Analysis Overview
SHA256
543b85479fbc8e3b320e67067ab80ac0797b14b250460fc4e9f4017c6aa4b3f6
Threat Level: Known bad
The file 2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
xmrig
Xmrig family
Cobalt Strike reflective loader
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:53
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:53
Reported
2024-05-30 00:55
Platform
win7-20240419-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DMpJtqP.exe | N/A |
| N/A | N/A | C:\Windows\System\wpbBuuI.exe | N/A |
| N/A | N/A | C:\Windows\System\WBAcUMA.exe | N/A |
| N/A | N/A | C:\Windows\System\RmIeUPp.exe | N/A |
| N/A | N/A | C:\Windows\System\aJTJnbj.exe | N/A |
| N/A | N/A | C:\Windows\System\ehcbxIQ.exe | N/A |
| N/A | N/A | C:\Windows\System\IhaOUjI.exe | N/A |
| N/A | N/A | C:\Windows\System\hzceCYV.exe | N/A |
| N/A | N/A | C:\Windows\System\qwoZdjI.exe | N/A |
| N/A | N/A | C:\Windows\System\ilQYZBa.exe | N/A |
| N/A | N/A | C:\Windows\System\TCvFjOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\vPJSPor.exe | N/A |
| N/A | N/A | C:\Windows\System\QMNrVNM.exe | N/A |
| N/A | N/A | C:\Windows\System\vYVFIki.exe | N/A |
| N/A | N/A | C:\Windows\System\bWkPnse.exe | N/A |
| N/A | N/A | C:\Windows\System\zzUaMDT.exe | N/A |
| N/A | N/A | C:\Windows\System\ogJGYyk.exe | N/A |
| N/A | N/A | C:\Windows\System\NgkkORv.exe | N/A |
| N/A | N/A | C:\Windows\System\vcbAizs.exe | N/A |
| N/A | N/A | C:\Windows\System\GOClcpn.exe | N/A |
| N/A | N/A | C:\Windows\System\DWfVhlu.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\DMpJtqP.exe
C:\Windows\System\DMpJtqP.exe
C:\Windows\System\wpbBuuI.exe
C:\Windows\System\wpbBuuI.exe
C:\Windows\System\WBAcUMA.exe
C:\Windows\System\WBAcUMA.exe
C:\Windows\System\RmIeUPp.exe
C:\Windows\System\RmIeUPp.exe
C:\Windows\System\ehcbxIQ.exe
C:\Windows\System\ehcbxIQ.exe
C:\Windows\System\aJTJnbj.exe
C:\Windows\System\aJTJnbj.exe
C:\Windows\System\IhaOUjI.exe
C:\Windows\System\IhaOUjI.exe
C:\Windows\System\hzceCYV.exe
C:\Windows\System\hzceCYV.exe
C:\Windows\System\qwoZdjI.exe
C:\Windows\System\qwoZdjI.exe
C:\Windows\System\ilQYZBa.exe
C:\Windows\System\ilQYZBa.exe
C:\Windows\System\TCvFjOJ.exe
C:\Windows\System\TCvFjOJ.exe
C:\Windows\System\vPJSPor.exe
C:\Windows\System\vPJSPor.exe
C:\Windows\System\QMNrVNM.exe
C:\Windows\System\QMNrVNM.exe
C:\Windows\System\vYVFIki.exe
C:\Windows\System\vYVFIki.exe
C:\Windows\System\bWkPnse.exe
C:\Windows\System\bWkPnse.exe
C:\Windows\System\zzUaMDT.exe
C:\Windows\System\zzUaMDT.exe
C:\Windows\System\ogJGYyk.exe
C:\Windows\System\ogJGYyk.exe
C:\Windows\System\NgkkORv.exe
C:\Windows\System\NgkkORv.exe
C:\Windows\System\vcbAizs.exe
C:\Windows\System\vcbAizs.exe
C:\Windows\System\GOClcpn.exe
C:\Windows\System\GOClcpn.exe
C:\Windows\System\DWfVhlu.exe
C:\Windows\System\DWfVhlu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/992-0-0x000000013F220000-0x000000013F571000-memory.dmp
memory/992-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\DMpJtqP.exe
| MD5 | aeccd4a4f0ae439b958952c8ccbbe005 |
| SHA1 | 2835f945cdb76fb4f245f6eed1c83cf1647e7a23 |
| SHA256 | 4f9ad93d47c9b2b205c776c306b0c2ecbe4bea042d0ba6d1a57880046305442f |
| SHA512 | 1583b89ff77334f5e16470d3fed8bdfa062c94004e69892b954f2d42f704bd880bfa97997477995f6a9ace1f2accea73230351775a72ef8534e545b1c1d3c562 |
memory/1956-8-0x000000013F650000-0x000000013F9A1000-memory.dmp
\Windows\system\WBAcUMA.exe
| MD5 | fd32ed578e79e8fadebd7b55f02b6e8a |
| SHA1 | fbe963f9b8b1c2fa8af8d0c56adec11354fe7e38 |
