Analysis Overview
SHA256
5ec5330a2e519adb7e667559c0c60a8a2509f3890b40a805d218b78d78eb74eb
Threat Level: Known bad
The file 2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Xmrig family
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 09:28
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 09:28
Reported
2024-05-30 09:31
Platform
win7-20240508-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gpJqXxf.exe | N/A |
| N/A | N/A | C:\Windows\System\PpZJvrq.exe | N/A |
| N/A | N/A | C:\Windows\System\dbSfsaW.exe | N/A |
| N/A | N/A | C:\Windows\System\sDHkXIG.exe | N/A |
| N/A | N/A | C:\Windows\System\DMkpHwV.exe | N/A |
| N/A | N/A | C:\Windows\System\pZZTvBk.exe | N/A |
| N/A | N/A | C:\Windows\System\VFsbHxr.exe | N/A |
| N/A | N/A | C:\Windows\System\xhDBmgB.exe | N/A |
| N/A | N/A | C:\Windows\System\DtShMdw.exe | N/A |
| N/A | N/A | C:\Windows\System\RuFleJF.exe | N/A |
| N/A | N/A | C:\Windows\System\slzvHRa.exe | N/A |
| N/A | N/A | C:\Windows\System\zcYTtIB.exe | N/A |
| N/A | N/A | C:\Windows\System\LzfPTDE.exe | N/A |
| N/A | N/A | C:\Windows\System\XCDZDTO.exe | N/A |
| N/A | N/A | C:\Windows\System\FNbrfQY.exe | N/A |
| N/A | N/A | C:\Windows\System\zfnhZPK.exe | N/A |
| N/A | N/A | C:\Windows\System\ucGDUBt.exe | N/A |
| N/A | N/A | C:\Windows\System\DpgwpVh.exe | N/A |
| N/A | N/A | C:\Windows\System\eFweDFV.exe | N/A |
| N/A | N/A | C:\Windows\System\QxfpDCl.exe | N/A |
| N/A | N/A | C:\Windows\System\xGQbEMe.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gpJqXxf.exe
C:\Windows\System\gpJqXxf.exe
C:\Windows\System\PpZJvrq.exe
C:\Windows\System\PpZJvrq.exe
C:\Windows\System\dbSfsaW.exe
C:\Windows\System\dbSfsaW.exe
C:\Windows\System\sDHkXIG.exe
C:\Windows\System\sDHkXIG.exe
C:\Windows\System\DMkpHwV.exe
C:\Windows\System\DMkpHwV.exe
C:\Windows\System\pZZTvBk.exe
C:\Windows\System\pZZTvBk.exe
C:\Windows\System\VFsbHxr.exe
C:\Windows\System\VFsbHxr.exe
C:\Windows\System\xhDBmgB.exe
C:\Windows\System\xhDBmgB.exe
C:\Windows\System\DtShMdw.exe
C:\Windows\System\DtShMdw.exe
C:\Windows\System\RuFleJF.exe
C:\Windows\System\RuFleJF.exe
C:\Windows\System\slzvHRa.exe
C:\Windows\System\slzvHRa.exe
C:\Windows\System\zcYTtIB.exe
C:\Windows\System\zcYTtIB.exe
C:\Windows\System\LzfPTDE.exe
C:\Windows\System\LzfPTDE.exe
C:\Windows\System\XCDZDTO.exe
C:\Windows\System\XCDZDTO.exe
C:\Windows\System\zfnhZPK.exe
C:\Windows\System\zfnhZPK.exe
C:\Windows\System\FNbrfQY.exe
C:\Windows\System\FNbrfQY.exe
C:\Windows\System\ucGDUBt.exe
C:\Windows\System\ucGDUBt.exe
C:\Windows\System\DpgwpVh.exe
C:\Windows\System\DpgwpVh.exe
C:\Windows\System\eFweDFV.exe
C:\Windows\System\eFweDFV.exe
C:\Windows\System\QxfpDCl.exe
C:\Windows\System\QxfpDCl.exe
