Analysis Overview
SHA256
868636caf19f355b3fab98425b82af5869e74b14100297874a91e71b22367858
Threat Level: Known bad
The file 2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 11:57
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 11:57
Reported
2024-06-11 12:00
Platform
win7-20231129-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\crWmVdX.exe | N/A |
| N/A | N/A | C:\Windows\System\cCoIROi.exe | N/A |
| N/A | N/A | C:\Windows\System\BHMvSIf.exe | N/A |
| N/A | N/A | C:\Windows\System\alhNVvu.exe | N/A |
| N/A | N/A | C:\Windows\System\oOZeKmR.exe | N/A |
| N/A | N/A | C:\Windows\System\zKNcjiu.exe | N/A |
| N/A | N/A | C:\Windows\System\ogoCYtc.exe | N/A |
| N/A | N/A | C:\Windows\System\lAXmjra.exe | N/A |
| N/A | N/A | C:\Windows\System\kFzsgrX.exe | N/A |
| N/A | N/A | C:\Windows\System\ekmfMbD.exe | N/A |
| N/A | N/A | C:\Windows\System\qGJJsbM.exe | N/A |
| N/A | N/A | C:\Windows\System\FrxYnYU.exe | N/A |
| N/A | N/A | C:\Windows\System\DQXlKLA.exe | N/A |
| N/A | N/A | C:\Windows\System\qbnmOMD.exe | N/A |
| N/A | N/A | C:\Windows\System\EoijjXt.exe | N/A |
| N/A | N/A | C:\Windows\System\aohCFdi.exe | N/A |
| N/A | N/A | C:\Windows\System\MHuvfpC.exe | N/A |
| N/A | N/A | C:\Windows\System\sDZSQTe.exe | N/A |
| N/A | N/A | C:\Windows\System\rkcpiUP.exe | N/A |
| N/A | N/A | C:\Windows\System\znOyXtw.exe | N/A |
| N/A | N/A | C:\Windows\System\DIKakwl.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\crWmVdX.exe
C:\Windows\System\crWmVdX.exe
C:\Windows\System\cCoIROi.exe
C:\Windows\System\cCoIROi.exe
C:\Windows\System\BHMvSIf.exe
C:\Windows\System\BHMvSIf.exe
C:\Windows\System\alhNVvu.exe
C:\Windows\System\alhNVvu.exe
C:\Windows\System\zKNcjiu.exe
C:\Windows\System\zKNcjiu.exe
C:\Windows\System\oOZeKmR.exe
C:\Windows\System\oOZeKmR.exe
C:\Windows\System\ogoCYtc.exe
C:\Windows\System\ogoCYtc.exe
C:\Windows\System\lAXmjra.exe
C:\Windows\System\lAXmjra.exe
C:\Windows\System\kFzsgrX.exe
C:\Windows\System\kFzsgrX.exe
C:\Windows\System\ekmfMbD.exe
C:\Windows\System\ekmfMbD.exe
C:\Windows\System\qGJJsbM.exe
C:\Windows\System\qGJJsbM.exe
C:\Windows\System\FrxYnYU.exe
C:\Windows\System\FrxYnYU.exe
C:\Windows\System\DQXlKLA.exe
C:\Windows\System\DQXlKLA.exe
C:\Windows\System\qbnmOMD.exe
C:\Windows\System\qbnmOMD.exe
C:\Windows\System\EoijjXt.exe
C:\Windows\System\EoijjXt.exe
C:\Windows\System\aohCFdi.exe
C:\Windows\System\aohCFdi.exe
C:\Windows\System\MHuvfpC.exe
C:\Windows\System\MHuvfpC.exe
C:\Windows\System\sDZSQTe.exe
C:\Windows\System\sDZSQTe.exe
C:\Windows\System\rkcpiUP.exe
C:\Windows\System\rkcpiUP.exe
C:\Windows\System\znOyXtw.exe
C:\Windows\System\znOyXtw.exe
C:\Windows\System\DIKakwl.exe
C:\Windows\System\DIKakwl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1972-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/1972-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\crWmVdX.exe
| MD5 | c71639c1c635f01b27a4ecaceda5a8dc |
| SHA1 | 320b780544c768a07fcc1d75e256b53bcac3b76b |
| SHA256 | d56632f014d922faff71e4bddba003acc16963f0f2f3d7f36a2b0dc6c06a67c0 |
| SHA512 | 3d1bed6bc6d2291853714ff57abddef7369d595795c633edf600c7cc8de6b0715e83125015728f0a8bbc7a84e3bcc83245e743f895c0800c71943618c6fa06cb |
memory/1972-6-0x0000000002420000-0x0000000002774000-memory.dmp
\Windows\system\BHMvSIf.exe