| SHA256 | 07f1c544d0be907c26c7eef59bf0795531f1d289580b5daab3f184eff82ca8de |
| SHA512 | 19df503eb08fb583e697d48a714960fc03c4a695cb37785244c6b7a3b1a786fcfa32437ddc6a4011bdeedf1fccde2baf0268aa7ca167d6c2dc0e405b62b1741e |
C:\Windows\system\wpbBuuI.exe
| MD5 | 9e52f44c9f4d5c5fe602ab9e762b9193 |
| SHA1 | e429a1f0687ace77b7207403607c23ec63b43388 |
| SHA256 | feaf3ae5aecd60658d36e9ed091c69062e1f9985123071c5564d9a3b25e6475f |
| SHA512 | ffb04e758f8be948c3b0d70464962c5b274b1f0beded8907b989c9e00a5630e8e624c473071a58d33c866cd4b1b775174fb536961d25b641fa69baaca699ec30 |
memory/992-21-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2500-20-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2116-19-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/992-35-0x000000013FD70000-0x00000001400C1000-memory.dmp
\Windows\system\aJTJnbj.exe
| MD5 | 579aa55db55f271fd9e4716771db8006 |
| SHA1 | 7f46f92af521bbb8571de85776faa8943d57847a |
| SHA256 | 49969a1e943227945445630a1b67b2a5f193e4533ae9ad686c2f5b804686db35 |
| SHA512 | 443568a45f769e5b582a297fba425d0f1f4253c03edec50130b1ae83c99a721eecf03aca87712e9b8a1d36f4241358037c6d3e71878af91304693c90cb996cfb |
C:\Windows\system\RmIeUPp.exe
| MD5 | fc37771ba51ca9178307ac548a31945e |
| SHA1 | dd1f5a053dda0e785e09e80ecfe1b8d3935496d5 |
| SHA256 | 62e29d2f969c85e91d469a5919839780d605601314dc8919faa79da136e43819 |
| SHA512 | 9415f4287c27662323ee549891c20f8dc927cd07e638cb6dc63cc591415b757a76a28446e1b9d40af60cc9a4639a77c80d15e823e660a94bf3663135453e7e86 |
\Windows\system\IhaOUjI.exe
| MD5 | 462fa7e50e17feeeef7851e7b76cf35f |
| SHA1 | 12758966eb5f8caec96fe634f793ce8a0751d102 |
| SHA256 | c5d41e6556f19f7d3d169af3db0103aa80161bdc73e8749a74dc65c72523d115 |
| SHA512 | 0c1658b59e6ece29bea97d3ecc21b9d19c4baed77d1f10841b05ad3abadff2b9b720b9da6f28033295b2face139b78dbd7e269fbb41db46d0b5cd7a391e42099 |
memory/992-39-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2728-54-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/992-57-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/1888-55-0x000000013F530000-0x000000013F881000-memory.dmp
memory/1956-48-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2676-45-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2420-64-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2580-71-0x000000013FC40000-0x000000013FF91000-memory.dmp
\Windows\system\vYVFIki.exe
| MD5 | 027d123d65de436aa8ed9d4776bafcd8 |
| SHA1 | 6c04c08844aa5c7309edcfdba8002d4cc173812c |
| SHA256 | 3d8bbad238e69e31e52bfeac002da9ca5a984c2531ac4bf642a6c02910ad6316 |
| SHA512 | 3f5e7dfc9977666872aa6ca8db3b35ecc2b55e461dc8a67a0dbcf59a159bdc966a31826a63fa7c49a92c921b0f5b3ca316dee418d8ffd1809c1d5402d5b6ce71 |
C:\Windows\system\zzUaMDT.exe
| MD5 | 5eaf82e310a4b9e1b0eb03ef1f6deea8 |
| SHA1 | d2cf83abded6512e020dd90fc0db0f266a8f88cf |
| SHA256 | 2b8011c348b24fedbf91d2c8f9fe5906fdb761e8f58bd726817fe6c0dabc4689 |
| SHA512 | d95ffa617e8ff662d879bc01be3c25948252dd3afc7cb0696e6bd4ac59c44d211de8d7fbdfc842fc9bc550e9ccf1853a2c8826a94c0a1d9548ee73bda1bd8a3e |
C:\Windows\system\NgkkORv.exe
| MD5 | cab809836acfb08f31429aa0b043a400 |
| SHA1 | 9da8f59338b5e502bfb13a8fd25e05cddb3fb324 |
| SHA256 | 4b1ad9ea4b1f5c4e1f9cad0ad9b66e9c6eab01d5758aebda78f843ea246de965 |
| SHA512 | e8dcd5b9bd1e44fecde6d4daa1c7b2c492cc05e6f68d6a321f971fa3357fb638438bef522c0693d0a259cd275e61a2c23a15475732b3eca672a06753ed4e545a |
C:\Windows\system\vcbAizs.exe
| MD5 | 339cde1b92a7d82167c95291ef530cb6 |
| SHA1 | f83f9a553d07905007a0567d44822e9c43b684db |
