Analysis Overview
SHA256
d1a7ac0157631e73b2916835d7ea7a6ef13bd8677ca695db237d2c73050a24a8
Threat Level: Known bad
The file 2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 21:52
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 21:52
Reported
2024-05-29 21:54
Platform
win7-20231129-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tfaYHmy.exe | N/A |
| N/A | N/A | C:\Windows\System\DxKfJZg.exe | N/A |
| N/A | N/A | C:\Windows\System\JKQrqiB.exe | N/A |
| N/A | N/A | C:\Windows\System\lPQndmR.exe | N/A |
| N/A | N/A | C:\Windows\System\jzCOtmv.exe | N/A |
| N/A | N/A | C:\Windows\System\UvEtTcG.exe | N/A |
| N/A | N/A | C:\Windows\System\qZyfyKW.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwQZDZc.exe | N/A |
| N/A | N/A | C:\Windows\System\vwvWwIh.exe | N/A |
| N/A | N/A | C:\Windows\System\zvtySQl.exe | N/A |
| N/A | N/A | C:\Windows\System\gGekhkx.exe | N/A |
| N/A | N/A | C:\Windows\System\GVKwqLl.exe | N/A |
| N/A | N/A | C:\Windows\System\CCFqXTq.exe | N/A |
| N/A | N/A | C:\Windows\System\ddjafmx.exe | N/A |
| N/A | N/A | C:\Windows\System\tyXUpon.exe | N/A |
| N/A | N/A | C:\Windows\System\bALRoPx.exe | N/A |
| N/A | N/A | C:\Windows\System\jgmtlJe.exe | N/A |
| N/A | N/A | C:\Windows\System\qbodWhw.exe | N/A |
| N/A | N/A | C:\Windows\System\KElVvUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\eUoTROe.exe | N/A |
| N/A | N/A | C:\Windows\System\qUXALsq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\tfaYHmy.exe
C:\Windows\System\DxKfJZg.exe
C:\Windows\System\JKQrqiB.exe
C:\Windows\System\lPQndmR.exe
C:\Windows\System\jzCOtmv.exe
C:\Windows\System\UvEtTcG.exe
C:\Windows\System\qZyfyKW.exe
C:\Windows\System\ZwQZDZc.exe
C:\Windows\System\vwvWwIh.exe
C:\Windows\System\zvtySQl.exe
C:\Windows\System\gGekhkx.exe
C:\Windows\System\GVKwqLl.exe
C:\Windows\System\CCFqXTq.exe
C:\Windows\System\ddjafmx.exe
C:\Windows\System\qbodWhw.exe
C:\Windows\System\tyXUpon.exe
C:\Windows\System\KElVvUJ.exe
C:\Windows\System\bALRoPx.exe
C:\Windows\System\eUoTROe.exe
C:\Windows\System\jgmtlJe.exe
C:\Windows\System\qUXALsq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 21:52
Reported
2024-05-29 21:54
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
XMRig Miner payload
| Description | Indicator | Process | Target |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tfaYHmy.exe | N/A |
| N/A | N/A | C:\Windows\System\DxKfJZg.exe | N/A |
| N/A | N/A | C:\Windows\System\JKQrqiB.exe | N/A |
| N/A | N/A | C:\Windows\System\lPQndmR.exe | N/A |
| N/A | N/A | C:\Windows\System\jzCOtmv.exe | N/A |
| N/A | N/A | C:\Windows\System\UvEtTcG.exe | N/A |
| N/A | N/A | C:\Windows\System\qZyfyKW.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwQZDZc.exe | N/A |
