Analysis Overview
SHA256
82c6dd4c32d0e936aa89f3f240c5141265e5d2e0e75a355cfdb7c5594fd8b38a
Threat Level: Known bad
The file 2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 17:00
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 17:00
Reported
2024-06-01 17:03
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\alfVlgf.exe | N/A |
| N/A | N/A | C:\Windows\System\LaDxKGI.exe | N/A |
| N/A | N/A | C:\Windows\System\DtdJZAz.exe | N/A |
| N/A | N/A | C:\Windows\System\pSPWmfg.exe | N/A |
| N/A | N/A | C:\Windows\System\HHFIthS.exe | N/A |
| N/A | N/A | C:\Windows\System\zZFwBvC.exe | N/A |
| N/A | N/A | C:\Windows\System\LwBAFAK.exe | N/A |
| N/A | N/A | C:\Windows\System\ShMqxFw.exe | N/A |
| N/A | N/A | C:\Windows\System\UdNbfBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EYGXiwo.exe | N/A |
| N/A | N/A | C:\Windows\System\PkYQrgM.exe | N/A |
| N/A | N/A | C:\Windows\System\WHzZpFo.exe | N/A |
| N/A | N/A | C:\Windows\System\tUpIRpk.exe | N/A |
| N/A | N/A | C:\Windows\System\EFtfWEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\wCZPbqh.exe | N/A |
| N/A | N/A | C:\Windows\System\HGVBGdt.exe | N/A |
| N/A | N/A | C:\Windows\System\TeMtdZR.exe | N/A |
| N/A | N/A | C:\Windows\System\piirGlS.exe | N/A |
| N/A | N/A | C:\Windows\System\qIqilzo.exe | N/A |
| N/A | N/A | C:\Windows\System\eUeQkPf.exe | N/A |
| N/A | N/A | C:\Windows\System\uLHyjjG.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\alfVlgf.exe
C:\Windows\System\alfVlgf.exe
C:\Windows\System\LaDxKGI.exe
C:\Windows\System\LaDxKGI.exe
C:\Windows\System\DtdJZAz.exe
C:\Windows\System\DtdJZAz.exe
C:\Windows\System\pSPWmfg.exe
C:\Windows\System\pSPWmfg.exe
C:\Windows\System\HHFIthS.exe
C:\Windows\System\HHFIthS.exe
C:\Windows\System\zZFwBvC.exe
C:\Windows\System\zZFwBvC.exe
C:\Windows\System\LwBAFAK.exe
C:\Windows\System\LwBAFAK.exe
C:\Windows\System\ShMqxFw.exe
C:\Windows\System\ShMqxFw.exe
C:\Windows\System\PkYQrgM.exe
C:\Windows\System\PkYQrgM.exe
C:\Windows\System\UdNbfBZ.exe
C:\Windows\System\UdNbfBZ.exe
C:\Windows\System\WHzZpFo.exe
C:\Windows\System\WHzZpFo.exe
C:\Windows\System\EYGXiwo.exe
C:\Windows\System\EYGXiwo.exe
C:\Windows\System\tUpIRpk.exe
C:\Windows\System\tUpIRpk.exe
C:\Windows\System\EFtfWEZ.exe
C:\Windows\System\EFtfWEZ.exe
C:\Windows\System\TeMtdZR.exe
C:\Windows\System\TeMtdZR.exe
C:\Windows\System\wCZPbqh.exe
C:\Windows\System\wCZPbqh.exe
C:\Windows\System\piirGlS.exe
C:\Windows\System\piirGlS.exe
C:\Windows\System\HGVBGdt.exe
C:\Windows\System\HGVBGdt.exe