| SHA256 | d5a1a2f6ccddfaf0ec8fb5937358e87cacfb9a1da7105808984a2d69f787c78a |
| SHA512 | eddf242a47fcf68e7c7a2f91fb2e29e0f9c5d7820e01e58190a5d0e154dbf3a1ac688470e431eead07e636eb847e37c58292593c229e9b5189985d17d5dd5f1b |
\Windows\system\DWfVhlu.exe
| MD5 | 90ee4539d485723783893112f847c184 |
| SHA1 | a9cb3647848f466f6b5f06466eeb52ba3e7ab39e |
| SHA256 | 754393812623612068e5d93b4a9e2017315d642bbb1a39365d86fef3b5f782d1 |
| SHA512 | 680837ee0ab09752752307927f0f969cde6a3c88328ca0e03fe094113258793c88704a0e879695a8d3d7f57ed9c682111aecc2d35f2a21e511ee924db43dfdf9 |
C:\Windows\system\GOClcpn.exe
| MD5 | 9e3dd12dad968fa060a640055a3ccb85 |
| SHA1 | 610a7c93c136818eaa310391f39fde5ee69e9e8c |
| SHA256 | 59a4586fa9300bcfe7de26e3da33abfb57489d60d01c5b55135bf92fab3fb007 |
| SHA512 | faa61dc2a5c66c0d14d80698c5092eb45f06deec58f9b8280a766418324a164afb30f28164d6b2e28ba9c58a384bb233c0a64656aaeca91947aa7622e38947c8 |
C:\Windows\system\ogJGYyk.exe
| MD5 | 038fa10ff5d63b05173b1bd48970f243 |
| SHA1 | 51e70fd1a0522993f975e32a1d6b9807f56b5952 |
| SHA256 | 8f58c2227beefd0ef99cc8e7c27d198db13f95762d9a3583f7b794ac90f7cfec |
| SHA512 | 6449ee25f25859f26aafe3b2e09dac51691eb67284a5d15a39f1feca00f2c5ce138bd76fb394c3f3c219e071bd144a12ca75764af02f917eea10f54d2f97d192 |
C:\Windows\system\bWkPnse.exe
| MD5 | 05d3f3d6107895c8be5aa0e7fb9842c2 |
| SHA1 | f935b95db2315309fe40af3409d18c20db8c0aa1 |
| SHA256 | 1ebcc73e9bade1d0f619dc821a2ca85c256cd1ba064190b29be0ade4d4610f8b |
| SHA512 | f3d494bf9182ae2a746c2a593772abeaab54d96f24b3e6215d1506508fd45ef8b4c68800cf39dd42da77eb453d165469067aa31b3a5e3d592a8ebc6f7eded9c0 |
memory/2676-136-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/992-102-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/2712-101-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2772-99-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/992-98-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2508-91-0x000000013FF10000-0x0000000140261000-memory.dmp
C:\Windows\system\QMNrVNM.exe
| MD5 | 569f1ad2245821d86b97af8217e9a36a |
| SHA1 | be3f9ca98d8e4aa304cc187cf62e45d3c47be984 |
| SHA256 | db8c308dec569908cc948d228152402c03af7d4d2a4467907b4dd4fdfc4ec438 |
| SHA512 | 5bf10634b0b9cdfa9619c24e132bfed1e22c4d29d7e92a51fef570c7ee84f1c86d429eb2e512b2d1ebabe75d4aca1a397d58a167db84acf5b476d6d0de4e2873 |
memory/2664-86-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/992-85-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2932-77-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/992-76-0x000000013FB80000-0x000000013FED1000-memory.dmp
C:\Windows\system\TCvFjOJ.exe
| MD5 | 3b103a4a2a71800c24e5c904be152c36 |
| SHA1 | 602664b88ecb73292dc32642c6f2009754909758 |
| SHA256 | 410e114633fb275fa520d702bbf40104602ba5f05a61d5d034224f4430baab63 |
| SHA512 | d172fd624bddcb277b3be7966bad27472c7e7069f8fc4d8547acf8c615b5b5f7e127c07be8e55e448d08cdfbae2ad84974408d796dc06010cb2fc7972bd5f1cd |
C:\Windows\system\vPJSPor.exe
| MD5 | 28d4d0dea2946a3c464dfcf03d922bcb |
| SHA1 | 290eead935a4bb263b15f078e88c21aefebb1561 |
| SHA256 | 1a08ad43ea4b5f8d46b12532ea99ac79844db1b940b5983480befe504e175a13 |
| SHA512 | f4d48a1a53e7e6fe93834d101c0f26c1d4cf5a9a3ff5aab0ba59f013381dbc9927faa8a0aba61dba94c4550f7f0c93d44fdcc0c9a6bab66d79a1ffacc959e5e0 |
memory/1888-137-0x000000013F530000-0x000000013F881000-memory.dmp
memory/992-63-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/992-62-0x0000000002350000-0x00000000026A1000-memory.dmp
C:\Windows\system\qwoZdjI.exe
