Analysis Overview
SHA256
539a2227cf2ea5d8abd9fe303c47451fa9a65ee882e291cf01b99b06387b7a33
Threat Level: Known bad
The file 2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 14:14
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 14:14
Reported
2024-06-11 14:16
Platform
win7-20240215-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cxZlPze.exe | N/A |
| N/A | N/A | C:\Windows\System\kksSyFa.exe | N/A |
| N/A | N/A | C:\Windows\System\QOzmKQP.exe | N/A |
| N/A | N/A | C:\Windows\System\xhSnJfi.exe | N/A |
| N/A | N/A | C:\Windows\System\heCscLH.exe | N/A |
| N/A | N/A | C:\Windows\System\WqHybCU.exe | N/A |
| N/A | N/A | C:\Windows\System\ohdAeFo.exe | N/A |
| N/A | N/A | C:\Windows\System\tnpPrCb.exe | N/A |
| N/A | N/A | C:\Windows\System\EIFYyOy.exe | N/A |
| N/A | N/A | C:\Windows\System\BFVGjyk.exe | N/A |
| N/A | N/A | C:\Windows\System\rgDjvdX.exe | N/A |
| N/A | N/A | C:\Windows\System\uVRXXOB.exe | N/A |
| N/A | N/A | C:\Windows\System\QcUIcif.exe | N/A |
| N/A | N/A | C:\Windows\System\sMYcmrI.exe | N/A |
| N/A | N/A | C:\Windows\System\JvZqttE.exe | N/A |
| N/A | N/A | C:\Windows\System\OzHvnSM.exe | N/A |
| N/A | N/A | C:\Windows\System\PTGPCrh.exe | N/A |
| N/A | N/A | C:\Windows\System\rNnHiIW.exe | N/A |
| N/A | N/A | C:\Windows\System\RHNLNdd.exe | N/A |
| N/A | N/A | C:\Windows\System\tcnIrFw.exe | N/A |
| N/A | N/A | C:\Windows\System\JICCoZO.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\cxZlPze.exe | C:\Windows\System\cxZlPze.exe |
| C:\Windows\System\kksSyFa.exe | C:\Windows\System\kksSyFa.exe |
| C:\Windows\System\QOzmKQP.exe | C:\Windows\System\QOzmKQP.exe |
| C:\Windows\System\xhSnJfi.exe | C:\Windows\System\xhSnJfi.exe |
| C:\Windows\System\heCscLH.exe | C:\Windows\System\heCscLH.exe |
| C:\Windows\System\WqHybCU.exe | C:\Windows\System\WqHybCU.exe |
| C:\Windows\System\ohdAeFo.exe | C:\Windows\System\ohdAeFo.exe |
| C:\Windows\System\tnpPrCb.exe | C:\Windows\System\tnpPrCb.exe |
| C:\Windows\System\EIFYyOy.exe | C:\Windows\System\EIFYyOy.exe |
| C:\Windows\System\BFVGjyk.exe | C:\Windows\System\BFVGjyk.exe |
| C:\Windows\System\rgDjvdX.exe | C:\Windows\System\rgDjvdX.exe |
| C:\Windows\System\uVRXXOB.exe | C:\Windows\System\uVRXXOB.exe |
| C:\Windows\System\QcUIcif.exe | C:\Windows\System\QcUIcif.exe |
| C:\Windows\System\sMYcmrI.exe | C:\Windows\System\sMYcmrI.exe |
| C:\Windows\System\JvZqttE.exe | C:\Windows\System\JvZqttE.exe |
| C:\Windows\System\OzHvnSM.exe | C:\Windows\System\OzHvnSM.exe |
| C:\Windows\System\PTGPCrh.exe | C:\Windows\System\PTGPCrh.exe |