| N/A | N/A | C:\Windows\System\vwvWwIh.exe | N/A |
| N/A | N/A | C:\Windows\System\zvtySQl.exe | N/A |
| N/A | N/A | C:\Windows\System\gGekhkx.exe | N/A |
| N/A | N/A | C:\Windows\System\CCFqXTq.exe | N/A |
| N/A | N/A | C:\Windows\System\GVKwqLl.exe | N/A |
| N/A | N/A | C:\Windows\System\ddjafmx.exe | N/A |
| N/A | N/A | C:\Windows\System\qbodWhw.exe | N/A |
| N/A | N/A | C:\Windows\System\tyXUpon.exe | N/A |
| N/A | N/A | C:\Windows\System\KElVvUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bALRoPx.exe | N/A |
| N/A | N/A | C:\Windows\System\eUoTROe.exe | N/A |
| N/A | N/A | C:\Windows\System\jgmtlJe.exe | N/A |
| N/A | N/A | C:\Windows\System\qUXALsq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3289db52e6c72741494fe0d15af301e4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\tfaYHmy.exe
C:\Windows\System\DxKfJZg.exe
C:\Windows\System\JKQrqiB.exe
C:\Windows\System\lPQndmR.exe
C:\Windows\System\jzCOtmv.exe
C:\Windows\System\UvEtTcG.exe
C:\Windows\System\qZyfyKW.exe
C:\Windows\System\ZwQZDZc.exe
C:\Windows\System\vwvWwIh.exe
C:\Windows\System\zvtySQl.exe
C:\Windows\System\gGekhkx.exe
C:\Windows\System\GVKwqLl.exe
C:\Windows\System\CCFqXTq.exe
C:\Windows\System\ddjafmx.exe
C:\Windows\System\qbodWhw.exe
C:\Windows\System\tyXUpon.exe
C:\Windows\System\KElVvUJ.exe
C:\Windows\System\bALRoPx.exe
C:\Windows\System\eUoTROe.exe
C:\Windows\System\jgmtlJe.exe
C:\Windows\System\qUXALsq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1740-0-0x00007FF6E1A50000-0x00007FF6E1DA1000-memory.dmp
memory/1740-1-0x000002204A890000-0x000002204A8A0000-memory.dmp
C:\Windows\System\tfaYHmy.exe
| MD5 | f7a5a083dc9dfabdd08dfe0f0c05f178 |
| SHA1 | 56f6400079608a6f7097f8b655d71579b88b9029 |
| SHA256 | 74346a56177ff1d7b2d4e66cb59d85b8648d8e5888b8580fad54cdf682a044a4 |
| SHA512 | d73fadc07032ad14094c988c9cef024d416085a45e9b91778d5720b5ab4f8b502183dab0a561f80cc7d95b9e13c25cf46f15a2fc70bfcad8fdc9ab70bbf6d637 |
memory/3772-8-0x00007FF7AA120000-0x00007FF7AA471000-memory.dmp
C:\Windows\System\JKQrqiB.exe
| MD5 | 7291e28569917f270ebb5d3a989d2b85 |
| SHA1 | 314281b7ae65bd0fbb448a573adbc81bf3f2f40c |
| SHA256 | 5e4fe2a8f86ea8dd6e18dfb4451450c0958055a710703274998ba7bfe0e8a775 |
| SHA512 | 9c27d7575e5d35c6d9fb72e79d023ae1c34270bc3fb8efc2b1bbc2743296296ede35e547cb2c56ab91165c6e8a713e7063e065aee224d65a0e795d513d26e889 |
C:\Windows\System\DxKfJZg.exe
| MD5 | 847c7ed3e5bcd1a8cd5f0964e5641c3c |
| SHA1 | edf6d8b8b049188c14759f8c5f8829bf1cca20e6 |
| SHA256 | 9ea3749033afc3751af0a552a4224954f36b81d2018dcb555f284b53bd47fee8 |
| SHA512 | 0fa84911b10ef8ce1de7899206efcdc856aae918f4def88dc91f509eb898ee30227b5a5006950de324076fc6a75c8d90583783594f2b103d06bd0dd57633615f |