| MD5 | 8b426dab72cebb529d27ebbb4eac52b6 |
| SHA1 | 689dfc1afb98a76ef7232fcfd7c7740650eab025 |
| SHA256 | 81d219d81d18454a0960d4a3bc99a00756faf3232bcb2bdcc0ef484fa501eae9 |
| SHA512 | 8b0c96a1440e836efe16c4cf9839be5bed391c212f03765db390960a97b406d14de79d4defa73144e66fde0ca1dddc13dd9404b83680b6e075f82416d6bca834 |
memory/992-70-0x000000013FC40000-0x000000013FF91000-memory.dmp
C:\Windows\system\ilQYZBa.exe
| MD5 | e39791ccc761ceb434888e806ee7ecdc |
| SHA1 | e339cadf9a46cb518db2d64ab5aa96dfa3b8d86b |
| SHA256 | 704ee90b8a5243ca7bf6a50f5b27ca85395e00e3420e9bdf1875fe094ce533db |
| SHA512 | 399994b81026cc5e507dc721ec8770cfcc715d0fa7da3a618a4ee214eaede301c0342e225f286bd7d3a9e1b02b9ebabe844e8e2e04225195e10cbbec662e8ecc |
memory/992-44-0x000000013F220000-0x000000013F571000-memory.dmp
C:\Windows\system\ehcbxIQ.exe
| MD5 | b1d7320730877576cfadf54bfd2d965f |
| SHA1 | b93a382c3229b1f8ad1d094cc032825519defa64 |
| SHA256 | 04c2c24e668e0e02048d81d209a07dff31df5f29e5480723bce9a99125b40731 |
| SHA512 | 3ff1cd984f011b11e732a0a6d2200dbe3b5c9d1008b4f1229dc8a5d00916535260eabaffd71763321fbd3298262b4fcd789589f5b940013d574219f4730c5e63 |
memory/2712-41-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2520-31-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/992-27-0x000000013F760000-0x000000013FAB1000-memory.dmp
C:\Windows\system\hzceCYV.exe
| MD5 | 450ea39cdd8959d333acba72da7010e1 |
| SHA1 | de6c580fa248c42b892c4b53e52040b0c61e278e |
| SHA256 | a985c13f44e020db247afb6d735aa060ce54e2f5cdaa482ce2e82aa89a1a2d15 |
| SHA512 | 9467c23d3fd4773d6edc437a756bce79466479fbcab3c0423ff9fb08cf73929d5233e45c4771bd0e048b9948878d1c4c82a85e0500e61252fbb93b10b3f4b330 |
memory/992-138-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/992-139-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2420-148-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2580-150-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/992-149-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2508-153-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2932-151-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/2380-160-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/1012-159-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/992-162-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/1304-161-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/1552-158-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/1628-157-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/1536-156-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2068-155-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/992-163-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/992-164-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/992-165-0x000000013F220000-0x000000013F571000-memory.dmp
memory/992-187-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/992-188-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/1956-216-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2116-218-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2500-220-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2520-222-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2712-224-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2676-227-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1888-230-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2728-229-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2420-232-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2580-234-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2932-236-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/2664-238-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2508-249-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2772-251-0x000000013F1F0000-0x000000013F541000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:53
