Analysis Overview
SHA256
72f739bdfe9de101b9641897b491ee14e1b9bb1cd5097ac977eb93d17d32b817
Threat Level: Known bad
The file 2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 14:43
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 14:43
Reported
2024-06-01 14:46
Platform
win7-20240221-en
Max time kernel
124s
Max time network
138s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\niGmISK.exe | N/A |
| N/A | N/A | C:\Windows\System\xYYzDok.exe | N/A |
| N/A | N/A | C:\Windows\System\SqoKIGV.exe | N/A |
| N/A | N/A | C:\Windows\System\lAVtHTW.exe | N/A |
| N/A | N/A | C:\Windows\System\QgQBLNl.exe | N/A |
| N/A | N/A | C:\Windows\System\EPKQywY.exe | N/A |
| N/A | N/A | C:\Windows\System\uBimmFm.exe | N/A |
| N/A | N/A | C:\Windows\System\QsTTAzB.exe | N/A |
| N/A | N/A | C:\Windows\System\ngzuARR.exe | N/A |
| N/A | N/A | C:\Windows\System\PVCdLnJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xOdCWGl.exe | N/A |
| N/A | N/A | C:\Windows\System\QTasuve.exe | N/A |
| N/A | N/A | C:\Windows\System\HpLncPo.exe | N/A |
| N/A | N/A | C:\Windows\System\gQmHqqk.exe | N/A |
| N/A | N/A | C:\Windows\System\CoRfJRN.exe | N/A |
| N/A | N/A | C:\Windows\System\OlTXbBE.exe | N/A |
| N/A | N/A | C:\Windows\System\PdpmgCL.exe | N/A |
| N/A | N/A | C:\Windows\System\rTmlVoA.exe | N/A |
| N/A | N/A | C:\Windows\System\oXVIeRC.exe | N/A |
| N/A | N/A | C:\Windows\System\RXaqXbF.exe | N/A |
| N/A | N/A | C:\Windows\System\bXHTfnw.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\niGmISK.exe | C:\Windows\System\niGmISK.exe |
| C:\Windows\System\xYYzDok.exe | C:\Windows\System\xYYzDok.exe |
| C:\Windows\System\SqoKIGV.exe | C:\Windows\System\SqoKIGV.exe |
| C:\Windows\System\lAVtHTW.exe | C:\Windows\System\lAVtHTW.exe |
| C:\Windows\System\QgQBLNl.exe | C:\Windows\System\QgQBLNl.exe |
| C:\Windows\System\QsTTAzB.exe | C:\Windows\System\QsTTAzB.exe |
| C:\Windows\System\EPKQywY.exe | C:\Windows\System\EPKQywY.exe |
| C:\Windows\System\ngzuARR.exe | C:\Windows\System\ngzuARR.exe |
| C:\Windows\System\uBimmFm.exe | C:\Windows\System\uBimmFm.exe |
| C:\Windows\System\PVCdLnJ.exe | C:\Windows\System\PVCdLnJ.exe |
| C:\Windows\System\xOdCWGl.exe | C:\Windows\System\xOdCWGl.exe |
| C:\Windows\System\gQmHqqk.exe | C:\Windows\System\gQmHqqk.exe |
| C:\Windows\System\QTasuve.exe | C:\Windows\System\QTasuve.exe |
| C:\Windows\System\rTmlVoA.exe | C:\Windows\System\rTmlVoA.exe |
| C:\Windows\System\HpLncPo.exe | C:\Windows\System\HpLncPo.exe |
| C:\Windows\System\oXVIeRC.exe | C:\Windows\System\oXVIeRC.exe |
| C:\Windows\System\CoRfJRN.exe | C:\Windows\System\CoRfJRN.exe |
| C:\Windows\System\RXaqXbF.exe | C:\Windows\System\RXaqXbF.exe |
| C:\Windows\System\OlTXbBE.exe | C:\Windows\System\OlTXbBE.exe |
| C:\Windows\System\bXHTfnw.exe | C:\Windows\System\bXHTfnw.exe |
| C:\Windows\System\PdpmgCL.exe | C:\Windows\System\PdpmgCL.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2704-0-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2704-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\niGmISK.exe
| MD5 | 41dd0c7b487938a848d9621e98897e9a |
| SHA1 | 23f2be8862c7b79828b78a7d06efdee439c5e517 |
| SHA256 | 8c8b28b943a8f53456c54988100907972b89f39cc895e37fb6419edd7e69e98c |
| SHA512 | f94c5b1712f2849f45b9c731cce23a5bf3ad8fee360d96cfd35ae317c3911db11489c095701784784bc28c0f3deb2ff731939a2f31fd9d516a7d6efd1a21b7d0 |
\Windows\system\xYYzDok.exe
| MD5 | 263651351ab1fb80fedbb1af033ffcde |
| SHA1 | 49f847e670dfca18f879d2675dd53bc0f7a1fb1d |
| SHA256 | 761ad0ec4fb31e98a95144610b831bfaaeb0e572f1554f94ba3178dff1784b32 |
| SHA512 | ecb938c71c1d8390b2895b3225013c718dc2498f0767e94eb4887baa59917899b5730bbac0c7123dd8b5b5c6214a249443d0cc5a3b4d1024663d8dbb3409a112 |
\Windows\system\SqoKIGV.exe
| MD5 | c2b981e4ae13364b3060cb121c16eb7b |
| SHA1 | be3c9b7b23cecac530c76da8475b6c3b0a63a3ac |
| SHA256 | adecebb4dc931601d6ef99d82bf6d81678a87e2351feb6a2e9df58693aa35b50 |
| SHA512 | 63c5da616499ffe2b7d787613b7becb148a68e9ee301a9962d948d68eec8ea6d38d1709f0346fd79162043c0e4e27318d02019076bfb070f2f5a2e546540bdee |
memory/2308-18-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2504-52-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2912-28-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\PVCdLnJ.exe
| MD5 | a67bfbed8c330fd66f7004a18c925eda |
| SHA1 | b2d5fc413ab5a245ee4a3be8efe2525380d3c129 |
| SHA256 | 033ac1abf82a9e1fca94661409b4314c290b9408afb9e9403d5c938c6839f241 |
| SHA512 | 04941ec5525c53ce4cffd6a943c718f8805655af595998d9de5f1a95964eb3809bf8d64c3e2d260ecd5318fda8dff221caa99d34266e7eb2ba895dc314151fbc |
memory/2128-65-0x000000013F660000-0x000000013F9B4000-memory.dmp
\Windows\system\HpLncPo.exe
| MD5 | cc20d0b2b8c4f11e6c916e97bd188df8 |
| SHA1 | 3cf0488c3ccf45cc5b8bc50f65858ef3fb4ce219 |
| SHA256 | e6393d5c77fbca1c48bfe93827dca9d7b7a898462783d6430cb4a2dd4640f636 |
| SHA512 | cb0008b6d6feff3e0cc2378e149c2b72066a027bc8003f196152c124814a04dc7e1384100363c62335e3f66b4338f97c749a44e5869a461899a182309fbaf0e1 |
memory/2400-126-0x000000013F5B0000-0x000000013F904000-memory.dmp
\Windows\system\oXVIeRC.exe
| MD5 | 25b7622fd985b58b0202436109e91e24 |
| SHA1 | 23740c99003eee9e189827052b65cb1f0c22aea9 |
| SHA256 | 300288065311f84e5301cb919954ba204e9cf0521d63a751660c49f40481d054 |
| SHA512 | 353c1fc1bb5b18b6c2264d1c7c747327ce41ad4def522775ff94d297bc256513a604a21fb309b53e541896e38bf2c2f2cca4616da2967d0b8ef977b8f08ad5ed |
\Windows\system\bXHTfnw.exe
| MD5 | bb203b2cb117f6fec9e0f02fe01c169e |
| SHA1 | e1c2a0b00e3dfa6f6bc8b53d356cc690e31848b4 |
| SHA256 | d150399a5fa0903c0f8707086a4fccfe8546b469ef667beaca348ead0387b307 |
| SHA512 | 9bf77e70f9907fbcc76f393f7863695ee29913c0fd7a028e796d2d517a7ab1448cb73299de5cf546884bfa4e7a0b011a42c40f553b5d41f82a43bc0e92753895 |
\Windows\system\RXaqXbF.exe
| MD5 | 2e845762c87849ce7d818a049b5af305 |
| SHA1 | 9d4d64852becd6443477d1ae512ee9d131b4c622 |
| SHA256 | 726f2faf641b19f9707b970b2cb4560fef590d6c0a37adf0c2dd52c3d305c84d |
| SHA512 | 91c2871861d30618cdaf5eba6235f72bb52a97d5c9e692ad4911ad2f13db9c7f246f60fb83322ed51d2acdcc7feaa5fda6dfa0596912bdaa7cb30bdd7d9a9a57 |
\Windows\system\rTmlVoA.exe
| MD5 | 785b01fc626baf3dfa06d545fc4cb9d2 |
| SHA1 | 554bcb86b43e9a4e0a186d2bca4d411494381d79 |
| SHA256 | b521f9a8403abae855d4c2d8c0674261900c445512c3a523b82af9d8e63b32d4 |
| SHA512 | f1742c03a6dbb002662b5ee959e255a78ec628626db28cb57aa91a87461a490c35247f225aae15ed5b39f885bbd0e94f46879ef4d07be9072c3817d92034851a |
memory/2704-80-0x0000000002640000-0x0000000002994000-memory.dmp
\Windows\system\gQmHqqk.exe
| MD5 | 47f9ad2bd5f5b111f78aea23105f33b9 |
| SHA1 | eae833ea2907da227073865c260e5e89c0c513db |
| SHA256 | 5c7171927f7e0f2895ac92648c795f8159ee7dc3023a5233fb87d526eeff3375 |
| SHA512 | d32ebd3b8d21d630db249d8652477edd30fa68000887cfc7b9e2a896104b89a34a8633b28ef23a469c4a7a686f974d8f1a41f76c096ed3ece734c3d5b5e118c9 |
memory/1472-125-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2704-124-0x0000000002640000-0x0000000002994000-memory.dmp
memory/2704-123-0x0000000002640000-0x0000000002994000-memory.dmp
memory/2600-122-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\PdpmgCL.exe
| MD5 | bf40e5ab2cbde5a208ee365da9079c08 |
| SHA1 | 0902c20614abcd40bbc61b3b24d9a383ceec4d43 |
| SHA256 | 1cd1c69f16269b0a382785e76ed0cd34dcaae08ce9408553d367be92d3763b4e |
| SHA512 | 0d4265da928da547377085ac77e2192edfc83c4e51d3d94e0c9b6a9dc87794a514866a990649cb98f89cecdb1068c1b8fd5dc43f07cfd14b47dd02f99bdf2987 |
C:\Windows\system\OlTXbBE.exe
| MD5 | 732cc25aeb7339c28a716c4a49b3ff47 |
| SHA1 | 286c9f435ddc7082a288a0f5c92fb3fbc134c842 |
| SHA256 | 0d8fc9d4a70e87dbbd1a2b99076632b0e6739f27b5aa37cf675d921dbe04e67a |
| SHA512 | f8d196a3a49824f5eb1e7ed16ddc532686c97f7b2564c0853f57aef9aa17db166928318cd39551ab15cabeedc085720b10430cc66c6eadabc42b73263144d0d6 |
C:\Windows\system\CoRfJRN.exe
| MD5 | b37adff8cd64c4b831c1d0f934f28122 |
| SHA1 | e2b3065d8569a29c811a80fea3e7b33ffc175e0b |
| SHA256 | 1f086479f07a0d3510ce5af277c76c4c5dcb1ab3bc555cb8089e1ef1724318da |
| SHA512 | a4ddde9a46d0fd687614d0ed2b440b74468c38117c2a90dd1165a2611395ce88bd275f5603f86f606d2aa6a283b785bd0346b43bd30df7dba5709f215dcf95af |
memory/2876-137-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2912-136-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\QTasuve.exe
| MD5 | 5965a57c46b4c70f977f47f4b8011221 |
| SHA1 | fd0c17614a23644a53050d20093c853cb2dc04b2 |
| SHA256 | 25099e65fa11ad224e6ce146544981c68855744c5f9bc213ddafcaae9c96cc86 |
| SHA512 | 8f676478ede16361959116836bc83965540ddf53df5bf467a1c7cee37e50df93ce384045a6c2865a4ab0dee0804294fde0912a06f965214b5bc103ca59ee8c32 |
memory/2704-85-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2704-84-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2428-83-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2704-82-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2704-76-0x000000013FDE0000-0x0000000140134000-memory.dmp
C:\Windows\system\xOdCWGl.exe
| MD5 | 86e4715266ab3decfd2cc80e2d1c511b |
| SHA1 | 870cfede59b46022e4a243ab7bb09050404f634d |
| SHA256 | 8ad1e21399ed46e7e56f1a62a621ad8627361616ba34604bc09dfe1a6a9e98ee |
| SHA512 | 38c9bfe1cb7cfd8330c60fd8067eef93ba80e7c5d98c761b57eef15bb91486a9098831f57f81021332cad4f9e9ff2f74ce7d4583c2536b62f552a7d058ec7fcf |
memory/2560-64-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2588-63-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\ngzuARR.exe
| MD5 | 619b106c21c3bbce6a927e198022cd93 |
| SHA1 | 4f7acea107d11845c2084af3c13aa16d8a500bc8 |
| SHA256 | 366fb45febb188074e62c9136a500a9bfeef3c11625383f95fefc3761bd00c3c |
| SHA512 | 9f4d750de4d96ed83171aab5f892ca077ba84a33238ef6d650b62d9628ed6abdb6353940a2407611c8d3b33f91ad1a0f8dee3dbd979fafcde7a1cacb057fa68f |
C:\Windows\system\QsTTAzB.exe
| MD5 | 8cd1ac0329e4ef7ce856173b66091e02 |
| SHA1 | 53f5a6b0a09daa36f180d7f01b0669840e825778 |
| SHA256 | 49bfa9bdbc3fedf15f3c5e7cbde1d58909ab34870905a1eb181e72c401111bc3 |
| SHA512 | 4d7d64f29648b3a759f07085be34c8b90a774c0e57406d5173194f5d29803b55d8b162c728fa042ad6882cf15d8932483bd2e5dbfbeda351e2a5a7b94ed9add9 |
memory/2704-59-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2704-58-0x0000000002640000-0x0000000002994000-memory.dmp
memory/2704-57-0x0000000002640000-0x0000000002994000-memory.dmp
memory/2536-55-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2876-37-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2704-51-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\uBimmFm.exe
| MD5 | c0f15bc8bb9bff95d83b31fb2d4a758c |
| SHA1 | c69797825b3f2c737cad7a177b193b7894128376 |
| SHA256 | 34de5817ebc616dbe243155b7cf31f48a7b969f0193e449063022e24ae6ef462 |
| SHA512 | afc771f3544a981a284a44dfbcd7d33656344d5ea98de12d98a1a52a91cd0cd0dbe7ded15a05d4c4bfe202f707b80566284102eac95d60b9867a165dbe2ed9d3 |
memory/2504-138-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\EPKQywY.exe
| MD5 | 0ccd60b0e9cc347fbeeeb9f681fb338d |
| SHA1 | 29d5312b387295554d34e45edfdf6636d8b2ad8d |
| SHA256 | 726878b0615a4a5a3533f7c166f6ab155c111dbcc65200cb2cd6214f95cd3941 |
| SHA512 | 9c92ccf0a9dc45b0043b307469c601d673687fe83b994107513db312fdd5b9363cb5fe57d1345ee6f93edb2f48ea79dd453353891bdddfd7a506a2d5348fa3db |
memory/2704-34-0x0000000002640000-0x0000000002994000-memory.dmp
C:\Windows\system\QgQBLNl.exe
| MD5 | 4af45f41d27815c89a02c08ba7f8d9fa |
| SHA1 | 25090d2940bc65c717b4753bdb23272b54dfecbc |
| SHA256 | e8897995c4757c5874da9c43422f722218280c4f2af67d2ae491aa6a12f9fbcc |
| SHA512 | 107b9872878ef393482577473ee34442c8750755bf6fb69d1393a4cf89f3de9e7e7b0d50ae10a616a73d8cbd7be05bfba57375ff2c34928099b9dd5f86a457fe |
C:\Windows\system\lAVtHTW.exe
| MD5 | 6fe94f48edac15bef9df49236afd5723 |
| SHA1 | 07048b9bb560fa1107ecda30137f6135e62592a0 |
| SHA256 | 0924f3bdc3c8399d7d53dc7ee7c0d5ffb5dce73eca650a88ef960df8c39da26f |
| SHA512 | 530837adaf61700a4470af094235aacf6f4093c9d478f0c71f3ab1d016c6d87614904b4a85bfced2776628a430d327974fece9691727d7c269b60cad3a2e4d58 |
memory/2704-26-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2704-25-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/1708-24-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2012-23-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2704-22-0x0000000002640000-0x0000000002994000-memory.dmp
memory/2536-139-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2588-140-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2128-142-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2560-141-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2704-143-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2704-145-0x0000000002640000-0x0000000002994000-memory.dmp
memory/2704-144-0x0000000002640000-0x0000000002994000-memory.dmp
memory/1708-146-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2308-147-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2012-148-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2912-149-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2876-150-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2504-151-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2536-152-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2128-154-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2560-153-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2428-155-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2600-156-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2400-158-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2588-157-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1472-159-0x000000013FBE0000-0x000000013FF34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 14:43
Reported
2024-06-01 14:46
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dlipMph.exe | N/A |
| N/A | N/A | C:\Windows\System\vQrsxmR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWvVRTE.exe | N/A |
| N/A | N/A | C:\Windows\System\vskGxgF.exe | N/A |
| N/A | N/A | C:\Windows\System\UvZRHZt.exe | N/A |
| N/A | N/A | C:\Windows\System\BzgDCKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\aQSTWjE.exe | N/A |
| N/A | N/A | C:\Windows\System\bDkyBup.exe | N/A |
| N/A | N/A | C:\Windows\System\oEzttvg.exe | N/A |
| N/A | N/A | C:\Windows\System\XlCDkbb.exe | N/A |
| N/A | N/A | C:\Windows\System\bWloBdA.exe | N/A |
| N/A | N/A | C:\Windows\System\gxzsqzk.exe | N/A |
| N/A | N/A | C:\Windows\System\wueJdXN.exe | N/A |
| N/A | N/A | C:\Windows\System\KvVxuGB.exe | N/A |
| N/A | N/A | C:\Windows\System\LMNCjfs.exe | N/A |
| N/A | N/A | C:\Windows\System\NwMwsXC.exe | N/A |
| N/A | N/A | C:\Windows\System\EesWnFX.exe | N/A |
| N/A | N/A | C:\Windows\System\SimjzMf.exe | N/A |
| N/A | N/A | C:\Windows\System\zFblvxx.exe | N/A |
| N/A | N/A | C:\Windows\System\iKKiqxi.exe | N/A |
| N/A | N/A | C:\Windows\System\hwRmRWM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_5497e75f86123fd662b7912fea9fa50b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dlipMph.exe | C:\Windows\System\dlipMph.exe |
| C:\Windows\System\vQrsxmR.exe | C:\Windows\System\vQrsxmR.exe |
| C:\Windows\System\ZWvVRTE.exe | C:\Windows\System\ZWvVRTE.exe |
| C:\Windows\System\vskGxgF.exe | C:\Windows\System\vskGxgF.exe |
| C:\Windows\System\UvZRHZt.exe | C:\Windows\System\UvZRHZt.exe |
| C:\Windows\System\BzgDCKQ.exe | C:\Windows\System\BzgDCKQ.exe |
| C:\Windows\System\aQSTWjE.exe | C:\Windows\System\aQSTWjE.exe |
| C:\Windows\System\bDkyBup.exe | C:\Windows\System\bDkyBup.exe |
| C:\Windows\System\oEzttvg.exe | C:\Windows\System\oEzttvg.exe |
| C:\Windows\System\XlCDkbb.exe | C:\Windows\System\XlCDkbb.exe |
| C:\Windows\System\bWloBdA.exe | C:\Windows\System\bWloBdA.exe |
| C:\Windows\System\gxzsqzk.exe | C:\Windows\System\gxzsqzk.exe |
| C:\Windows\System\wueJdXN.exe | C:\Windows\System\wueJdXN.exe |
| C:\Windows\System\KvVxuGB.exe | C:\Windows\System\KvVxuGB.exe |
| C:\Windows\System\LMNCjfs.exe | C:\Windows\System\LMNCjfs.exe |
| C:\Windows\System\NwMwsXC.exe | C:\Windows\System\NwMwsXC.exe |
| C:\Windows\System\EesWnFX.exe | C:\Windows\System\EesWnFX.exe |
| C:\Windows\System\SimjzMf.exe | C:\Windows\System\SimjzMf.exe |
| C:\Windows\System\zFblvxx.exe | C:\Windows\System\zFblvxx.exe |
| C:\Windows\System\iKKiqxi.exe | C:\Windows\System\iKKiqxi.exe |
| C:\Windows\System\hwRmRWM.exe | C:\Windows\System\hwRmRWM.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
memory/1100-0-0x00007FF63A3C0000-0x00007FF63A714000-memory.dmp
memory/1100-1-0x000001E031B10000-0x000001E031B20000-memory.dmp
C:\Windows\System\dlipMph.exe
| MD5 | 24422bb6dd658b744ab3fa9c9f7ebef7 |
| SHA1 | 4be66d2a3b741b9f6abd8f5c61e4c077ac9de5f0 |
| SHA256 | 4017ff51f353b284b807ca007702a837120cab5e69e6fb8d0d33906ddf76c1b0 |
| SHA512 | dd042e690eb4e58a15a81105aeabb596f2e3cefa54a20874cd2286d4ea6c0a4256e1312fb5956acba789002d2d231200e8465ed7a1868161946a2b90665f005e |
C:\Windows\System\ZWvVRTE.exe
| MD5 | 7966207413432cad56419f63a330e5e4 |
| SHA1 | e684b6f293df614213157fcb2c81cb8774406f30 |
| SHA256 | a10b6b90a6f3e6067578614cdbd53e93702baccc83f6d626c575a86d50899496 |
| SHA512 | f71f084f4d6cb70e09a2866acef58c74dbb2cc0decd17be1d0fa19b1b6d92e8bcfbb628864a1f502636f149339227647d164513ef1052f2217f19f4eea22775f |
C:\Windows\System\vskGxgF.exe
| MD5 | 876712c4f26ef598d0001a4493f42caa |
| SHA1 | d6cf458716795f0916021b0ca37899cf9a66e99c |
| SHA256 | c8fba1d748e2b747eddbb0bd2f96b82e98407ae5b1c576107a526947bdfce925 |
| SHA512 | 1b09a73134dfb1c7ee438dd0228937d694d7db22efc4bfa55afc199fa4a85361d196355951d42c9478b6ed6c235e2c36b2d3589fd617d5316f487188494a035d |
memory/1020-30-0x00007FF602540000-0x00007FF602894000-memory.dmp
memory/4124-36-0x00007FF628AF0000-0x00007FF628E44000-memory.dmp
C:\Windows\System\aQSTWjE.exe
| MD5 | f6a8705639d687573f176288ee0b1d4d |
| SHA1 | d60c2a0258d0fe743fc1ad70ac2aa42aa44994c0 |
| SHA256 | 69d0a45498ee0a2fbdcdab85e3ada3605a925935aa0270ce3dc09329134be043 |
| SHA512 | 4dde57517827400031f1ddcc37b29a91dec0be00ad882b24eb6717db71b7604038d17b579b4ea4a781258e28422365e8bf8195110ebc5910791a4ee9a490d092 |
C:\Windows\System\oEzttvg.exe
| MD5 | 71f040db8633b4a862aff799b8fff2a8 |
| SHA1 | 78ad65c0265e46309f4b298afb6fd2db633524e2 |
| SHA256 | 51d26e1e2fb756ced352efc74412d916df565532a467a64db8507c533de4efd6 |
| SHA512 | 8a4895219ab236bc8990544ba0a7e7f616639a134eb4e4129501a7097fa5fcefb36076da81b98310cb5d905c93e727f9f7eb4da1fc6997d1caef29998fa77ac7 |
C:\Windows\System\KvVxuGB.exe
| MD5 | 352ec3ecf623ece23bdf90dd3dae6ff1 |
| SHA1 | 746ec874c4040cacb20d3ea17f687dfdc17e0fa9 |
| SHA256 | 812efe26135cdb50a74edb156501730205965008c5c6663eb32c391f3c465c80 |
| SHA512 | 842972bc0e23cdc52f74e53dbc2a787e850abb5e2e20bceaec06ea6667a74780ddef653b5d7cc076fc9bd7937afb7e2d1afd8d6740b8c50651d2e97030ac265b |
C:\Windows\System\NwMwsXC.exe
| MD5 | 008adacff36cdc9a852cb42a3c4a9d76 |
| SHA1 | 7f0556a4efc4d9bda4597b2c926b9f82620c6932 |
| SHA256 | 81a60b1b31009b5ce9c22399c05687e049eb208e1b390507b52f3ee700a78b29 |
| SHA512 | 5d9b00ca85384f2db11a5654a33d8382196db94c2318a7197192150b4b92985a96d5cbe910170fcb964fa176c0a36fbfedbbeecffd03baa7d86df23b4fc481ff |
memory/2436-86-0x00007FF7113C0000-0x00007FF711714000-memory.dmp
memory/2644-93-0x00007FF63EEF0000-0x00007FF63F244000-memory.dmp
memory/1932-96-0x00007FF6B5E20000-0x00007FF6B6174000-memory.dmp
memory/1180-97-0x00007FF70FA70000-0x00007FF70FDC4000-memory.dmp
memory/4600-95-0x00007FF7DBFB0000-0x00007FF7DC304000-memory.dmp
memory/2408-94-0x00007FF636790000-0x00007FF636AE4000-memory.dmp
memory/2016-92-0x00007FF758690000-0x00007FF7589E4000-memory.dmp
memory/4340-91-0x00007FF707DF0000-0x00007FF708144000-memory.dmp
C:\Windows\System\LMNCjfs.exe
| MD5 | 915c39bd40eeb40394caffe555340507 |
| SHA1 | 1b53b89c13cd38257500adb00eb936318b2e6427 |
| SHA256 | 316d9a1e19e8c66f3805dd2d45eef18f3887c7e491c15b0b0b6aa7a9a87004bf |
| SHA512 | b2b523532fd5c1ce7d9beb9b03ad08b9e860e676cd02ef4d836cda360ec28076172698469be7a85bd6e06cee50688dc195c2a5ae5b0d73dcfc8a861ca5874076 |
memory/5028-83-0x00007FF770B40000-0x00007FF770E94000-memory.dmp
memory/4516-82-0x00007FF6AE440000-0x00007FF6AE794000-memory.dmp
C:\Windows\System\wueJdXN.exe
| MD5 | 372817da4607a6b9641344832fce6c82 |
| SHA1 | fd112763cf949a65a5a3fce6e61090561d639edb |
| SHA256 | 4958db49099f7788dbc3a98b00c20d2fb2bba22d337c2cd8ab1519acbc90387e |
| SHA512 | d450e3e7f84a685e2c0e50b49f69b394aeaba5091f12659b12732251249525f36a18a05868c500000e39ac9df453d7da395f0e463b180b463be6744beef3fab4 |
C:\Windows\System\gxzsqzk.exe
| MD5 | 8a7d37896c3d6ea9ab2a292867c8f86f |
| SHA1 | 4b90dd391496d21eb39bb53a2de619e6c03b5b3d |
| SHA256 | 89e8a768668f146f7f2920f51778279250834f68237618b28d2ce8fd82be1839 |
| SHA512 | 894658838365c37015dd31034b0cb8433667daa978f5e5c5c2209b40fe057bced7b77568f1f81a811318034e11eb57155ead7c27b49aca1008e05604dbddf313 |
C:\Windows\System\bWloBdA.exe
| MD5 | 8306952167a9a3a4ff2070987ce329a4 |
| SHA1 | 362543a3d8dd62fcb8fe084765df2ecce11b2359 |
| SHA256 | 0a70a387d01948c455169daf19612f6217247f26a4dbeb5bdbcfdba7710d594b |
| SHA512 | 413af472e3d9f04fc7035380f2ee6667f3d0d6bcaa219843863b81a5234edcc05d99acb182af648bfcf6656f4e25e4b899d861e317b841df6a8bddab1d343ffa |
C:\Windows\System\XlCDkbb.exe
| MD5 | aabed4bf5c20c32d23f5213c385a34ef |
| SHA1 | e7bdc8d2cf927e742ccc6e6010293498e70568da |
| SHA256 | 356cc818d33fefae7d7f3930c843f7310f5e4c3f8fd3ae0d69522109c8f27d84 |
| SHA512 | cd6bbb90f20c1d92167b05f2a75c2d118a5d3988e1ff13dcab9d310496979e1754a136ac99fdcae53a67b7eaa78781c3e0bafc1d72faade8c57e09bbe63f2ede |
C:\Windows\System\bDkyBup.exe
| MD5 | f124cdafae7756fa42ebb5ebd77df2aa |
| SHA1 | 1fb25554e6c22370b156f36bbc450f365307f7a4 |
| SHA256 | b927167b537ec47a9728611f0956945365bd126249de8277ed039ee79deadfc3 |
| SHA512 | f8b9d5ae5b241152af3e28fe69301f27af7a2a22ea5f824e06985c1d9634df7b7dec084fe2c756ef5d2ad08d5588beee15fec55d24f9f16c2d7ee262ef97bafa |
memory/464-43-0x00007FF6AB320000-0x00007FF6AB674000-memory.dmp
C:\Windows\System\BzgDCKQ.exe
| MD5 | ccba81f1e1d1643a5250002e9ddddd6e |
| SHA1 | 6339c3fa398110cb64a78aeb005708cf30fb20a0 |
| SHA256 | d1a684e66cbc28c19f6d33d9e4bc26961dd8b9a34229354462af7962eeacbef9 |
| SHA512 | 892d04d5f52b658e154a45104ae253387c36289dbc9b33d0fa010d84cc9f359ef6c2b94ac62a7ae340d5b3869d94389880d3529467002920b16c27249b4bbfe1 |
C:\Windows\System\UvZRHZt.exe
| MD5 | 5a4923d02286fc60572ad3c3ba3877f6 |
| SHA1 | 5f69403da468e8e7b6d005a877df6e6eb10cd765 |
| SHA256 | 09f5e50ac37153c0752e616ffee48868fa92dfdff14969cb3054eb23b0d2a402 |
| SHA512 | eaa856cec432c19a5137c285f1237e61b80a92fa8acd8dab89283c22a1981e0062121a00d8d00336502013cd19ea8d8f393475ce1a7f3e48ef2c23b9616f33af |
memory/8-27-0x00007FF62DB40000-0x00007FF62DE94000-memory.dmp
memory/4352-17-0x00007FF666F90000-0x00007FF6672E4000-memory.dmp
C:\Windows\System\vQrsxmR.exe
| MD5 | b5f561a5dfda91a77ac0d0ecfe5e39f8 |
| SHA1 | ca0c84e106bff4e71b5f9504b5ad1c6247d19e89 |
| SHA256 | 8a3db64eb70adc6fd505dfbb3ef1aecb2fac0bae40f72608e9a2b89660904dbf |
| SHA512 | bfe177fc187de58b6d113b9b48f6c60796dbc0f32a7417d8d93c6b8700c05a0dc2b133b04795380b0675859f1fcfb00daf9a3c92b60978737aed31ff4e146a5d |
memory/3908-7-0x00007FF709E40000-0x00007FF70A194000-memory.dmp
C:\Windows\System\EesWnFX.exe
| MD5 | 6b7ea87dd02e3d6393c852824ec29c08 |
| SHA1 | 078acb499cb835d58cbfe8ad4edabe6a3ea28c60 |
| SHA256 | 12a2444d6201d935a2c74ca06e3cb4949bc150f0ffda16b623eba80bad1e8f29 |
| SHA512 | 31fe4c43e639fa923a9df046957dad26802ed96f6e0b15bea7fae29b530e0ddf57bcfa2541e9300377cd6753ea09a797309eb6962cb6b79464af1182c309f4fd |
memory/3020-102-0x00007FF6A8D00000-0x00007FF6A9054000-memory.dmp
C:\Windows\System\SimjzMf.exe
| MD5 | 33e24da74fa04c905a72a0658b284ee0 |
| SHA1 | cf74f8008a13378a222db5a57a7723f72a905acd |
| SHA256 | acb4a55039c3522577e5ea09f3d5a397be0950d8571e7083022df337da9d55a4 |
| SHA512 | 9ed43515bf96a908016fb65214f7a9da2319c667164a60d473bf32fe066b7e9b08c679cf448ec29b0c0e2b2f548959cd7c05cbdaac1ba78d56abc1bbc09154ec |
C:\Windows\System\iKKiqxi.exe
| MD5 | c4199dc9f1237147a51f4ad5f0c67662 |
| SHA1 | e6a2305f3dd77fac35c0f313fdecea303f30fdd8 |
| SHA256 | 18ff04c953e9ef6ec169f9f26a1a9d576f74b9f96469dae5313ea9f99f878066 |
| SHA512 | d42ca1239db0d587eab67c4ca01dec8f6c3e603902f59845def31fa9c3960f4134f46fce8258861ac580601b3b2b5be6706761bb61bcf4e117ce5f75929b19d7 |
C:\Windows\System\zFblvxx.exe
| MD5 | 2f444ca8ab4d50be47f03ed4b8ec8b84 |
| SHA1 | b33d30c57f0b8f512548266abfed8c764222dd85 |
| SHA256 | 03d92d0a1951634057bdb10e789bf08706645b9d9a986c3421d97cac4bf96e90 |
| SHA512 | e8e979872cd0adba8171995bcab76be06f84130bafb73221573dffb66098c51971f0973bb10184e65b02804ba6be0d2e93c75989bb2641ddb3e90a371599f214 |
C:\Windows\System\hwRmRWM.exe
| MD5 | 90c3405661f1fac41be6a7e158161d7e |
| SHA1 | fed854b673f0923ecf866f3acb31bdaef314a097 |
| SHA256 | 03929998d05c42ba1061bcbe8e0c466316124fa778527f4997d286ea1a32890c |
| SHA512 | eb744d32a3cebebf2a081c42d936ed8a113a072c47457a5ca9e6dcbb3e4fd75c440402e8deebd57474a2074bb32e91b6a27bbc0fc3448b38ed3d457628594fce |
memory/1304-123-0x00007FF781320000-0x00007FF781674000-memory.dmp
memory/768-114-0x00007FF7E2380000-0x00007FF7E26D4000-memory.dmp
memory/4852-126-0x00007FF644A40000-0x00007FF644D94000-memory.dmp
memory/1428-127-0x00007FF6A2150000-0x00007FF6A24A4000-memory.dmp
memory/1100-128-0x00007FF63A3C0000-0x00007FF63A714000-memory.dmp
memory/3908-129-0x00007FF709E40000-0x00007FF70A194000-memory.dmp
memory/4352-130-0x00007FF666F90000-0x00007FF6672E4000-memory.dmp
memory/1020-131-0x00007FF602540000-0x00007FF602894000-memory.dmp
memory/4124-132-0x00007FF628AF0000-0x00007FF628E44000-memory.dmp
memory/3020-133-0x00007FF6A8D00000-0x00007FF6A9054000-memory.dmp
memory/3908-134-0x00007FF709E40000-0x00007FF70A194000-memory.dmp
memory/4352-135-0x00007FF666F90000-0x00007FF6672E4000-memory.dmp
memory/8-136-0x00007FF62DB40000-0x00007FF62DE94000-memory.dmp
memory/1020-137-0x00007FF602540000-0x00007FF602894000-memory.dmp
memory/464-138-0x00007FF6AB320000-0x00007FF6AB674000-memory.dmp
memory/4124-139-0x00007FF628AF0000-0x00007FF628E44000-memory.dmp
memory/5028-141-0x00007FF770B40000-0x00007FF770E94000-memory.dmp
memory/1932-142-0x00007FF6B5E20000-0x00007FF6B6174000-memory.dmp
memory/4516-140-0x00007FF6AE440000-0x00007FF6AE794000-memory.dmp
memory/2436-144-0x00007FF7113C0000-0x00007FF711714000-memory.dmp
memory/4340-146-0x00007FF707DF0000-0x00007FF708144000-memory.dmp
memory/2644-147-0x00007FF63EEF0000-0x00007FF63F244000-memory.dmp
memory/4600-149-0x00007FF7DBFB0000-0x00007FF7DC304000-memory.dmp
memory/2408-148-0x00007FF636790000-0x00007FF636AE4000-memory.dmp
memory/1180-143-0x00007FF70FA70000-0x00007FF70FDC4000-memory.dmp
memory/2016-145-0x00007FF758690000-0x00007FF7589E4000-memory.dmp
memory/3020-150-0x00007FF6A8D00000-0x00007FF6A9054000-memory.dmp
memory/768-151-0x00007FF7E2380000-0x00007FF7E26D4000-memory.dmp
memory/1304-152-0x00007FF781320000-0x00007FF781674000-memory.dmp
memory/4852-153-0x00007FF644A40000-0x00007FF644D94000-memory.dmp
memory/1428-154-0x00007FF6A2150000-0x00007FF6A24A4000-memory.dmp
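The Processes and Files sections above record a simple, huntable behaviour: the sample writes 21 executables with seven-letter mixed-case names directly into C:\Windows\System and runs each one. The script below is an added example, not part of the sandbox report or of any tool it names. It parses a copy of this page's own Files block into a hash set, generalizes the observed naming scheme into a path rule (that generalization is the example's, the report makes no such claim), and classifies constructed Sysmon-style process-creation records against both. The field names `Image`, `ParentImage` and `Hashes` follow Sysmon Event ID 1; the records themselves, including the name `qwErtYu.exe`, are made up for the demonstration.

```python
"""Hunt for the dropper behaviour recorded in this report.

Added example, not part of the sandbox output: it parses the report's own
Files block (copied below) into a hash set, generalizes the naming pattern of
the 21 dropped executables into a path rule, and runs both over constructed
Sysmon-style process-creation records.
"""
import re

# Constructed sample input: three entries copied from the Files section of this
# page (SHA1/SHA512 rows left out for brevity; the parser accepts them as well),
# plus one memory-dump line to show that non-file lines are skipped.
FILES_SECTION = r"""
C:\Windows\System\dlipMph.exe
| MD5 | 24422bb6dd658b744ab3fa9c9f7ebef7 |
| SHA256 | 4017ff51f353b284b807ca007702a837120cab5e69e6fb8d0d33906ddf76c1b0 |
C:\Windows\System\ZWvVRTE.exe
| MD5 | 7966207413432cad56419f63a330e5e4 |
| SHA256 | a10b6b90a6f3e6067578614cdbd53e93702baccc83f6d626c575a86d50899496 |
memory/1020-30-0x00007FF602540000-0x00007FF602894000-memory.dmp
C:\Windows\System\hwRmRWM.exe
| SHA256 | 03929998d05c42ba1061bcbe8e0c466316124fa778527f4997d286ea1a32890c |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*\.exe$", re.IGNORECASE)
HASH_ROW_RE = re.compile(
    r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.IGNORECASE
)

# The 21 names in the Processes list are all exactly seven ASCII letters placed
# directly in C:\Windows\System (the legacy 16-bit directory, not System32).
# This regex is the example's own generalization of those names; the report
# itself makes no such claim.
DROP_NAME_RE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)


def parse_files_section(text):
    """Map each dropped-file path in a Triage-style Files block to its hashes."""
    iocs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            iocs.setdefault(current, {})
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            iocs[current][m.group(1).upper()] = m.group(2).lower()
    return iocs


def is_drop_pattern(image_path):
    """True when a process image matches the dropper's naming scheme."""
    return DROP_NAME_RE.match(image_path) is not None


def parse_sysmon_hashes(field):
    """Sysmon's Hashes field is 'ALGO=hex,ALGO=hex,...'; normalize to a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_event(event, iocs):
    """Classify one process-creation record.

    'known_bad'       a hash equals a dropped file listed in the report
    'suspicious_path' only the naming pattern matches (e.g. a rebuilt sample)
    None              neither
    """
    known = {h for algos in iocs.values() for h in algos.values()}
    if any(h in known for h in parse_sysmon_hashes(event.get("Hashes", "")).values()):
        return "known_bad"
    if is_drop_pattern(event.get("Image", "")):
        return "suspicious_path"
    return None


# Constructed Sysmon Event ID 1 records carrying only the fields the hunt reads.
SAMPLE_EVENTS = [
    {   # first dropped file from this report, hash as Sysmon would log it
        "Image": r"C:\Windows\System\dlipMph.exe",
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
        "Hashes": "SHA256=4017FF51F353B284B807CA007702A837120CAB5E69E6FB8D0D33906DDF76C1B0",
    },
    {   # invented name following the same scheme, hash not in the report
        "Image": r"C:\Windows\System\qwErtYu.exe",
        "ParentImage": r"C:\Windows\System\ZWvVRTE.exe",
        "Hashes": "SHA256=" + "00" * 32,
    },
    {   # ordinary System32 process, should not be flagged
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Hashes": "SHA256=" + "11" * 32,
    },
]


def run_hunt(events=SAMPLE_EVENTS, files_text=FILES_SECTION):
    """Return [(image, verdict), ...] for the given records."""
    iocs = parse_files_section(files_text)
    return [(e["Image"], triage_event(e, iocs)) for e in events]


if __name__ == "__main__":
    for image, verdict in run_hunt():
        print(f"{verdict or 'clean':<16}{image}")
```

The hash match is the high-confidence signal and applies only to this build; the path rule is what survives a recompile, and since C:\Windows\System normally hosts no running executables on a 64-bit installation, a seven-letter .exe launching from there is worth an alert even before the hash is known. The SeLockMemoryPrivilege request in the token table above is consistent with the XMRig verdict in the summary (the miner asks for that privilege to back its working set with large pages), so a hit from either rule together with that privilege adjustment should be treated as mining activity rather than a one-off dropper.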