| MD5 | 9b1ee778194f5072600fde71e4134be3 |
| SHA1 | a7b9e9bed5a2a5679385f633adb4f8ccf5dee5e1 |
| SHA256 | 9fca7ac9185ace2ce2c01d489740db67319460123923c93604f95141dddb5d3e |
| SHA512 | 508dc064be28561f4ea8be7c6db554a80801d6ea0ebb1d6570bce716b8f89a281f09168abfadf3e27319bbad890c49e9e86024a239b877a9a68480e93dc6b485 |
C:\Windows\system\cCoIROi.exe
| MD5 | c356b603e10bf8cbe04875064aec21e3 |
| SHA1 | a669917cb74bcf536e4eefa29323a943b92f49a8 |
| SHA256 | 88bc7aad6732768305eb9db8850e509ee458ce11b2dcb73aff6d4efb444d0d9c |
| SHA512 | fcb806cd5c9c29b1b24d6cf33dedcdf011f3a3039c68ef895ec6f6c3cb804e95af670de949530947b7bc34db04578e15e24a5e13e8614d517bfcd45ebe25dd97 |
\Windows\system\oOZeKmR.exe
| MD5 | 599929f807018592ccfc20fdc1bfbb18 |
| SHA1 | 734e39e392b0da36e70a97fcae2714265223d3e9 |
| SHA256 | 53ac79174401e92a604693bdd4afd675921baa46c1ae6953604db15c29681f92 |
| SHA512 | 33d41ba0526b4d8284b0d2c858b8a0d0633b71b41920062101cb4607faaf222fb0cbd5ccb2d7f52daf78ae847de3b8bee383f91720de860212661e173dd0327d |
memory/1972-37-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2560-40-0x000000013FBF0000-0x000000013FF44000-memory.dmp
\Windows\system\zKNcjiu.exe
| MD5 | e8642ee9a1c1c19c1d0810a941a8116a |
| SHA1 | 3e881f5147071559749ffcda6f34a04d97008cf5 |
| SHA256 | 4d3e27746de87044ccc6a0757f50957bcc18691aa77d7cfb414271780bf084c3 |
| SHA512 | f78bdf6ce089cb140035fc849759c0d502075add10daff487812a19e5a5d097297a89efcd1db85bd073e9e8261fd71a11168e2e95bc8b5ce94415f923bc8b77e |
memory/2208-31-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/1972-57-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2724-58-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2388-64-0x000000013F940000-0x000000013FC94000-memory.dmp
\Windows\system\ekmfMbD.exe
| MD5 | 190d58acb493cfefbedc3c023541503a |
| SHA1 | 6c1f4ed6239d166ae7996a1e8e7a97193619d70b |
| SHA256 | 3ecd9824e6ae4f353b9578ff2be399eb9dc7871aa6f3a9fd0bda19d922091778 |
| SHA512 | 0f22c0b211263f488cfa775d36132197b687c60f603b0abdca5fee5b86c6dcbef55afaf136fc530bd0c412fd2e8844be7d23bf89a58081e3566f65743644fe78 |
memory/2308-63-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1972-67-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\kFzsgrX.exe
| MD5 | 6d8d73ea98689a60a0d51a8a7a29d868 |
| SHA1 | 25ac23e81355bbea77b36c606e23ba0287ee0185 |
| SHA256 | 7200e73f95c85b6d3abd019c740d4b0481b0727ad0f2d3063878b693de277c3b |
| SHA512 | 9481500c2a27d916d9cd7c7c712151cf6940b025972c2f4a731ab15469fb3d4e39eca98f4fd339e2fa1a71538584344557d3d0dfed1b4a155b783f492fe42f86 |
memory/1048-71-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/3032-86-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/764-93-0x000000013FDF0000-0x0000000140144000-memory.dmp
\Windows\system\EoijjXt.exe
| MD5 | 3eaaf6169520f8d67aa467d28144383a |
| SHA1 | 3afb4476ea9c0b4f205f1a8c245015f803a888bd |
| SHA256 | f34876c7e0568cacfeec25e2bf93bcda5b49c499d74489e2566b092e94fdb9d4 |
| SHA512 | 02d6f2b91a966ccd78679bbfb7843b140804af7b54694fe9b9bcce0c83bf2ec194e181ca081ee206ca397b7219b69048a1f98c66e478474ef07825f3a7c5918a |
C:\Windows\system\rkcpiUP.exe
| MD5 | 7b14e2b2936f84d22daf36cbf8e2a4bf |
| SHA1 | c86884b44c7547c7f2cded177c444dd7f9b2b562 |
| SHA256 | 76a727bcf9d5d6337b8d7e051105d5aa7374df4a264a57272adc15400d98abc4 |