| C:\Windows\System\rNnHiIW.exe | C:\Windows\System\rNnHiIW.exe |
| C:\Windows\System\RHNLNdd.exe | C:\Windows\System\RHNLNdd.exe |
| C:\Windows\System\tcnIrFw.exe | C:\Windows\System\tcnIrFw.exe |
| C:\Windows\System\JICCoZO.exe | C:\Windows\System\JICCoZO.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 14:14
Reported
2024-06-11 14:16
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lupbLbI.exe | N/A |
| N/A | N/A | C:\Windows\System\mtZaEzB.exe | N/A |
| N/A | N/A | C:\Windows\System\IpkbBDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\foDaTKz.exe | N/A |
| N/A | N/A | C:\Windows\System\lPlcosz.exe | N/A |
| N/A | N/A | C:\Windows\System\JYNwyKI.exe | N/A |
| N/A | N/A | C:\Windows\System\livNZrM.exe | N/A |
| N/A | N/A | C:\Windows\System\xRFDrYv.exe | N/A |
| N/A | N/A | C:\Windows\System\CFoRrgw.exe | N/A |
| N/A | N/A | C:\Windows\System\ApUoKLT.exe | N/A |
| N/A | N/A | C:\Windows\System\toEmXFB.exe | N/A |
| N/A | N/A | C:\Windows\System\OYvxIyI.exe | N/A |
| N/A | N/A | C:\Windows\System\jBZrsHw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZkoQEYP.exe | N/A |
| N/A | N/A | C:\Windows\System\xXfbvdr.exe | N/A |
| N/A | N/A | C:\Windows\System\xiQPRMM.exe | N/A |
| N/A | N/A | C:\Windows\System\NefYXLf.exe | N/A |
| N/A | N/A | C:\Windows\System\jKTOOfv.exe | N/A |
| N/A | N/A | C:\Windows\System\hoFxtql.exe | N/A |
| N/A | N/A | C:\Windows\System\epluYuD.exe | N/A |
| N/A | N/A | C:\Windows\System\soaLDGM.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_dd4dfd3204977d47d80c5c1765179d8d_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\lupbLbI.exe | C:\Windows\System\lupbLbI.exe |
| C:\Windows\System\mtZaEzB.exe | C:\Windows\System\mtZaEzB.exe |
| C:\Windows\System\IpkbBDZ.exe | C:\Windows\System\IpkbBDZ.exe |
| C:\Windows\System\foDaTKz.exe | C:\Windows\System\foDaTKz.exe |
| C:\Windows\System\lPlcosz.exe | C:\Windows\System\lPlcosz.exe |
| C:\Windows\System\livNZrM.exe | C:\Windows\System\livNZrM.exe |
| C:\Windows\System\JYNwyKI.exe | C:\Windows\System\JYNwyKI.exe |
| C:\Windows\System\xRFDrYv.exe | C:\Windows\System\xRFDrYv.exe |
| C:\Windows\System\CFoRrgw.exe | C:\Windows\System\CFoRrgw.exe |
| C:\Windows\System\ApUoKLT.exe | C:\Windows\System\ApUoKLT.exe |
| C:\Windows\System\OYvxIyI.exe | C:\Windows\System\OYvxIyI.exe |
| C:\Windows\System\toEmXFB.exe | C:\Windows\System\toEmXFB.exe |
| C:\Windows\System\jBZrsHw.exe | C:\Windows\System\jBZrsHw.exe |
| C:\Windows\System\ZkoQEYP.exe | C:\Windows\System\ZkoQEYP.exe |
| C:\Windows\System\xXfbvdr.exe | C:\Windows\System\xXfbvdr.exe |
