Analysis Overview
SHA256
1fc4ac3736a393dc3beb491920aa1b353be72bfef033c05bfc35d26bd8275719
Threat Level: Known bad
The file 2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Xmrig family
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 11:55
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 11:55
Reported
2024-06-11 11:58
Platform
win7-20231129-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UtLQMGb.exe | N/A |
| N/A | N/A | C:\Windows\System\mYukFOr.exe | N/A |
| N/A | N/A | C:\Windows\System\SvQowBm.exe | N/A |
| N/A | N/A | C:\Windows\System\QweZySa.exe | N/A |
| N/A | N/A | C:\Windows\System\nQmmVAm.exe | N/A |
| N/A | N/A | C:\Windows\System\PAgrtRR.exe | N/A |
| N/A | N/A | C:\Windows\System\gCxVdDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\BzVYkZf.exe | N/A |
| N/A | N/A | C:\Windows\System\vPEPAKP.exe | N/A |
| N/A | N/A | C:\Windows\System\MTsSeBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\knBxeQo.exe | N/A |
| N/A | N/A | C:\Windows\System\QCqHaUr.exe | N/A |
| N/A | N/A | C:\Windows\System\hxPULpd.exe | N/A |
| N/A | N/A | C:\Windows\System\YhheFtS.exe | N/A |
| N/A | N/A | C:\Windows\System\oIpOnWM.exe | N/A |
| N/A | N/A | C:\Windows\System\jHSDWMo.exe | N/A |
| N/A | N/A | C:\Windows\System\wGpBcCe.exe | N/A |
| N/A | N/A | C:\Windows\System\OHZAsct.exe | N/A |
| N/A | N/A | C:\Windows\System\FNfnKyZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YviJdaX.exe | N/A |
| N/A | N/A | C:\Windows\System\dSKnadV.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UtLQMGb.exe
C:\Windows\System\UtLQMGb.exe
C:\Windows\System\mYukFOr.exe
C:\Windows\System\mYukFOr.exe
C:\Windows\System\QweZySa.exe
C:\Windows\System\QweZySa.exe
C:\Windows\System\SvQowBm.exe
C:\Windows\System\SvQowBm.exe
C:\Windows\System\nQmmVAm.exe
C:\Windows\System\nQmmVAm.exe
C:\Windows\System\PAgrtRR.exe
C:\Windows\System\PAgrtRR.exe
C:\Windows\System\gCxVdDZ.exe
C:\Windows\System\gCxVdDZ.exe
C:\Windows\System\BzVYkZf.exe
C:\Windows\System\BzVYkZf.exe
C:\Windows\System\vPEPAKP.exe
C:\Windows\System\vPEPAKP.exe
C:\Windows\System\MTsSeBZ.exe
C:\Windows\System\MTsSeBZ.exe
C:\Windows\System\knBxeQo.exe
C:\Windows\System\knBxeQo.exe
C:\Windows\System\QCqHaUr.exe
C:\Windows\System\QCqHaUr.exe
C:\Windows\System\hxPULpd.exe
C:\Windows\System\hxPULpd.exe
C:\Windows\System\YhheFtS.exe
C:\Windows\System\YhheFtS.exe
C:\Windows\System\oIpOnWM.exe
C:\Windows\System\oIpOnWM.exe
C:\Windows\System\jHSDWMo.exe
C:\Windows\System\jHSDWMo.exe
C:\Windows\System\wGpBcCe.exe
C:\Windows\System\wGpBcCe.exe
C:\Windows\System\OHZAsct.exe
C:\Windows\System\OHZAsct.exe
C:\Windows\System\FNfnKyZ.exe
C:\Windows\System\FNfnKyZ.exe
C:\Windows\System\YviJdaX.exe
C:\Windows\System\YviJdaX.exe
C:\Windows\System\dSKnadV.exe
C:\Windows\System\dSKnadV.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2028-0-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2028-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\UtLQMGb.exe
| MD5 | b99c8302a6735495c4b90cc9e7066e90 |
| SHA1 | a96bbc5d8404784344ca863fd2024a63062c6e11 |
| SHA256 | bbe455c5c6cdffa7bec959a866aceaa89f045070bc5b678d7fc571475c073ba6 |
| SHA512 | 116f8d845b8f11e4e16cc5df0f7403ca5d42e1acd19c5562ca1d3edba1f76934322a77b6d13337618d01cc55ea8dfce7e24043087f05ce289d337f435ff4abcd |
memory/2028-6-0x0000000002390000-0x00000000026E4000-memory.dmp
\Windows\system\mYukFOr.exe
| MD5 | 9600c2fa07c4010730e06765ccc8ddf6 |
| SHA1 | 97021add3da4ece5b26c230058f6bd67ba20e5fa |
| SHA256 | 6e4366ddcfe630dc907f371ef023ae41f13ed52f65bed777bd6b0cf0f71472dc |
| SHA512 | ca1751fdec206d38facb9b84ef4d7d3a629970ef8cda3e234a2a071c1dee79ae160004388b45aa3fc4fac15381caf0921b001f86444ce862b02ba4a3e7492d09 |
\Windows\system\nQmmVAm.exe
| MD5 | c256132507be60c3c7b9bd4b8373b64e |
| SHA1 | 3ed480bf79f31e62769c25c25c57255452304de1 |
| SHA256 | b6e1947a58c777c062f9ffab700a17a8fa2674c2880c47495a008c6143d20689 |
| SHA512 | c32937dda3572f65af8b4e8e7d786303d691e9e034c0afb1e8262de9be814d3084f0270afdeccff0750d6e7dcf861b9531b392d54c3d40d052f2f82ff6c7dd01 |
C:\Windows\system\QweZySa.exe
| MD5 | 02c83a79f7647820137f33fbc939ad1f |
| SHA1 | a5423e924fce223e77360751dbcc898588612726 |
| SHA256 | 3f92dc9a25a446ad8aa4ea6e305d7f00366343180d7aad8f64f15f01dcc617b1 |
| SHA512 | 3e257aa421db95b7d12d39b1a1822c94d359cc98c17f7d7f23fcdd1437f48cb5fd745b6e179719409bd274877846059cc758afdcca2fab4ec0d3f04a35d01d35 |
C:\Windows\system\SvQowBm.exe
| MD5 | 9eaf340e6d4c020d4008784b2f873c84 |
| SHA1 | 3f831f3c5377f5a050ff99aad51776731a72f2d9 |
| SHA256 | 7617e78ff08240d46c3b61ba4eb9a303ac417f1338231d1acfe50945ee19360e |
| SHA512 | b9cf5b0053a98301a2ff07e0c332dcdb6137d08bc6968cc419ec4c1c0db4a89f86da5494772e5c64bc6fdda8c36410d3decaf8fd885c52874b88ee5e7067ee1d |
memory/3020-19-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2596-37-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2028-36-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2028-35-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2112-34-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2796-32-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2028-30-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2076-29-0x000000013FC90000-0x000000013FFE4000-memory.dmp
C:\Windows\system\PAgrtRR.exe
| MD5 | cdd64e03de186620b928e4b5fb0f72cb |
| SHA1 | ccd471c3732e9058bbea865212174f3add0f41b7 |
| SHA256 | 2ccd2e7607ffcfb8e55258996ee3052e47b2c82306e44a7347947f9eeb4217eb |
| SHA512 | 030edecc8433c3381d8ead9f3bdfe21d0deb944d3ae2f5bb5a33b89e65e34c73bfd120c6d09b58f143929fde254f90ab2edd497e4d13827ff71cd63498c56813 |
memory/2028-43-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2476-44-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\BzVYkZf.exe
| MD5 | ee48eb25342dd855cff5bc3cda27ff83 |
| SHA1 | b8a4032c00074c624832cd1fada597591a7a1697 |
| SHA256 | 30c66623c688dc663e5c69efe9b85daf5fb321e122162e022e88541e7977e67f |
| SHA512 | d781de14adc65087125b431748a222d0a8d2170be4af466b633e08281b33a0e4f182f192f27d68c481e2438a0d1d5e3e87f1d862ef7acfd13d8da232bea97912 |
\Windows\system\MTsSeBZ.exe
| MD5 | f54c37c7c72082d29fc63dd88446551e |
| SHA1 | f4b736678faaae7b5577835f6d7e505d1cd84c29 |
| SHA256 | 1c65ad0a1e4446f83e2475f68b2d5d9f73b636f94476c047c3910193a4d3551b |
| SHA512 | 94f01795812d5a3878face14ed027b647561b5aea965adc6e43bcc3cfb5138ab1d2becd830dcad48911ed2047af4e0ea26e84b510addee5cb521768bf9214247 |
memory/2480-73-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2028-67-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2800-79-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
\Windows\system\hxPULpd.exe
| MD5 | 69effbe44c2e98ca06ac65a55059894c |
| SHA1 | 96141de7be8f2ab1650c99763896d3064787c925 |
| SHA256 | 9a658bb61c591b27b4e1b134b55963ef30a708dfaba03d009e7b0ccfe09d8b53 |
| SHA512 | a096c6c8ee8ad87e4c314de888920761f6f8809e47b9ee34fde0c912dbf271ee9092ccc7dcfd4791cc59ac643b75c2ea0240854ec3913046041b3e5f2165e3e5 |
C:\Windows\system\YhheFtS.exe
| MD5 | 8342fb0315750bf7adfc0e675d2e9779 |
| SHA1 | bb6d3a3508960291a8978ee03d443344173a9046 |
| SHA256 | 07f5e6091d1b887c788588e1fc528272252259905f305639fc825f3ae19be532 |
| SHA512 | b6f0de8d1a50cb19513c365bbd5d928c985e8f58423d3f0140d9e84d3f026f0175e2def78eb15d57c56f31d27ba81644bb4d93242cb4592d6f0d735dc113e36c |
memory/816-94-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2820-100-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2028-93-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2028-99-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2964-85-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2028-84-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\QCqHaUr.exe
| MD5 | 17b40fc95eaa88451e751a6d0bac5fb4 |
| SHA1 | cd0cf1127e7619434df94162e1b0fe22b48f8d73 |
| SHA256 | dc8b3748cedeb49a6af4bbc6a27b208cf24dce79365a09f37fe47a12af54c097 |
| SHA512 | 3e15bcf6eb6be87a1bfdab6822fb104a681678f4b0178c18a0ccdac440150311d97e293960c876dfa8ea3d2e36679b786d5be19f56d9530194ed78b5e70cdf14 |
memory/2028-78-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
C:\Windows\system\knBxeQo.exe
| MD5 | aff976e94179045dd9680cc56a5be2a9 |
| SHA1 | 7f7f78dfba1dc2e982b467ec70b3f6ad52a483a7 |
| SHA256 | b28fe87e15555173b7649fed52461d68d0e495252c81793fe391c110ba7e71d5 |
| SHA512 | af95c536a49ce37667948d46889136de8f341cff8765ce66e800b3682419eb784c70ea9749b6b91c83eda0c2b9f44acd95fdedccf089d14905703442b7e9011a |
memory/2028-66-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2732-64-0x000000013F530000-0x000000013F884000-memory.dmp
C:\Windows\system\vPEPAKP.exe
| MD5 | b0fe59d5c775e54e77fc499567983851 |
| SHA1 | e698eb332c8aa757a7a11f70768d4ad0d4a6d061 |
| SHA256 | d0724e75d8dba56640813d70e2b45130de01fdecd1e284df946e1364ca55e007 |
| SHA512 | 992e92d2c7a25fa556bf5bfe97436928749403b039aa6d4139f4fb8d4d253b54b9824d7dd7b817d94c0180c97f514cb5193677cda41052a967377180b0e7def9 |
memory/2028-62-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2492-60-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2028-58-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2348-107-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\oIpOnWM.exe
| MD5 | 46382a2e8b43e0b09bdb8484650f9609 |
| SHA1 | b2d08939db946cf02ae25a033fa95adebe61c928 |
| SHA256 | 0acf0249506c9767c795eac38aa1f9dea7c832283fbc461d7571bfbe6de78794 |
| SHA512 | 7cdd1fb0abc1b77ed8422b05df3b429da5bcf54b1fec45101c6f2802e7c8fbd97da51d2eac9d8ea3d90ce0259921dfaba74c14f66ebd0469b66d9bfc8cd73729 |
memory/2028-108-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2348-50-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\gCxVdDZ.exe
| MD5 | e72ad466ffbbecb84621afef92d3da83 |
| SHA1 | 4ab86324b203b462a9ab2c4a13b0fdc2a4a6b09b |
| SHA256 | ce9adf0dbf581dc2cb9a1dec50c6f8ea419a218b50792e1ffd94efac23e68375 |
| SHA512 | 2a3362af8f898ee09124724ac0935cd8fdedbf8a6ff0075ab97528b9b20802b65e178cea6682745721721d4fcf6eda08aec72f0c8334481a33fbdbe424d0d0e7 |
memory/2028-48-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2028-27-0x000000013FC90000-0x000000013FFE4000-memory.dmp
C:\Windows\system\FNfnKyZ.exe
| MD5 | aa62089919dc1abb582b061095373d88 |
| SHA1 | d8485e3a36b844c611034e082e7c106e68b28a14 |
| SHA256 | 10bf1403c588db7795d9bb680d97434af31e651a16b6424b17af133234545288 |
| SHA512 | 4ef0e404be7bfb67ae7f2d03872585d2939e3ab2cc6a3e1549e6e799a1577e5cbf2391d4671dc204ed16d547c778e019257f89e63169d37f0cd48cc77139790f |
\Windows\system\dSKnadV.exe
| MD5 | 66f405d11b3e517f77628bf8c3f7c8bc |
| SHA1 | d87fc9630b33622b58a07413bc1458cbf0c94bd6 |
| SHA256 | e46ee2c07196e25be85f420d5abfad0b79f8a0fd6c2146c5917361ad7c24474d |
| SHA512 | ef36d1dab426b52fd98849854167527050714aa8b3699cedc17894aed535668f707927d56563b8389496c55a80df15aab59f7a476a8ea8597763aad911e9bc17 |
C:\Windows\system\YviJdaX.exe
| MD5 | bbca29b4783df128d9128c09a0ed6c90 |
| SHA1 | ee925231f1e0af5b2d7962f58b55ddbe766ebf72 |
| SHA256 | f25275b90ca696e810ed421c8c4e34a460a2fd1eb69c0d57300e7a2ca180454d |
| SHA512 | 58cc7e4c0d3bc5d1b0cd062954f6b93152e610ceb5c38042a9ae38981bea5c04707425dc803c64ce48bbd3e94c372e6c1fd7582f1d6b45cf363f0678b9255511 |
C:\Windows\system\wGpBcCe.exe
| MD5 | 06f839370fd041f1f8957cdb2d228fe9 |
| SHA1 | 5bc6a5c191b87da3d6648939fd504ab1df4f1300 |
| SHA256 | 6313a46bf22abe69da128ae24fdc4e88646d1bfce7f37ad74f75a0756184373b |
| SHA512 | f0770b6c9177ab8a56b9a2a8a8b6e7774fd01857c540ddbe1bb1937a261cf7b45a2e374ef0b5b0963c23eb209782d0188171fd470d587fb65ce92086cc66c3f7 |
C:\Windows\system\OHZAsct.exe
| MD5 | 1d552d6ac691c064ed8b074973b6d63b |
| SHA1 | 120d885b221c790ee2f3215b2a4232556db9fe36 |
| SHA256 | 2c600c2b287bcff6e27f41d02b329f8f14028f402bb3ff45cfd17347f41fcc9d |
| SHA512 | 705f9996d084b6419ce971afd1aeba73541fc0b26d9b00a50182cb79814d46cfa845f3eb7778b62f9f989a11b6493b7abec15f50acfef7ba64f994327881ae5d |
C:\Windows\system\jHSDWMo.exe
| MD5 | fabc981e02f38e9536c87f438ea0bb58 |
| SHA1 | b2ab070f8f097280fd5c886b10bf86af016a4434 |
| SHA256 | 3c165f4f8d0a85f3c0b6a6c1c43d1d6a9e9664d032b6e921425753b1ff4ce225 |
| SHA512 | 3b721f31e0a126201b05cb1dda0a5bfbfad94acfcf7b09aa5a6c6acd1f18ff2d1bfd91deccd0b8dd950d48777affac9b414b41e6d08f25349b97b001278e65d7 |
memory/2028-138-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2732-139-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2028-140-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2800-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2028-142-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2964-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2028-144-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2820-145-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2076-146-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/3020-147-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2796-148-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2112-149-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2596-150-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2476-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2492-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2348-153-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2480-154-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2732-155-0x000000013F530000-0x000000013F884000-memory.dmp
memory/2800-156-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2964-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/816-158-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2820-159-0x000000013FA10000-0x000000013FD64000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 11:55
Reported
2024-06-11 11:58
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XVfEehU.exe | N/A |
| N/A | N/A | C:\Windows\System\yHokHxg.exe | N/A |
| N/A | N/A | C:\Windows\System\zoNEHkd.exe | N/A |
| N/A | N/A | C:\Windows\System\AvuzRdY.exe | N/A |
| N/A | N/A | C:\Windows\System\LrjhqZo.exe | N/A |
| N/A | N/A | C:\Windows\System\RJLfPyd.exe | N/A |
| N/A | N/A | C:\Windows\System\qfuGVti.exe | N/A |
| N/A | N/A | C:\Windows\System\TGGchbA.exe | N/A |
| N/A | N/A | C:\Windows\System\prwmgkR.exe | N/A |
| N/A | N/A | C:\Windows\System\gtKanGC.exe | N/A |
| N/A | N/A | C:\Windows\System\GHhORDj.exe | N/A |
| N/A | N/A | C:\Windows\System\QdlpGDi.exe | N/A |
| N/A | N/A | C:\Windows\System\gGfgfuO.exe | N/A |
| N/A | N/A | C:\Windows\System\AmnILYh.exe | N/A |
| N/A | N/A | C:\Windows\System\nhaErco.exe | N/A |
| N/A | N/A | C:\Windows\System\snHHmwj.exe | N/A |
| N/A | N/A | C:\Windows\System\NODsGXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\LDDzABz.exe | N/A |
| N/A | N/A | C:\Windows\System\qvfAARq.exe | N/A |
| N/A | N/A | C:\Windows\System\nfPnaWc.exe | N/A |
| N/A | N/A | C:\Windows\System\oMSKiom.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XVfEehU.exe
C:\Windows\System\XVfEehU.exe
C:\Windows\System\yHokHxg.exe
C:\Windows\System\yHokHxg.exe
C:\Windows\System\zoNEHkd.exe
C:\Windows\System\zoNEHkd.exe
C:\Windows\System\AvuzRdY.exe
C:\Windows\System\AvuzRdY.exe
C:\Windows\System\LrjhqZo.exe
C:\Windows\System\LrjhqZo.exe
C:\Windows\System\RJLfPyd.exe
C:\Windows\System\RJLfPyd.exe
C:\Windows\System\qfuGVti.exe
C:\Windows\System\qfuGVti.exe
C:\Windows\System\TGGchbA.exe
C:\Windows\System\TGGchbA.exe
C:\Windows\System\prwmgkR.exe
C:\Windows\System\prwmgkR.exe
C:\Windows\System\gtKanGC.exe
C:\Windows\System\gtKanGC.exe
C:\Windows\System\GHhORDj.exe
C:\Windows\System\GHhORDj.exe
C:\Windows\System\QdlpGDi.exe
C:\Windows\System\QdlpGDi.exe
C:\Windows\System\gGfgfuO.exe
C:\Windows\System\gGfgfuO.exe
C:\Windows\System\AmnILYh.exe
C:\Windows\System\AmnILYh.exe
C:\Windows\System\nhaErco.exe
C:\Windows\System\nhaErco.exe
C:\Windows\System\snHHmwj.exe
C:\Windows\System\snHHmwj.exe
C:\Windows\System\NODsGXJ.exe
C:\Windows\System\NODsGXJ.exe
C:\Windows\System\LDDzABz.exe
C:\Windows\System\LDDzABz.exe
C:\Windows\System\qvfAARq.exe
C:\Windows\System\qvfAARq.exe
C:\Windows\System\nfPnaWc.exe
C:\Windows\System\nfPnaWc.exe
C:\Windows\System\oMSKiom.exe
C:\Windows\System\oMSKiom.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4344-0-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp
memory/4344-1-0x000001C0CC3E0000-0x000001C0CC3F0000-memory.dmp
C:\Windows\System\XVfEehU.exe
| MD5 | 6bd2662a2f5a1766cf4a38df163b8a9d |
| SHA1 | 1f4a46620852ea3f92c327fdba4c91245a36db85 |
| SHA256 | 6798aa712d62f44e11d9d692f25714f68178118a22959a9eefcf8bd207d479fd |
| SHA512 | 7c0eaca0adac708fe58c5c8676ac2e0d5e31b265f67c05083477d025f786b3d81b364b7b2429537d5f52d8fdf8acb20417f8f658753ca82335637a21aabaf27f |
C:\Windows\System\zoNEHkd.exe
| MD5 | 0b008ab6fb5478cdd4383da6536d2ab2 |
| SHA1 | 875c9556a0a2b4e90791646aa4712a427f91783c |
| SHA256 | 3640ac621019811d953db0ee22acfda543c0e397523849185887c1baee45f95f |
| SHA512 | 8e25625491bc6186eaf8124a68338a94163ea3115f345e3395dce420e84792cef5087cebdb695b7686ee5047471d874fc836e395577ba98843c8ba4b9a69a94c |
C:\Windows\System\yHokHxg.exe
| MD5 | a340edff876aff761c4db36a2e56d692 |
| SHA1 | a0c1f01e0ee45b7d2d8b0d458b4c65c30000e830 |
| SHA256 | 339fc9e42a2b6f122e216674bd2e200eee894ef0d68b1af9019229c8409f90f7 |
| SHA512 | 64fea51b5dfd719b9470667e0e0daa2b1f49a51c83dbffe2bf744fdd15b0b709fcbe225f41f8ce38048eedcfb169eef818694a120abd1735d103ffe640b201b7 |
C:\Windows\System\AvuzRdY.exe
| MD5 | 9c115f0a22af05a820601cfd13f18c14 |
| SHA1 | 503547baffb5ea3b2818f4227d819d6d25b4f6b6 |
| SHA256 | b5678d1796257990158a3499d48fa592bcc5538ec7e1f621206ad31f56b04d0d |
| SHA512 | d81e962ff067b8ff36155b8cc95dea5c6508c9f6b83c20975bb925a82c718b629433daa6ba72c89127ca70c59c8eca9f56bcfb00eab7eb0b8a05d493f3f6ab0e |
memory/3492-24-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp
C:\Windows\System\LrjhqZo.exe
| MD5 | d3c2bc2698c4fab9999d0645995bab75 |
| SHA1 | 7762c03cf4fc3078132318ca593758891c762f84 |
| SHA256 | d74b18bd40ced2e17c6e88dc60386e6bee85f0d711d5f7409e06966269399cc2 |
| SHA512 | ae4bb449643584186ad9aa329cde0c35d4e155c65cd3b178f3c5e28d1be66560e096988dc8fa8e206897270a9eaf9b8e7b8900914d5a69885bc27c412693bedf |
memory/3304-31-0x00007FF620190000-0x00007FF6204E4000-memory.dmp
memory/1908-29-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp
memory/3680-25-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp
memory/1656-7-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp
C:\Windows\System\RJLfPyd.exe
| MD5 | 1edc6b0d6036bdd17228aaec6be962f8 |
| SHA1 | 3d4d6b5bb64d21f6fc964655147d2591849873c6 |
| SHA256 | 0fafe36c93bfd647a340d3e15d674fb49b6782a2ab962d69ad1870b11d93f6e9 |
| SHA512 | 89c2bd40d47f940f6a69fc02776f28c6966c53b916195dfd468904fda5d2446b1e2264dbb1d624bd7f1bb445962374fc791c0f667c0ed53ee14aeacc030595ac |
memory/3312-38-0x00007FF738A20000-0x00007FF738D74000-memory.dmp
C:\Windows\System\qfuGVti.exe
| MD5 | dc48dc4634d98c096a86a09244fa7a6a |
| SHA1 | a0ed11b303508abe241d2e19d7168bb19e335441 |
| SHA256 | f3cb372793eb4b390a4fc6b5643637dc20ec269404adec9fe554902adf9d710f |
| SHA512 | ee5ec49255f96bf96a3b1f5a84254230dc5938322cc426da355911f5fee25293bd4dd2a50d499e86678949150f41cec20fe8f8ca79c9c9c36a524a2cb80d3d14 |
C:\Windows\System\TGGchbA.exe
| MD5 | d1a9e428534c4616fd893a6ad2fe6757 |
| SHA1 | 65ddcf925fc1af60f63e5c476e2b3f2b85b3b82c |
| SHA256 | 0a0e623c2234006a47a4e3828c9d6ce44988a9797581ed77535081533e0887fa |
| SHA512 | f2df4744d4e112fc430b485f94b39ccb5622100fed5c8094b919765f3d0a21e28f52bfbad77323d243137bfca5a9c6ce93a457278f89cd5f30f027d28db332d6 |
memory/3024-44-0x00007FF706A10000-0x00007FF706D64000-memory.dmp
C:\Windows\System\gtKanGC.exe
| MD5 | ab0a84e9c6a42e18388a6097cd72510b |
| SHA1 | c1722cc9a5a8da0711293afb846a7a31ea7964e4 |
| SHA256 | 66f2fa6979ffae98350edf04bff530689458bb0e46b3479a9a81304a43a2f0b5 |
| SHA512 | 6a4293e371d2076e29f80068c8aeef973ae29528870f1fd18b970c77c42a600841f0170208af39ebb9ec7880fa8ac93ddf3fec610e77a53c30596f892f6ae2b4 |
memory/2900-64-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp
C:\Windows\System\gGfgfuO.exe
| MD5 | 8e87f973ebe77062c5b653f81038813e |
| SHA1 | 85fd6adad0d73f6fe8713e8487ac71f8adc4dddb |
| SHA256 | cbe6317a8534e66439f0169defef4061d77ec3dadda795974d734685d245352f |
| SHA512 | 3183654055cadb23b497a2c85634ea411530ae5d7ab0feabf36ca2da57832ac27c8ce76f2892d3a73d12f4118d0b64a509748a623aef1576959e4a25ed9ffcf1 |
C:\Windows\System\AmnILYh.exe
| MD5 | b33fac21a0b9395deb3d61331258fcaa |
| SHA1 | b3fc84730ee7eb1fa6f89d9dfc4ccf5501f3c7e9 |
| SHA256 | c5219f94d98ca8d8cd4dd6c930197818f08b0e6cf0822662525e599628228e50 |
| SHA512 | 8b6f0642fc71913620915b39f10ed17e9bd075f9ebbe2d721b19051b487e1794cee1cc385b25d6cf58a75df32d62195375b1664ee452d2c2a2177c1795862eb1 |
C:\Windows\System\nhaErco.exe
| MD5 | 76dbadfae219793bf4e3ae030ce1727a |
| SHA1 | 3c07f401d52160e0d0ca8bb27623e827664cae2c |
| SHA256 | a5ac865f8fb26234c79adb0366ee09d20d8daaf576f162ba71236091b149130d |
| SHA512 | 678e12e5d247f77bf3658e937c93566c53682b292e335f96e786b26856642cf46fca39cf862d01bb852809892578461007933bdc927f0b21b265ae668d95d597 |
memory/4092-94-0x00007FF6D10F0000-0x00007FF6D1444000-memory.dmp
C:\Windows\System\NODsGXJ.exe
| MD5 | 90ec29556591b20b9e82a29806974524 |
| SHA1 | a8bb755a1348aab611808e507a4b4af793f6a591 |
| SHA256 | 1f433fd32ff9eb0d8115d43a29ec449bc9884952327913bfe9e87a94fb295a00 |
| SHA512 | 9f9e51cb8effa268740593909399a6757d58509645b4d1edd65cc930bff51593326d4a9c07ade22cb00de8d383609bb516cc5e11fdfa98a99495d1caad36cdba |
memory/1380-102-0x00007FF6B3B70000-0x00007FF6B3EC4000-memory.dmp
memory/1972-104-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp
memory/3736-103-0x00007FF79D020000-0x00007FF79D374000-memory.dmp
memory/4392-101-0x00007FF79D2B0000-0x00007FF79D604000-memory.dmp
memory/4836-98-0x00007FF676140000-0x00007FF676494000-memory.dmp
memory/3388-97-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp
C:\Windows\System\snHHmwj.exe
| MD5 | 4ffc7f43aa5aec32dd7b652606018e1c |
| SHA1 | 091be94cd3dcac2cc0728826233570ffa7ae3772 |
| SHA256 | 1470c854ad6b9c79da9ec5b02f7c83407a20f0636a8427744cee039ef50dba1b |
| SHA512 | d2ab4a7f53977e156a2fa83bf1a17d9f7fcb55d0c492372e664109ec2df043b0351c4945ee8fbbeac9c6316d6c6568c577e01ef07afe2d93d34e5b3f838d3ccb |
memory/4540-91-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp
C:\Windows\System\QdlpGDi.exe
| MD5 | 063ef9873608385e5bcb88648b170f28 |
| SHA1 | 75429ec0a6e5e04d1b872ffe6fc52076ef6c5e96 |
| SHA256 | f8db64652c081ef1ed0c7f319d17fc2ad592c38dbb70e0b1380058e8885a1ba7 |
| SHA512 | 25cf8b9cde1a72e6a26c18f218c31d3479edf88f973fac92f2552c2098b4e17a0d747277fd47e885f7279e238b336450e9e567c3fb99eb62c5a1d9ae7d025a65 |
C:\Windows\System\GHhORDj.exe
| MD5 | 3317922965b9608171d0c6c13d4955ac |
| SHA1 | 9fc6bfdf03e36f95a31f79d072a8fde80e51dcec |
| SHA256 | 594980922683c46ef9acca9e3f3b3c754266f0f0fe83acb47a6c3ce94e1b6f42 |
| SHA512 | 05ddfaaf1bf45d6bae51726f8bc14d2996316c5a64e24f44a8c80152a798b008297ca037221166cb296376d9b28e918ec1751d99d6892ee50681fa2ff95704fc |
C:\Windows\System\prwmgkR.exe
| MD5 | 7ee027c7927194b2a356db665f5956ce |
| SHA1 | b047f100c7256624f3585427057f5533fcd2c5d9 |
| SHA256 | 330550dd1b486719354529c14582ce3e24fd983656df8c3fc37a40d9a709b7f5 |
| SHA512 | b5a309aee80927800f138726fabd67a1ea9bc549cbf530f12a31a2f956386387b57706e93d9a154f78e5ffea3ac00bf45f8b0b6b692cd132960e75636b67220b |
memory/1360-52-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp
C:\Windows\System\LDDzABz.exe
| MD5 | 3f515a4268c5fbb1c169bb6e4e02efb7 |
| SHA1 | b3459aa93e84fc38ae913795d4b79d18e05b9aab |
| SHA256 | 898e75b46969e49e0c5ec16cb6f07294ec287d2012d1f41af35e582c947cd690 |
| SHA512 | 8622e0f2d494056ee61b012f0ac0c3aa0d426b8ba834cb77272072746d489e42d1c0c2d124fdb2146c3a507d2d79633e8f3e47aa1cb816a6d629bf7cd7d07067 |
memory/3088-110-0x00007FF682660000-0x00007FF6829B4000-memory.dmp
C:\Windows\System\qvfAARq.exe
| MD5 | 09eb7e1c1c78d47bf0c7a5086fbbeb0c |
| SHA1 | d82b8b036ddfe4c862e4d1258ac0bb607596e57c |
| SHA256 | 855ff5ab768c46a25f954bb573f306fc3090d95e096ff61fd3e776f8c9d06c72 |
| SHA512 | 6436667ee13fbbaa7ddb73298d564a061f568a985dba9fcaa80742adceda10e9393e8fd06a488587bec1f07c670b5380bef5507841ae7e70ae86b15585688ce3 |
memory/2796-116-0x00007FF68D610000-0x00007FF68D964000-memory.dmp
memory/4344-115-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp
memory/3492-124-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp
memory/4848-125-0x00007FF6AE4E0000-0x00007FF6AE834000-memory.dmp
memory/1656-123-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp
C:\Windows\System\nfPnaWc.exe
| MD5 | c17bfe34bcb4903d48de921c04289cdf |
| SHA1 | 16958bc58c33ee0e4b6741f54720167237d0b85e |
| SHA256 | 6e3aeb321d8fdb418d2ff3ce9d179b96e5c098ee8a5b84fae4cb013df2f910bd |
| SHA512 | 61487c9a26bda6141609effbc5a67fe2828ca0b8cf4922e6a92156534cf1bc0c4c4f4b7f168099f746a90bc07056e3deab50cc8ee9c7fc80f666405e1a765b3a |
C:\Windows\System\oMSKiom.exe
| MD5 | a318f22f33c4a8af70b842590c3432dc |
| SHA1 | ab88485cfd44e9475f059d307ff5971ee658f811 |
| SHA256 | 1431f7c6f4777e06ba58ab7542f5a624580d9abae663a1836ad7de5251f7c015 |
| SHA512 | a22e2af5b55ce2e5622adc1025b104a6642ae6376877d5eb5d0044813c0f3a898fa8176218d6098a0e2a311a9c25650b298ff1fef08b7c6f844bffcd607505e9 |
memory/4712-130-0x00007FF665930000-0x00007FF665C84000-memory.dmp
memory/3304-131-0x00007FF620190000-0x00007FF6204E4000-memory.dmp
memory/3024-132-0x00007FF706A10000-0x00007FF706D64000-memory.dmp
memory/2900-133-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp
memory/4540-134-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp
memory/2796-135-0x00007FF68D610000-0x00007FF68D964000-memory.dmp
memory/1656-136-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp
memory/3492-137-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp
memory/1908-138-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp
memory/3680-139-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp
memory/3304-140-0x00007FF620190000-0x00007FF6204E4000-memory.dmp
memory/3312-141-0x00007FF738A20000-0x00007FF738D74000-memory.dmp
memory/3024-142-0x00007FF706A10000-0x00007FF706D64000-memory.dmp
memory/1360-143-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp
memory/2900-144-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp
memory/3736-145-0x00007FF79D020000-0x00007FF79D374000-memory.dmp
memory/4540-146-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp
memory/1972-147-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp
memory/3388-148-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp
memory/4092-149-0x00007FF6D10F0000-0x00007FF6D1444000-memory.dmp
memory/4836-151-0x00007FF676140000-0x00007FF676494000-memory.dmp
memory/1380-152-0x00007FF6B3B70000-0x00007FF6B3EC4000-memory.dmp
memory/4392-150-0x00007FF79D2B0000-0x00007FF79D604000-memory.dmp
memory/3088-153-0x00007FF682660000-0x00007FF6829B4000-memory.dmp
memory/2796-154-0x00007FF68D610000-0x00007FF68D964000-memory.dmp
memory/4848-155-0x00007FF6AE4E0000-0x00007FF6AE834000-memory.dmp
memory/4712-156-0x00007FF665930000-0x00007FF665C84000-memory.dmp
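The Processes, Network and Files listings above are the indicators a responder actually needs, so here is a small parser that turns them into checkable output. This is an added example, not part of the sandbox report: REPORT is a constructed excerpt that copies a few lines from the listings above in the report's own layout, and the pattern checks (seven-letter .exe names under C:\Windows\System, repeated connections to one endpoint, memory-region sizes, dropped files with no recorded SHA256) are the editor's, not sandbox signatures. One detail worth carrying over from the full listing: apart from the 0x10000 region in PID 4344, every memory region recorded above spans exactly 0x354000 bytes, the same for the parent and for each dropped executable. That is consistent with the 21 dropped files being copies of one image that differ only in bytes that change the hash, but the report does not say so; treat it as an inference to confirm on the samples.

```python
"""Turn this report's Processes / Network / Files listings into checkable IOCs.

Added example, not part of the sandbox report. REPORT is a constructed excerpt
that copies a few lines from the report in the report's own layout; the checks
in findings() are the editor's, not the sandbox's signatures.
"""
import re
from collections import Counter

REPORT = r"""
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XVfEehU.exe
C:\Windows\System\XVfEehU.exe
C:\Windows\System\zoNEHkd.exe
C:\Windows\System\zoNEHkd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp
Files
memory/4344-0-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp
memory/4344-1-0x000001C0CC3E0000-0x000001C0CC3F0000-memory.dmp
C:\Windows\System\XVfEehU.exe
| MD5 | 6bd2662a2f5a1766cf4a38df163b8a9d |
| SHA256 | 6798aa712d62f44e11d9d692f25714f68178118a22959a9eefcf8bd207d479fd |
C:\Windows\System\zoNEHkd.exe
| SHA256 | 3640ac621019811d953db0ee22acfda543c0e397523849185887c1baee45f95f |
memory/3492-24-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp
"""

SECTIONS = ("Processes", "Network", "Files")
# C:\Windows\System (not System32) is a legacy directory; every dropped file in
# this report is a freshly written seven-letter .exe placed there.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


def parse_report(text):
    """Parse the three listings into plain Python structures."""
    section, current = None, None
    processes, network, regions, files = [], [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "Processes":
            # A process appears as its path followed by its command line; dropping
            # the shell quoting collapses the pair (and any repeat) to one entry.
            path = line.strip('"')
            if path not in processes:
                processes.append(path)
        elif section == "Network":
            cells = [c.strip() for c in line.strip("|").split("|")]
            filled = [c for c in cells if c]
            if cells[0] == "Country" or len(filled) < 2:
                continue
            # Proto is the last non-empty cell, so a row with an empty Domain
            # parses the same wherever the blank cell happens to sit.
            proto = filled[-1] if filled[-1] in ("tcp", "udp") else ""
            domain = filled[2] if proto and len(filled) == 4 else ""
            network.append({"country": cells[0], "dest": cells[1], "domain": domain, "proto": proto})
        elif section == "Files":
            m = MEM_DUMP.match(line)
            if m:
                start, end = int(m.group(2), 16), int(m.group(3), 16)
                regions.append({"pid": int(m.group(1)), "start": start, "size": end - start})
                continue
            h = HASH_ROW.match(line)
            if h and current is not None:
                files[current][h.group(1).lower()] = h.group(2).lower()
                continue
            current = line  # a path line opens a new file entry
            files.setdefault(current, {})
    return {"processes": processes, "network": network, "regions": regions, "files": files}


def findings(report):
    """The checks a responder would run over the parsed listings."""
    dropped = [p for p in report["processes"] if DROPPED_EXE.match(p)]
    # Reverse lookups against 8.8.8.8 are sandbox noise; count the rest per endpoint.
    conns = Counter(
        (n["dest"], n["proto"]) for n in report["network"]
        if not n["domain"].endswith(".in-addr.arpa")
    )
    region_sizes = Counter(r["size"] for r in report["regions"])
    unhashed = [p for p in dropped if "sha256" not in report["files"].get(p, {})]
    return {
        "dropped_exes": dropped,
        "repeated_connections": {k: v for k, v in conns.items() if v > 1},
        "region_sizes": region_sizes,
        "dropped_without_sha256": unhashed,
    }


def sha256_iocs(report):
    """SHA256 of every file entry that has one, ready for a blocklist or hunt query."""
    return sorted(v["sha256"] for v in report["files"].values() if "sha256" in v)


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for key, value in findings(parsed).items():
        print(f"{key}: {value}")
    print("sha256 IOCs:", sha256_iocs(parsed))
```

Run it on the full report text and `region_sizes` should come back as one 0x10000 entry plus a 0x354000 entry with a count equal to the number of processes; `repeated_connections` isolates 3.120.209.58:8080/tcp as the only endpoint contacted more than once once the in-addr.arpa lookups are filtered out, and `sha256_iocs` gives the 21 values to feed a blocklist.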