C:\Windows\System\xGQbEMe.exe
C:\Windows\System\xGQbEMe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 09:28
Reported
2024-05-30 09:31
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zjyePtl.exe | N/A |
| N/A | N/A | C:\Windows\System\SynZQfc.exe | N/A |
| N/A | N/A | C:\Windows\System\PdyJatp.exe | N/A |
| N/A | N/A | C:\Windows\System\RSmLkao.exe | N/A |
| N/A | N/A | C:\Windows\System\EqKLXRF.exe | N/A |
| N/A | N/A | C:\Windows\System\LCByrmN.exe | N/A |
| N/A | N/A | C:\Windows\System\cvUVMQf.exe | N/A |
| N/A | N/A | C:\Windows\System\NoatkZp.exe | N/A |
| N/A | N/A | C:\Windows\System\HnkcGxA.exe | N/A |
| N/A | N/A | C:\Windows\System\IOxsYiX.exe | N/A |
| N/A | N/A | C:\Windows\System\dUrYxPw.exe | N/A |
| N/A | N/A | C:\Windows\System\qVqytqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\qxgqsko.exe | N/A |
| N/A | N/A | C:\Windows\System\dysBoqV.exe | N/A |
| N/A | N/A | C:\Windows\System\cssLUrB.exe | N/A |
| N/A | N/A | C:\Windows\System\PPuXvEY.exe | N/A |
| N/A | N/A | C:\Windows\System\qxFdDhg.exe | N/A |
| N/A | N/A | C:\Windows\System\vbBDmGf.exe | N/A |
| N/A | N/A | C:\Windows\System\IbpuPVk.exe | N/A |
| N/A | N/A | C:\Windows\System\vXaMShG.exe | N/A |
| N/A | N/A | C:\Windows\System\OcLliKr.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1ae3a42dff9637f036b1655ce4b201ef_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\zjyePtl.exe
C:\Windows\System\zjyePtl.exe
C:\Windows\System\SynZQfc.exe
C:\Windows\System\SynZQfc.exe
C:\Windows\System\PdyJatp.exe
C:\Windows\System\PdyJatp.exe
C:\Windows\System\RSmLkao.exe
C:\Windows\System\RSmLkao.exe
C:\Windows\System\EqKLXRF.exe
C:\Windows\System\EqKLXRF.exe
C:\Windows\System\LCByrmN.exe
C:\Windows\System\LCByrmN.exe
C:\Windows\System\cvUVMQf.exe
C:\Windows\System\cvUVMQf.exe
C:\Windows\System\NoatkZp.exe
C:\Windows\System\NoatkZp.exe
C:\Windows\System\HnkcGxA.exe
C:\Windows\System\HnkcGxA.exe
C:\Windows\System\IOxsYiX.exe
C:\Windows\System\IOxsYiX.exe
C:\Windows\System\dUrYxPw.exe
C:\Windows\System\dUrYxPw.exe
C:\Windows\System\qVqytqJ.exe
C:\Windows\System\qVqytqJ.exe
C:\Windows\System\qxgqsko.exe
C:\Windows\System\qxgqsko.exe
C:\Windows\System\dysBoqV.exe
C:\Windows\System\dysBoqV.exe
C:\Windows\System\cssLUrB.exe
C:\Windows\System\cssLUrB.exe
C:\Windows\System\PPuXvEY.exe
C:\Windows\System\PPuXvEY.exe
C:\Windows\System\qxFdDhg.exe
C:\Windows\System\qxFdDhg.exe
C:\Windows\System\vbBDmGf.exe
C:\Windows\System\vbBDmGf.exe
C:\Windows\System\IbpuPVk.exe
C:\Windows\System\IbpuPVk.exe
C:\Windows\System\vXaMShG.exe
C:\Windows\System\vXaMShG.exe
C:\Windows\System\OcLliKr.exe
