Analysis Overview
SHA256
271bb6abf65e6cb24fb3f383d69a6e701278a6cf09ab50e05f37017bdb29b36c
Threat Level: Known bad
The file 2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 09:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 09:45
Reported
2024-05-30 09:48
Platform
win7-20240221-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tnzxOpj.exe | N/A |
| N/A | N/A | C:\Windows\System\kRMreQH.exe | N/A |
| N/A | N/A | C:\Windows\System\WvONLQs.exe | N/A |
| N/A | N/A | C:\Windows\System\QphDJDr.exe | N/A |
| N/A | N/A | C:\Windows\System\YoTiwjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\HpMfgqx.exe | N/A |
| N/A | N/A | C:\Windows\System\bMPhZtb.exe | N/A |
| N/A | N/A | C:\Windows\System\HwvoPeA.exe | N/A |
| N/A | N/A | C:\Windows\System\KFuPlRJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GBXoTbx.exe | N/A |
| N/A | N/A | C:\Windows\System\aUHgJUC.exe | N/A |
| N/A | N/A | C:\Windows\System\JZBIkir.exe | N/A |
| N/A | N/A | C:\Windows\System\HObKDZL.exe | N/A |
| N/A | N/A | C:\Windows\System\qnczIdi.exe | N/A |
| N/A | N/A | C:\Windows\System\YuNsJGI.exe | N/A |
| N/A | N/A | C:\Windows\System\sUKFgQR.exe | N/A |
| N/A | N/A | C:\Windows\System\kjKvVnX.exe | N/A |
| N/A | N/A | C:\Windows\System\gASJbtk.exe | N/A |
| N/A | N/A | C:\Windows\System\nxRXpIh.exe | N/A |
| N/A | N/A | C:\Windows\System\qEtRZgY.exe | N/A |
| N/A | N/A | C:\Windows\System\KsejixU.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\tnzxOpj.exe
C:\Windows\System\tnzxOpj.exe
C:\Windows\System\kRMreQH.exe
C:\Windows\System\kRMreQH.exe
C:\Windows\System\WvONLQs.exe
C:\Windows\System\WvONLQs.exe
C:\Windows\System\QphDJDr.exe
C:\Windows\System\QphDJDr.exe
C:\Windows\System\YoTiwjZ.exe
C:\Windows\System\YoTiwjZ.exe
C:\Windows\System\HpMfgqx.exe
C:\Windows\System\HpMfgqx.exe
C:\Windows\System\bMPhZtb.exe
C:\Windows\System\bMPhZtb.exe
C:\Windows\System\HwvoPeA.exe
C:\Windows\System\HwvoPeA.exe
C:\Windows\System\KFuPlRJ.exe
C:\Windows\System\KFuPlRJ.exe
C:\Windows\System\GBXoTbx.exe
C:\Windows\System\GBXoTbx.exe
C:\Windows\System\aUHgJUC.exe
C:\Windows\System\aUHgJUC.exe
C:\Windows\System\JZBIkir.exe
C:\Windows\System\JZBIkir.exe
C:\Windows\System\HObKDZL.exe
C:\Windows\System\HObKDZL.exe
C:\Windows\System\gASJbtk.exe
C:\Windows\System\gASJbtk.exe
C:\Windows\System\qnczIdi.exe
C:\Windows\System\qnczIdi.exe
C:\Windows\System\nxRXpIh.exe
C:\Windows\System\nxRXpIh.exe
C:\Windows\System\YuNsJGI.exe
C:\Windows\System\YuNsJGI.exe
C:\Windows\System\qEtRZgY.exe
C:\Windows\System\qEtRZgY.exe
C:\Windows\System\sUKFgQR.exe
C:\Windows\System\sUKFgQR.exe
C:\Windows\System\KsejixU.exe
C:\Windows\System\KsejixU.exe
C:\Windows\System\kjKvVnX.exe
C:\Windows\System\kjKvVnX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2960-0-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2960-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\tnzxOpj.exe
| MD5 | 2b48e493a97283113d95d7ecc45a05b5 |
| SHA1 | a6c390a2676e31ca8e60ec80ad1d8f73a58bb642 |
| SHA256 | 2001c54b83d4e9bc4750cf50a6bc29db33e633d695580124ebb2c426b145cfcf |
| SHA512 | e90c1f8c76ec9e55d2154d376e87714a9e269564d738138e8b4ab4d6e23cdf8be4bc62466e23206ad2ed1df0d0d86fa64c6c08c4d05b826c0375a4567e4ac281 |
memory/3056-9-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2960-8-0x000000013FC20000-0x000000013FF71000-memory.dmp
C:\Windows\system\kRMreQH.exe
| MD5 | 16e90297b6bf56bfe899bd75bb02a87d |
| SHA1 | cba85c53e54dbca82dea9f64a3a3e9f49a726537 |
| SHA256 | 000cc152151ece63b9733b9800311ba1b2194707ac5812f0493a44fe67f36645 |
| SHA512 | 27e159abae650c69284e5a08da980d4277f01db818876fc4dd49e30751f5084f51e6371725b5afad0f9355a895fe1b4760f3e723828ac7d2638c03b67b123f54 |
memory/2156-15-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2512-23-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2960-22-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2960-14-0x0000000002350000-0x00000000026A1000-memory.dmp
\Windows\system\QphDJDr.exe
| MD5 | 4e305ac434b1ef63b62aa8ef6fad04f8 |
| SHA1 | aa4601d89cc0bb3cce4954f5183a631f3a100028 |
| SHA256 | cc0af98f2a60eed9c6924910306630bd3793d9632e4c9dc8ffa2ab0b691ed827 |
| SHA512 | 694826e83591f614d6088f2eff588a1ee91339ebab2d7bfe23d923ec48bd173f90f93f2c2ccd6c68ef661a6b2b4d66eddbe12060545f5ecc3fc037ae342962a8 |
C:\Windows\system\YoTiwjZ.exe
| MD5 | 8db8c7df22246335acbb22451995a8c6 |
| SHA1 | bd0a5ff8cdd7d828359625867b0ec36afbc46160 |
| SHA256 | 224a5bcf335d0b336cddfbde2c9e54f50d7478b36911719b217d6436fcd1b4de |
| SHA512 | 84e51a57c3d26a7cdb3908a1a0546b6f6ecacdafb372b9604ded2b50db4ce827f4316f06330c8cb6ff146ef0111c67812cc81b3aa416733310a038b2a5a90807 |
memory/1728-29-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2576-40-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2960-52-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2580-53-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2760-58-0x000000013F5B0000-0x000000013F901000-memory.dmp
C:\Windows\system\GBXoTbx.exe
| MD5 | 217c2cbf8f7656f3058c7fb5548f84a4 |
| SHA1 | 7c85263eaf50ecff0df5d83a4226133dcfeccbab |
| SHA256 | bc3f29712dffd8474b89b8bd667ac9112edb4164e3a4c8b2a6508b344ecddc78 |
| SHA512 | 897beda1d09b0dcfa2e93f9290030c2ef6ddb10cd9af678c47f5c33dd87c1f4a0d7491d610bc2f086776371d880ccfaec9f39175935d51cb08a2b72f18d99339 |
memory/2588-63-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2424-68-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2156-73-0x000000013F240000-0x000000013F591000-memory.dmp
\Windows\system\gASJbtk.exe
| MD5 | b7ccbffa1f5025f6a55f9f8595d60e79 |
| SHA1 | 59f67030d8dabfc6cb155ffa07cd59e48932fdaf |
| SHA256 | a2abf7cd40957a3a11d7070c3eca20aa9e581e433892a3ff8d270436e21c612b |
| SHA512 | a8aba2683528f5fc409a8a818604b9f9856f5775ce021cb87bf949640f6a2c0f83217b11bb2b1bd61375e62740693318adfae039f9c43284e9be41d7f03ab40d |
\Windows\system\KsejixU.exe
| MD5 | 3b9a3ba8e082df331f2cb7be04555a1a |
| SHA1 | 846a7e5e534fdf7fa2e21c9610c1989e6f24b6e5 |
| SHA256 | b7ea32b9b848e05ab547ddcd7b3b3191a576a8299ef73e2a9a9b1c8d0356111d |
| SHA512 | 6aac5a9836cee43844f6a8807c12a09522f6979df317411ca15a9be6cfe165800b423828a336512f5bf605f8f30f99fe7f6faf994ad50ee8370e19c629fa3d42 |
C:\Windows\system\YuNsJGI.exe
| MD5 | cb6cf1ecf389d85e53f6b0cfcc6ba8f6 |
| SHA1 | e4f1c71784f2ee00510d0941cb62183fb6397e58 |
| SHA256 | c43578c32e1ff6dc2575fd2162363fec09262c8629f2e0134fbe3dbbd3e05824 |
| SHA512 | 9b746974fd1858c4a4617a3472640f9b94e95862081111a10c7e70d2c1adfbafdbf97b7cec02bf50a558c12c2343f78da468aae340cdd85eafc2cf6f8ac23cb6 |
\Windows\system\qEtRZgY.exe
| MD5 | b8f858ed44eddfd8311542a460a67a84 |
| SHA1 | 3e550f6615606bc82cfe02c782470588f1225b94 |
| SHA256 | 8fecf7635e8fd4d5be50f4d3394aeca27fae1fb2fa8c29ceba207423a81eb26a |
| SHA512 | e4cea4247511a5e308e5992ea10b52c1cd6f1b2223ca3aad4f3967dd572e1a0c70b3e7fa5804e8bf9531d605195348432685581edb9708f32f1fcab393bb6a08 |
memory/2960-94-0x000000013FC90000-0x000000013FFE1000-memory.dmp
\Windows\system\nxRXpIh.exe
| MD5 | a516be3abff37fc58385eed5c9e93de4 |
| SHA1 | 98a56040f5b9fab557536a77650705a918ecb035 |
| SHA256 | 50a3fa93c1736db2e4d596ade37d5659a0b3f25099e2c06be65a33f2716ea372 |
| SHA512 | 29041e43c852f4192362df6c952c13ae464782f572d03284d3318764bda2a6560cfef30dfb8f9b8c432f74f0f0324995f246ee92afde3bb5aabd28c72b80c4e2 |
C:\Windows\system\kjKvVnX.exe
| MD5 | caa573ef95beb6bde4c091983892ef24 |
| SHA1 | 7ca0015bda2da34fce4798190bb230855678d483 |
| SHA256 | bf723189ade871425691b99775e9d6b5473216be1fe761219640cf9bf57d9012 |
| SHA512 | 462fc0617e0376384035a3903345b18929e4aa7664fd42e9ccc34d4148f43976804c6ca088fe19f001a3333b3bf5fa7d9810858d67cc534704a61df1976b8a05 |
C:\Windows\system\sUKFgQR.exe
| MD5 | cb912fd29310d626a67d94935023f9bf |
| SHA1 | 4255dc501f7f5898dde1994a8b7262cf173bc45d |
| SHA256 | 1a6ae772f57c69793a4cc0f65db78956cc2ffeb1d1c85fdd1c8eb4d69e650e52 |
| SHA512 | d14601618c89ceb5412608a0f75b376a2f6a7e09cbc62edc88b7ba005b1f11910b1844920a09393018893adcce4e1878e22f919c76c66743fbc94257734847eb |
memory/2484-75-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2960-74-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/1856-98-0x000000013FC90000-0x000000013FFE1000-memory.dmp
C:\Windows\system\JZBIkir.exe
| MD5 | e11fe36d11f3a3bc6ede7b24b7045e4c |
| SHA1 | 38e9fa8e4d4dc4d179d9e60fa52dde70b925eea1 |
| SHA256 | 0b8c3d8720eefdc946713a904cdda64b05d692092378f67aa4be78a9406c4418 |
| SHA512 | c80652c97dd8370456c86384faa3448b33f6cc7c438e88e828aa2e3e4e9d457ba243b90c6bbfa89ddf74bdf6e4f4e1b678999858b6941f01ba14c44bc0657f92 |
memory/1728-90-0x000000013F6B0000-0x000000013FA01000-memory.dmp
C:\Windows\system\qnczIdi.exe
| MD5 | 1d10c25e6a8b60c0553d87e30cd60933 |
| SHA1 | 8a71790c24dd05da677dc1927fbb13680e07b351 |
| SHA256 | e720a23790a72b22734bb2a6b77f7f28647544ba4d15bb45cb75e56f9bbb3f1f |
| SHA512 | 75e09d308e555878fa35ef255bdab0095f8a67d5fb5f5cd4b3d6bd01c353f6a86f17ca83aa1eed7976fafcdb296cfc6616fbf5cdf10c77c6c0462524d54885fb |
memory/2960-88-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2464-87-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2960-86-0x000000013FC80000-0x000000013FFD1000-memory.dmp
C:\Windows\system\HObKDZL.exe
| MD5 | ddfe4560efc5822c95b7361748c7d4c3 |
| SHA1 | 0d27313b5beb2ec2cda6b4ed70e377a445cc8567 |
| SHA256 | eab632202f41dcbf215a9f45f88755ecb66332f0fbcd02a00b76e8ea11ff3083 |
| SHA512 | a9abc14ce259db8e53991065cbd9aff14da92ddf3bf14f663c408e68f80c3d47b7512dc5b1b84b99b8b7ac06f2671bdfd5ebffb81c8353148a0c831726c74985 |
C:\Windows\system\aUHgJUC.exe
| MD5 | 4dc4c05f61ac322080b65852e861281e |
| SHA1 | a83e6693182416cede21416c0f0b660f6f0e97c6 |
| SHA256 | 63f4f053f31d463da88ab8f3eede814806dc348028d783076c19fafa3809f650 |
| SHA512 | ce73524391e016f64ef003d59de4c683466333a4f6b0f101e969b8354d362e484962d3f797e50f097438e85cde95adddd783130cc6c99129100f02feef43054b |
C:\Windows\system\KFuPlRJ.exe
| MD5 | f89e2fce7a0fe4b560fc95274a3b1a9c |
| SHA1 | 4f444a875df393c0efebef8941e6312f74c68c6c |
| SHA256 | b8692dcd0951a1bbd04d203dd3e85db9ebb72a225781c8dfc67d8e3501a22725 |
| SHA512 | 5470e0808d8d27e7c05d223e1bbbc0e9ac336754437b48b8505fa9eca8e5a0f8927580c7193e27c87dcea483e46eab867e5842d7e51eaac1e5f3a59ac7c75917 |
memory/2960-51-0x000000013F530000-0x000000013F881000-memory.dmp
C:\Windows\system\HwvoPeA.exe
| MD5 | 4622ca6be63432e17936b3c0d43a5570 |
| SHA1 | 25d15fb11664b9ca474fd47ea91eff46106b78d1 |
| SHA256 | d57f35f1680e9fd38bb5b7648759f2c35b3c3fdb9a24486bd13df062f83e37be |
| SHA512 | 090460aad769693b724c0d2e54bc3bf6adc78af8bd876cf1fd3b1dc3555dbb0d28e833f9a58530d662806dfbc78cee70408c5642e6ed6024c9c7db741de4c528 |
memory/2688-46-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2960-45-0x0000000002350000-0x00000000026A1000-memory.dmp
C:\Windows\system\bMPhZtb.exe
| MD5 | e15cfdb6f3a68ce42a01535c4dce616e |
| SHA1 | 64564c7082d97ffffb91de5c2d38f8290f0b2eab |
| SHA256 | 4b65c60dd30e983959bcdd56225ddab590a16292074ee52c5d509b97c38d9b3e |
| SHA512 | 8671a911b4d040b4761f8ebf505a3694e2fd405d00d4028b8bdafb191d54bee51b6c462ccf9fc34660f4bcdd38da8edb535fa9c3b344e853bcca3ae208b8dd6e |
C:\Windows\system\HpMfgqx.exe
| MD5 | 1435a043d5b2c2547aa86fb943de410d |
| SHA1 | dfe3d0faebdca1020c13144342bb26f515fff94e |
| SHA256 | 82d020fb164f74af9fe83bf839eca9bb6f535142761d06afbd8a6cb57da9a93a |
| SHA512 | fefd805b325f94a361f790101d50bde10723af28be5155ca56fadff2c068e67aa8cc39939d39b2ba1a467c85c0236b1ae2340cd7c407a67dae8934268363dc8d |
memory/2960-28-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2644-35-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2960-34-0x0000000002350000-0x00000000026A1000-memory.dmp
C:\Windows\system\WvONLQs.exe
| MD5 | 94d3930478b78774eb802acd8e29c752 |
| SHA1 | 31ee85083f1df73683870d11e6847d7928259fe8 |
| SHA256 | 7a2f917146cd8a23e6a605da2c253f7e5a153326d2d695f0e2e1f73f1cac8339 |
| SHA512 | 9c3c0641495797e448b7bd88c22c5898e93001cff0d232de098966c86fa0450f4486a7728f22f08dbb1a3c65d087595e3afb9a209cfc6e646b3552e5daec8230 |
memory/2960-135-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2688-136-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2580-137-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2960-138-0x000000013F530000-0x000000013F881000-memory.dmp
memory/1728-142-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/1856-153-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2464-151-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2484-150-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2424-149-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2588-148-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2948-152-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2760-147-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2576-144-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2644-143-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2740-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/1604-159-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/1772-157-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2664-155-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2692-154-0x000000013F030000-0x000000013F381000-memory.dmp
memory/2308-158-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2960-161-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2960-160-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2960-162-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2960-184-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/3056-208-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2156-210-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2512-212-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1728-233-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2580-239-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2484-237-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2644-236-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2576-243-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1856-242-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2588-247-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2760-253-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2688-249-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2424-256-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2464-258-0x000000013FC80000-0x000000013FFD1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 09:45
Reported
2024-05-30 09:48
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pLXKwOr.exe | N/A |
| N/A | N/A | C:\Windows\System\QiTrchS.exe | N/A |
| N/A | N/A | C:\Windows\System\nEfiuFp.exe | N/A |
| N/A | N/A | C:\Windows\System\qpvtobG.exe | N/A |
| N/A | N/A | C:\Windows\System\AFWnbKW.exe | N/A |
| N/A | N/A | C:\Windows\System\xYhjKQk.exe | N/A |
| N/A | N/A | C:\Windows\System\RbaxhDS.exe | N/A |
| N/A | N/A | C:\Windows\System\poKkSTW.exe | N/A |
| N/A | N/A | C:\Windows\System\IVCAErH.exe | N/A |
| N/A | N/A | C:\Windows\System\uaGfRWU.exe | N/A |
| N/A | N/A | C:\Windows\System\DIbPWhH.exe | N/A |
| N/A | N/A | C:\Windows\System\JzFaEAJ.exe | N/A |
| N/A | N/A | C:\Windows\System\AGLyaTZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EuMeUON.exe | N/A |
| N/A | N/A | C:\Windows\System\rOrBFOG.exe | N/A |
| N/A | N/A | C:\Windows\System\eZlTiZe.exe | N/A |
| N/A | N/A | C:\Windows\System\IlHBnld.exe | N/A |
| N/A | N/A | C:\Windows\System\tAOJRHT.exe | N/A |
| N/A | N/A | C:\Windows\System\znSsqpA.exe | N/A |
| N/A | N/A | C:\Windows\System\vIwFuBX.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpCYNcG.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f2b0e68bf08f9fcfbd57e9f21aff5dc1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pLXKwOr.exe
C:\Windows\System\pLXKwOr.exe
C:\Windows\System\QiTrchS.exe
C:\Windows\System\QiTrchS.exe
C:\Windows\System\nEfiuFp.exe
C:\Windows\System\nEfiuFp.exe
C:\Windows\System\qpvtobG.exe
C:\Windows\System\qpvtobG.exe
C:\Windows\System\AFWnbKW.exe
C:\Windows\System\AFWnbKW.exe
C:\Windows\System\xYhjKQk.exe
C:\Windows\System\xYhjKQk.exe
C:\Windows\System\RbaxhDS.exe
C:\Windows\System\RbaxhDS.exe
C:\Windows\System\poKkSTW.exe
C:\Windows\System\poKkSTW.exe
C:\Windows\System\IVCAErH.exe
C:\Windows\System\IVCAErH.exe
C:\Windows\System\uaGfRWU.exe
C:\Windows\System\uaGfRWU.exe
C:\Windows\System\DIbPWhH.exe
C:\Windows\System\DIbPWhH.exe
C:\Windows\System\JzFaEAJ.exe
C:\Windows\System\JzFaEAJ.exe
C:\Windows\System\AGLyaTZ.exe
C:\Windows\System\AGLyaTZ.exe
C:\Windows\System\EuMeUON.exe
C:\Windows\System\EuMeUON.exe
C:\Windows\System\rOrBFOG.exe
C:\Windows\System\rOrBFOG.exe
C:\Windows\System\eZlTiZe.exe
C:\Windows\System\eZlTiZe.exe
C:\Windows\System\IlHBnld.exe
C:\Windows\System\IlHBnld.exe
C:\Windows\System\tAOJRHT.exe
C:\Windows\System\tAOJRHT.exe
C:\Windows\System\znSsqpA.exe
C:\Windows\System\znSsqpA.exe
C:\Windows\System\vIwFuBX.exe
C:\Windows\System\vIwFuBX.exe
C:\Windows\System\ZpCYNcG.exe
C:\Windows\System\ZpCYNcG.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.227.11:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1848-0-0x00007FF62DE20000-0x00007FF62E171000-memory.dmp
memory/1848-1-0x0000016CCF620000-0x0000016CCF630000-memory.dmp
C:\Windows\System\pLXKwOr.exe
| MD5 | 5ac7c5093daa3417a0d07c3a9dbc70c5 |
| SHA1 | b098ae707bdec473c668e9c8cdc09b69f2b0a185 |
| SHA256 | a4d763a09cbee43dd114337d66df5cf7768d290ec678fa1d1f104d45a0b8c038 |
| SHA512 | 6191269070a14e61ab5a936a8a7d67274ed756bac6590f53806983df807caeba2df0547caaddae94aaa3590bb67b495cc5aa8ad06892d315ba88ce0b630d78e8 |
C:\Windows\System\nEfiuFp.exe
| MD5 | d8d0681a0ba93c43cfdc35f2c0f658a7 |
| SHA1 | 0e8d323863d1661d6e6501a4a2cae207159446ca |
| SHA256 | 6ac71afc9abf851d6e9c9742c5cf5b39d63ceba87c0642fc140a57034dc5a47b |
| SHA512 | 977622ccf9f93273e6a089804e1e40df2fa5ef2be5cdcfdf380051958ddd2a6437dd5df421a88a187ca4d5acecb50e1aff00fc530ac0f06fceeb3c848d0bcf9a |
C:\Windows\System\AFWnbKW.exe
| MD5 | 12442cc2c19a710853871c0034fe815b |
| SHA1 | 4a5dd05f7f893ce8eef7b6c2fab52e40567fbff2 |
| SHA256 | 9b88c5d66a8f713d70fd2687bf51d4d39e8dfdea07a1ff7521a676a6dedbcbc3 |
| SHA512 | 755c7be927eefeb42c4168d2f409126445dd030f136761ad235dc8f633a81b0aa609b053d50fe19ae720fde2e555479ffe3746c7ad2052a9423973aad04ebd90 |
C:\Windows\System\qpvtobG.exe
| MD5 | 9251dc56bcf4e93c80c9358c3297a73d |
| SHA1 | 25a17d4306d661b7392c3f1163e3a1d3c55f8fc1 |
| SHA256 | ce63474c3a45936725a27c443c307c9f210d0a4fd108afdf85ffadab559b949b |
| SHA512 | 5316d37f9260ebad5425e9ba48f94376cce302e565d1c61f70809ebbcf1792c31a4f66d1ef30770fa5953f4f6e0bb2dbdf64899d64aca4ef644d91b2a623fdb6 |
memory/2732-45-0x00007FF7B8E70000-0x00007FF7B91C1000-memory.dmp
memory/3452-58-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp
C:\Windows\System\uaGfRWU.exe
| MD5 | 78d91efc4064e70cd8f7111921ce59bc |
| SHA1 | ce34831cf29b0367294b859047bdbc3f195730bd |
| SHA256 | 86e38bb8be0dc971727dceb9c33b91e5eb21ad2a7f5111e3cfb74e62761c0eaf |
| SHA512 | d7432047147e6d4b14a2d11847cb0e148cbb5071ac1f965ba6689f422cca4349c9309db2ee3804722f7b7e2a355a0ea039574dcacbdfcbe3cbb1d66615ba8fca |
C:\Windows\System\IVCAErH.exe
| MD5 | b8b3735efbce02f8690fd838c712272f |
| SHA1 | 3e7baf28905471e1ad0147cecb0eb33331dbfd9a |
| SHA256 | f8ac6017f9bf860389c2da12b63c7864e6b8fb9245e49b3e29a4f74fc683a169 |
| SHA512 | dbc198f75ac1b61fc3ac89b3069f392883d19b21d8a9b3ed244f878c8716bd8c00a706c7e898c327f74fad6823eb4cea6b6776ce1503d56c4fdadf5a41e04df8 |
C:\Windows\System\JzFaEAJ.exe
| MD5 | fa7b21c2ab39aacfc18ac5c67a942c42 |
| SHA1 | b664190d4b979f26501a38a2f9b330da4028fa50 |
| SHA256 | f534118865e73ee975409ccd6b03aac98627677c65528da3f465cf53c4d0eeb5 |
| SHA512 | f0340350652635adaa6f38b968d16b44b91ba23469a45086e5787364cf5dfed02c2ecc1d5e4c1bc0d7148d2c7bbfa636c9970822a8daae171e9721d772b24497 |
memory/856-84-0x00007FF7B7200000-0x00007FF7B7551000-memory.dmp
C:\Windows\System\EuMeUON.exe
| MD5 | 747ae85a4e2ac90d497c4a3e01452ffd |
| SHA1 | 7494ecc440c9ba4e3a093f05ef034d2e5b5db24f |
| SHA256 | fc5b37aff48770e21ab816559447752f3e385dfbb9b6ae2c2b0a37be9b1eeced |
| SHA512 | 979335c15e10bfe307049e3f08cadecf392e9ce474d7a3b98ec54832ff1be6f9b7a0cd39c4fb872ab5ba22b8b167713edb20e05b5f3cc130c2dc32c4d490d44c |
C:\Windows\System\eZlTiZe.exe
| MD5 | c832790b24a4a5213f1a3b2d5169ece3 |
| SHA1 | 04a12a91a72aa12ff9a80e8ad6886b80f2232c73 |
| SHA256 | e0b811edb16fd1822173c2f76283bc1ed2ef338fbc9932ca62273a4f6f594999 |
| SHA512 | d66f8d9adc0525c433fa2b63ed4c28d8bd620d0f9c225075c660ad8cbd3e7b2fc530217839c90da0854d71f969ffc64c5504efac5f1f59c7fc33fe32d5e802eb |
C:\Windows\System\rOrBFOG.exe
| MD5 | 567433f8378e0e9953387035c080b976 |
| SHA1 | 628ca425e6359824cb4d7b5d1ee7884bdf03a6cf |
| SHA256 | 5e6b58a99d858442344a1c2a9707ab5cc6cca50d9e707c901bc25f65e6d0ea5b |
| SHA512 | 78034a5d424d01b94e401d1aeaa2f203ee809c7fc94525569b520d36f2ef18b3b91108ad40d859b58dcd2c4a72e147386eeabb5581b3b48022e0c134cfa361b3 |
memory/2336-90-0x00007FF6509D0000-0x00007FF650D21000-memory.dmp
C:\Windows\System\AGLyaTZ.exe
| MD5 | de94681a2387564df84a993db767d5b4 |
| SHA1 | 5a0482a33ba203f1f52f5d8936831b08dcc27bba |
| SHA256 | 049e2550514a3b53460470e55020bbd325b9b7456ed3d3342d8edb9c9a1f843a |
| SHA512 | 9fbaaecdecc4e58e867283c6c015884bdffbfeafa9b3ab3c711603f9d7f4569803ab7bfe04f69f928ac80c54a1a4e31b5def6052a665b02f653a23902808ab9a |
memory/1428-85-0x00007FF6C07B0000-0x00007FF6C0B01000-memory.dmp
memory/804-83-0x00007FF6B9980000-0x00007FF6B9CD1000-memory.dmp
memory/4976-79-0x00007FF6EAF50000-0x00007FF6EB2A1000-memory.dmp
memory/3416-77-0x00007FF759CD0000-0x00007FF75A021000-memory.dmp
memory/3504-70-0x00007FF674C50000-0x00007FF674FA1000-memory.dmp
memory/2884-69-0x00007FF62F080000-0x00007FF62F3D1000-memory.dmp
C:\Windows\System\DIbPWhH.exe
| MD5 | 4fa2ffccbce593c2ce1ed44a59ee3a4f |
| SHA1 | 414aa5f33f6a7c396577fe036f932d3cff763de1 |
| SHA256 | 48c98d64464c69f4487a94169c1fbabfd5a526b138933136e6985e96fa6f11d5 |
| SHA512 | 2c623e0bb774560620ea41ce3ee2d4a8456aa122ecf80194221f82130cf1dd622d37a1a8e6d11b4a160d6bb0bbab1eeb10dd9ac430328837682013db76a31f67 |
C:\Windows\System\poKkSTW.exe
| MD5 | 2433ba6519c3a7f3b4cbc8a8a6065765 |
| SHA1 | b61de995e4af745ee1ece296fbc5fbf9e1a1cc37 |
| SHA256 | 4d3326edcc01f5597e14577061a54c8584e1fb83bcac30e37d4f76c08252a47a |
| SHA512 | c4c5a8af4e7b45e03a27ddeafe023bcfa9227aa90a4ac82d08bf27bc386287ce09a6cdf42b66deb620d38645556d7bf064f80002e3782f97c5615733aab9fb99 |
C:\Windows\System\RbaxhDS.exe
| MD5 | eba41ed13b5a9450bc1854663311f29e |
| SHA1 | baa9952412db258c2750f0f1008ad8563d3e7f7f |
| SHA256 | a145ad5fef5b2b2e185ae236567434e355e9194f939df8f224b8295d35a57e21 |
| SHA512 | 7261c8261c226c1e51a3b99b5844283639125b925da47ab21a77b63cc2c02d4a8f96e77618cfa777e3d10bf3225aaab7227307753e13e116eece5f7e8d4a97e8 |
C:\Windows\System\xYhjKQk.exe
| MD5 | d02a0472143ae76775d1a2af78a06030 |
| SHA1 | a99e8a7774a12080e83ba4753a982aed100af48d |
| SHA256 | e7b7ed95e08d6f6a72cebda8612768b9060846efb6757607fb2c844cabc39f7c |
| SHA512 | 42c7801598287da6b283212b131377c4396cc1b55394e8bddf654ea05bff47221ba38f77a704768e6a42e39007a15a2204e048f82208dc7983b669311c5d00c9 |
memory/2548-41-0x00007FF6BCA80000-0x00007FF6BCDD1000-memory.dmp
memory/976-35-0x00007FF65DCF0000-0x00007FF65E041000-memory.dmp
memory/3028-23-0x00007FF6658E0000-0x00007FF665C31000-memory.dmp
C:\Windows\System\QiTrchS.exe
| MD5 | d4d45672afae8c62253e46e271cb48a6 |
| SHA1 | b85d4e0dc1ac2eee7f075a6ae3348fbf5b4ce10c |
| SHA256 | 56a073404a105f17c3e441714d986ac6e414cbcdcdd468b7354547faf59d6c05 |
| SHA512 | db03a74ca6a0d93f96da86501879ac8ca6e67e878b8480c8b2e033090a72d75bf89909f15310227576d2d55fd655f4bfa1bc09d312237fe2d452c7678c3159ee |
memory/1396-15-0x00007FF6BD3B0000-0x00007FF6BD701000-memory.dmp
C:\Windows\System\IlHBnld.exe
| MD5 | 99a13e0eeb8da58d8ff36e197843711b |
| SHA1 | cc78efcd03522e14897718c924862d5f5dfd4529 |
| SHA256 | 9430b4deeaf653619162810bd2a9ea06d62e4fd30883e15bd700c5c052d8018c |
| SHA512 | 53b9deb7f8b9fcd2ccf1770d0bbe1af1113c856eea6f9e8582ec2b2b7002d63ac93b039ed39bfb9c36492e7524e03a61a2b806ed23e6e0eb99efc44fc9605b0b |
C:\Windows\System\znSsqpA.exe
| MD5 | 1d9a5c3b4634fe397b21e0479536d25e |
| SHA1 | 59b1b9e215568199f22f3aaf0b67557989ce25a8 |
| SHA256 | bd1449559a4047618f5f2c8d782eba21e047b5a566c6dbad961f13d10cc963ff |
| SHA512 | 33bcccb5812531849f5fc2a18f12c751038a9e3ad3af5cf71e9e3e1c13b85982fc22b3677e0d1467f1405fbaf6303d5c2b30440f791d8de8e6b47e47c2a6765f |
C:\Windows\System\ZpCYNcG.exe
| MD5 | 0cf74ba17f89618fff1c69386f5b7480 |
| SHA1 | 32a387fb1fd20f33f31caedfef45b1e5a8129fa1 |
| SHA256 | 7db147811203dc28941af686dff1d1df22f2f624ffcef177ec56191253a40927 |
| SHA512 | 36e6fce3f419ed2d9d4e292994e64e7dd44161f77cc48289a1d0c7cb75c0bb2231e4f6a94b13328476a86b8b0e1c0ab9096696adf4b668bb510d399da1b3c014 |
C:\Windows\System\vIwFuBX.exe
| MD5 | 4c391b7b13dc3268072b5fb2b72d663d |
| SHA1 | 85da8c090ead9a30410191a75cce21e192469e5a |
| SHA256 | 5dd2b573354ef952c0f6953c67191f1d9ba8f66df37ac7e80c13bccbab7e39a5 |
| SHA512 | 3a438e55251e99d65d418613b132e857d47801fc6127034185c9f4e20551d2e9759e10afe4c512f0039497e5ad199156c5b4e9effd12f6ad1bb3aa2126c4d6b5 |
memory/1848-116-0x00007FF62DE20000-0x00007FF62E171000-memory.dmp
memory/3160-104-0x00007FF7E61E0000-0x00007FF7E6531000-memory.dmp
C:\Windows\System\tAOJRHT.exe
| MD5 | ff98c2400da76d3a3d4cea9cc1735945 |
| SHA1 | 6dfe0650a49ee2b9a9a89a1a900daf8d32c1ff55 |
| SHA256 | eb85883ee5bfea361ed252b0536536121401f233b29f09c2679ea3a4d50a3be0 |
| SHA512 | faef3f5a9f792c2e0e6c066203f51bdc2740c67b8786e16347d8ed5d759618705e73c637d1d70fc560e23b56b1a1ee456bb949facded0100ebce8fed430bc264 |
memory/2620-98-0x00007FF6080C0000-0x00007FF608411000-memory.dmp
memory/1344-9-0x00007FF668590000-0x00007FF6688E1000-memory.dmp
memory/5060-126-0x00007FF78F6C0000-0x00007FF78FA11000-memory.dmp
memory/4508-127-0x00007FF60DC80000-0x00007FF60DFD1000-memory.dmp
memory/4056-128-0x00007FF612E90000-0x00007FF6131E1000-memory.dmp
memory/3740-125-0x00007FF70AF20000-0x00007FF70B271000-memory.dmp
memory/976-133-0x00007FF65DCF0000-0x00007FF65E041000-memory.dmp
memory/2732-137-0x00007FF7B8E70000-0x00007FF7B91C1000-memory.dmp
memory/3416-138-0x00007FF759CD0000-0x00007FF75A021000-memory.dmp
memory/2548-135-0x00007FF6BCA80000-0x00007FF6BCDD1000-memory.dmp
memory/3028-132-0x00007FF6658E0000-0x00007FF665C31000-memory.dmp
memory/1344-130-0x00007FF668590000-0x00007FF6688E1000-memory.dmp
memory/1396-131-0x00007FF6BD3B0000-0x00007FF6BD701000-memory.dmp
memory/1848-129-0x00007FF62DE20000-0x00007FF62E171000-memory.dmp
memory/2336-144-0x00007FF6509D0000-0x00007FF650D21000-memory.dmp
memory/1428-143-0x00007FF6C07B0000-0x00007FF6C0B01000-memory.dmp
memory/804-141-0x00007FF6B9980000-0x00007FF6B9CD1000-memory.dmp
memory/856-142-0x00007FF7B7200000-0x00007FF7B7551000-memory.dmp
memory/3452-140-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp
memory/3160-146-0x00007FF7E61E0000-0x00007FF7E6531000-memory.dmp
memory/1848-151-0x00007FF62DE20000-0x00007FF62E171000-memory.dmp
memory/1344-196-0x00007FF668590000-0x00007FF6688E1000-memory.dmp
memory/1396-198-0x00007FF6BD3B0000-0x00007FF6BD701000-memory.dmp
memory/3028-200-0x00007FF6658E0000-0x00007FF665C31000-memory.dmp
memory/2884-202-0x00007FF62F080000-0x00007FF62F3D1000-memory.dmp
memory/976-204-0x00007FF65DCF0000-0x00007FF65E041000-memory.dmp
memory/3504-206-0x00007FF674C50000-0x00007FF674FA1000-memory.dmp
memory/2548-208-0x00007FF6BCA80000-0x00007FF6BCDD1000-memory.dmp
memory/4976-220-0x00007FF6EAF50000-0x00007FF6EB2A1000-memory.dmp
memory/2732-222-0x00007FF7B8E70000-0x00007FF7B91C1000-memory.dmp
memory/3452-224-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp
memory/3416-226-0x00007FF759CD0000-0x00007FF75A021000-memory.dmp
memory/804-228-0x00007FF6B9980000-0x00007FF6B9CD1000-memory.dmp
memory/856-230-0x00007FF7B7200000-0x00007FF7B7551000-memory.dmp
memory/1428-232-0x00007FF6C07B0000-0x00007FF6C0B01000-memory.dmp
memory/2620-236-0x00007FF6080C0000-0x00007FF608411000-memory.dmp
memory/2336-235-0x00007FF6509D0000-0x00007FF650D21000-memory.dmp
memory/3160-243-0x00007FF7E61E0000-0x00007FF7E6531000-memory.dmp
memory/3740-245-0x00007FF70AF20000-0x00007FF70B271000-memory.dmp
memory/4508-247-0x00007FF60DC80000-0x00007FF60DFD1000-memory.dmp
memory/5060-249-0x00007FF78F6C0000-0x00007FF78FA11000-memory.dmp
memory/4056-251-0x00007FF612E90000-0x00007FF6131E1000-memory.dmp
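An added example, not part of the sandbox report: a small Python sweep that turns the indicators above into checks a responder can run. The SHA256 set comes from the Files tables, the drop directory and the seven-letter name shape from the Processes list, and the endpoint from the Network table. The connection-log format and the sample records are constructed here for the demo and are not from the report.

```python
"""Host and network sweep built from the indicators in this report (added example).

Only the hashes, the drop directory, the name pattern and the C2 endpoint come
from the report; the connection-log format and sample records are constructed.
"""
import hashlib
import re
from pathlib import Path
from typing import Iterable

# SHA256 of each executable dropped into C:\Windows\System (from the Files tables).
DROPPED_SHA256 = {
    "a4d763a09cbee43dd114337d66df5cf7768d290ec678fa1d1f104d45a0b8c038": "pLXKwOr.exe",
    "56a073404a105f17c3e441714d986ac6e414cbcdcdd468b7354547faf59d6c05": "QiTrchS.exe",
    "6ac71afc9abf851d6e9c9742c5cf5b39d63ceba87c0642fc140a57034dc5a47b": "nEfiuFp.exe",
    "ce63474c3a45936725a27c443c307c9f210d0a4fd108afdf85ffadab559b949b": "qpvtobG.exe",
    "9b88c5d66a8f713d70fd2687bf51d4d39e8dfdea07a1ff7521a676a6dedbcbc3": "AFWnbKW.exe",
    "e7b7ed95e08d6f6a72cebda8612768b9060846efb6757607fb2c844cabc39f7c": "xYhjKQk.exe",
    "a145ad5fef5b2b2e185ae236567434e355e9194f939df8f224b8295d35a57e21": "RbaxhDS.exe",
    "4d3326edcc01f5597e14577061a54c8584e1fb83bcac30e37d4f76c08252a47a": "poKkSTW.exe",
    "f8ac6017f9bf860389c2da12b63c7864e6b8fb9245e49b3e29a4f74fc683a169": "IVCAErH.exe",
    "86e38bb8be0dc971727dceb9c33b91e5eb21ad2a7f5111e3cfb74e62761c0eaf": "uaGfRWU.exe",
    "48c98d64464c69f4487a94169c1fbabfd5a526b138933136e6985e96fa6f11d5": "DIbPWhH.exe",
    "f534118865e73ee975409ccd6b03aac98627677c65528da3f465cf53c4d0eeb5": "JzFaEAJ.exe",
    "049e2550514a3b53460470e55020bbd325b9b7456ed3d3342d8edb9c9a1f843a": "AGLyaTZ.exe",
    "fc5b37aff48770e21ab816559447752f3e385dfbb9b6ae2c2b0a37be9b1eeced": "EuMeUON.exe",
    "5e6b58a99d858442344a1c2a9707ab5cc6cca50d9e707c901bc25f65e6d0ea5b": "rOrBFOG.exe",
    "e0b811edb16fd1822173c2f76283bc1ed2ef338fbc9932ca62273a4f6f594999": "eZlTiZe.exe",
    "9430b4deeaf653619162810bd2a9ea06d62e4fd30883e15bd700c5c052d8018c": "IlHBnld.exe",
    "eb85883ee5bfea361ed252b0536536121401f233b29f09c2679ea3a4d50a3be0": "tAOJRHT.exe",
    "bd1449559a4047618f5f2c8d782eba21e047b5a566c6dbad961f13d10cc963ff": "znSsqpA.exe",
    "5dd2b573354ef952c0f6953c67191f1d9ba8f66df37ac7e80c13bccbab7e39a5": "vIwFuBX.exe",
    "7db147811203dc28941af686dff1d1df22f2f624ffcef177ec56191253a40927": "ZpCYNcG.exe",
}

C2_ENDPOINT = ("3.120.209.58", 8080)               # repeated TCP destination in the Network table
DROPPED_DIR = Path(r"C:\Windows\System")           # every dropped executable landed here
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")  # seven letters + .exe, as in the Processes list


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_file(name: str, data: bytes) -> str:
    """Return 'known_dropped' (hash match), 'suspect_name' (shape match) or 'clean'."""
    if sha256_bytes(data) in DROPPED_SHA256:
        return "known_dropped"
    if DROPPED_NAME_RE.match(name):
        return "suspect_name"
    return "clean"


def sweep_directory(directory: Path) -> dict:
    """Classify every regular file directly under `directory` (non-recursive)."""
    return {
        entry.name: classify_file(entry.name, entry.read_bytes())
        for entry in directory.iterdir()
        if entry.is_file()
    }


def flag_c2_connections(lines: Iterable[str]) -> list:
    """Return (ts, src_ip) for every TCP record that reached the C2 endpoint.

    Constructed record format (one per line): <ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line
        ts, src_ip, _src_port, dst_ip, dst_port, proto = parts
        if proto.lower() == "tcp" and dst_port.isdigit() and (dst_ip, int(dst_port)) == C2_ENDPOINT:
            hits.append((ts, src_ip))
    return hits


# Constructed sample connection log; not taken from the report.
SAMPLE_CONN_LOG = """\
ts src_ip src_port dst_ip dst_port proto
1717062300 10.0.0.15 49213 8.8.8.8 53 udp
1717062301 10.0.0.15 49214 3.120.209.58 8080 tcp
1717062302 10.0.0.15 49215 52.111.227.11 443 tcp
1717062360 10.0.0.15 49216 3.120.209.58 8080 tcp
1717062361 10.0.0.22 50001 3.120.209.58 443 tcp
""".splitlines()


if __name__ == "__main__":
    for hit in flag_c2_connections(SAMPLE_CONN_LOG):
        print("C2 contact:", hit)
    if DROPPED_DIR.is_dir():  # only meaningful on a Windows host
        for name, verdict in sweep_directory(DROPPED_DIR).items():
            if verdict != "clean":
                print(verdict, DROPPED_DIR / name)
```

The hash match is the authoritative signal; the seven-letter name shape is a weak heuristic on its own (legitimate seven-letter executables exist), so treat a `suspect_name` hit under C:\Windows\System as a lead to hash and inspect, not a verdict. A network hit is recorded only when both the address and port 8080 match, since the same host on another port is not evidence from this capture.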