C:\Windows\System\qIqilzo.exe
C:\Windows\System\qIqilzo.exe
C:\Windows\System\eUeQkPf.exe
C:\Windows\System\eUeQkPf.exe
C:\Windows\System\uLHyjjG.exe
C:\Windows\System\uLHyjjG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\alfVlgf.exe
| MD5 | 9caf15c6abb5607c67e968042e4de57a |
| SHA1 | 420208aca7226be0e60966ff3200bccf336fde2a |
| SHA256 | ec801c38bfb9584037a77e543f9acbaee1ca2bc8869164beb6ec6cd1a845339f |
| SHA512 | a9531f35d4c2f2dca20b9ad8cb47b808cdf739d48bd9bb6387b21ca9805217859c9d24884014bed588cc63fe2b215297e9765537c3b5fb4b755cf8dd7c2feac5 |
\Windows\system\LaDxKGI.exe
| MD5 | 91ad6128ce7a032dd148054bb05dcd8b |
| SHA1 | 00e17590f285bf17361e09c4c836b300110873f5 |
| SHA256 | 8b9a7687a9df2276e0534174df8e26d82083a9624e4a259087fbf99bb0d5c0c5 |
| SHA512 | 578e4353c696059e60b7074152e7f864c1ca53f51c7789a7ba5253da39fecf7f0f6d2b8719f42553ab26d31d9991a12876906dde0e6be1427d880b54c559a5e5 |
C:\Windows\system\DtdJZAz.exe
| MD5 | e71fb788bf217e742787ffc17b55766c |
| SHA1 | 13e54e6ade15b7d70a08cea159c1676b00935b26 |
| SHA256 | 5c9963c8fb058aaf5f3a567ccc220b3f67c095b9e7f1693cdca1c85fe63a426e |
| SHA512 | 7c8a1852891c712e627dec42b05cfdd568ff39013331155727846162445372d95f7ca90c134c29b590a39f6c799a791b46854f6bd5c0f34ed2150abd783b458f |
C:\Windows\system\pSPWmfg.exe
| MD5 | 34640353e4705db8ed0413a4238353fa |
| SHA1 | afd0da373eefc6b9b9f275ab9a757c2ecace69be |
| SHA256 | 234ed108d9ae5efd84e389042c80eb34d6fcf522e0568212d5cd41a562d1a0cd |
| SHA512 | dae108389be16e9483960cb2cd65eedbdccafb2c30e3fbe6e898d9b3408b72dfca29f226a825da3f918e294421bf5398d2360055d250dffc731cf972ae4da5eb |
C:\Windows\system\HHFIthS.exe
| MD5 | 5edd73faad9e584ca4455de8a98cc240 |
| SHA1 | febe7e334aab35dfbce85fb7d01e09d152e54f25 |
| SHA256 | bc3f4e02930156dd7ca05fc923f8982f5d82efe267521d067b7c07168eb488c6 |
| SHA512 | b3cdf898d663389b938e964c46939e074bc6d8873502fd299f720e5aeac54f75221a30e68a03a1818490b909cf7c8f3e1fc9f41846f3cb588609a93de6770341 |
C:\Windows\system\zZFwBvC.exe
| MD5 | f1952a12fa3652f352f9aea1ed059a99 |
| SHA1 | 5fbe36115c83e9c6811bacfddafe0066867823a0 |
| SHA256 | 35890335eac5e827f2cc377912d66307e520692123572a780bc832c281038221 |
| SHA512 | c7f3228c9641dbb54b9de2246c227d79e3f81527ea313a49ea321cf242a9edce0f7655ab082b4e0633fcd379f5b33f232ba783edf2fed831789e72306b86bcd5 |
\Windows\system\EYGXiwo.exe
| MD5 | 72e2cf916e5b973ed57b21ef99afc5ee |
| SHA1 | 0a7e008f17942246e6cf9543484cc0be66be028c |
| SHA256 | 8a6b0ebb9ad9978301b5930b6aac302876ce2a11c7bf30a5e4832433581300d7 |
