDVYU.exe | N/A |
| N/A | N/A | C:\Windows\System\ojhgsGM.exe | N/A |
| N/A | N/A | C:\Windows\System\IXPEFgc.exe | N/A |
| N/A | N/A | C:\Windows\System\dMmXJlK.exe | N/A |
| N/A | N/A | C:\Windows\System\QlCNkvT.exe | N/A |
| N/A | N/A | C:\Windows\System\sILNLJI.exe | N/A |
| N/A | N/A | C:\Windows\System\KwENJgJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bCZjQdf.exe | N/A |
| N/A | N/A | C:\Windows\System\BDHcJpf.exe | N/A |
| N/A | N/A | C:\Windows\System\UiYkZDv.exe | N/A |
| N/A | N/A | C:\Windows\System\xWokFdl.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\YccMvoE.exe | C:\Windows\System\YccMvoE.exe |
| C:\Windows\System\NvNoFWr.exe | C:\Windows\System\NvNoFWr.exe |
| C:\Windows\System\wqnMwyW.exe | C:\Windows\System\wqnMwyW.exe |
| C:\Windows\System\szpBgXh.exe | C:\Windows\System\szpBgXh.exe |
| C:\Windows\System\RLVTufY.exe | C:\Windows\System\RLVTufY.exe |
| C:\Windows\System\gQBxBER.exe | C:\Windows\System\gQBxBER.exe |
| C:\Windows\System\oVMPaGm.exe | C:\Windows\System\oVMPaGm.exe |
| C:\Windows\System\IcHamls.exe | C:\Windows\System\IcHamls.exe |
| C:\Windows\System\CDqztkE.exe | C:\Windows\System\CDqztkE.exe |
| C:\Windows\System\RejVoIv.exe | C:\Windows\System\RejVoIv.exe |
| C:\Windows\System\ojhgsGM.exe | C:\Windows\System\ojhgsGM.exe |
| C:\Windows\System\tQBDVYU.exe | C:\Windows\System\tQBDVYU.exe |
| C:\Windows\System\IXPEFgc.exe | C:\Windows\System\IXPEFgc.exe |
| C:\Windows\System\dMmXJlK.exe | C:\Windows\System\dMmXJlK.exe |
| C:\Windows\System\QlCNkvT.exe | C:\Windows\System\QlCNkvT.exe |
| C:\Windows\System\sILNLJI.exe | C:\Windows\System\sILNLJI.exe |
| C:\Windows\System\KwENJgJ.exe | C:\Windows\System\KwENJgJ.exe |
| C:\Windows\System\bCZjQdf.exe | C:\Windows\System\bCZjQdf.exe |
| C:\Windows\System\BDHcJpf.exe | C:\Windows\System\BDHcJpf.exe |
| C:\Windows\System\UiYkZDv.exe | C:\Windows\System\UiYkZDv.exe |
| C:\Windows\System\xWokFdl.exe | C:\Windows\System\xWokFdl.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2284-0-0x00007FF72DD80000-0x00007FF72E0D4000-memory.dmp
memory/2284-1-0x0000017E143F0000-0x0000017E14400000-memory.dmp
C:\Windows\System\YccMvoE.exe
| MD5 | f3dced515424961a03aef9e314b7010c |
| SHA1 | 31aa12a05afe15cf68102a9cddbb970daa698089 |
| SHA256 | 54d9100a8c2e1d2f7bbee5c75b57e11887d857f629e6e74276f8c17fbdb1f697 |
| SHA512 | dc2ce970bd99d635d2dc2d7113c5e427a9c28ff1d64be96bf9f181b66e4916cbe8ecb603a9bf445599da47aef3ca207f49e0ac835b7c6a977a0ab497c92462ed |
memory/4100-8-0x00007FF6EB9D0000-0x00007FF6EBD24000-memory.dmp
C:\Windows\System\wqnMwyW.exe
| MD5 | e36013bd8d6c78eeb40d7af5ca1a0024 |