| C:\Windows\System\xiQPRMM.exe | C:\Windows\System\xiQPRMM.exe |
| C:\Windows\System\NefYXLf.exe | C:\Windows\System\NefYXLf.exe |
| C:\Windows\System\jKTOOfv.exe | C:\Windows\System\jKTOOfv.exe |
| C:\Windows\System\hoFxtql.exe | C:\Windows\System\hoFxtql.exe |
| C:\Windows\System\epluYuD.exe | C:\Windows\System\epluYuD.exe |
| C:\Windows\System\soaLDGM.exe | C:\Windows\System\soaLDGM.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\lupbLbI.exe
| MD5 | b8f4dcc0b0401aa2d5bff2eba4cd740a |
| SHA1 | 52abb36a7ba85a258a5b8218d9c3d80dd354e765 |
| SHA256 | dfd3f8a25d2509193e2abd8263ff832ec9e8c086a00778390c02be7e39f44a13 |
| SHA512 | 100c8603d699b0cee9f24a7cab97903794cdaed249b96ee0c11c46dafa7f0985b30d772e37e8fe4c304b27348145e0e2c47f52f416df753ff677e8c65e5d7f13 |
C:\Windows\System\IpkbBDZ.exe
| MD5 | b3cdc82a6cb54bdad2cc682b80ed8929 |
| SHA1 | cc881aaab25b0f2b2be550291dd0349eb30696fa |
| SHA256 | e72226465c8d1a1edafc2d898eb5d1b16e766255220c3b4ac0353e73c28913de |
| SHA512 | 137cccf7c9e7f2129554de64ead6047e792799afc5efd6c65d5eb38b6eba5bcc6e8132a8c7ecaa229efe3764ec123ceef4a284e1b8b76483a7e04e7db47e3ccc |
C:\Windows\System\mtZaEzB.exe
| MD5 | 71a445429defe74dd05f1b2945dbced1 |
| SHA1 | 73b28b9741b15ab0fd7d3f74d288cd789248106d |
| SHA256 | 085c84377f5f480e51a299102ced3bb94525846cf00e7051d33d6ebf73a99a75 |
| SHA512 | d4f74804679b9b7d82fd1bab61df249fbec0c38dab8f27f4a951f3091a02574cee1916defcce0b893fd568e523c8d5f8058c38574c01cb32236ec1ab7cefa28e |
C:\Windows\System\foDaTKz.exe
| MD5 | 04a03a9e82b1f27410221afdb3c37819 |
| SHA1 | 3b1514e5ef4f36742a822c01e1db2853763e8016 |
| SHA256 | 1c6433e096f1ee3a1c4aefcb7213616be8d44094d21ec330a7531c14c51f74d0 |
| SHA512 | 75dd269d03cfb11204854b5a51ac5c56191e56bcff518ea3409a0beb109e46c99cdaaf6a17c9b7739b84e57d38866febfaf6f8963945f9feb70e74b2a4d0cb31 |
C:\Windows\System\JYNwyKI.exe
| MD5 | 3bbfb54495035c6ec0dce3899d57b1d9 |
| SHA1 | 740084798e7e93b0a8d94944e5938cfd8f685af3 |
| SHA256 | 84d5e6c2a7dc0a684dddaf92cfcb26c1bc23401e504811509bc7231967a64d5f |
| SHA512 | e87237a6be4fb3032d444c4c9e76a1b01317350332d72dee429de6f9abe6c7ccaffcc5de261470e5be6c58a146bbc65cc12876f92adea4ac3a6e3e75bbf97bfa |
C:\Windows\System\livNZrM.exe
| MD5 | 1eb14d5194c4251dccafdc56b56936c0 |
| SHA1 | 66e0815be213d4ff73e1e3aa3aa56c11b9612269 |
| SHA256 | 5e78123d727e8274ca53dd6835df64884777f3bd482a9d2ed7e359581e06a41a |
| SHA512 | 55859b14e687f339e55e0ca6275e5e1a60fc8d8b783733648e81fb5260b158c2dd5effa91fe8c793bbaa123f47605283a068f93d7298ee11812953286d6617f3 |
C:\Windows\System\xRFDrYv.exe
| MD5 | c46e85085a590894250dd51b1d6b7303 |