| SHA512 | 551cc0e39f5261f2564d60c2da3298d1437f8084f75cd9b0e7fecd6f83a49a8634112cf3dbafd715b4eb47fb83c4de44ebe38befa4fdb3cd85991e99e307983b |
\Windows\system\DIKakwl.exe
| MD5 | 6f5bdf26500c3ed0715b2e3f3305ab8e |
| SHA1 | 7fabe88ddccf6c9d2494b356e2b1aa1d373bc311 |
| SHA256 | 94ef5c6c8ef1a3728394188c73770b1a82a018b0637eb5d0055fb0d8eaea490b |
| SHA512 | 91d5c2abae2ea94b7a295c48d7195f1928dcc7f758a10041fed2b39214b332433990684a2347cf108dccd84e49d46b2313441c5e72cc84cf55395438b1bbe011 |
C:\Windows\system\znOyXtw.exe
| MD5 | 82bcf6b9777bc3976e7e42b9afd64676 |
| SHA1 | 9fbc2aba67ca457cfbdb14e508862fd97bfbb0b7 |
| SHA256 | 93c53446ed9a5b23dff9632686f378639c1b37f0e4a946885c5b94192e264cdb |
| SHA512 | eb9fa2234fce253546bd18d7850cef0d75bb03622b0324ba319a64d8ffa494611fdcfabb1d06300ad5240b42468f259471f483009d45e666ee05ea308f86faa4 |
C:\Windows\system\sDZSQTe.exe
| MD5 | 2d049440c9b6e32aa520ef85aeefeeb8 |
| SHA1 | fc41776c3f6fb9727f24e546313ccbc5062260f4 |
| SHA256 | 519a3313ffa0a182c8c118c6cb94de3068da79fc005c6770c193437a78dc22cc |
| SHA512 | 07709aa09281de7a757bf4cbf27b4bf47ac1a9374043ef5615dbbc8352a3d1fad954d794725600a06e92977bdbd900d3d44ef0670b815fe8d3b6b0ff957ac3c8 |
C:\Windows\system\MHuvfpC.exe
| MD5 | 7d542986e5ca9eefd2d51ab574ab1b02 |
| SHA1 | c82361293537a32bdc975514f1bfdb77609b049b |
| SHA256 | ea2ef4ef3a572cd20aff8cfe8bc86823d4df873fbb3decb28d8cbd3ab7e426b8 |
| SHA512 | 7726716a99eb8453177d74ccf5625a0036f80bafe38a51e8329bcbb92a710347ebcd731f03d4a0334389c17b9c85fb0a3d9fc4381f2f2f141c540234b0d931d6 |
C:\Windows\system\aohCFdi.exe
| MD5 | 4bc791a74c96a0840773761b8ad58b61 |
| SHA1 | f2973d6f8cbb78fae5830c693ed8c11419609e72 |
| SHA256 | 9ecb98f806a8d3653ec6ae3c95d860c9aa93b4a7f4c98f41963e04be568e4b89 |
| SHA512 | 2323f52a068b3a6442c572b547b4e09acc259885dd5300caf96cebd6e3b8dcfea2eb3e1b1c0a664f431c70df81a4f6c9cbafae7d6f122f4efe76648b28f37f41 |
memory/2388-137-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2680-101-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/1972-92-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2524-91-0x000000013FCC0000-0x0000000140014000-memory.dmp
C:\Windows\system\DQXlKLA.exe
| MD5 | 99a53451fc6d7c4f7c08f55f3793668e |
| SHA1 | bdc2eec2b6c62d5bbea562e87593b7b0b275dea3 |
| SHA256 | 2fcb5c0cfd85b35126d2ad8b2b87bd78b7d18c53c25e09c66d368b0f6f6b4852 |
| SHA512 | f4b59e1768689192738fbb945b715a3ac319b38497217d6274582f8e25127a366ce3da9126a142f6b1c42d8f1ef820e00db61334a00b77c8e47e86550d7038f6 |
memory/2584-100-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\qbnmOMD.exe
| MD5 | ac17aa36cd35413f8f6ea818b946737f |
| SHA1 | d8d0a7e4da3a715bbf97b08060033a8d8ecc84ab |
| SHA256 | a2d4b1712d666d26b4cd9ca6659342c9579627ac8c6bda654a56158fceeac800 |
| SHA512 | ef271b1e6300e39039872a5a3092f1aad4e2ebdb032bb51458965d2317495a539e166d68a65f752a1b068e88765ed600da0a2f746363e2046c598daae4fe3f4b |
memory/2560-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/1820-79-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
C:\Windows\system\qGJJsbM.exe
| MD5 | c9cc683dc25c5ceffabcdb447d504af7 |
| SHA1 | b896939d0c68138d0b590b011cb800499a8eacfc |
| SHA256 | 71a2aa28b5cd25a5d1f86c4cbc16dc4adff3e304410d3da05202cc09dbd26829 |
| SHA512 | 6abadbb23c9459f9647efe480fc36f45f174b8063fbf60239b9439eb55a9074937bc96da6dadf9784e3ace57e6ea78df1d6ae0a24043f2ed16e5a2b87907cafc |