| SHA1 | aa2f76dc793a52eb17e6dc687eee4fbab3730edc |
| SHA256 | e3ad8fb3bfa5b90bc1b87bf512046a2f2f6eccc5df5125efa9918222f63917ba |
| SHA512 | 9514ebed2ca0012d8acdf889a4227e48c2160d9edab00f61fd75222456991d1011bef3f899649498bc175a6d66798d15fc3a3c680f6f28f79bc6588754b58f11 |
memory/4924-12-0x00007FF73BF70000-0x00007FF73C2C4000-memory.dmp
memory/572-18-0x00007FF692730000-0x00007FF692A84000-memory.dmp
C:\Windows\System\szpBgXh.exe
| MD5 | f23c6c996a350f3281eff4994fb33032 |
| SHA1 | 9f19141726a45fd109b5a2a52fc08c0339694a71 |
| SHA256 | c61a5a5692536fa7d8bba33b860579c71827bd41cdeee91fa41005ebfed6f43d |
| SHA512 | 9d10ac9cadbf9a75f6c460e9b58df51a22ffd0703ad8573967d0b622c635ee055de3f12d8a6d836a8c210047a335f6a7bdc382e8500b0df6d437482fc72d55c0 |
C:\Windows\System\NvNoFWr.exe
| MD5 | c4876528035752b254f1bb2430088e73 |
| SHA1 | cd5225927ae2cbe7631753a9e80ab5e4cf880ec9 |
| SHA256 | 611e395f37e4578d1a5b1829625c67e387f0193088fdd10891144fec9deadfbc |
| SHA512 | 3629db9803b82db1553599f09abe292caf13b68e698a2c14f7e77d41d21896efb69d59706450e72df02c066e982754f76005757feb10b0d0ea21555152b65a1c |
C:\Windows\System\RLVTufY.exe
| MD5 | b23baf0d0f4f7c96c189557e4bf8deab |
| SHA1 | a74979a0df54ceb5cb361da0bd3d994c01474d78 |
| SHA256 | 0a226aec27643913b22153720e50a098a513a66bbc7f3d3aa49f57c66cfbc159 |
| SHA512 | 64bf224bc01e2ea0d0f5ddd20587d20ad9898a6d7cd92243a385e024ee79c923d88ab501a1ef1bfe25ef4f95196af9a33b6c7954249ccee1fd01c48bb4a2da57 |
memory/1528-35-0x00007FF6A1DE0000-0x00007FF6A2134000-memory.dmp
C:\Windows\System\gQBxBER.exe
| MD5 | 11b934f00491b07af7b279ec51be4ffd |
| SHA1 | 03ec7afa2f4c9425cc75a61304fe8fc8d78979a7 |
| SHA256 | c7e0f7ee80f836ef3d1cba39a946a72bbea51f4ac23369a2ba74d2fa2084cb96 |
| SHA512 | a85197ba82ed6a8a5bfd381c5bb0779c0b929b3329b72110620fd8ecea6e92a6f1391e9f9c6d3fbf77d764e4e413c631ee7670b55c80d360218438d175b93c91 |
memory/5104-36-0x00007FF6D7480000-0x00007FF6D77D4000-memory.dmp
memory/440-27-0x00007FF6BEFE0000-0x00007FF6BF334000-memory.dmp
C:\Windows\System\oVMPaGm.exe
| MD5 | 6c6ca3c49ae5f6dfd68ea02d64142ca0 |
| SHA1 | 85afc85e4ebf8cd58a9c2c1afd0b9fac95bd795b |
| SHA256 | 850188dc48899bf9098fd75cb1ee0f8f771979578d4a972be5245729f2481075 |
| SHA512 | 366984610df8047524e7c391d8068df40e4ffc504edcb26748dbd5a4458fbd099290795147e4632536e30c92f72225f8daae469e39c0ae1834531cb847cafdde |
memory/2472-42-0x00007FF636060000-0x00007FF6363B4000-memory.dmp
C:\Windows\System\CDqztkE.exe
| MD5 | a0ce5349032d76b21e7f98e6b83aa776 |
| SHA1 | 19461a9365bf58f7791cd91a1a57e667ec8d7ce1 |
| SHA256 | f428107e55e89046df2baf56041c210e199c483cabf72a68c06b92bf8c320409 |