| SHA512 | a44f00451e410e5472cf3f7fb7dbc9a9ce26c4bf65a7f0ee8e3c2492de3372a857dce707da5613ee706a7faf4e947ec66c23d619ee99f9110a7348cad3287185 |
\Windows\system\PkYQrgM.exe
| MD5 | 117eb48c4e8cd859ec69b79c38dfb25f |
| SHA1 | e6c6c3e5832a024f90d093919e1df793c0c96f50 |
| SHA256 | 4835d7704fecade5685d8a8866ceab9ae3d6e26cc4adb72cac0fd94a37bb7ee4 |
| SHA512 | 4e344444784526d1e06da3560419d9aa4be2d03d2203053b0f57fad6939d1bab33c7bd880965b04044a70e87d88b08f86722afcbb6b07741c9e2594fd7351d82 |
C:\Windows\system\WHzZpFo.exe
| MD5 | 5dd6992a282f58ee31c3b48db1164050 |
| SHA1 | 132ef8b53d80433f367b92103eab4bac00da6dca |
| SHA256 | 3a5cee525c763bca6372c78d37f97acf461444a265a739e2570f4a716fbb1301 |
| SHA512 | 52f45b7e1a7359fa2be7c01e3432ead298fefb7956afe79c1a9f02c34076f549c452703dbf8c8a8bf18632a93c70e4c38aa0a032a357161c17b0da91447324d6 |
\Windows\system\tUpIRpk.exe
| MD5 | 7ee430cd3f5ddb0e2d4203bc40d5f390 |
| SHA1 | 140b54cf31115e0b41ab0bcd8ab33ccbca2b0882 |
| SHA256 | e928ef073747e003e00c03aa79a1ad0e315060a64ab3e823d36844a4b21c0cf8 |
| SHA512 | d0283f76fc5443c5a93e33edf1fe3f2b1cf0f6306411765760b34f9d8363696d9db0478bab95ef07d7434af42a00190e861d06387d0e34f23c0bfd745c61dd1d |
C:\Windows\system\UdNbfBZ.exe
| MD5 | 3a7f7f7ad5daa3eae5d17a15b721ffc4 |
| SHA1 | c6ff5cd8685c9d93b8d6e6b91a5371d296ba9a1c |
| SHA256 | 101ade6863e0d7881194835cc14b012940af2f79062c9db8ce016cf55bccb1df |
| SHA512 | 32b44895db25fc4223e7c9b15f192d880820b656240fa3bfe690c76b8783760646d49b1b48ea9170073a68dcb06f64e2dcbca4e784ca297bd2488e658c233347 |
C:\Windows\system\ShMqxFw.exe
| MD5 | a4caef9742faf53c3f0219fdd9cffea6 |
| SHA1 | 88959bee3031fed2dcdd29780de26596886bd616 |
| SHA256 | 49f6f653ada1e8efd9669092716abac839bf1da205623edda17123f4dad606d1 |
| SHA512 | 45790335b64e569e6e6c9104d9c9782c6c4583a293ab39394ff49a2a0849cfccebc7a1b6fff58d27a249c21feb039db91753098e125989a1ecad68bc0808dffd |
C:\Windows\system\LwBAFAK.exe
| MD5 | a2997af4ec160d652b54eea4826b811d |
| SHA1 | fb7c6b7eb1264cffea79d8ae1c8f4d92c34a58f5 |
| SHA256 | ee1df58262d6ba02b03f2389b12094a1ea3f393014ee625df74daad9d2b12dce |
| SHA512 | af5950c5a7f08f0d22be5d0c7f576515a0a974d3ce9ce36f7129d33e86b2012eab1b492792716ddee12b8fd6a22e434d1596b4b46b27884614d8715f70bfda47 |
\Windows\system\EFtfWEZ.exe
| MD5 | 3f7389c31d645cad7a2225eefe00d3ec |
| SHA1 | a833a5614c6e3c6f3fa52fe860d9fd5221df4400 |
| SHA256 | 9fba8477921d68eca03a45db988caf47811b512b9caf80635a16ba75a45b589e |
| SHA512 | 20aed2683309a98fd4502170030da2fbe3604f64d4c41ea16ddee2f5bf3ec42ddd092ed304317a6eb975ef5d05d485895b7dc7c2643c2a8044098eabfe4ce0af |
