Analysis Overview
SHA256
4328bc94b5d8f62eb0293efc1ab857275220b8b564cd7038f54a6251bd925147
Threat Level: Known bad
The file 2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 11:15
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 11:15
Reported
2024-06-01 11:18
Platform
win7-20240419-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\gdwqpgN.exe |
| C:\Windows\System\qmLEylZ.exe |
| C:\Windows\System\CulpRoX.exe |
| C:\Windows\System\QZUWHSS.exe |
| C:\Windows\System\rrqZtus.exe |
| C:\Windows\System\hilekFY.exe |
| C:\Windows\System\RblfDVc.exe |
| C:\Windows\System\xbLkiNZ.exe |
| C:\Windows\System\jvQxwEK.exe |
| C:\Windows\System\SJVcSyg.exe |
| C:\Windows\System\nRCSwSp.exe |
| C:\Windows\System\bBiVbwx.exe |
| C:\Windows\System\TekStts.exe |
| C:\Windows\System\YpwNqvd.exe |
| C:\Windows\System\LcFjjlf.exe |
| C:\Windows\System\xeeFdcK.exe |
| C:\Windows\System\lmXjgip.exe |
| C:\Windows\System\OAUJTME.exe |
| C:\Windows\System\qZKfDjA.exe |
| C:\Windows\System\KJQxfBX.exe |
| C:\Windows\System\rcnvBuC.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\gdwqpgN.exe | C:\Windows\System\gdwqpgN.exe |
| C:\Windows\System\qmLEylZ.exe | C:\Windows\System\qmLEylZ.exe |
| C:\Windows\System\CulpRoX.exe | C:\Windows\System\CulpRoX.exe |
| C:\Windows\System\QZUWHSS.exe | C:\Windows\System\QZUWHSS.exe |
| C:\Windows\System\rrqZtus.exe | C:\Windows\System\rrqZtus.exe |
| C:\Windows\System\hilekFY.exe | C:\Windows\System\hilekFY.exe |
| C:\Windows\System\RblfDVc.exe | C:\Windows\System\RblfDVc.exe |
| C:\Windows\System\xbLkiNZ.exe | C:\Windows\System\xbLkiNZ.exe |
| C:\Windows\System\jvQxwEK.exe | C:\Windows\System\jvQxwEK.exe |
| C:\Windows\System\SJVcSyg.exe | C:\Windows\System\SJVcSyg.exe |
| C:\Windows\System\nRCSwSp.exe | C:\Windows\System\nRCSwSp.exe |
| C:\Windows\System\bBiVbwx.exe | C:\Windows\System\bBiVbwx.exe |
| C:\Windows\System\TekStts.exe | C:\Windows\System\TekStts.exe |
| C:\Windows\System\YpwNqvd.exe | C:\Windows\System\YpwNqvd.exe |
| C:\Windows\System\OAUJTME.exe | C:\Windows\System\OAUJTME.exe |
| C:\Windows\System\LcFjjlf.exe | C:\Windows\System\LcFjjlf.exe |
| C:\Windows\System\qZKfDjA.exe | C:\Windows\System\qZKfDjA.exe |
| C:\Windows\System\xeeFdcK.exe | C:\Windows\System\xeeFdcK.exe |
| C:\Windows\System\KJQxfBX.exe | C:\Windows\System\KJQxfBX.exe |
| C:\Windows\System\lmXjgip.exe | C:\Windows\System\lmXjgip.exe |
| C:\Windows\System\rcnvBuC.exe | C:\Windows\System\rcnvBuC.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 11:15
Reported
2024-06-01 11:18
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\mqsJShq.exe |
| C:\Windows\System\XDyMDvD.exe |
| C:\Windows\System\MewzzJe.exe |
| C:\Windows\System\YhjrxWx.exe |
| C:\Windows\System\fBkOkBp.exe |
| C:\Windows\System\lJvGUUw.exe |
| C:\Windows\System\lpfzfsn.exe |
| C:\Windows\System\ixhccaX.exe |
| C:\Windows\System\fHzjIwO.exe |
| C:\Windows\System\yKEtlHl.exe |
| C:\Windows\System\oxOIeAf.exe |
| C:\Windows\System\bBaCvNP.exe |
| C:\Windows\System\guQqpEY.exe |