memory/1972-76-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\FrxYnYU.exe
| MD5 | 6444c0630a2f97f4921a51ea9b4ba144 |
| SHA1 | 6b26e7a6b99793a4ab100279b3e4ca1d8199331e |
| SHA256 | 8731a3e59e723ca3d6e33d0648a5e3d3a5993ac5f6e1bf741c02ea33802e3d03 |
| SHA512 | 2eb4492d89b0f03896dbc87794c209c29c82c51f01a14e6397126916fe165d87b30b152d65e911bf5dde20c666502bfe94994ba7d75f8db87867cf1fb62cdde3 |
memory/1972-81-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\lAXmjra.exe
| MD5 | 35ca4853124be72a33e87b1e96c7f824 |
| SHA1 | 8cad4d72cbf888800436b376e34f28cdf6aad52e |
| SHA256 | d2bd85a20fc07e39860b7861b7e0d0ce3bd971d3d0f8f0dbde9678c5c6250efd |
| SHA512 | 33f8f9e232697fbf9ed3a7b8e037217dce01f96342d133992cf1c90b8c08f7bf62e2c2b39dedd7d0f748a1ea38d34d872e2deb09c62806a966716e457d31a77b |
memory/2584-49-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/1972-48-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/1972-138-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\ogoCYtc.exe
| MD5 | 1c21d5a8d8c99075bba2fb923f228e39 |
| SHA1 | d9fecbae10e9c56ebec397930476f2c040a543a9 |
| SHA256 | 6bf5f9bd9643f0cb04d8abb118e3fe1de230d9bdad18fa0c657e2222a805500d |
| SHA512 | 5046f916e31611bf71d0d085983baa0302f4cb655a133b205e4e214b7e4f930a97791a2ecdf3fead816065f6366177073241850a091cc9f3fcf82716415e2e05 |
memory/2524-43-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1972-39-0x0000000002420000-0x0000000002774000-memory.dmp
memory/1764-34-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/1972-28-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/1892-27-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1972-25-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\alhNVvu.exe
| MD5 | 4dd1b8b267b45d98aa1d7026b9d84b97 |
| SHA1 | 3192f8ebe634ebe8abda4abc3443699961337816 |
| SHA256 | 7efe6fc4e3ddbb4c67df63572c56a92c548c5e6630ef350768d1fa174c9fdcf0 |
| SHA512 | a5fe4b5e3877cec639b521717b8d1df7ac7fcfe04f3c3f22edbf71fb336d70f74a83baba7b8075b4756d5fc7969b28290ffea712f2f2327d3bdc7780ba075899 |
memory/1972-19-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2308-11-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1048-139-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1972-140-0x0000000002420000-0x0000000002774000-memory.dmp
memory/3032-141-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/764-142-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2680-143-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2308-144-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1892-145-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1764-146-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2208-147-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2560-148-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2584-150-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2524-149-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2724-151-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2388-152-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/1048-153-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1820-154-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/3032-155-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/764-156-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2680-157-0x000000013FE00000-0x0000000140154000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 11:57