| SHA512 | 66f35aff821c283bc242969527dde1dccba71a08732605c148137c88954bd7f4b04c663410bc83bbd70051742f42f1639249dc2b1d01bb247830aee07578b636 |
C:\Windows\System\RejVoIv.exe
| MD5 | 162c2d01c900e5ed958b2cf7ac40ea71 |
| SHA1 | 92c384985ff7c8cd16841d1fc625a9069a7d03f7 |
| SHA256 | dbcebb223e6fb64574424eeb83e11221b21034f6e5c30c16ce79aa0ed5bba1fa |
| SHA512 | 5217951af6e47826a0bdbb856f64c8f45e19c62b2152739152046cb0183a4d5babd22a94f23b18894ad9bbd0d2ead07238e5acde3a57c6ea5ad160df455c2431 |
C:\Windows\System\IXPEFgc.exe
| MD5 | 24ffecc958620f5f9473f5faad7569dd |
| SHA1 | 8899869b4450c97250a843711d3eb3940d7c5082 |
| SHA256 | 795af3068ea0a68067f64ca467da004ae01ebe153d387be8f1dde0197da2a0dd |
| SHA512 | d35fe742e0231e4c7239f248e0b0c78d1615c027fc72194cebd7201f2e6494d1cc2c9598f50cbb8658cf60fc080d5c178d8f816bf140fb48b174bf2d9f0fd2a2 |
C:\Windows\System\QlCNkvT.exe
| MD5 | 9ae6993883e63e88632d4dc82725d749 |
| SHA1 | db919a22ba99c32c81db164ff517c81c0c215156 |
| SHA256 | 06f122ac12f130642d2ae31c7ff80dcf7cf0804a66941530c32a523a782a5afc |
| SHA512 | b974c55462732700b0c9e1659bddb3c4c95d9577cd5f3233a8fe6d810acc6753382f312fc42e5d906ccb8ed2facf193218b318432f5a2173b685d57634deee62 |
memory/4560-91-0x00007FF603190000-0x00007FF6034E4000-memory.dmp
C:\Windows\System\sILNLJI.exe
| MD5 | 107d86450c46ec33242e730238e87e34 |
| SHA1 | bbdc7e69d6788737143e661bfbf7b42c60a0c93d |
| SHA256 | ae0b40f0c458b421e906686bd8f50710c8ea4eb23d51b0377e1451be28a2df1b |
| SHA512 | 6a7eebd28a2595cdd5ed637d475d70479d9a2613cbf61cacb2d07da21aa0e903df90d828531fb5be564f97a0573051e2688ed5fc165a732b7c6889fdeefaecb1 |
C:\Windows\System\KwENJgJ.exe
| MD5 | 1fec43d27f0b52a58f27f7d9b239dc9c |
| SHA1 | 938b23cf8fc2c1bd6b68ce4733b71397763b8814 |
| SHA256 | b0a409d71fb178ff03ec949c78d51fccac1edef2f1d236a1cea251887e6659f6 |
| SHA512 | 88bf7740ac690791e910b9e5b29b06020c80e57f6723a1596d706e2a495f1f44a4aba8c89f4a34128061484542f41aeab76065433b4ab74b29e1afe2207373b9 |
C:\Windows\System\BDHcJpf.exe
| MD5 | b970bb31af28443e508fa92f21be6732 |
| SHA1 | 4609613dd9accb0e561b813bffcb8d64c1ef81fa |
| SHA256 | 265c73a24d929e78e8f38f095bb035335198de7e2251a2407d659ba8b456f1a2 |
| SHA512 | f44330a9baf26cf54a6a6f1d8a399460cbf41c3ba1ad9b16d066c701625b522ce1d2e73e5af6704cd510edeb01df5657bdb6ecce4811481c9652d9b488aff329 |
C:\Windows\System\xWokFdl.exe
| MD5 | 1bca0f29ffab9c1fd0b4fefb89524a83 |
| SHA1 | 3b3c328ef05ac2f16a567fc6b5d047af5ae3f636 |
| SHA256 | b8b24c4b033d6e7c817929b9b0bca253afc814c0dd972d08ab93c74161c0ccc6 |
| SHA512 | 2ea4b22defedad7cdc5b18086d28a839099b2e466e95f6f46702cb3e7dc1de6069fe3cbfca0884c1739a51b886c32bcd0b0b953d680adf9976f21d90337368eb |