| C:\Windows\System\UAHWCFO.exe |
| C:\Windows\System\MEqwKpQ.exe |
| C:\Windows\System\mgisGEl.exe |
| C:\Windows\System\XbeFDaT.exe |
| C:\Windows\System\zXgFtaW.exe |
| C:\Windows\System\pQRWUmN.exe |
| C:\Windows\System\OPvgJQs.exe |
| C:\Windows\System\POnqRby.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_819fbca4de80f7d4c58e7b60e7d0e4fc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\mqsJShq.exe | C:\Windows\System\mqsJShq.exe |
| C:\Windows\System\XDyMDvD.exe | C:\Windows\System\XDyMDvD.exe |
| C:\Windows\System\MewzzJe.exe | C:\Windows\System\MewzzJe.exe |
| C:\Windows\System\YhjrxWx.exe | C:\Windows\System\YhjrxWx.exe |
| C:\Windows\System\fBkOkBp.exe | C:\Windows\System\fBkOkBp.exe |
| C:\Windows\System\lJvGUUw.exe | C:\Windows\System\lJvGUUw.exe |
| C:\Windows\System\lpfzfsn.exe | C:\Windows\System\lpfzfsn.exe |
| C:\Windows\System\ixhccaX.exe | C:\Windows\System\ixhccaX.exe |
| C:\Windows\System\fHzjIwO.exe | C:\Windows\System\fHzjIwO.exe |
| C:\Windows\System\yKEtlHl.exe | C:\Windows\System\yKEtlHl.exe |
| C:\Windows\System\oxOIeAf.exe | C:\Windows\System\oxOIeAf.exe |
| C:\Windows\System\bBaCvNP.exe | C:\Windows\System\bBaCvNP.exe |
| C:\Windows\System\guQqpEY.exe | C:\Windows\System\guQqpEY.exe |
| C:\Windows\System\UAHWCFO.exe | C:\Windows\System\UAHWCFO.exe |
| C:\Windows\System\MEqwKpQ.exe | C:\Windows\System\MEqwKpQ.exe |
| C:\Windows\System\mgisGEl.exe | C:\Windows\System\mgisGEl.exe |
| C:\Windows\System\XbeFDaT.exe | C:\Windows\System\XbeFDaT.exe |
| C:\Windows\System\zXgFtaW.exe | C:\Windows\System\zXgFtaW.exe |
| C:\Windows\System\pQRWUmN.exe | C:\Windows\System\pQRWUmN.exe |
| C:\Windows\System\POnqRby.exe | C:\Windows\System\POnqRby.exe |
| C:\Windows\System\OPvgJQs.exe | C:\Windows\System\OPvgJQs.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\mqsJShq.exe
| MD5 | 159b4631d4db5b30bf1228f6c22cf562 |
| SHA1 | a8e7f634caa6054be7f6103e38a7bc826e607603 |
| SHA256 | 47be5d27a4a5b8c4c2575a41de9942daac2a31987a326538806805ae1e0fb54d |
| SHA512 | 875a7ef4a4fe834aa69ac690c0c130525cef4b0d3511107c16c82c5aa796c71a4ceca75341539e71ca50ba4b991fc243db5742f74a509a5757a365483e3b2ee1 |
C:\Windows\System\MewzzJe.exe
| MD5 | d79081e737bb461f4a1499cd1ed71ff0 |
| SHA1 | 33a78067ed5f33c00905205f50bb1b86b0fb3110 |
| SHA256 | a02a5749aa327ffa0935cc2ad68cad2ccaee3f93f69fefbf5a18eeb5b6570ecc |
| SHA512 | 4cbe3be574fa668faae4e577907e34a10031e3c9fbe0364a847fe398cfe612bf59c328ba557de5dcb288dd059be37b82a23d205ccc92f605db821bc1ad4f4058 |
C:\Windows\System\XDyMDvD.exe
| MD5 | 504be61bf1f0e7d86a468f3608c630ad |
| SHA1 | 4d9489c03abebc09a4779743c79dc957c24d90e3 |
| SHA256 | 89c8d0ec0fe2214e95c8529a44e6d25ea9e614069f0bf9702e19eb33428bae78 |
| SHA512 | 2cd4f5526faef9d76b5e65768925daf4ccec4fd0c33e5445a1b26534fd59032f7b13557d8b80afbab22783a7a3ac60f3dc3951283987703abc772acf19bfc724 |
C:\Windows\System\fBkOkBp.exe
| MD5 | c97ea841a516f4547278886450b8f680 |
| SHA1 | 3d87c8b1d1fa5384d64be430655f2472f81652c6 |
| SHA256 | 2c40fd2cd06da8a160301c5308ef5fe70ed6468d835a4f4c163f6f3ac66f4fee |