| SHA1 | a94207637cac964fec7d18eba55b2266269d7ecd |
| SHA256 | 741cfbc0f661a13bb3d35f50ae99c8dd55ea6c1526649d9e47536161d2b35870 |
| SHA512 | 4bf8bc523e85efff7c817affdbee787d8693560eca31510a879aef9284b1178ba0fee4bbaa26984876c1383dc77af532be5cc89fa7d079323326163ef9cf1970 |
C:\Windows\System\CFoRrgw.exe
| MD5 | c725c2fb869c2e10d4aeca16ecb6933b |
| SHA1 | 7ac8f66e299cb2df3824ea0315ed1a981cf8d3f8 |
| SHA256 | f681a4152b27d45d146b559b5e0ea1fcfdf96d596d0d574f7b02268cd29234b0 |
| SHA512 | ecc4bf5fcaf2e3ae872a980a47f17057244a896b455c7ee2530fefef497680658978abf516a02e1ed792cd814ded6dec72fcd370fb1d1361f557850af5c48e98 |
C:\Windows\System\ApUoKLT.exe
| MD5 | 38c785163ab64e134ed4d964ff904168 |
| SHA1 | 4b42799062a73d5fa48715a09bf60a56cfc18a58 |
| SHA256 | acfc9d34543d06423f302512313bf4bc8d2f9ca2559987699dfbeca955af84eb |
| SHA512 | d83f153e84012d7606b3ff2fe135d32d4059760ce665007f0ca4dc9a78946ec96b311f6a889d79d2b0381ac0f2fc33ca4c10e15a59c1383c35d16643ea15239f |
C:\Windows\System\toEmXFB.exe
| MD5 | 476f14203afb64046bb9a8905f002b1f |
| SHA1 | dd3b963b0a124da7fd7c7b12e0fa048c474d5c39 |
| SHA256 | a8c51ff4da89f8cab1f1b977d144d6e0206457c891251b338849149cb770881d |
| SHA512 | 6f9ad844726c7ecadedcccea63d14921d43827d587f19ca0975340f349e2a9e420fc8152198764ba6e3d51e8a0f9715c43697a1cf95fbcd164964605544fb8e0 |
C:\Windows\System\jBZrsHw.exe
| MD5 | 3f315699a9ebc3256d6f13ca00dabecd |
| SHA1 | 55b29edec5126fcb8bc7281cd088aacf4ebec5e3 |
| SHA256 | e1b85e74fbd2e52cc1ee889c1112bbd7ecb54b1e7336eefc88c79fefc1abceff |
| SHA512 | e44abb270c71b0218a7b4ea94832080dcb55b3c8690e6b10940ecc6452949c8e52803bd654b556b6ba719f1ffd2385d00c0078983a682128c48b1e7e27d7502c |
C:\Windows\System\OYvxIyI.exe
| MD5 | 6e30e0289d4d91983b33be072098d8a9 |
| SHA1 | 347cfed0dfde9bd23be765f2db8444f2af0048dd |
| SHA256 | c3f45f55e5bd331f17ebb5decf0a1b46d884ad0054368c4f12b9dd9191840c24 |
| SHA512 | 4a72cd3f3e618d80d56bb9e8a82f4a8d9695ff58f6eeffc2fdb9d04653ce56a5dc77ab9d8308ff7bdac53b484a7e01b988f8335f21326474a5e98f95a3a9bfbe |
C:\Windows\System\lPlcosz.exe
| MD5 | 6d4e17ea0e3c41a43dac5f764441c0f8 |
| SHA1 | 7e62d7350e945f6febdce6e54df583b98886cf51 |
| SHA256 | 235d88fb60721af1dde8c7b3af50d5efdd643caa2b89e35c92f03ccc95c550c2 |
| SHA512 | 23283d3f7a2a0c02c92beb24bfd40dfdafabb302d23f643d9d3da410507c132ab3c518cbaf6b769a9bef00fde0747453d37960cd2b16f7c244a8b28b473f67ee |
C:\Windows\System\ZkoQEYP.exe
| MD5 | 1bcd3709677272c3b8a72d8037ccc591 |
| SHA1 | b5d4c4487f65ac0b361bbc03f484cf7fb5eee9e5 |
| SHA256 | 449b9350e650551dd4fe28508c75af9cd208f77890aefb77aca0e038cf5c64fb |