Reported
2024-05-30 00:55
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HpSpMRI.exe | N/A |
| N/A | N/A | C:\Windows\System\RYUBwex.exe | N/A |
| N/A | N/A | C:\Windows\System\FsbHeWD.exe | N/A |
| N/A | N/A | C:\Windows\System\rmmopqb.exe | N/A |
| N/A | N/A | C:\Windows\System\uIZWTpT.exe | N/A |
| N/A | N/A | C:\Windows\System\dSxxJJv.exe | N/A |
| N/A | N/A | C:\Windows\System\SKYyMZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\zONhzar.exe | N/A |
| N/A | N/A | C:\Windows\System\kgfoKJK.exe | N/A |
| N/A | N/A | C:\Windows\System\CLZgiGD.exe | N/A |
| N/A | N/A | C:\Windows\System\pWbWWJE.exe | N/A |
| N/A | N/A | C:\Windows\System\npFBCXZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WMdDqSy.exe | N/A |
| N/A | N/A | C:\Windows\System\XlbkOHE.exe | N/A |
| N/A | N/A | C:\Windows\System\auMFqHO.exe | N/A |
| N/A | N/A | C:\Windows\System\IXJeTnV.exe | N/A |
| N/A | N/A | C:\Windows\System\EgWpCTY.exe | N/A |
| N/A | N/A | C:\Windows\System\LcOjWiB.exe | N/A |
| N/A | N/A | C:\Windows\System\gJbMZSR.exe | N/A |
| N/A | N/A | C:\Windows\System\WGkPYlk.exe | N/A |
| N/A | N/A | C:\Windows\System\OQnspwT.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_6df242552618a750c61992e66bd84953_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HpSpMRI.exe
C:\Windows\System\HpSpMRI.exe
C:\Windows\System\RYUBwex.exe
C:\Windows\System\RYUBwex.exe
C:\Windows\System\FsbHeWD.exe
C:\Windows\System\FsbHeWD.exe
C:\Windows\System\rmmopqb.exe
C:\Windows\System\rmmopqb.exe
C:\Windows\System\uIZWTpT.exe
C:\Windows\System\uIZWTpT.exe
C:\Windows\System\dSxxJJv.exe
C:\Windows\System\dSxxJJv.exe
C:\Windows\System\SKYyMZJ.exe
C:\Windows\System\SKYyMZJ.exe
C:\Windows\System\zONhzar.exe
C:\Windows\System\zONhzar.exe
C:\Windows\System\kgfoKJK.exe
C:\Windows\System\kgfoKJK.exe
C:\Windows\System\CLZgiGD.exe
C:\Windows\System\CLZgiGD.exe
C:\Windows\System\pWbWWJE.exe
C:\Windows\System\pWbWWJE.exe
C:\Windows\System\npFBCXZ.exe
C:\Windows\System\npFBCXZ.exe
C:\Windows\System\WMdDqSy.exe
C:\Windows\System\WMdDqSy.exe
C:\Windows\System\XlbkOHE.exe
C:\Windows\System\XlbkOHE.exe
C:\Windows\System\auMFqHO.exe
C:\Windows\System\auMFqHO.exe
C:\Windows\System\IXJeTnV.exe
C:\Windows\System\IXJeTnV.exe
C:\Windows\System\EgWpCTY.exe
C:\Windows\System\EgWpCTY.exe
C:\Windows\System\LcOjWiB.exe
C:\Windows\System\LcOjWiB.exe
C:\Windows\System\gJbMZSR.exe
C:\Windows\System\gJbMZSR.exe
C:\Windows\System\WGkPYlk.exe
C:\Windows\System\WGkPYlk.exe
C:\Windows\System\OQnspwT.exe
C:\Windows\System\OQnspwT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2056-0-0x00007FF786F70000-0x00007FF7872C1000-memory.dmp
memory/2056-1-0x00000188F8070000-0x00000188F8080000-memory.dmp
C:\Windows\System\HpSpMRI.exe
| MD5 | 8ec02f498e01692e49ea6a08aa95b197 |
| SHA1 | fff9c323a299d4afec02b85c74efcbf1a72d5767 |
| SHA256 | 2588fad268a0048acc45a13b65533b0a1b5e2c4a516cd6a5105b9700936dd963 |
| SHA512 | e313f9f20a13e8f7a56a03ba7972e42baec72eba11f204c64cb9711e2768f09fa41543064500f87568695b28efea87bf4b559a0b5a3445e84ade5795b4f43e95 |
memory/1784-8-0x00007FF64C990000-0x00007FF64CCE1000-memory.dmp
C:\Windows\System\RYUBwex.exe