C:\Windows\System\OcLliKr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 200.131.50.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3516-0-0x00007FF7316D0000-0x00007FF731A21000-memory.dmp
memory/3516-1-0x000001ABD29B0000-0x000001ABD29C0000-memory.dmp
C:\Windows\System\zjyePtl.exe
| MD5 | ae7175485e084a14213384128d261fe4 |
| SHA1 | 13e24759552088091b348a2e08ed44b0e7bfba6a |
| SHA256 | 90988b080980d6847ed513ca0d5da1f70f056238eb6c3dc45b2b3cf264997da1 |
| SHA512 | 30cacb1622b52189d7c03549ceabb6341e0ca1d0fa163f302963aac1bc7538165803df04d6a1eccb6b6cc8f8496559627f4fe765a50d6d5fa525ccd9e55f4873 |
memory/3728-10-0x00007FF74A1E0000-0x00007FF74A531000-memory.dmp
C:\Windows\System\SynZQfc.exe
| MD5 | 9ae268093febc9b4433451e2faabb891 |
| SHA1 | 50ac839e684b50cb4260f7c32db46222fdee7af6 |
| SHA256 | d9e43f4b7565eebd4e0c2a939ed6ff663690132f2d5d27924138ffed54ed23ec |
| SHA512 | 8fd2893f8c5d71cb590f9bdb1963f30e3666d0a71cbf7c21352aadaff566a5e66052bb8a3aeda1dd0182d0d6df084d82d9951d1a253d268fde617cd78ee3694d |
C:\Windows\System\PdyJatp.exe
| MD5 | d178095bf4ee8481416e3c33d708298c |
| SHA1 | b25107e937a89b5164048cb609a5b412a1cc9e23 |
| SHA256 | 707d59916782e9e093d2b9f9d0e8457ac1342e2f125dd980f5970f9239e46af0 |
| SHA512 | 14a00af5957672bce14baf4cb3d3968cc705941e0e0f9449ecd8d00a414896a8741c1c8b1b28eed2838523dc966e0300c933320e8b593be8f34e112e444013cb |
memory/2016-14-0x00007FF735600000-0x00007FF735951000-memory.dmp
C:\Windows\System\RSmLkao.exe
| MD5 | 73e71873ce368b6c9eee625e9c9ff044 |
| SHA1 | fd184b4b46c0f0ecd3872601714741caa25a7793 |
| SHA256 | bbb8491c6d17c1f83cc36b3a7cd44ec9eb0e2cd592943778bae70751eb0133cb |
| SHA512 | 046e6411728f8b8dfffa377e8f8f6d51075e30fe3fba79bc90434b12016a6f2f972e7f9b39b8682c9255085dda1690ca3edf566ad05a767cc147fa7f4180a4e3 |
memory/4972-24-0x00007FF629890000-0x00007FF629BE1000-memory.dmp
C:\Windows\System\EqKLXRF.exe
| MD5 | 32660a866c2f43fff59e6018a21edb41 |
| SHA1 | c6f71bda97831d496253340171100e0b2328c3e9 |
| SHA256 | d16bffae81c9bfd3b98570f26a0d9f1afba96140d6ca892d103341590986858e |
| SHA512 | 6ab71a007d12ada955991aa78cf1b77e5e9dfdd89d544c5558e3a07af5db678abe5f36c09cae62182b10cf44101dc6af9475d66178786ef78ad19e280f869b45 |
memory/8-32-0x00007FF6E7160000-0x00007FF6E74B1000-memory.dmp
C:\Windows\System\LCByrmN.exe
| MD5 | 6fd098e82181fa98bdd93a53a4839a3b |
| SHA1 | 9fb2d6579e453d49ad23d591280a11848c991f27 |
| SHA256 | e8f078baff39aa668a7bef2228ed3698e0af46a91ffd63407570f325d0b6fd5c |
| SHA512 | 2f90d7f22e6d851818cf2f49cd11f97eb15790d82372bc3dbde8ffcc64b1c756b5ac9960666cf0b86d7dc87328a42fd76f3d012b2120560423dd53561e034ed7 |
C:\Windows\System\cvUVMQf.exe
| MD5 | df6788882542be53e0655efbef4e92f6 |
| SHA1 | 1a4657a5312e2f1ab9db90fd3dfe7de41c4160fe |
| SHA256 | 46b9bfcf8ce68953e736dfc5c3c5046549fbaa1f430617d6e5fc48026f79c842 |