| SHA512 | b7455ba569ef0770077c6a47facaeeb7a36ee38c1cbe008bdc62806513778ceefdcee5390487bcb197a55b0ba5f8482e103f6fe5277346b8d95a9eceb8cc5ee4 |
C:\Windows\System\xXfbvdr.exe
| MD5 | c21c72475a302b051f0b9e92739c3a72 |
| SHA1 | 5560cb9addcf0c48145de47ebcd45b6dac825d78 |
| SHA256 | b8bada637162e621f015b9a4f80461db6e7d5f90803ba7e453332a528c2a45fa |
| SHA512 | 9d858d187ec6c453e9204aed4d692f1900c0aac7f416af5612343ef5f03db8d055f388f844435bfa35655d8c05e1c7e9a83f19395721d0570aa06faad2f3675c |
C:\Windows\System\NefYXLf.exe
| MD5 | 62f5d40d302a2c4d2e6fa1356266dbd0 |
| SHA1 | 9d36a027517fe57542790d025ff5864936471e5a |
| SHA256 | f23fffb28b020b33eb03c56716783d2dbca00f5b3cde1d2f74c54a68aca5855c |
| SHA512 | 998cf69732ab45daa9533c9076a085c418694bbfa74a16de737fbc8d30480503446d4f8ab79f6196b11b241c5558e6be0eec7644b521467bb366ce18b71f3dfb |
C:\Windows\System\xiQPRMM.exe
| MD5 | f5c9b2fa8628252e22af24bc05691538 |
| SHA1 | 5d3b7a1bae8d7c7f189416db819baf1e0db87213 |
| SHA256 | 9b55a7a930d657acf951fa96f78434a2f01d47258d2b365710a2423eb9176d56 |
| SHA512 | a424803d46786d9aacc2fe12b3c7cf1301ea49645d41e7ccaada2b56ed02cffc30af4d3a0aff2d91ef4f877176e281a3bfc773375e99ebfee011af377e38a2f6 |
C:\Windows\System\jKTOOfv.exe
| MD5 | c603c3a8d7dd4101ab76005302858064 |
| SHA1 | cf27c4dbcb51adff9e863232f54bc45b9c33cf29 |
| SHA256 | bb59dae338840b0b7f39f6ceac1e77c03185a2364c36f1ae2514e113f3d6fa9b |
| SHA512 | d206318d7766047a2f273ec45447b9b4033745dcaba88f431f7893b04b086453ec1551148ab666a9aa1d27d4b1ea7168932dda0e1b2a00c0afa0f6f86e6c98a9 |
C:\Windows\System\hoFxtql.exe
| MD5 | 64f6f8448fce75d1c6e1acf61bdbdc0f |
| SHA1 | e07080a955b3c63aad6a9a7b9470859a231e536b |
| SHA256 | ce56dfd6c06fb866ef39f2e0b48474075c55720158194d9eb165603f4bfac745 |
| SHA512 | c7105db531a1a59d744560a88da959ab584889f4c031f3e3d8a59c3ea65da2ca2ed0a0ada80fb203c3493c06e50b0724c08cacab3980aacc4afaa3461cb14aca |
C:\Windows\System\epluYuD.exe
| MD5 | c78098da4c5a55d3668515f0bf17187a |
| SHA1 | ef55e9c382f949536c7a6f59130fc2d832ae333c |
| SHA256 | 641eff2c0c38b1e2837a0c37f68e0e47ffd122490ace8cd47d1bb7bd40a612c8 |
| SHA512 | 4a8600d0b20a3b9b145fe1bd96c838cd8805570896f65f7a3b1a3d31e2f9fd99c8a9350a01fbaf27befd3f0f3660042c9fad6a46870728644b06fe9228025ef8 |
C:\Windows\System\soaLDGM.exe
| MD5 | 722e5554922fa2f35e7d753058c2c5a3 |
| SHA1 | b0a979f1bb34980fa2ebed032d12f560cd48fa03 |
| SHA256 | c07e2c9f298129be871d0f9a74f4845b6c1541113b09d72e8e6b29f8e50c810c |
| SHA512 | 65674e57ac942384d947407ef115412a3bceaa141efe6c85e3d391dcc231623ce478f73352a095a7c714abcfef2ba1e2bd5f49ee745273700b52b11a9ae04451 |