| MD5 | a1fd2ba8129c3a8372db11f1e6d5c914 |
| SHA1 | 9b32c07bad6f30b87af6fdd1e18b05d792f67fd6 |
| SHA256 | 24b7459cc00788536b1a0a45ca6099c6fb6a25586cd031c1adca1f8d35e9ffe8 |
| SHA512 | df5fdc6e1475c6497177f31252f9cc3ecd3dfa8cfd4c7642036822fbe4a9e59a92d8168f63153ecd2d521ab8fcea3957246e2772e91f36cc88f7a91e6c4fd365 |
memory/1188-12-0x00007FF7848B0000-0x00007FF784C01000-memory.dmp
C:\Windows\System\FsbHeWD.exe
| MD5 | be879b4497e044b74a8d9bbe2f43b1bf |
| SHA1 | 494f68279e502faedd90a2f2cf10b6bf8001bd48 |
| SHA256 | c29269447f96d793360aae9d380d49547ae04dd9424a1769435443e99937e354 |
| SHA512 | 6b4bcdd771593adc8519d1cf6edfa069d1b65ccdc3240dd394adad2194f5821b038c901f85a3c7307eceb6242ad53fc4accf07935b4a36dae8b858041f7ff1ab |
memory/2000-19-0x00007FF63E570000-0x00007FF63E8C1000-memory.dmp
C:\Windows\System\rmmopqb.exe
| MD5 | 2a253d42827ae158ca4939c3f23c6b43 |
| SHA1 | 410cef92e2e6cf4cbbba31f2b6f0e5f070fa7b65 |
| SHA256 | e5e24ec178ce1ba4060f13c8b8f749b6e60879c083339ce89f6719153365def6 |
| SHA512 | 255df1c798d4ffba64e19f12d8e4b460a6ec1f8f212f24b20033daf993c1a7636d109ccf654073a015b9912aecb4a3a01e37a055c18844dcdd45c62578e8ef96 |
C:\Windows\System\uIZWTpT.exe
| MD5 | 83b8631d4e2650f57a325bcd6aa25d65 |
| SHA1 | 82e0ed479d3078ca271bf2717d644fcf1e6352b0 |
| SHA256 | 6f88b9ed0c75bbabd7e8acb51d73dd6b14293efc606ef046f461036340ef9654 |
| SHA512 | 301cc7479f7bde4dcdc68f7cd45af4579aaa9d9ccf1d087f1ce41d08ecdae4b119efa6bc6cc31eb567797ba19054db1bbb671392ba368797cb74fe3313b5ff0c |
memory/2524-31-0x00007FF6EFB20000-0x00007FF6EFE71000-memory.dmp
C:\Windows\System\dSxxJJv.exe
| MD5 | 364de4b49f4aaf6c490cf22439a94aeb |
| SHA1 | 2e453e848d6274001efec00f1c48716e186ed1bd |
| SHA256 | 63b692dc0a1527771fdbcf8474fa0437c2f8d7931263813c0b3bef8b158b2afe |
| SHA512 | b0c86ffbe1e4bd1fd6661aac7d831c32ea74488c690c4538087fbbb741a1c239551e15bb8a5091525fcbc760d5234e11f8bd2db39dfce7b728f378f7ebe96e92 |
C:\Windows\System\zONhzar.exe
| MD5 | b665e2205b801b62e3a1955b17324364 |
| SHA1 | 5eee90179ba2d782b97e83af5651eb505d2e1c89 |
| SHA256 | 85d5dd746dc6cf692730d55135bcda01141615236f3da0ff09c3cc8d3b40c8b9 |
| SHA512 | 6c0f39c3bfcff58851220c1fd5339e888876efa91d663b2d80ac0478603afcb11e0df7addddfdf81c05c25e24a7ab7b1587e3e7f686b323e8f46485d8a148bd0 |
memory/1600-45-0x00007FF65FA00000-0x00007FF65FD51000-memory.dmp
C:\Windows\System\SKYyMZJ.exe
| MD5 | d868b3fe4c9ef9719232739ec6ab9ba5 |
| SHA1 | 9834957a8b17912fcdbbaa8b575eb6ca9b6f16b5 |
| SHA256 | 3d8dfd50cafbc51d5c9be406a83d29c1cc85740680dd7ad5c72fa81230cc1b3e |
| SHA512 | 301ea89fc6134382b905675c21cf4043dbf2ad57ab1b39e557899827705dbec1dd755bd64be6d540a828af671443985e4567f0f170159e5fadb72bde3abed039 |
memory/4020-46-0x00007FF7B9CF0000-0x00007FF7BA041000-memory.dmp
memory/736-40-0x00007FF68BA90000-0x00007FF68BDE1000-memory.dmp
memory/1260-32-0x00007FF6DB650000-0x00007FF6DB9A1000-memory.dmp
C:\Windows\System\kgfoKJK.exe
| MD5 | 1763cfa6645a0ddf7b2e03e94e175b1b |
| SHA1 | 19d2acd248cfc232e56ac09989be2fbf230f448e |
| SHA256 | 10776d5aaf2aa22c56512016fb3a24d300734d99ae2b620b4c5aa412f99ff825 |
| SHA512 | 55721361e370a9887448f6ccba4224a6e21edf8e88a559f2819d6af6b810740704087aaf9827953e42b294abedd804862e77d1457ebd2604882a76812d9f76ad |
C:\Windows\System\CLZgiGD.exe
| MD5 | 16cde79e43e78c6fb2c5a56cd895c1a6 |
| SHA1 | 2ea830428a2ebd8308c6372af5d5ccc07d4063d0 |
| SHA256 | 0e68d1a412a866a2269b2c5c76c9a02de6b24d14087fd79f335d24f64d52ad92 |
| SHA512 | eed3f12134c0e281298747efe4def26e778c64e3bde0ae3160f1836c0d695884cfa92bc435827659f919c92f0ed6a89146c4f1655b478eee5a5f7150286f51ed |