C:\Windows\system\wCZPbqh.exe
| MD5 | bda5acd4dcaf0620fd0587397143bb4c |
| SHA1 | eede1fd890b6c52a3e8283a9c25ad0473aeb4089 |
| SHA256 | f9ac310aa90554261f26187baf060ceac1925f56353728736b17332e7adee826 |
| SHA512 | bcde4ba922d4bdf74ece74534c557a16e1cdff94614b1671424e8b5d2ce944e265f12c7b0eda554a00fbcbf9869f9d0ce0861da948c7e311ced484e0b25d3318 |
C:\Windows\system\HGVBGdt.exe
| MD5 | 76c952198aebc9085907eb02c3a28413 |
| SHA1 | 430725c7fb43404162460a17d232c2ee819ec1ff |
| SHA256 | 44599f954d1628efd51a25fc73f6e3259ac9fc131f4b3327664ab78e0bac1cc7 |
| SHA512 | cf7a1f80457b411d9803c6cd914d07b9ffcc737a1b2327f65edb84c660be4bd8d07bb04058b3060f90145df6c48ac3ffafe0aba9aaa21626a7ba820b2167ef72 |
C:\Windows\system\piirGlS.exe
| MD5 | 206f4ea4ab5be0650f92017590ace671 |
| SHA1 | 26a439f4091add5cdddf3512d89a2dd7320e244d |
| SHA256 | 6c6ab46d37e8c6478037a83b779b05368a8a9f1d908925f7b196f115af3e988f |
| SHA512 | f31257abcb53ceaa8c58bc2ec1853b3269ec42422b220949ed462cf1acee93c6cc2cd131bf0d193469f9ce73c5d11caea5f97ad895347f0d7f14ff168b5cfc28 |
C:\Windows\system\TeMtdZR.exe
| MD5 | 3e8c1de7e599a79a43635f13b18e47a4 |
| SHA1 | b02fe89b913b82310e2d82458c475817e54caf19 |
| SHA256 | 254d0ef2f18dd38e19c556fe679aa91eef629ecbd6c6a1898103e8c711ba7e5a |
| SHA512 | 9ec424d87686e36cf1728dd07bce5498214338afef947cb3f1a2b4348c6f2d80404290813171644c49784c397e55a3215c06234a9e1a74df98e6bd968f1787bb |
\Windows\system\qIqilzo.exe
| MD5 | 59efc480e3b97cb54d713299fa1c022a |
| SHA1 | 16285918db64c2a5831c1d31b50edf54736eeca0 |
| SHA256 | 946454e635154aaed6a40c384f6ab89df50e553d7c5d100f9051d9f476b9ab0c |
| SHA512 | 15cc68119a4ea81113e4b09300760c0c0c7364744c04ca79998362e33e56e20ca8dc45499ab2929dfd72bc8f0ad4f0f6a5c4e6366911c28424afb239bec58799 |
C:\Windows\system\eUeQkPf.exe
| MD5 | 25b17634372d3a7bccf7a7ef50d08391 |
| SHA1 | 42f80c4a3e7e098cdab26bd9b816775bc86c07e7 |
| SHA256 | 6933102220b5817282589e2fbf71bff62ce89b853b5e34bc647feb45357b1511 |
| SHA512 | 627512e9e5255c5ae4c379a939d3b7a082baa9cc75f52238783779467ef0cb49e2b1778b286fcde74692fee4972b13a28f0cab2418fe120debbff85fd34db3a9 |
\Windows\system\uLHyjjG.exe
| MD5 | 250e82e58e0071599aa59b1fd528b3f2 |
| SHA1 | 37bb0a5319ebe60f8755706ff82c97720c2d7210 |
| SHA256 | 7cf0c8064dd3d0d463887a0e782e632cda809eee8caf108b38e06509b0dfd172 |
| SHA512 | 902cfa36606dbaf108fe830c7027aeb391f31748b5ec15d628d433e04a8bf68053781d19b0cb483e5d6c7b93a137be49aaa37ce33372a8c892fcdc17e300fce5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 17:00
Reported
2024-06-01 17:03
