Analysis Overview
SHA256
50c482eb8c8ec835a252cabc66a32e1e7e21450e8be87088d6c16a8c93a033d1
Threat Level: Known bad
The file 2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 16:25
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 16:25
Reported
2024-06-09 16:28
Platform
win7-20240221-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TVVkuZG.exe | N/A |
| N/A | N/A | C:\Windows\System\xWIddhv.exe | N/A |
| N/A | N/A | C:\Windows\System\QLCWpbM.exe | N/A |
| N/A | N/A | C:\Windows\System\KtHTgMa.exe | N/A |
| N/A | N/A | C:\Windows\System\PWLYtrI.exe | N/A |
| N/A | N/A | C:\Windows\System\BMQOGtb.exe | N/A |
| N/A | N/A | C:\Windows\System\aPgQeBR.exe | N/A |
| N/A | N/A | C:\Windows\System\wHnCrmt.exe | N/A |
| N/A | N/A | C:\Windows\System\CHXKUmM.exe | N/A |
| N/A | N/A | C:\Windows\System\OvTRkqO.exe | N/A |
| N/A | N/A | C:\Windows\System\eJgYiNB.exe | N/A |
| N/A | N/A | C:\Windows\System\rPVrzpw.exe | N/A |
| N/A | N/A | C:\Windows\System\rhooWSj.exe | N/A |
| N/A | N/A | C:\Windows\System\UHncPDO.exe | N/A |
| N/A | N/A | C:\Windows\System\HJgJCdS.exe | N/A |
| N/A | N/A | C:\Windows\System\wrKDSEv.exe | N/A |
| N/A | N/A | C:\Windows\System\cfHqfOK.exe | N/A |
| N/A | N/A | C:\Windows\System\pmYHerU.exe | N/A |
| N/A | N/A | C:\Windows\System\stXfQbW.exe | N/A |
| N/A | N/A | C:\Windows\System\csPrnRv.exe | N/A |
| N/A | N/A | C:\Windows\System\WdZPgLu.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TVVkuZG.exe
C:\Windows\System\TVVkuZG.exe
C:\Windows\System\xWIddhv.exe
C:\Windows\System\xWIddhv.exe
C:\Windows\System\QLCWpbM.exe
C:\Windows\System\QLCWpbM.exe
C:\Windows\System\KtHTgMa.exe
C:\Windows\System\KtHTgMa.exe
C:\Windows\System\PWLYtrI.exe
C:\Windows\System\PWLYtrI.exe
C:\Windows\System\BMQOGtb.exe
C:\Windows\System\BMQOGtb.exe
C:\Windows\System\aPgQeBR.exe
C:\Windows\System\aPgQeBR.exe
C:\Windows\System\wHnCrmt.exe
C:\Windows\System\wHnCrmt.exe
C:\Windows\System\OvTRkqO.exe
C:\Windows\System\OvTRkqO.exe
C:\Windows\System\CHXKUmM.exe
C:\Windows\System\CHXKUmM.exe
C:\Windows\System\eJgYiNB.exe
C:\Windows\System\eJgYiNB.exe
C:\Windows\System\rPVrzpw.exe
C:\Windows\System\rPVrzpw.exe
C:\Windows\System\UHncPDO.exe
C:\Windows\System\UHncPDO.exe
C:\Windows\System\rhooWSj.exe
C:\Windows\System\rhooWSj.exe
C:\Windows\System\HJgJCdS.exe
C:\Windows\System\HJgJCdS.exe
C:\Windows\System\wrKDSEv.exe
C:\Windows\System\wrKDSEv.exe
C:\Windows\System\cfHqfOK.exe
C:\Windows\System\cfHqfOK.exe
C:\Windows\System\pmYHerU.exe
C:\Windows\System\pmYHerU.exe
C:\Windows\System\stXfQbW.exe
C:\Windows\System\stXfQbW.exe
C:\Windows\System\csPrnRv.exe
C:\Windows\System\csPrnRv.exe
C:\Windows\System\WdZPgLu.exe
C:\Windows\System\WdZPgLu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1920-0-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1920-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\TVVkuZG.exe
| MD5 | ee3645ea2fbadc8592f5a33ea3f21c74 |
| SHA1 | 8dfeb53a4d3a9a3fcadbbf14a2aba3a825d5f825 |
| SHA256 | 302cb1415313bcad11b49aca0eec63d187ab87c3f268bf359c07d2c05b975e9f |
| SHA512 | b8452cf078c9ed11cf0adbaf553c0bdb8c0454cfa9ca20967e5adac9ae791492bd14bfba9c487a8802340bcdd082c4225596e2663edc7f6314d8023be44a601a |
memory/2632-8-0x000000013FAC0000-0x000000013FE14000-memory.dmp
\Windows\system\xWIddhv.exe
| MD5 | a06e97fbc136838d39fe3bec045bcb89 |
| SHA1 | 0c80a8c38cc79bb48d2069efabac7c3317788538 |
| SHA256 | 24a8fb66a7ac6b16bb4b265e77082a15cf2854a356019596c61d18c7a5656f56 |
| SHA512 | 4d5dc9efb4b313dc53e89655c0ad9eb81f9d461cbef68f1633be665348ab64b60a8532d42a9dac4e81d10bb796df2045fe21981adf1c4f9707d94850082996d8 |
memory/1920-12-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\QLCWpbM.exe
| MD5 | 8cd5aefb413ce8ff1cf6cb75fe6871ad |
| SHA1 | f35658535d8d3f1c2b3a9c593004a17d092f9cad |
| SHA256 | e424fcb3139f88a68591988bb70b1f7873efda97d3876baccc0ba636687b1c0c |
| SHA512 | 524ef3710bff14b8360c7454b2938f91c12ee4bf02702a3ac8213330e3080bd467ef2aa01dfe9fb7060246b84825a596f76fe08651365839a66cbe120ed8e07d |
\Windows\system\KtHTgMa.exe
| MD5 | 600af8de23e448e23beed8e7b28e4f5a |
| SHA1 | 699e39acd3642c82211048ed200b364d18092451 |
| SHA256 | ccd6f0ff0413f839140c2b329e3bbab429a8fc0ff6ea7a644243e2b619813436 |
| SHA512 | b55ebdde2a1526676681bb85137338eeb642f69a571ae2de8904a072498edf83d03af8811410abb67099ca2fa4559525af88c4f3d3a6d86231fe7f038c578551 |
memory/2556-26-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2712-27-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/3024-15-0x000000013F540000-0x000000013F894000-memory.dmp
\Windows\system\BMQOGtb.exe
| MD5 | 586f65445160a0cb8d9ed8433b218a4d |
| SHA1 | 2f96689c3b8030cecb35105688f4ce6104bffb07 |
| SHA256 | 544fe9970956e55be0dad96ba100bd6cd5c7c5e5c3a5769a74076d1e038b588c |
| SHA512 | 4ba417bdc3e8ab42e2fb2516471152f91d8c6e8ff070e12ab354786a8a10e3ec87f4ba81a04da38fc4ad6b20062ef638f5e4cc332643cd53dc45b822244d4878 |
memory/2576-33-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2512-38-0x000000013FAE0000-0x000000013FE34000-memory.dmp
C:\Windows\system\PWLYtrI.exe
| MD5 | e0fd3afa2be58df3c59a55597c753c85 |
| SHA1 | b222320a8cd053400fd41d0284a4b3ee3bde5ed3 |
| SHA256 | a45cb5ce61abc4022fdff784ec1da96ccf709114c986fde8f71fd852ed6caf0f |
| SHA512 | 496374e0570e6b8e0b96c5c880b2b0654aa15acd8c4b27c8728b981bd12a0d81f04fb092da4190cfa731c3684bec1c66c1d2445b4e6a4f3a3664a389dca4f39c |
memory/1920-41-0x000000013FFC0000-0x0000000140314000-memory.dmp
\Windows\system\aPgQeBR.exe
| MD5 | 2e3404349867ab72a58d8d00ec81b9f2 |
| SHA1 | c3951041617d4015c0257ab6cc7768f4431264a4 |
| SHA256 | 6b6dc756d0e610045626a3ad3b5df745678253c760766a51474ecca88335f2bd |
| SHA512 | 7656aaef87baf48d7cbc6a38ac7c38681824626a2d5dcf645a1cd99db1938c07c78a0ef5e8805ded30f10b6acb08c0447891ede5645193ba69d06cd480c7d637 |
memory/1920-29-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2632-37-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/3024-42-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\wHnCrmt.exe
| MD5 | 0f16933097b5f352831d359fe0897524 |
| SHA1 | 20d8c4e7144806b7478e534ef2d31fba870275f3 |
| SHA256 | f85237aec8f23d1cf58357ba85201bf2c89a32de31a86d87c22e5fafc0b785c1 |
| SHA512 | 26e89fb719b03fedbc097cc8fa070c097d9026e7ee3578348acdfd664f25cbebe118d02c2e241ab37cd88790f7661023867fd60fca1852ab2e604f025a6291ea |
memory/2372-54-0x000000013FFC0000-0x0000000140314000-memory.dmp
\Windows\system\CHXKUmM.exe
| MD5 | d76f3faf242e2cd3bcd0d3a0ec82ed78 |
| SHA1 | 129d36b955ed65dc65a93d241d4d9de37ba0cba5 |
| SHA256 | c96a9001a800d84470199e2fda6e83d5a9f10749f1e09df2954434c2ebee7ecb |
| SHA512 | 603073a9006b3dc00512d5399efd2e452a0f2bcaf32d7c0b3c563607106d6347cb165325b41e612d2c632f4263e188f8ff3babee7b48e57c9c30f76a65349d04 |
memory/1920-60-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/1920-61-0x000000013F530000-0x000000013F884000-memory.dmp
memory/1920-65-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2060-66-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2576-67-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2368-70-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2464-57-0x000000013FF60000-0x00000001402B4000-memory.dmp
\Windows\system\OvTRkqO.exe
| MD5 | d97dbdd8779ab999e33ecb2a106e80a2 |
| SHA1 | 6c68e490ccd36d25a2760c715df9cfa6054c766a |
| SHA256 | 2bca3eb3a55aec744ebf2d8f42e496549dda9e15d46a787999253abc1c87cb53 |
| SHA512 | 44fee7cc9832ae732e3dbf32114c8fbf54d3c34043c01bb9b7bf7f4250b3b088b5ce0211f6ea1ec31041316c0ee2ea8fd7dbfae1c5c1ef8f436d133a606009e3 |
memory/2512-72-0x000000013FAE0000-0x000000013FE34000-memory.dmp
\Windows\system\eJgYiNB.exe
| MD5 | 5c5a14864b9d4b46206609cfd2728527 |
| SHA1 | 603ab2d8298f1281f671d07fe63b48cc1b4c8ed1 |
| SHA256 | 6c4a128d50c84dde5224dc04dd9ee3d8cec8abc76ceb4b2d97a5f49eaebbd2c5 |
| SHA512 | 176111c9ef4f79c44a7be7b68e39673578c9ad69e3ad27671ef4fa02a0230e0826dddf0b8a7cfd2b315fc2b871d862401cb4c0bcab297ceac731cb078d6ed91b |
\Windows\system\rPVrzpw.exe
| MD5 | b0753df69c48ed39e508932d09baf40a |
| SHA1 | bb4c53e25cc4034dd8a68692ff1b23cd39d597da |
| SHA256 | d2b0c0c8c1c3f5cb3b08c0085d4fb3a22ea3ecbf3a7c8ec881d1fc8e45631511 |
| SHA512 | 7c1ee4ef8a08e71e35d200c7db64fe277234a1aa9212171d24967d09277fbeca566edc7b293bfafe49a6f9e5779f6ac8af7cde67254178fadc2217abf0a4a1d9 |
memory/1920-82-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\rhooWSj.exe
| MD5 | 2fd6f0f3afb8d9009ececa840516abc4 |
| SHA1 | 40b8a6cf13e7081a1b938b84b7d844fd88502e52 |
| SHA256 | 3cc1e28bdc0f2c1071a090d5f8fdd51b32f0b6fde4fbed51592025393c033469 |
| SHA512 | c9b00141bfbb18e58338b699662aa4592466c6ae831836665c91ccecb1a5da28f97de87938f61ed008c7becf815fb0a274192054ea24ceb9c9442958ad384b1d |
memory/1920-76-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/1920-95-0x000000013F1B0000-0x000000013F504000-memory.dmp
\Windows\system\HJgJCdS.exe
| MD5 | 23423b972960c58941086f19d0107472 |
| SHA1 | 9e5cd88f1c41a1a1be42e8934902b9522848f4db |
| SHA256 | ff1f715684f478eae4d996f9b31bd6b85e555a59b33ac35e3535fbf7b1d49bce |
| SHA512 | f88f42751abd2deff4f4d9fce5e411135872ac1b9e732f108e59f24d04a0dbbab7afaa727decca127a97890d8c3ca6e6f535fb7dc48384191d450c2b1caba2cc |
memory/2020-103-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1920-102-0x000000013FF60000-0x00000001402B4000-memory.dmp
C:\Windows\system\UHncPDO.exe
| MD5 | 26c572002fe4c0fd41013f2699a484b3 |
| SHA1 | dc0ea8211e1480200f64aefca53acc6804528269 |
| SHA256 | b627d6ea67f87488879f456dce35c0b3e52aa4cbb5fd32df77848c4e0dd325d4 |
| SHA512 | 520cafe4a05365de3cb650a9cc62eafade26828506e1b2acd77dfb1a292b82c795c749ff35b664aa50b0ce297817a3be7b6273674c7a3bdb0f772d318e7d69fb |
memory/832-99-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1920-98-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2328-97-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/1920-96-0x000000013F100000-0x000000013F454000-memory.dmp
\Windows\system\cfHqfOK.exe
| MD5 | ba250b39501d248d7a192786cc12092b |
| SHA1 | 60b7ea9e964b8be636a9c6487fcdbc2340c95932 |
| SHA256 | 1ae7c533e6ba583a2f420cb0cb2b2c70903840ea573097eb076ae7a4b66ec15d |
| SHA512 | 07777c901392d877f718c5a40929e6c372aee31f98299defe596c838cc93c8551bf0d705985d69d642bd6dccffaa4e99ec106ccd8e16e2711b0f386d85249bf3 |
\Windows\system\WdZPgLu.exe
| MD5 | 5fb234d2e7c4507e7f5693d783f73c62 |
| SHA1 | eebc16cb5e1cfe13ee0507c1cd019baa9b37ada6 |
| SHA256 | b7d4a45a5e3ad4c997da9fddb52d2e3a81cbd44a2eb651d6d4b86aaeeb4333ac |
| SHA512 | 32aca68220987e60fd3b8ff0200a7815a24d7930cd9e979660e408c14be2f42d7d51adba797e29c2a559a0f12b65ea5a3ff05b65e16bcd69c3f68f7c84eb82ba |
C:\Windows\system\stXfQbW.exe
| MD5 | 5824fc09be8c1efe981db6e1d99d7954 |
| SHA1 | 3bc4e6b10c32bde9b54008589e81635435918886 |
| SHA256 | 8e1b88375b9e239e83e01263eb7ad093efa2cca130608745fbf7ed6544126baa |
| SHA512 | 8e933a973dd87873fcc3075d42dfb0d83b2d6ac751afa430d51f10c1bf973356317ddd0445fa9c0218be7b9ac0a2b56cc244a3841ca90143b227817244d111a0 |
C:\Windows\system\csPrnRv.exe
| MD5 | dd1858fee6c441ed735f7f7cb2415bd0 |
| SHA1 | bbedec33e603087ea0e0871f6a8c1f9cdb703b40 |
| SHA256 | 19a24adf93f8866dcac48f13db11f5aa6c018c2388f371fe47a03be91fe0a57a |
| SHA512 | e8d7e480f0e0b44a9625a0effd182cd5e091243b84168de8aad189af4446e74c85746c592907106305e8c682e2d16a9264f8e7090c22c39449082bdf2642aafb |
C:\Windows\system\pmYHerU.exe
| MD5 | a7358e72b61cad0ad39a400310a9f119 |
| SHA1 | 37859077fe043b6c6ae2c1840bb0a6d3eabbe8dd |
| SHA256 | b04a3adcddd8c74fba65e3714a343516a2ec9e08cb69cb752a6318673158dc47 |
| SHA512 | ae870d05b314f7320826dc9d9f422a47834dc93138c5f30a28764fc0cc54a0d1054b9f6a3c67dfa9719c1d0b716356f80fa6ea5e5a14672ea578a4a0cf6d74b5 |
C:\Windows\system\wrKDSEv.exe
| MD5 | 0ace70819d694b080ca106d6765eca1b |
| SHA1 | d21c6645af5e4b6427604329b5b3018752dfd653 |
| SHA256 | 50faeb1187b1306289498270c0863929b989232213ae1060124ceb18260b9f19 |
| SHA512 | 63bb1e8c10ee1ecf938ef5de4d14608e37f85343755e360c98ab88fe422c8d7df4ae9be98e2c7dfece5bdcf015c3e18118ab9461ae34b301a3d073fbcd4bf820 |
memory/856-88-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1920-137-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2060-138-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1920-139-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1920-140-0x000000013F100000-0x000000013F454000-memory.dmp
memory/832-141-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2020-142-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2632-143-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/3024-144-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2556-145-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2712-146-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2512-147-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2464-148-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2372-149-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2368-151-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2576-150-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2060-152-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/856-153-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2328-154-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/832-155-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2020-156-0x000000013F1B0000-0x000000013F504000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 16:25
Reported
2024-06-09 16:28
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TVVkuZG.exe | N/A |
| N/A | N/A | C:\Windows\System\xWIddhv.exe | N/A |
| N/A | N/A | C:\Windows\System\QLCWpbM.exe | N/A |
| N/A | N/A | C:\Windows\System\KtHTgMa.exe | N/A |
| N/A | N/A | C:\Windows\System\PWLYtrI.exe | N/A |
| N/A | N/A | C:\Windows\System\BMQOGtb.exe | N/A |
| N/A | N/A | C:\Windows\System\aPgQeBR.exe | N/A |
| N/A | N/A | C:\Windows\System\wHnCrmt.exe | N/A |
| N/A | N/A | C:\Windows\System\OvTRkqO.exe | N/A |
| N/A | N/A | C:\Windows\System\CHXKUmM.exe | N/A |
| N/A | N/A | C:\Windows\System\eJgYiNB.exe | N/A |
| N/A | N/A | C:\Windows\System\rPVrzpw.exe | N/A |
| N/A | N/A | C:\Windows\System\UHncPDO.exe | N/A |
| N/A | N/A | C:\Windows\System\rhooWSj.exe | N/A |
| N/A | N/A | C:\Windows\System\HJgJCdS.exe | N/A |
| N/A | N/A | C:\Windows\System\wrKDSEv.exe | N/A |
| N/A | N/A | C:\Windows\System\cfHqfOK.exe | N/A |
| N/A | N/A | C:\Windows\System\pmYHerU.exe | N/A |
| N/A | N/A | C:\Windows\System\stXfQbW.exe | N/A |
| N/A | N/A | C:\Windows\System\csPrnRv.exe | N/A |
| N/A | N/A | C:\Windows\System\WdZPgLu.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TVVkuZG.exe
C:\Windows\System\TVVkuZG.exe
C:\Windows\System\xWIddhv.exe
C:\Windows\System\xWIddhv.exe
C:\Windows\System\QLCWpbM.exe
C:\Windows\System\QLCWpbM.exe
C:\Windows\System\KtHTgMa.exe
C:\Windows\System\KtHTgMa.exe
C:\Windows\System\PWLYtrI.exe
C:\Windows\System\PWLYtrI.exe
C:\Windows\System\BMQOGtb.exe
C:\Windows\System\BMQOGtb.exe
C:\Windows\System\aPgQeBR.exe
C:\Windows\System\aPgQeBR.exe
C:\Windows\System\wHnCrmt.exe
C:\Windows\System\wHnCrmt.exe
C:\Windows\System\OvTRkqO.exe
C:\Windows\System\OvTRkqO.exe
C:\Windows\System\CHXKUmM.exe
C:\Windows\System\CHXKUmM.exe
C:\Windows\System\eJgYiNB.exe
C:\Windows\System\eJgYiNB.exe
C:\Windows\System\rPVrzpw.exe
C:\Windows\System\rPVrzpw.exe
C:\Windows\System\UHncPDO.exe
C:\Windows\System\UHncPDO.exe
C:\Windows\System\rhooWSj.exe
C:\Windows\System\rhooWSj.exe
C:\Windows\System\HJgJCdS.exe
C:\Windows\System\HJgJCdS.exe
C:\Windows\System\wrKDSEv.exe
C:\Windows\System\wrKDSEv.exe
C:\Windows\System\cfHqfOK.exe
C:\Windows\System\cfHqfOK.exe
C:\Windows\System\pmYHerU.exe
C:\Windows\System\pmYHerU.exe
C:\Windows\System\stXfQbW.exe
C:\Windows\System\stXfQbW.exe
C:\Windows\System\csPrnRv.exe
C:\Windows\System\csPrnRv.exe
C:\Windows\System\WdZPgLu.exe
C:\Windows\System\WdZPgLu.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2964-0-0x00007FF794440000-0x00007FF794794000-memory.dmp
memory/2964-1-0x00000277A1210000-0x00000277A1220000-memory.dmp
C:\Windows\System\TVVkuZG.exe
| MD5 | ee3645ea2fbadc8592f5a33ea3f21c74 |
| SHA1 | 8dfeb53a4d3a9a3fcadbbf14a2aba3a825d5f825 |
| SHA256 | 302cb1415313bcad11b49aca0eec63d187ab87c3f268bf359c07d2c05b975e9f |
| SHA512 | b8452cf078c9ed11cf0adbaf553c0bdb8c0454cfa9ca20967e5adac9ae791492bd14bfba9c487a8802340bcdd082c4225596e2663edc7f6314d8023be44a601a |
memory/2824-8-0x00007FF69FDC0000-0x00007FF6A0114000-memory.dmp
C:\Windows\System\xWIddhv.exe
| MD5 | a06e97fbc136838d39fe3bec045bcb89 |
| SHA1 | 0c80a8c38cc79bb48d2069efabac7c3317788538 |
| SHA256 | 24a8fb66a7ac6b16bb4b265e77082a15cf2854a356019596c61d18c7a5656f56 |
| SHA512 | 4d5dc9efb4b313dc53e89655c0ad9eb81f9d461cbef68f1633be665348ab64b60a8532d42a9dac4e81d10bb796df2045fe21981adf1c4f9707d94850082996d8 |
C:\Windows\System\QLCWpbM.exe
| MD5 | 8cd5aefb413ce8ff1cf6cb75fe6871ad |
| SHA1 | f35658535d8d3f1c2b3a9c593004a17d092f9cad |
| SHA256 | e424fcb3139f88a68591988bb70b1f7873efda97d3876baccc0ba636687b1c0c |
| SHA512 | 524ef3710bff14b8360c7454b2938f91c12ee4bf02702a3ac8213330e3080bd467ef2aa01dfe9fb7060246b84825a596f76fe08651365839a66cbe120ed8e07d |
memory/1452-20-0x00007FF603800000-0x00007FF603B54000-memory.dmp
memory/2756-14-0x00007FF61A930000-0x00007FF61AC84000-memory.dmp
C:\Windows\System\KtHTgMa.exe
| MD5 | 600af8de23e448e23beed8e7b28e4f5a |
| SHA1 | 699e39acd3642c82211048ed200b364d18092451 |
| SHA256 | ccd6f0ff0413f839140c2b329e3bbab429a8fc0ff6ea7a644243e2b619813436 |
| SHA512 | b55ebdde2a1526676681bb85137338eeb642f69a571ae2de8904a072498edf83d03af8811410abb67099ca2fa4559525af88c4f3d3a6d86231fe7f038c578551 |
C:\Windows\System\BMQOGtb.exe
| MD5 | 586f65445160a0cb8d9ed8433b218a4d |
| SHA1 | 2f96689c3b8030cecb35105688f4ce6104bffb07 |
| SHA256 | 544fe9970956e55be0dad96ba100bd6cd5c7c5e5c3a5769a74076d1e038b588c |
| SHA512 | 4ba417bdc3e8ab42e2fb2516471152f91d8c6e8ff070e12ab354786a8a10e3ec87f4ba81a04da38fc4ad6b20062ef638f5e4cc332643cd53dc45b822244d4878 |
C:\Windows\System\PWLYtrI.exe
| MD5 | e0fd3afa2be58df3c59a55597c753c85 |
| SHA1 | b222320a8cd053400fd41d0284a4b3ee3bde5ed3 |
| SHA256 | a45cb5ce61abc4022fdff784ec1da96ccf709114c986fde8f71fd852ed6caf0f |
| SHA512 | 496374e0570e6b8e0b96c5c880b2b0654aa15acd8c4b27c8728b981bd12a0d81f04fb092da4190cfa731c3684bec1c66c1d2445b4e6a4f3a3664a389dca4f39c |
C:\Windows\System\aPgQeBR.exe
| MD5 | 2e3404349867ab72a58d8d00ec81b9f2 |
| SHA1 | c3951041617d4015c0257ab6cc7768f4431264a4 |
| SHA256 | 6b6dc756d0e610045626a3ad3b5df745678253c760766a51474ecca88335f2bd |
| SHA512 | 7656aaef87baf48d7cbc6a38ac7c38681824626a2d5dcf645a1cd99db1938c07c78a0ef5e8805ded30f10b6acb08c0447891ede5645193ba69d06cd480c7d637 |
C:\Windows\System\wHnCrmt.exe
| MD5 | 0f16933097b5f352831d359fe0897524 |
| SHA1 | 20d8c4e7144806b7478e534ef2d31fba870275f3 |
| SHA256 | f85237aec8f23d1cf58357ba85201bf2c89a32de31a86d87c22e5fafc0b785c1 |
| SHA512 | 26e89fb719b03fedbc097cc8fa070c097d9026e7ee3578348acdfd664f25cbebe118d02c2e241ab37cd88790f7661023867fd60fca1852ab2e604f025a6291ea |
memory/4260-46-0x00007FF7F88F0000-0x00007FF7F8C44000-memory.dmp
memory/4320-45-0x00007FF7C7FD0000-0x00007FF7C8324000-memory.dmp
memory/3628-37-0x00007FF7C23B0000-0x00007FF7C2704000-memory.dmp
memory/1276-36-0x00007FF76C110000-0x00007FF76C464000-memory.dmp
memory/2008-28-0x00007FF6B97A0000-0x00007FF6B9AF4000-memory.dmp
C:\Windows\System\OvTRkqO.exe
| MD5 | d97dbdd8779ab999e33ecb2a106e80a2 |
| SHA1 | 6c68e490ccd36d25a2760c715df9cfa6054c766a |
| SHA256 | 2bca3eb3a55aec744ebf2d8f42e496549dda9e15d46a787999253abc1c87cb53 |
| SHA512 | 44fee7cc9832ae732e3dbf32114c8fbf54d3c34043c01bb9b7bf7f4250b3b088b5ce0211f6ea1ec31041316c0ee2ea8fd7dbfae1c5c1ef8f436d133a606009e3 |
memory/748-56-0x00007FF632C40000-0x00007FF632F94000-memory.dmp
C:\Windows\System\CHXKUmM.exe
| MD5 | d76f3faf242e2cd3bcd0d3a0ec82ed78 |
| SHA1 | 129d36b955ed65dc65a93d241d4d9de37ba0cba5 |
| SHA256 | c96a9001a800d84470199e2fda6e83d5a9f10749f1e09df2954434c2ebee7ecb |
| SHA512 | 603073a9006b3dc00512d5399efd2e452a0f2bcaf32d7c0b3c563607106d6347cb165325b41e612d2c632f4263e188f8ff3babee7b48e57c9c30f76a65349d04 |
memory/3428-64-0x00007FF6863B0000-0x00007FF686704000-memory.dmp
C:\Windows\System\rPVrzpw.exe
| MD5 | b0753df69c48ed39e508932d09baf40a |
| SHA1 | bb4c53e25cc4034dd8a68692ff1b23cd39d597da |
| SHA256 | d2b0c0c8c1c3f5cb3b08c0085d4fb3a22ea3ecbf3a7c8ec881d1fc8e45631511 |
| SHA512 | 7c1ee4ef8a08e71e35d200c7db64fe277234a1aa9212171d24967d09277fbeca566edc7b293bfafe49a6f9e5779f6ac8af7cde67254178fadc2217abf0a4a1d9 |
C:\Windows\System\HJgJCdS.exe
| MD5 | 23423b972960c58941086f19d0107472 |
| SHA1 | 9e5cd88f1c41a1a1be42e8934902b9522848f4db |
| SHA256 | ff1f715684f478eae4d996f9b31bd6b85e555a59b33ac35e3535fbf7b1d49bce |
| SHA512 | f88f42751abd2deff4f4d9fce5e411135872ac1b9e732f108e59f24d04a0dbbab7afaa727decca127a97890d8c3ca6e6f535fb7dc48384191d450c2b1caba2cc |
memory/816-92-0x00007FF7A2350000-0x00007FF7A26A4000-memory.dmp
C:\Windows\System\wrKDSEv.exe
| MD5 | 0ace70819d694b080ca106d6765eca1b |
| SHA1 | d21c6645af5e4b6427604329b5b3018752dfd653 |
| SHA256 | 50faeb1187b1306289498270c0863929b989232213ae1060124ceb18260b9f19 |
| SHA512 | 63bb1e8c10ee1ecf938ef5de4d14608e37f85343755e360c98ab88fe422c8d7df4ae9be98e2c7dfece5bdcf015c3e18118ab9461ae34b301a3d073fbcd4bf820 |
memory/4880-96-0x00007FF7A0060000-0x00007FF7A03B4000-memory.dmp
memory/4788-98-0x00007FF6B8680000-0x00007FF6B89D4000-memory.dmp
C:\Windows\System\cfHqfOK.exe
| MD5 | ba250b39501d248d7a192786cc12092b |
| SHA1 | 60b7ea9e964b8be636a9c6487fcdbc2340c95932 |
| SHA256 | 1ae7c533e6ba583a2f420cb0cb2b2c70903840ea573097eb076ae7a4b66ec15d |
| SHA512 | 07777c901392d877f718c5a40929e6c372aee31f98299defe596c838cc93c8551bf0d705985d69d642bd6dccffaa4e99ec106ccd8e16e2711b0f386d85249bf3 |
C:\Windows\System\pmYHerU.exe
| MD5 | a7358e72b61cad0ad39a400310a9f119 |
| SHA1 | 37859077fe043b6c6ae2c1840bb0a6d3eabbe8dd |
| SHA256 | b04a3adcddd8c74fba65e3714a343516a2ec9e08cb69cb752a6318673158dc47 |
| SHA512 | ae870d05b314f7320826dc9d9f422a47834dc93138c5f30a28764fc0cc54a0d1054b9f6a3c67dfa9719c1d0b716356f80fa6ea5e5a14672ea578a4a0cf6d74b5 |
C:\Windows\System\csPrnRv.exe
| MD5 | dd1858fee6c441ed735f7f7cb2415bd0 |
| SHA1 | bbedec33e603087ea0e0871f6a8c1f9cdb703b40 |
| SHA256 | 19a24adf93f8866dcac48f13db11f5aa6c018c2388f371fe47a03be91fe0a57a |
| SHA512 | e8d7e480f0e0b44a9625a0effd182cd5e091243b84168de8aad189af4446e74c85746c592907106305e8c682e2d16a9264f8e7090c22c39449082bdf2642aafb |
memory/4392-126-0x00007FF602470000-0x00007FF6027C4000-memory.dmp
memory/2384-131-0x00007FF7D8790000-0x00007FF7D8AE4000-memory.dmp
C:\Windows\System\WdZPgLu.exe
| MD5 | 5fb234d2e7c4507e7f5693d783f73c62 |
| SHA1 | eebc16cb5e1cfe13ee0507c1cd019baa9b37ada6 |
| SHA256 | b7d4a45a5e3ad4c997da9fddb52d2e3a81cbd44a2eb651d6d4b86aaeeb4333ac |
| SHA512 | 32aca68220987e60fd3b8ff0200a7815a24d7930cd9e979660e408c14be2f42d7d51adba797e29c2a559a0f12b65ea5a3ff05b65e16bcd69c3f68f7c84eb82ba |
memory/3628-128-0x00007FF7C23B0000-0x00007FF7C2704000-memory.dmp
memory/1276-127-0x00007FF76C110000-0x00007FF76C464000-memory.dmp
memory/3904-125-0x00007FF7FB710000-0x00007FF7FBA64000-memory.dmp
C:\Windows\System\stXfQbW.exe
| MD5 | 5824fc09be8c1efe981db6e1d99d7954 |
| SHA1 | 3bc4e6b10c32bde9b54008589e81635435918886 |
| SHA256 | 8e1b88375b9e239e83e01263eb7ad093efa2cca130608745fbf7ed6544126baa |
| SHA512 | 8e933a973dd87873fcc3075d42dfb0d83b2d6ac751afa430d51f10c1bf973356317ddd0445fa9c0218be7b9ac0a2b56cc244a3841ca90143b227817244d111a0 |
memory/3764-119-0x00007FF77E880000-0x00007FF77EBD4000-memory.dmp
memory/4608-106-0x00007FF704060000-0x00007FF7043B4000-memory.dmp
memory/1388-93-0x00007FF7D1500000-0x00007FF7D1854000-memory.dmp
memory/2824-86-0x00007FF69FDC0000-0x00007FF6A0114000-memory.dmp
C:\Windows\System\rhooWSj.exe
| MD5 | 2fd6f0f3afb8d9009ececa840516abc4 |
| SHA1 | 40b8a6cf13e7081a1b938b84b7d844fd88502e52 |
| SHA256 | 3cc1e28bdc0f2c1071a090d5f8fdd51b32f0b6fde4fbed51592025393c033469 |
| SHA512 | c9b00141bfbb18e58338b699662aa4592466c6ae831836665c91ccecb1a5da28f97de87938f61ed008c7becf815fb0a274192054ea24ceb9c9442958ad384b1d |
C:\Windows\System\UHncPDO.exe
| MD5 | 26c572002fe4c0fd41013f2699a484b3 |
| SHA1 | dc0ea8211e1480200f64aefca53acc6804528269 |
| SHA256 | b627d6ea67f87488879f456dce35c0b3e52aa4cbb5fd32df77848c4e0dd325d4 |
| SHA512 | 520cafe4a05365de3cb650a9cc62eafade26828506e1b2acd77dfb1a292b82c795c749ff35b664aa50b0ce297817a3be7b6273674c7a3bdb0f772d318e7d69fb |
memory/216-75-0x00007FF7A7B50000-0x00007FF7A7EA4000-memory.dmp
memory/2964-74-0x00007FF794440000-0x00007FF794794000-memory.dmp
memory/1404-71-0x00007FF6A5D70000-0x00007FF6A60C4000-memory.dmp
C:\Windows\System\eJgYiNB.exe
| MD5 | 5c5a14864b9d4b46206609cfd2728527 |
| SHA1 | 603ab2d8298f1281f671d07fe63b48cc1b4c8ed1 |
| SHA256 | 6c4a128d50c84dde5224dc04dd9ee3d8cec8abc76ceb4b2d97a5f49eaebbd2c5 |
| SHA512 | 176111c9ef4f79c44a7be7b68e39673578c9ad69e3ad27671ef4fa02a0230e0826dddf0b8a7cfd2b315fc2b871d862401cb4c0bcab297ceac731cb078d6ed91b |
memory/4320-132-0x00007FF7C7FD0000-0x00007FF7C8324000-memory.dmp
memory/4260-133-0x00007FF7F88F0000-0x00007FF7F8C44000-memory.dmp
memory/216-134-0x00007FF7A7B50000-0x00007FF7A7EA4000-memory.dmp
memory/4788-135-0x00007FF6B8680000-0x00007FF6B89D4000-memory.dmp
memory/4608-136-0x00007FF704060000-0x00007FF7043B4000-memory.dmp
memory/3904-137-0x00007FF7FB710000-0x00007FF7FBA64000-memory.dmp
memory/2384-138-0x00007FF7D8790000-0x00007FF7D8AE4000-memory.dmp
memory/2824-139-0x00007FF69FDC0000-0x00007FF6A0114000-memory.dmp
memory/2756-140-0x00007FF61A930000-0x00007FF61AC84000-memory.dmp
memory/1452-141-0x00007FF603800000-0x00007FF603B54000-memory.dmp
memory/2008-142-0x00007FF6B97A0000-0x00007FF6B9AF4000-memory.dmp
memory/1276-143-0x00007FF76C110000-0x00007FF76C464000-memory.dmp
memory/3628-144-0x00007FF7C23B0000-0x00007FF7C2704000-memory.dmp
memory/4320-145-0x00007FF7C7FD0000-0x00007FF7C8324000-memory.dmp
memory/4260-146-0x00007FF7F88F0000-0x00007FF7F8C44000-memory.dmp
memory/748-147-0x00007FF632C40000-0x00007FF632F94000-memory.dmp
memory/3428-148-0x00007FF6863B0000-0x00007FF686704000-memory.dmp
memory/1404-149-0x00007FF6A5D70000-0x00007FF6A60C4000-memory.dmp
memory/216-150-0x00007FF7A7B50000-0x00007FF7A7EA4000-memory.dmp
memory/1388-151-0x00007FF7D1500000-0x00007FF7D1854000-memory.dmp
memory/816-152-0x00007FF7A2350000-0x00007FF7A26A4000-memory.dmp
memory/4880-153-0x00007FF7A0060000-0x00007FF7A03B4000-memory.dmp
memory/3764-155-0x00007FF77E880000-0x00007FF77EBD4000-memory.dmp
memory/4788-154-0x00007FF6B8680000-0x00007FF6B89D4000-memory.dmp
memory/4608-156-0x00007FF704060000-0x00007FF7043B4000-memory.dmp
memory/3904-157-0x00007FF7FB710000-0x00007FF7FBA64000-memory.dmp
memory/2384-159-0x00007FF7D8790000-0x00007FF7D8AE4000-memory.dmp
memory/4392-158-0x00007FF602470000-0x00007FF6027C4000-memory.dmp
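The three sections above (Processes, Network, Files) are the raw material an analyst turns into indicators. The script below is an added example, not part of the sandbox report or of any tooling the sandbox ships: it parses a constructed sample made of a few lines copied from this report in the same layout, pulls out the dropped executables, the non-DNS destination with its connection count, the SHA256 values, and the size of each dumped memory region, and derives one host-hunting heuristic. The function names, the 7-letter file-name check and the "non-DNS destination" rule are this example's own assumptions; the region-size observation (every image region in the report spans 0x354000 bytes, only the small data region of PID 2964 differs) is computed from the report's own start and end addresses.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the report above, one per kind of record.
SAMPLE = r"""
C:\Windows\System\TVVkuZG.exe
C:\Windows\System\TVVkuZG.exe
C:\Windows\System\xWIddhv.exe
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
memory/2964-0-0x00007FF794440000-0x00007FF794794000-memory.dmp
memory/2964-1-0x00000277A1210000-0x00000277A1220000-memory.dmp
memory/2824-8-0x00007FF69FDC0000-0x00007FF6A0114000-memory.dmp
memory/1452-20-0x00007FF603800000-0x00007FF603B54000-memory.dmp
| SHA256 | 302cb1415313bcad11b49aca0eec63d187ab87c3f268bf359c07d2c05b975e9f |
| SHA256 | 24a8fb66a7ac6b16bb4b265e77082a15cf2854a356019596c61d18c7a5656f56 |
"""

# Record shapes as they appear in the report text.
DROP_RE = re.compile(r"^C:\\Windows\\System\\([A-Za-z]{7})\.exe$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|([^|]*)\|\s*(tcp|udp)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SHA_RE = re.compile(r"^\|\s*SHA256\s*\|\s*([0-9a-f]{64})\s*\|$")


def parse_report(text):
    """Collect dropped paths, connections, memory regions (pid, start, size) and SHA256s."""
    out = {"dropped": [], "connections": [], "regions": [], "sha256": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DROP_RE.match(line):
            # Each process is listed twice (image path, then command line); keep one.
            if line not in out["dropped"]:
                out["dropped"].append(line)
        elif m := NET_RE.match(line):
            country, ip, port, domain, proto = m.groups()
            out["connections"].append((country, ip, int(port), domain.strip(), proto))
        elif m := MEM_RE.match(line):
            pid, start, end = m.groups()
            out["regions"].append((int(pid), int(start, 16), int(end, 16) - int(start, 16)))
        elif m := SHA_RE.match(line):
            out["sha256"].append(m.group(1))
    return out


def c2_candidates(parsed):
    """Destinations other than DNS, with how often they were contacted.
    Assumption of this example: repeated connects to one ip:port are the
    beaconing shape worth pivoting on; the report itself labels nothing as C2."""
    counts = Counter(
        f"{ip}:{port}"
        for _, ip, port, _, proto in parsed["connections"]
        if not (proto == "udp" and port == 53)
    )
    return dict(counts)


def image_region_size(parsed):
    """Most common dumped-region size; one size shared across every PID means each
    dropped copy maps an image of the same size even though the file hashes differ."""
    sizes = Counter(size for _, _, size in parsed["regions"])
    return sizes.most_common(1)[0][0]


def pids_sharing_image_size(parsed, size):
    return sorted({pid for pid, _, s in parsed["regions"] if s == size})


# Host-hunting heuristic (this example's assumption): C:\Windows\System holds almost
# nothing on a stock install, so a fresh 7-letter .exe there deserves a look.
HUNT_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def matches_hunting_pattern(path):
    return bool(HUNT_RE.match(path))


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    print("dropped:", parsed["dropped"])
    print("c2 candidates:", c2_candidates(parsed))
    size = image_region_size(parsed)
    print("image region size: 0x%X in PIDs %s" % (size, pids_sharing_image_size(parsed, size)))
    print("sha256:", parsed["sha256"])
```

Run it against the full report text rather than the embedded sample to get the complete list of 22 dropped names, all 22 hashes and the six connects to 3.120.209.58:8080; the hunting regex is meant for an EDR file-creation query, not as a detection on its own, since a seven-letter name in that directory is a heuristic and not a signature.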