| SHA512 | 29754c18b6884f980c47d3bf1be147ac25de35b86579818bcd2d2c56fd54241351ba28fffe37f5a2c2525c9dd3665be53bbe8916a6277e62d253ba60be591426 |
C:\Windows\System\IOxsYiX.exe
| MD5 | 10de483b8ff3e92b280359913a8a1e7a |
| SHA1 | 075a0d46ef33f201f50b295234ed469aea730ecd |
| SHA256 | 2b63acde7b6819e97f4eb24d1da0d2b8340f61181ab7e05e7749a6c608f54633 |
| SHA512 | 9a69cf18e89c37ac43dd23ef12dd5ae2d4128291987dd2fb9895b3972c88db1dea57413e15bf591798da1f24672e8e3bef0c836c5a691698c2f9c4dcf9e02400 |
C:\Windows\System\qxgqsko.exe
| MD5 | 4163d8612af99f7ca639ac1694edc4b6 |
| SHA1 | 8742c09c580582fd13bc07c01800bc6ecfffe2e5 |
| SHA256 | 1252440a72358e540ed11b4db88acf68a3e168730a4c2f46286e7a48381a912a |
| SHA512 | 26f8262cbe730a23dcf2ac60aac5826b3a0b93abd372d86f368090b400ef164446b6544f3f37e8017735982695c6799fe9a5717369167bd5ad31686be6615a6b |
memory/3328-86-0x00007FF77EBD0000-0x00007FF77EF21000-memory.dmp
C:\Windows\System\vbBDmGf.exe
| MD5 | a0ae75aa178e6577a66c82239414be70 |
| SHA1 | 7eb0ef4c88f2bb7a582ee4518615d8a16ec715fd |
| SHA256 | bd17064470e4d4061237212d01a69b8fad542092f0c6822b53171c730d4d6bf2 |
| SHA512 | 12079765a840677419689a7147ea4b92fcf009ecf7497439cb255ee5c6f61b7ac0a6eb6aa411c4bd6255b9930f3b7f29aa58209beb11a11d869b48d51b848454 |
C:\Windows\System\PPuXvEY.exe
| MD5 | 63af2fc5c10565fe46dc348f8146edb3 |
| SHA1 | 22385b180bee4873be06912b298d6e5617dbab47 |
| SHA256 | db7f640cb31d536adb927aed0e22b347a151e927bea53752c27890945dad6a94 |
| SHA512 | 29c307378d04f6d5fb2b5ed4ce45c3f437934797d9efebe331923a56215feaffdf58a91331d5de4da187ae125a8543f9b55d46f9c39a4d080a9761287f76e4c8 |
C:\Windows\System\vXaMShG.exe
| MD5 | 90365d665ede52dc9d5b176d68d13e4e |
| SHA1 | 7ee58865834beb33a46bf24fbee6beab4835820a |
| SHA256 | b2483be6b38009451871f25ea48302f9cce714065906fa58efb4f9e45bde7a6b |
| SHA512 | f1478f82729b57c80326e89e0c0cc609c8dec066ac3d80971b4f64b85c89f022735b4b7e90d0c8d20ea74a54c6e3d5433d99faccc444a7d8560b4b6dd3de2749 |
C:\Windows\System\OcLliKr.exe
| MD5 | 657ad0b9269fff6a52380d5d7a34862f |
| SHA1 | 8afab1c1a42afa26713a4602630e98d2b51cdef5 |
| SHA256 | 412d29fdb3a8f40e509946a0025ff20eb1e4deeee23b135a3e5a122d84ad60fa |
| SHA512 | e295b90a81a4863cf045b86fbcba52c71ac953eab91ef41837721cbd2b47d2ac2a8f60178b866ef79755f7cad653087ee09c2ac8ea061bcdadb84448e111c402 |
C:\Windows\System\IbpuPVk.exe
| MD5 | 6ad1f9c68a77289468ec99192cd2d944 |
| SHA1 | d2cc16f5aed12dae17a92ddcc3167eb5bde5efe0 |
| SHA256 | 93754af5b8ad75ce057953a6a7d2c2241f6991195c78421bb0bf1b7eb8ff7efe |
| SHA512 | 463b737801095a9df021620a0181cf24635d61b784e5d606cb8ce9a7d38945dba3ff6db8f69311ce5116dd238a937793f0ce46692b4323d97293a17fe6fbd9d1 |
memory/3032-110-0x00007FF751270000-0x00007FF7515C1000-memory.dmp