C:\Windows\System\UiYkZDv.exe
| MD5 | 310025bb61540be6855d87ebc1b8d27a |
| SHA1 | cf1c2414b9d2db650a86f9bb64e71fcc433f4b67 |
| SHA256 | 1cbf1ecf26477a57d9fa8f260987675c2481112d6ba2ca784ce99eae1705c541 |
| SHA512 | 63669f33597fe1aacbd14f1b054aa7d36c8078520375d29e6b36832d32c683cd9c41ee94d449e384d68ad727db749330aaa9e5c3df1af7d6957c1dadbd1e1747 |
C:\Windows\System\bCZjQdf.exe
| MD5 | eeb67ad957799b9c2cce591c37511797 |
| SHA1 | cc0819fb762e9b4fd1808faccbabef4f08b3131e |
| SHA256 | 6132b35d8957348c95b26cdb043cc02f76386bce5b7bcd92165c8238ba9eb4a4 |
| SHA512 | 66814e0e4a2c1788073cf3456f7ecc34523b1244566c376d507154525dddbf42650390a55e77fd2765195ad46367a46b46ecd5dc57ea76f0670b444c9be0cae8 |
memory/2284-98-0x00007FF72DD80000-0x00007FF72E0D4000-memory.dmp
memory/3908-92-0x00007FF653900000-0x00007FF653C54000-memory.dmp
memory/648-88-0x00007FF78CF60000-0x00007FF78D2B4000-memory.dmp
C:\Windows\System\dMmXJlK.exe
| MD5 | ab30a0fe3837c6627443ee361b70c5d9 |
| SHA1 | e995670f84da145aa7346eedb3e36735ea63b1c0 |
| SHA256 | aab6330e18d98f6b94a4a6f3b0694c46ac94875adb034430f10ab69a7a52ae3a |
| SHA512 | 9b5f7aae109dbdfeeb57a9ebef41e594a5743ee803037233730d7fa21d171b43630d8f72f66a21188c75fadf8d7772e5cfba906f3933804add2b348631c9c491 |
memory/4260-84-0x00007FF6EB4F0000-0x00007FF6EB844000-memory.dmp
memory/2060-75-0x00007FF6F0440000-0x00007FF6F0794000-memory.dmp
C:\Windows\System\ojhgsGM.exe
| MD5 | 529e7cdfd74ee057564f61b2c785e509 |
| SHA1 | 67fd985038cafb63d8c812cbb02f3496f627b051 |
| SHA256 | 2c81d1791097ef2c8b47aa20d49c69277fe9d17c87fb55463b29463ef3e5626d |
| SHA512 | ecd8f8d533634cf98566de112f2dda2fa9f5b20f765a2f67d83cf5be8b6c86f19fc4c6861baf98b8e08fa03d92107ddbf4ae45d7e6b6d22efcb62bda2c04a51d |
C:\Windows\System\tQBDVYU.exe
| MD5 | 774dc800d16f4faeab2d2573c09fc4d9 |
| SHA1 | da3ff8fb794e68c727774156bc0e5a5f1bb7aa25 |
| SHA256 | 51877316bf080f1dd176ec8637e85b5031318b405049ccd782cf4c5daaa43376 |
| SHA512 | 1001ce75d8675f4ee99f8f4b7c76d6712a7086cef57ed72a285ad93e191a87e8a0fcd8448e3b7534f9d08757873fc19a83f45d2ff9e72daab8dfa17b91168b90 |
memory/952-56-0x00007FF612900000-0x00007FF612C54000-memory.dmp
memory/1008-52-0x00007FF705320000-0x00007FF705674000-memory.dmp
C:\Windows\System\IcHamls.exe
| MD5 | 7061caf90040c17b34576dc2254a280b |
| SHA1 | 3c271d49c3728be3dff4b77cf83b46bbfdfaee2e |
| SHA256 | 285b00cb5aa3bf3ca9d17d049111fc53729d16ec68d91e591cb412254dcd8c43 |
| SHA512 | 39154d5a20e046b9e92f2349707dd87a54d6328fa5d14ce22e914ee50297702081328ab3ed9baffe80196d687b4107c08fbc0361937235718215133cc0d38294 |