memory/1956-18-0x00007FF7A9D70000-0x00007FF7AA0C1000-memory.dmp
C:\Windows\System\lPQndmR.exe
| MD5 | c5b712572dc2142eaa2c54853d9f5acb |
| SHA1 | dde2267559724e8417aa373aac7f7c9f970a01c3 |
| SHA256 | 01af6ce8b9a7b5e8593e3b09f860564ced6d1bb9a59579a9afaa77054428fd3e |
| SHA512 | 7aa8d60a0b468e42cde997bcb33c899d2ceaf8547ee392a79aa386b76caf0daffb1c2c7ed6530820d0318f8a13266160ac46e4617ca6757b1eef89f5f60e7fae |
memory/5104-26-0x00007FF7B6AF0000-0x00007FF7B6E41000-memory.dmp
memory/392-22-0x00007FF7BA8F0000-0x00007FF7BAC41000-memory.dmp
C:\Windows\System\jzCOtmv.exe
| MD5 | b18217c515313160d79494a3f9f81403 |
| SHA1 | d5bf94d9f468ea7afc0d6a0ec131b4d6d906d2e2 |
| SHA256 | ce41b45bac6d7d368b69fe3c2b71c7f16ae5212c8ddff576f8aff0c60ccdbeb7 |
| SHA512 | acbd71c6db62f84a0f79a010a1ae5734d4643c392982060ed68e8e7c5b23ee711e22a54694a3e6ef7030959b76a91088f5638ca276f9704b1226262fb9a125c7 |
C:\Windows\System\UvEtTcG.exe
| MD5 | cb732310ffdcc1dda30ed46900de8793 |
| SHA1 | ef9fbeb4910d007c6dd53aa9ef3b28f3f634d95a |
| SHA256 | 76e95b5fb4041e4b4d028b526ef2720482baf8c7ebfc7fb1f515db7438bc8929 |
| SHA512 | 2a2d9cbeb0ff29eb211ff2cc360263d7e2d44f5e4e6bbae3d348a503ab0af0122ffa01b58207e11630ccabc50a7d41772da0fc4f1c27edb6fc5ee98f8f570132 |
C:\Windows\System\ZwQZDZc.exe
| MD5 | 163cd014f9b5c492b7785879e2d7f161 |
| SHA1 | c7a3a90b1bfb05206b5ac5d92c5224bac2269007 |
| SHA256 | 2de5a6fd9c1ff288f125da1a6eb754df839cfea8bbf4aeca4d41f01c8576aa01 |
| SHA512 | fd7ad25f9fc07b877be4377f1d81abef52eb6ab098db9c4b7ac69d7090845721721f5339913369bb9d8e9b0cf6b4e8ec379bfdd7651b27ac98e7d8d095611b12 |
memory/3788-45-0x00007FF629480000-0x00007FF6297D1000-memory.dmp
C:\Windows\System\vwvWwIh.exe
| MD5 | 2a0d17124a6524e6bb0ff503fb32c686 |
| SHA1 | 0d557d9bf6a3e2594ac4440d7007af1303baa31c |
| SHA256 | 6af5b57465b971576d14b7f4f8ba1379069cc1bf8a55f53eec66c96ece4af64a |
| SHA512 | a0aa6f0e15791f997c23ef64fd4140766cdb27c9174ae5f412976897d8111616ec73c04edc1a3ea1afbd881981addd051bee86c9496dc6be4335ecf3ee92212d |
memory/852-55-0x00007FF6AD4A0000-0x00007FF6AD7F1000-memory.dmp
memory/1580-67-0x00007FF7AEC30000-0x00007FF7AEF81000-memory.dmp
memory/1396-74-0x00007FF7A11E0000-0x00007FF7A1531000-memory.dmp
C:\Windows\System\GVKwqLl.exe
| MD5 | fcd021b2b283209dcd365f3e6e372547 |
| SHA1 | a79ef71061c4f18fa799191eb9da03e918f3851c |
| SHA256 | 22bc0c40adfb944193006dd5a132051cab1d128097ff5aa0825c637b97160544 |
| SHA512 | 2d335b2f4efa536bfb281fa900101bd473ff3abea7ae5ed15ed42f67ec63b41860a3bf7d289cf04c2176d03eb9c590531aa4fd51ad053c9fad7d544d1d7bbcab |
memory/4908-81-0x00007FF6D2040000-0x00007FF6D2391000-memory.dmp
C:\Windows\System\CCFqXTq.exe
| MD5 | 52c0398d1fb424b9d71435cf8f1bede8 |
| SHA1 | 84c4f093806cbb5ee0020c6a54abc58116ecca17 |