C:\Windows\System\pWbWWJE.exe
| MD5 | ef21ae1b2dccd80e47c8efae0a610f92 |
| SHA1 | 14cd7dd5cf874e645c823afff2f600bfac8880b6 |
| SHA256 | 7cec7f445574a8394c9f40359465c5cd496b05c98dbe2995b402f651204219f7 |
| SHA512 | d4f49821915a9fdc8fd67f141238b3c01ba84aec00b4e505b8ea13a47f95a93a935c2341e6c054700d024ce98b73eb832fb58d9cdd3356e6c078184089ed99f2 |
memory/3808-70-0x00007FF661DA0000-0x00007FF6620F1000-memory.dmp
memory/1188-69-0x00007FF7848B0000-0x00007FF784C01000-memory.dmp
memory/1368-63-0x00007FF7D2220000-0x00007FF7D2571000-memory.dmp
memory/2056-62-0x00007FF786F70000-0x00007FF7872C1000-memory.dmp
memory/1388-60-0x00007FF636490000-0x00007FF6367E1000-memory.dmp
C:\Windows\System\npFBCXZ.exe
| MD5 | c13c18f0b791d8a1e003659d8050f18e |
| SHA1 | 25392b396635e49fb0288e19459d65874f633f21 |
| SHA256 | 3f9f795bbd875f30d879973bab718b6373c87f0a5be0dae4d1f48c7df1e6655c |
| SHA512 | 684de30d428db614e0b6d84bded7690c3a4f482d328464681e4cd9b64e7c6f6fe7371d96c10fcbd09a6bf511a6df95e2e978184b33f019f11cb5a0d2922751cf |
memory/3676-74-0x00007FF70C120000-0x00007FF70C471000-memory.dmp
C:\Windows\System\WMdDqSy.exe
| MD5 | f168d239ba1bc98f57ce4e66c9f1b306 |
| SHA1 | 2f579195a8c971174f10ee6fd929189063774155 |
| SHA256 | 8140a56e33a9c667f633f2f6be53e484e17c0b90e9c021f4ed05c70eda99c1c1 |
| SHA512 | 73c8af2ed1cc58bc0d447cd02e7519c671bba92fa1de4917d1034033154c98f5fe59fa8a6a77504e2238fc550d26216184e8f3ef4ac45ff7a114a6177b204960 |
C:\Windows\System\XlbkOHE.exe
| MD5 | a3bc32827123f39cd7c8b1888e0f1a45 |
| SHA1 | ab701a42d96456d8a296e231eeebf3441d9a04cf |
| SHA256 | ed9283ee7df0ffd5b4b8aae49add6c70e79c28e77a7568b9de349030594b4259 |
| SHA512 | a44791ad6e7992e4b9dd8375cd7f6fe75a505f60b9a511f0776369f7d27a553c87b086781aaf8eaf03707644a9395ef0f4fb8fed7998b90cc4d6f74aaa4819ee |
memory/2000-90-0x00007FF63E570000-0x00007FF63E8C1000-memory.dmp
C:\Windows\System\EgWpCTY.exe
| MD5 | a9c481f5416b618003cd30e483d88c02 |
| SHA1 | c9fec9fe22692c60283300adbf333a5834eb96f5 |
| SHA256 | 850742abafa0826c5f494f0ca044263f3198e83754dc089a80773d3cad8b7af1 |
| SHA512 | 8908016cd93805cddbeb3ef176777b18b22c430874ec9f553545b9e069625fcfe451d5e667367dbce704fa2a7ac9e591040cf4bb07654b4e21ffb88443f94987 |
memory/684-111-0x00007FF653B90000-0x00007FF653EE1000-memory.dmp
C:\Windows\System\LcOjWiB.exe
| MD5 | 0e1c488c8536dfa59b3bec8893e4d525 |
| SHA1 | 43322f50b8b9769136d79095a32450cd77d9727f |
| SHA256 | 1406f4bbb980d48093579c72465e759d3cadd8717b871147eb37705fbe955911 |
| SHA512 | a94dffdb85a5943dc2ce6fddfb8e41eaf57517cd32b56a8362da5359c3fd00d5eedc80ffbbc25ece33f2625b06244bb67afb28fdd42b2dbf37d44d6170de7c50 |
memory/4584-105-0x00007FF67F380000-0x00007FF67F6D1000-memory.dmp
C:\Windows\System\IXJeTnV.exe
| MD5 | affa568ac7102ff8f3bd5883eb3be165 |
| SHA1 | 5b271e28ce037e7754a68f82286ea719569f1372 |
| SHA256 | 9939f79cf03439f22d9e04e3a48b7a03cb3e035e88fbe9a27e3bce7956e1961b |
| SHA512 | 889fbe934b67d991e8b9c8fb010442d31526fb0cac41e985833facbb28b1bf8fee294446878d640e2c05f1d30de891392959b2c56f11edbd9a79cfaa68825f6b |
memory/1512-102-0x00007FF7DE6B0000-0x00007FF7DEA01000-memory.dmp
memory/4868-101-0x00007FF72BB00000-0x00007FF72BE51000-memory.dmp
memory/4408-97-0x00007FF620910000-0x00007FF620C61000-memory.dmp
memory/4328-96-0x00007FF7FD0D0000-0x00007FF7FD421000-memory.dmp
C:\Windows\System\gJbMZSR.exe
| MD5 | 66195e414900fc85d67a9a6a5d83f431 |
| SHA1 | 1be1e244593d61b208139d0313a456160817a0f5 |
| SHA256 | 15a66325a247888880a4d8678423fcd6fff9e5137762caabe817661338367f0d |