C:\Windows\System\qxFdDhg.exe
| MD5 | 64045befb200449711d5e3c982f94f1f |
| SHA1 | ddb9f5ac419a190072c96e136917ffcde7571052 |
| SHA256 | 1b5b3b86eb908d6b4453393273d27e14c7420e48165fe400e8fea930f1b4a2f6 |
| SHA512 | d240d20fbdc341350bdcd320bf5e3047e267074deae22548824124a0c5787b6ab51f60b0d1dd33acb489e1cb7e146743542ebae6e4efa14cc4db33905eda56c9 |
C:\Windows\System\cssLUrB.exe
| MD5 | ab393c4510080e7198874418ce8ac60f |
| SHA1 | 5678028e7f7434799cca90673532e08f4354189c |
| SHA256 | 5895aeb3cda52e03929b4b6c1684a2aaeb966ee6ac615cd58e472a5bd7a073df |
| SHA512 | ba67015577e0410bda7f4cffb18cae2ae14ba6351fef8f96283b62587f701dc9514fb62db8e9f49d6bc50fdbdc2d0418765ded6d51477ade60e4dc6ddb7ee37f |
memory/3824-97-0x00007FF71DAD0000-0x00007FF71DE21000-memory.dmp
C:\Windows\System\dUrYxPw.exe
| MD5 | 2c0775bff2466ad2676ca30e6df1675f |
| SHA1 | 0014975bc1584e090abd6aff2b3024941d61f3ce |
| SHA256 | 94b46502c1b032d62c831141b66a95a1ef4fcbb88aad2e0c6fc06f9a1fa7266e |
| SHA512 | aabbc5c3f7ca1c6383b91ef586c12d786e8a203870ab4393c31d78c613200880bcc7a5841debe0131902f183385ac140f507913b514f277d3f94f4bdd3784883 |
C:\Windows\System\qVqytqJ.exe
| MD5 | 17269c702879368f697d0f82d7c175ac |
| SHA1 | 7789601057b95e86cb66179bcdc5dc6dc044d96b |
| SHA256 | a3247d3b58dfd566d2a7a8c634fc37a9ad0840e52719b9e57e75598724e4d891 |
| SHA512 | a3bbb40586d2c296e5a52fe4abf9e42653b0b706c09b85ea514f28f43d9e80f75ed17a88f3060b83bdbc14cad24aacc149abc9a62566bef326121e854487097b |
memory/2924-87-0x00007FF723890000-0x00007FF723BE1000-memory.dmp
C:\Windows\System\dysBoqV.exe
| MD5 | 9959f4067357d89f5255d80e1f2c835f |
| SHA1 | e5b35d98c15c73773a08d6dddbf98c7153da4aee |
| SHA256 | 7d81e4c36ba071bac8306d76b21c690521c81fcd3cce40cc62036d36c24487d6 |
| SHA512 | 5ad62e97b2a0cf2912a646d58a04cdd493cd28c5794cb88b724a7f56ace1eb11161b7867e69b7bbd91f779440f917a6f3904c3e891f9aa5c15f61562a0cdd141 |
memory/4008-78-0x00007FF66CA00000-0x00007FF66CD51000-memory.dmp
memory/2944-70-0x00007FF6C71A0000-0x00007FF6C74F1000-memory.dmp
memory/1808-67-0x00007FF625BC0000-0x00007FF625F11000-memory.dmp
C:\Windows\System\HnkcGxA.exe
| MD5 | 83283b23465da68e74f41376e3efa1e7 |
| SHA1 | cd61b03492c98fa953556958737b451b2af9f583 |
| SHA256 | f37f5284762809c04e308fb0fea6525d16ea09dfe9043639759353a17376bd3b |
| SHA512 | bc5417ecdeb218dfb3baeeb51b1b9ac2c201eebb7656f916ef1a9a6b7d07f104b69aa7b3fb03b45f52df10356848847673cb6332e6e49fb35922507e6524c8f5 |
C:\Windows\System\NoatkZp.exe
| MD5 | cf348731ffd92b0993e9785f48b9757d |
| SHA1 | 0ec740eca29ed3f4499eac0a57d4d0269ab02285 |
| SHA256 | d3151f7831d0b90bff1ff2c3e34a3b9dcca5917ed4cdaef25399dc97bc5aa92c |
| SHA512 | e9be688d5c6018feeddaafbeee7f64b90eccbccb19d334287fb5a691d15e93f1b4d777848dbff07d954640cbaa87a02a0875a90ebfd04915cf4de9b9a0d8972a |