| SHA512 | 39fdf4a21a5b11bb4b818b305b7828575e3974847ea453dece40e1aaaadb7bc76f4dd54cfa6a2f802d319b39e7cb5724ca8381aa916e72edfddbecb10b1702e9 |
C:\Windows\System\lJvGUUw.exe
| MD5 | 1ffe0c0178e395c24eb3fe5a79ed53d0 |
| SHA1 | d2bc794ebb593bdcb9f17065c046bcc0218a5698 |
| SHA256 | e6b7df6ec39a988c665e4ce2f0a8281369b35b8826702cf88c7d3f9890035336 |
| SHA512 | 9d7daadeb8690d318982b7febbe0b737574a147a8df57cdf17e8a1797e394e542e5c60ffe57728c3f38e0c8d7ccc6be713cd1b939c0d3b00300e98860f9e4a4b |
C:\Windows\System\lpfzfsn.exe
| MD5 | 71328457c40c91b62889cd9883b12e70 |
| SHA1 | 7d368844dc540ea15d0712db5aad638448eba728 |
| SHA256 | 80747fbd9c1c5e320478611b0b541d88045029ab26094cbe7ed4deb6a2857567 |
| SHA512 | 225408137cd716ad70c6e9e9cfb13c7ac1f26b7289095b3de8dbd1d9a7987b158b5e62bb2958d454530ceb6ac9f7291c233c61bd30aaf91da1bca748837194e7 |
C:\Windows\System\YhjrxWx.exe
| MD5 | b3e129d4fbd16cc455dd8acd1fcdf75f |
| SHA1 | 7b1c7ae6116dcd86cc157c285d579b309a6ece17 |
| SHA256 | d6b5c97d65cc143cff68b800f8ce0abc69a4b936c6c2618efa3cf66b77c383de |
| SHA512 | b5f57b28a55f7d0f37ff35e5133d03e3d0dd3c09fff80f042e1b363d43fb43a7c303dbeaa6deb6e47a66500c3a4d0aab21c5713b76a956114c2ae27e453bf717 |
C:\Windows\System\ixhccaX.exe
| MD5 | cc46baa045e185f1aa930944da08a451 |
| SHA1 | 15ce5b86d5786579e106198313d5ed597497ad81 |
| SHA256 | 25e80aad341b89fed6415485d154af95c799a45eb938f309d911fc0ba3a22158 |
| SHA512 | ebe962866a936ca375ec778e8204a781a01fa252daf1b49a3bcb995d36791583de4320997a34e07f587236e216b2cc717a95533fbb5704c6105d2e640abb1854 |
C:\Windows\System\fHzjIwO.exe
| MD5 | 47c276590b77321de38c096be2b1c27d |
| SHA1 | fecd0f3e7ca8ab6bf8ab665f07e66ee91c0e2d8f |
| SHA256 | 59bd43e6e4a9ada5993a417758cac768daaf5d85d738770c8509f1828a7c8239 |
| SHA512 | 38910f44a2818686119bb42af8192a71cbdd1d4b9c492438da43c697e5e6602adeb3439feb466cbc76d10260700b17516f567296d256991cf3de1d327dabc4a1 |
C:\Windows\System\oxOIeAf.exe
| MD5 | 4abd022244a285f8246722b36525342a |
| SHA1 | 1ef9d33db0de98de213001e899f18ac28ecb10e2 |
| SHA256 | 1f0fa77f22d85d59eba993d61d01ebb2da08341bc7162d5edf8987afd6764554 |
| SHA512 | 7c4317858eea218ab5f45aef6f993067dcd049318e9a7b7a15e5fff71f88d12dd471010992ce50cf6d1be5563a14ee6cf47da9fa08aa9fdc1cc6fd2d4a8e8b3a |
C:\Windows\System\UAHWCFO.exe
| MD5 | e45c5eebd2c20441baae1c992afab714 |
| SHA1 | 3f0e303d7a493189a10f78e579e2e0ea4e39d486 |
| SHA256 | 87973bb6e942f38042d57f8a63c8a398869fc18ca8c1acb92493f1cf7ad10e04 |
| SHA512 | bbfd8a381ea7cc03301fddf2b0585166afd25187c706e9860d5f094570767b46da4ed52bac31b1932b9d84ed359c64b043a3c9abf07d92db121dcb9f27d20510 |
C:\Windows\System\guQqpEY.exe
| MD5 | 7f040dc04b9577154970cfe253c262dd |
| SHA1 | eab6efe204d35858ebb5fc661593cee7bcd93f9a |
| SHA256 | 84d29fb9154b7130b101eccde698a509277f6df39d797eb6aaeb2e34250e9a67 |
| SHA512 | 4d8ce1e438ca6cc7e6afb69745868a6095b74cb18fc9854ae6c575a362e035ee95a6022cdc8d2f69ed091a1b43c1ed1dd799c7b8c4bd99f305f65904ca3d4cc7 |
C:\Windows\System\bBaCvNP.exe
| MD5 | c4ea0246c23b06a58dfd8fe098c493f3 |