| SHA512 | 7331fb218400ff0503f9b0d30c84fc1b116a42160bb1a1041fd462fe7118a45f1d268aac00d0e039916e5da3f9cb135eeaf1e42b78763073eb82eea2a2498deb |
memory/4908-122-0x00007FF6F0050000-0x00007FF6F03A1000-memory.dmp
C:\Windows\System\OQnspwT.exe
| MD5 | c2a5b95721186f51dee54a9640d21c17 |
| SHA1 | 0b78a03100d4586c4e381558b8324159eef4bf41 |
| SHA256 | e3e297b3184f11bb947f0b5714058bc1a32fb0f646cadb7b70f7e37f7dd5328e |
| SHA512 | 2ee0000b56816a27b9f3dcf581666406095cd567076f6c6631efff9ab4b1f1de50d4fb70fd977524bfdcd75281c4b2a5187a3f08c7def7c3393106c2b7b23a2d |
memory/1180-127-0x00007FF742650000-0x00007FF7429A1000-memory.dmp
memory/1968-126-0x00007FF662080000-0x00007FF6623D1000-memory.dmp
C:\Windows\System\WGkPYlk.exe
| MD5 | 14c5eae72f11bd5e5b0ac4fd07f6dd8b |
| SHA1 | b6ec91abc213b2acd4a87a87e72a979daab5f51b |
| SHA256 | 57b06967283f334b6c30a7464d9baf1db5c498ac51ec05fd60222f37a60d5d5b |
| SHA512 | 148a10afed5a2bcfac28a86c2d5f54ba9fc7e8ce8e959603a103826c8d24da5e1a64becc3d784b146186665477eca6380fe87e2652cba7ab305614e1497e9931 |
memory/4020-123-0x00007FF7B9CF0000-0x00007FF7BA041000-memory.dmp
memory/1600-118-0x00007FF65FA00000-0x00007FF65FD51000-memory.dmp
C:\Windows\System\auMFqHO.exe
| MD5 | 6668f979dcd078e12112f0d5f5227b1f |
| SHA1 | 364d23003e8c4711b6fc05da7b6a224d3621fd42 |
| SHA256 | ce6bd26a1bff22b558d051749a17856e0128befb77a2ebf0df8878aa9e5f802b |
| SHA512 | cb172cab31c6a7d9da8115603b406fed2ffaf0cd564818c1b6517c3e898eff75c0c08b1ff50e6abef48d7674f6a70af7c94aeb77f06589f2c04d0f411c1a9853 |
memory/2056-133-0x00007FF786F70000-0x00007FF7872C1000-memory.dmp
memory/1512-149-0x00007FF7DE6B0000-0x00007FF7DEA01000-memory.dmp
memory/3676-153-0x00007FF70C120000-0x00007FF70C471000-memory.dmp
memory/4908-152-0x00007FF6F0050000-0x00007FF6F03A1000-memory.dmp
memory/684-151-0x00007FF653B90000-0x00007FF653EE1000-memory.dmp
memory/4584-150-0x00007FF67F380000-0x00007FF67F6D1000-memory.dmp
memory/1180-155-0x00007FF742650000-0x00007FF7429A1000-memory.dmp
memory/1968-154-0x00007FF662080000-0x00007FF6623D1000-memory.dmp
memory/2056-156-0x00007FF786F70000-0x00007FF7872C1000-memory.dmp
memory/1784-202-0x00007FF64C990000-0x00007FF64CCE1000-memory.dmp
memory/1188-204-0x00007FF7848B0000-0x00007FF784C01000-memory.dmp
memory/2000-206-0x00007FF63E570000-0x00007FF63E8C1000-memory.dmp
memory/2524-208-0x00007FF6EFB20000-0x00007FF6EFE71000-memory.dmp
memory/1260-210-0x00007FF6DB650000-0x00007FF6DB9A1000-memory.dmp
memory/736-212-0x00007FF68BA90000-0x00007FF68BDE1000-memory.dmp
memory/4020-215-0x00007FF7B9CF0000-0x00007FF7BA041000-memory.dmp
memory/1600-216-0x00007FF65FA00000-0x00007FF65FD51000-memory.dmp
memory/1388-223-0x00007FF636490000-0x00007FF6367E1000-memory.dmp
memory/1368-225-0x00007FF7D2220000-0x00007FF7D2571000-memory.dmp
memory/3808-227-0x00007FF661DA0000-0x00007FF6620F1000-memory.dmp
memory/3676-229-0x00007FF70C120000-0x00007FF70C471000-memory.dmp
memory/4328-231-0x00007FF7FD0D0000-0x00007FF7FD421000-memory.dmp
memory/4868-233-0x00007FF72BB00000-0x00007FF72BE51000-memory.dmp
memory/4408-235-0x00007FF620910000-0x00007FF620C61000-memory.dmp
memory/1512-237-0x00007FF7DE6B0000-0x00007FF7DEA01000-memory.dmp
memory/4584-239-0x00007FF67F380000-0x00007FF67F6D1000-memory.dmp
memory/684-245-0x00007FF653B90000-0x00007FF653EE1000-memory.dmp
memory/4908-247-0x00007FF6F0050000-0x00007FF6F03A1000-memory.dmp
memory/1180-249-0x00007FF742650000-0x00007FF7429A1000-memory.dmp
memory/1968-251-0x00007FF662080000-0x00007FF6623D1000-memory.dmp