Reported
2024-06-11 11:59
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\crWmVdX.exe | N/A |
| N/A | N/A | C:\Windows\System\cCoIROi.exe | N/A |
| N/A | N/A | C:\Windows\System\BHMvSIf.exe | N/A |
| N/A | N/A | C:\Windows\System\alhNVvu.exe | N/A |
| N/A | N/A | C:\Windows\System\zKNcjiu.exe | N/A |
| N/A | N/A | C:\Windows\System\oOZeKmR.exe | N/A |
| N/A | N/A | C:\Windows\System\ogoCYtc.exe | N/A |
| N/A | N/A | C:\Windows\System\lAXmjra.exe | N/A |
| N/A | N/A | C:\Windows\System\kFzsgrX.exe | N/A |
| N/A | N/A | C:\Windows\System\ekmfMbD.exe | N/A |
| N/A | N/A | C:\Windows\System\qGJJsbM.exe | N/A |
| N/A | N/A | C:\Windows\System\FrxYnYU.exe | N/A |
| N/A | N/A | C:\Windows\System\DQXlKLA.exe | N/A |
| N/A | N/A | C:\Windows\System\qbnmOMD.exe | N/A |
| N/A | N/A | C:\Windows\System\EoijjXt.exe | N/A |
| N/A | N/A | C:\Windows\System\aohCFdi.exe | N/A |
| N/A | N/A | C:\Windows\System\MHuvfpC.exe | N/A |
| N/A | N/A | C:\Windows\System\sDZSQTe.exe | N/A |
| N/A | N/A | C:\Windows\System\rkcpiUP.exe | N/A |
| N/A | N/A | C:\Windows\System\znOyXtw.exe | N/A |
| N/A | N/A | C:\Windows\System\DIKakwl.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_f1b3c7ff6bde5452b8f3e12a9b9a240e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\crWmVdX.exe
C:\Windows\System\crWmVdX.exe
C:\Windows\System\cCoIROi.exe
C:\Windows\System\cCoIROi.exe
C:\Windows\System\BHMvSIf.exe
C:\Windows\System\BHMvSIf.exe
C:\Windows\System\alhNVvu.exe
C:\Windows\System\alhNVvu.exe
C:\Windows\System\zKNcjiu.exe
C:\Windows\System\zKNcjiu.exe
C:\Windows\System\oOZeKmR.exe
C:\Windows\System\oOZeKmR.exe
C:\Windows\System\ogoCYtc.exe
C:\Windows\System\ogoCYtc.exe
C:\Windows\System\lAXmjra.exe
C:\Windows\System\lAXmjra.exe
C:\Windows\System\kFzsgrX.exe
C:\Windows\System\kFzsgrX.exe
C:\Windows\System\ekmfMbD.exe
C:\Windows\System\ekmfMbD.exe
C:\Windows\System\qGJJsbM.exe
C:\Windows\System\qGJJsbM.exe
C:\Windows\System\FrxYnYU.exe
C:\Windows\System\FrxYnYU.exe
C:\Windows\System\DQXlKLA.exe
C:\Windows\System\DQXlKLA.exe
C:\Windows\System\qbnmOMD.exe
C:\Windows\System\qbnmOMD.exe
C:\Windows\System\EoijjXt.exe
C:\Windows\System\EoijjXt.exe
C:\Windows\System\aohCFdi.exe
C:\Windows\System\aohCFdi.exe
C:\Windows\System\MHuvfpC.exe
C:\Windows\System\MHuvfpC.exe
C:\Windows\System\sDZSQTe.exe
C:\Windows\System\sDZSQTe.exe
C:\Windows\System\rkcpiUP.exe
C:\Windows\System\rkcpiUP.exe
C:\Windows\System\znOyXtw.exe
C:\Windows\System\znOyXtw.exe
C:\Windows\System\DIKakwl.exe
C:\Windows\System\DIKakwl.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\System\crWmVdX.exe
C:\Windows\System\cCoIROi.exe
C:\Windows\System\BHMvSIf.exe
C:\Windows\System\alhNVvu.exe
C:\Windows\System\zKNcjiu.exe
C:\Windows\System\ogoCYtc.exe
C:\Windows\System\lAXmjra.exe
C:\Windows\System\kFzsgrX.exe
C:\Windows\System\ekmfMbD.exe
C:\Windows\System\qGJJsbM.exe
C:\Windows\System\FrxYnYU.exe
C:\Windows\System\qbnmOMD.exe
C:\Windows\System\MHuvfpC.exe
C:\Windows\System\rkcpiUP.exe
C:\Windows\System\DIKakwl.exe
C:\Windows\System\znOyXtw.exe
C:\Windows\System\sDZSQTe.exe
C:\Windows\System\aohCFdi.exe
C:\Windows\System\EoijjXt.exe
C:\Windows\System\DQXlKLA.exe
C:\Windows\System\oOZeKmR.exe