| SHA1 | 7c89fdee6a9caccb48eba2f53fa8d34aeddb3cf9 |
| SHA256 | 7af9416e8fa2f441d99c38043c4b6480e9aba868d81346fe9249ee46e4ea78c7 |
| SHA512 | 9510ebd538fe1d2508b0598e30767ab2bc6f446f75dfc842ce5dbb9fe7ca1b264f278656945daa3d63b81e6f7d6567bd71703ff31b4937c33f8af83b50825563 |
C:\Windows\System\yKEtlHl.exe
| MD5 | 8f5d434d12cd6e5539466c9b570f04bf |
| SHA1 | f115cf39fe26c69483c8a41b6508178c261f5d33 |
| SHA256 | 5304e3a9e0b8ef0846823dedfeea5bf73f5a17c7495db65f70a44f0c526c6930 |
| SHA512 | 0285a9c4c8a4a59c4a6e910d06868855493f4d07f8a6aca1f0be23b5f934b230de961bbe65509fc698b18079653b16e01c2bbedb116fe0f3895ca2c8f6229423 |
C:\Windows\System\MEqwKpQ.exe
| MD5 | ccf9e00cad25411b3a6de8fe28950fb3 |
| SHA1 | 90f52377e5354081e8219c688ee11c7bc9bdab76 |
| SHA256 | 7911f646a0d8b265c99e707bbac6ab2eb159f412a8ebbf3a8ddff160e3363ce4 |
| SHA512 | a56e713de921ac927b87ccc10d8952ae60b47ecf67abe4814abb63220fc7ee9b97d8e5326d8b721d157672427775259d0caa26958ce17624bd96e672e4875491 |
C:\Windows\System\pQRWUmN.exe
| MD5 | 0542f0b7b6c7ba8dd9b8198ae698145c |
| SHA1 | aaf495faa0cbe881bcf5013c991e1370ebe05f67 |
| SHA256 | c681ae9cdd1d1ff4a38c59312826b46f6c21672d80c40f3c40458b1409736fba |
| SHA512 | 89ba08606494b36537144e182c1479efc6187525413bdf45fc91c5064923c9fec4aeb03059bff27f62bfe6d6a581cb54a938ba2122d29f74198de1ef1d8076dc |
C:\Windows\System\zXgFtaW.exe
| MD5 | c6f72796e5376ffd9aa42666720090b7 |
| SHA1 | 3bcf254c005afd1a1d9fca9f592bd3f61c430c98 |
| SHA256 | d9ae8f529853ece58c4e258fc8ceba868c8f4b73df9e6ad864c0947e1c016394 |
| SHA512 | b1e8246656c370bc688948f0a944d79dd98725c9baa509a8d5a795d68243b97ac755bfd696437af90c8d537b10d3e772778272d3f83a01e27e1cbf6e7242cf9e |
C:\Windows\System\XbeFDaT.exe
| MD5 | 12e1889325a2744e9aeb5abef58dfc3a |
| SHA1 | 05692d02224e1218e3209d63ee4b051158ae59bf |
| SHA256 | 7ae60596b80724ebfe03c56e2546f56dec857c09ea0628e9330c878037427347 |
| SHA512 | 0dd0dbba5b680852074289f6305fea6641234cec6f4f0b4f45cee2e18cea0ef2231df2d2fefd48c30c54c9e441a8f7e838e6131bfee3b7a86f0afe800f78dd30 |
C:\Windows\System\mgisGEl.exe
| MD5 | dfb6dacc52ef46e57c6dea3f52e54060 |
| SHA1 | dec83730afa24a8c60e199d9f325d04be22e9250 |
| SHA256 | 3be516d8c7446fd420e75e3894371a85a670746d7b8cf3a1ad85dcc7118ec158 |
| SHA512 | 1f4b5ff61065fbc6c66dd011ec994f9acbf247ad316d61ec21d37c369c20f56d4488877a0d1a1c0501488abe4efc435e3b5e5ebc518ae2c82baecfc511c0a902 |
C:\Windows\System\POnqRby.exe
| MD5 | c19b8612d700f95a34f4f303e42a48ff |
| SHA1 | 5d89e8662c024984f4e33bc8aa46ea0efeb9e492 |
| SHA256 | fdc05bd7e318d49a967a3e669b50a4cddfa168039806575b253e722e5699307e |
| SHA512 | 7396b7a2751e9e951c6bca179734a5643b7ec8f8a67a91e2a7ec93707287d49401d8cebb7b98170c657efd3cd2cbc725f436f4dff9f6ae2e320462958bb75c8f |
C:\Windows\System\OPvgJQs.exe
| MD5 | 94864e60242c5f883133df101fd31dfc |
| SHA1 | 09bb289a7c2b35d9c6da85ac7f7b8c3edda380aa |
| SHA256 | 3a050ec9586dedeb3d6fe93c0e877d402bf3612cb239ab8136757c2005c0b72e |
| SHA512 | 9c7ff7d185d234fd0b522e9b77426b391a20394e492b8730feb29444cfa0c41ab2f2b8674c397413bb8a441b1337f451e3b58f65a8500089a80cff2bc6f5b012 |