| SHA256 | ad9525b07b7006fbc9ebb1b618fd4405c6a2504d9b5b40a7a048f09669708090 |
| SHA512 | 69ffbf2ec35b22cd494d6f16275c836c871f7022180686e3cfce8e75695f8f6b150daff7f23ef8c712e496eff5c78a07d8bd7c9ffd9eea0a94221b677cf929c0 |
memory/1956-78-0x00007FF7A9D70000-0x00007FF7AA0C1000-memory.dmp
memory/3772-77-0x00007FF7AA120000-0x00007FF7AA471000-memory.dmp
memory/3892-76-0x00007FF646010000-0x00007FF646361000-memory.dmp
C:\Windows\System\gGekhkx.exe
| MD5 | 4948adbe19f47ed91ded0363c0edde34 |
| SHA1 | cec04d3a2b70238d9fcf452248ed74f2c14dcec7 |
| SHA256 | c24b25d39d604ac76985c7f570dd838ac541fdd4bceedd8acf140fc981d04819 |
| SHA512 | 010a36515da19b98feb06312c21c789d032eaa33ac89f84813f64421b1272a48c1ffa53f48b18884c926573eddacfe9038240a92b1eca57331d804a7179efcd1 |
C:\Windows\System\zvtySQl.exe
| MD5 | efe8be7e006b534f172f863749fadf57 |
| SHA1 | b04bef57cc9a06fda5e0fdb5f57c448a7030b2d1 |
| SHA256 | 073198f3240186f884cc9ab68d4c98cae101d429c647369ffc49a5861d30c6b5 |
| SHA512 | aec8c53afe0dee66494d65ae4b75c32f9d61d45ca9a28aab726662d6f045ae8a130adb40bc864ef5962dd57ef57223c720e4def61cc8276e4074011dc0a3f24f |
memory/1740-63-0x00007FF6E1A50000-0x00007FF6E1DA1000-memory.dmp
memory/1236-60-0x00007FF61C3B0000-0x00007FF61C701000-memory.dmp
C:\Windows\System\ddjafmx.exe
| MD5 | ff3ef7c39fdcaa422c63a3ca22d72ff4 |
| SHA1 | 0347a9f831b6db44f3dc7b05dcd1e417e33e34d9 |
| SHA256 | d92774233100e72c93c910bbe8e0c6465f5d15c99542e1b4007b053686b6baf1 |
| SHA512 | a7ffb84601a69ae9efc7df15379c6e10af8b3303506dea2fda946729a019dad0278188b038ce4530c7aecb4727d0d661709beeeec57b03fb9e6b647cce8aad20 |
memory/4640-88-0x00007FF71F1C0000-0x00007FF71F511000-memory.dmp
C:\Windows\System\tyXUpon.exe
| MD5 | 657ab107cdab78ce658daf07a38fcd77 |
| SHA1 | 311770ff63e67ea5713667dbc3f36132e2173568 |
| SHA256 | b03bbbf55cf3aaf4bb5a8f62a24dd0bee85abb21879ae401072a67df59300500 |
| SHA512 | e0fe472fda567575fbc9ae93bc86d042db4bb7c672c1f99cadafd58ca41b0cd8f9854425707ce86b687f0f5eb256ba68211b228f8dc6d2246411b2b08ba07bed |
memory/392-96-0x00007FF7BA8F0000-0x00007FF7BAC41000-memory.dmp
C:\Windows\System\KElVvUJ.exe
| MD5 | fb626791606e1958c28ae140a09b16b9 |
| SHA1 | 74e3651cba2c7c636d0acae0d77696a1386cad88 |
| SHA256 | 30fdb2de71f2c2f1f9cbf53d4510673fe28f05a44251feae920877a38654327c |
| SHA512 | 190f4b56a3fbb498d86c2a196db8e0be19bfe124e3c21065c224e5f26057fdf18d0910e3533d20bac313b0972bb830cdc105e0310745b073aea8e9c82cec2df6 |
C:\Windows\System\bALRoPx.exe
| MD5 | abebd0977b94c3dfe70eea300e8ae311 |
| SHA1 | 7ffd3b05f99cf4fdb522e6f652b369891401dbd0 |
| SHA256 | a0e8e1ca456e51d4e001777d0864d6f6da7e4269aae9e354b9d420a15a68339d |
| SHA512 | 97de7ad06b78cfffc921cc0a9f02265d2ed2d09bda987176a54e26533a45711f7891d6a48142f095ff203d59b54ab2e1f52cf276e2062f0f3d2245b137540a92 |