memory/1412-48-0x00007FF6D2F60000-0x00007FF6D32B1000-memory.dmp
memory/4712-44-0x00007FF68FC90000-0x00007FF68FFE1000-memory.dmp
memory/4832-41-0x00007FF7AD130000-0x00007FF7AD481000-memory.dmp
memory/1816-22-0x00007FF76C730000-0x00007FF76CA81000-memory.dmp
memory/1996-124-0x00007FF64C780000-0x00007FF64CAD1000-memory.dmp
memory/3404-126-0x00007FF6CE670000-0x00007FF6CE9C1000-memory.dmp
memory/4848-127-0x00007FF7D2F30000-0x00007FF7D3281000-memory.dmp
memory/4168-125-0x00007FF718F60000-0x00007FF7192B1000-memory.dmp
memory/3764-123-0x00007FF769C50000-0x00007FF769FA1000-memory.dmp
memory/1220-122-0x00007FF6164A0000-0x00007FF6167F1000-memory.dmp
memory/3728-130-0x00007FF74A1E0000-0x00007FF74A531000-memory.dmp
memory/3516-129-0x00007FF7316D0000-0x00007FF731A21000-memory.dmp
memory/3516-128-0x00007FF7316D0000-0x00007FF731A21000-memory.dmp
memory/4972-134-0x00007FF629890000-0x00007FF629BE1000-memory.dmp
memory/1412-138-0x00007FF6D2F60000-0x00007FF6D32B1000-memory.dmp
memory/2924-146-0x00007FF723890000-0x00007FF723BE1000-memory.dmp
memory/4712-137-0x00007FF68FC90000-0x00007FF68FFE1000-memory.dmp
memory/3328-144-0x00007FF77EBD0000-0x00007FF77EF21000-memory.dmp
memory/4008-142-0x00007FF66CA00000-0x00007FF66CD51000-memory.dmp
memory/3516-152-0x00007FF7316D0000-0x00007FF731A21000-memory.dmp
memory/3728-197-0x00007FF74A1E0000-0x00007FF74A531000-memory.dmp
memory/2016-199-0x00007FF735600000-0x00007FF735951000-memory.dmp
memory/1816-201-0x00007FF76C730000-0x00007FF76CA81000-memory.dmp
memory/4972-205-0x00007FF629890000-0x00007FF629BE1000-memory.dmp
memory/8-225-0x00007FF6E7160000-0x00007FF6E74B1000-memory.dmp
memory/4832-226-0x00007FF7AD130000-0x00007FF7AD481000-memory.dmp
memory/1808-228-0x00007FF625BC0000-0x00007FF625F11000-memory.dmp
memory/1412-230-0x00007FF6D2F60000-0x00007FF6D32B1000-memory.dmp
memory/2944-232-0x00007FF6C71A0000-0x00007FF6C74F1000-memory.dmp
memory/4712-234-0x00007FF68FC90000-0x00007FF68FFE1000-memory.dmp
memory/3032-237-0x00007FF751270000-0x00007FF7515C1000-memory.dmp
memory/4008-238-0x00007FF66CA00000-0x00007FF66CD51000-memory.dmp
memory/1220-246-0x00007FF6164A0000-0x00007FF6167F1000-memory.dmp
memory/4168-248-0x00007FF718F60000-0x00007FF7192B1000-memory.dmp
memory/3328-244-0x00007FF77EBD0000-0x00007FF77EF21000-memory.dmp
memory/3824-242-0x00007FF71DAD0000-0x00007FF71DE21000-memory.dmp
memory/2924-241-0x00007FF723890000-0x00007FF723BE1000-memory.dmp
memory/1996-251-0x00007FF64C780000-0x00007FF64CAD1000-memory.dmp
memory/4848-256-0x00007FF7D2F30000-0x00007FF7D3281000-memory.dmp
memory/3764-254-0x00007FF769C50000-0x00007FF769FA1000-memory.dmp
memory/3404-253-0x00007FF6CE670000-0x00007FF6CE9C1000-memory.dmp