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gxbfOhI.exe | N/A |
| N/A | N/A | C:\Windows\System\ssqxOQm.exe | N/A |
| N/A | N/A | C:\Windows\System\NdoTHVF.exe | N/A |
| N/A | N/A | C:\Windows\System\ySezUjD.exe | N/A |
| N/A | N/A | C:\Windows\System\nRryjoI.exe | N/A |
| N/A | N/A | C:\Windows\System\DAOYlKi.exe | N/A |
| N/A | N/A | C:\Windows\System\eKwNpXV.exe | N/A |
| N/A | N/A | C:\Windows\System\DvqizSu.exe | N/A |
| N/A | N/A | C:\Windows\System\LFQCMYI.exe | N/A |
| N/A | N/A | C:\Windows\System\AfnApKf.exe | N/A |
| N/A | N/A | C:\Windows\System\XnLWXne.exe | N/A |
| N/A | N/A | C:\Windows\System\EYpEtMN.exe | N/A |
| N/A | N/A | C:\Windows\System\GkWfNIQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JQEpiPC.exe | N/A |
| N/A | N/A | C:\Windows\System\RiiobCd.exe | N/A |
| N/A | N/A | C:\Windows\System\PFCXqAe.exe | N/A |
| N/A | N/A | C:\Windows\System\XruJGcl.exe | N/A |
| N/A | N/A | C:\Windows\System\CyXIXbE.exe | N/A |
| N/A | N/A | C:\Windows\System\VPiHake.exe | N/A |
| N/A | N/A | C:\Windows\System\BxuXVQp.exe | N/A |
| N/A | N/A | C:\Windows\System\JyWkzFw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_95aaf01ef3b1fe0c5ad6e4b6cd67edd3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gxbfOhI.exe
C:\Windows\System\gxbfOhI.exe
C:\Windows\System\ssqxOQm.exe
C:\Windows\System\ssqxOQm.exe
C:\Windows\System\NdoTHVF.exe
C:\Windows\System\NdoTHVF.exe
C:\Windows\System\ySezUjD.exe
C:\Windows\System\ySezUjD.exe
C:\Windows\System\nRryjoI.exe
C:\Windows\System\nRryjoI.exe
C:\Windows\System\DAOYlKi.exe
C:\Windows\System\DAOYlKi.exe
C:\Windows\System\eKwNpXV.exe
C:\Windows\System\eKwNpXV.exe
C:\Windows\System\DvqizSu.exe
C:\Windows\System\DvqizSu.exe
C:\Windows\System\LFQCMYI.exe
C:\Windows\System\LFQCMYI.exe
C:\Windows\System\AfnApKf.exe
C:\Windows\System\AfnApKf.exe
C:\Windows\System\XnLWXne.exe
C:\Windows\System\XnLWXne.exe
C:\Windows\System\EYpEtMN.exe
C:\Windows\System\EYpEtMN.exe
C:\Windows\System\GkWfNIQ.exe
C:\Windows\System\GkWfNIQ.exe
C:\Windows\System\JQEpiPC.exe
C:\Windows\System\JQEpiPC.exe
C:\Windows\System\RiiobCd.exe
C:\Windows\System\RiiobCd.exe
C:\Windows\System\PFCXqAe.exe
C:\Windows\System\PFCXqAe.exe
C:\Windows\System\XruJGcl.exe
C:\Windows\System\XruJGcl.exe
C:\Windows\System\CyXIXbE.exe
C:\Windows\System\CyXIXbE.exe
C:\Windows\System\VPiHake.exe
C:\Windows\System\VPiHake.exe
C:\Windows\System\BxuXVQp.exe
C:\Windows\System\BxuXVQp.exe
C:\Windows\System\JyWkzFw.exe
C:\Windows\System\JyWkzFw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files