C:\Windows\System\eUoTROe.exe
| MD5 | 756183cd86ace87cc47a6e9c227b1680 |
| SHA1 | 98ad39c29d63141e99217336e79fe6675989159e |
| SHA256 | cc61c56478f544fd1c302de7eebff5808e2a0788c1f5adf49f3a868962048c32 |
| SHA512 | 1c3ef544907f2984036b25453cc2517367b50dcbdf8d0636dacb1cc49f61cf019d3aceceb60f7666194017d735939d4c37f28f0975ec56f32eebad9d647698ef |
C:\Windows\System\jgmtlJe.exe
| MD5 | 6e56f2473df01bf782832a762dd58cf9 |
| SHA1 | 906934b13ff61f436907d2e03de462f1e4c0520c |
| SHA256 | 811a9ee28df57c546b2ee7a637f881577b282409e8b707b9fffb98059a50f74f |
| SHA512 | 9bb3468040400486faf1937ac33d6e74f7e065041a46523846f8bcdf05c827191d4136110bf979d11d13fa96d1403dde9ab46f2bba777800d2641dd489a3e5d1 |
memory/4376-127-0x00007FF7EBE90000-0x00007FF7EC1E1000-memory.dmp
memory/3788-134-0x00007FF629480000-0x00007FF6297D1000-memory.dmp
memory/536-132-0x00007FF7113E0000-0x00007FF711731000-memory.dmp
memory/760-131-0x00007FF71A4F0000-0x00007FF71A841000-memory.dmp
C:\Windows\System\qUXALsq.exe
| MD5 | 544b34bda44244708ec0b40b9843df7e |
| SHA1 | b17f322e2876bbe5f44478a33a3503b2e48a043b |
| SHA256 | 642c866f9c95eaa7e50e4bf2b84e781365e843f87897a351e3449413d3746876 |
| SHA512 | e9044ae6a2c834a7289fbf7170bb49413ba355bca65ef61ea045fa47cdccc106cd03716ac1840c7b7b28404bbd417852c4f361114cd8334a1da4c925352ae57c |
memory/1980-126-0x00007FF749C20000-0x00007FF749F71000-memory.dmp
memory/1468-125-0x00007FF707090000-0x00007FF7073E1000-memory.dmp
memory/1892-121-0x00007FF7369E0000-0x00007FF736D31000-memory.dmp
memory/4360-114-0x00007FF67E220000-0x00007FF67E571000-memory.dmp
memory/3136-105-0x00007FF72F4E0000-0x00007FF72F831000-memory.dmp
C:\Windows\System\qbodWhw.exe
| MD5 | e54abc4bb4a619d0b59c102af28ad855 |
| SHA1 | a686c2a1ea36f14e152869153fa8e67afdf87d77 |
| SHA256 | fb0acc81330626d6fbac29e4b559ffeaf44c8dd43745051f8f38c404941fb2c9 |
| SHA512 | cbb8424a57b505cd9caf314303b8d7dbf2347dc6135f6d7dcf5ba65c2a90aba4a51b64e83505f4c0659e7af6aa7a1ff2e232a11002d4103ecde048bbb0c78f25 |
memory/1960-99-0x00007FF7989D0000-0x00007FF798D21000-memory.dmp
C:\Windows\System\qbodWhw.exe
| MD5 | cf058a7cb5faa261068de48ef4791532 |
| SHA1 | 1972a36fc2d7803acdf8aab88d54c24b8442e18b |
| SHA256 | d7f2492661346e84512f9a03af3224f067be18c7f0ee0d2be7efd25136129e34 |
| SHA512 | 61968aa8cac56175fdd1751206be26a5cbd3a14f9bdc87770a0fa45953d6d0e412c52222e89958eed1ce09ef82209e183ba926a79c5018cc9c37b5d6886de312 |
C:\Windows\System\qZyfyKW.exe
| MD5 | 1b9db92e29696007d89dc1f5ad5c4191 |
| SHA1 | b307e9659853c0e911a71bbbfad571077814003c |
| SHA256 | 28b2e1d42c3a1f64f222119651bc910f149e94c95bbb545095a6dd16c643e0a2 |
| SHA512 | b4f217b9d1a7902e83ad8a9c69e1192a1160de28523bac1c223d13f5a45a6c491b0f71b99d573ae87ca85d5027b580605aff88455549f57ee4e762b285f4ed56 |