Analysis Overview
SHA256
e78f269aacfd41d19366b0b673c153bb5a407cf64a5f4b7ef30bdf9a7e92ccdd
Threat Level: Known bad
The file 2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike was found to be: Known bad.
What the static pass and both detonations agree on: the sample is an unsigned, UPX-packed, 64-bit PE (its image bases sit above 4 GB in both runs), it enables SeLockMemoryPrivilege, writes 21 executables with random seven-letter names into C:\Windows\System (the legacy directory, not System32), launches every one of them, and makes repeated TCP connections to 3.120.209.58:8080, the only destination common to the win7 and win10 runs. SeLockMemoryPrivilege is the privilege required for large-page allocations, which XMRig requests for RandomX mining, so that privilege hit corroborates the XMRig signatures. Cobalt Strike and XMRig signatures fire side by side on the same dumps and the signature detail rows did not render in this export, so confirm from the unpacked memory regions which family the payload actually belongs to before attributing the sample to either.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike family
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-01 05:42
Signatures
Cobalt Strike reflective loader
1 match (detail fields not rendered)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match (detail fields not rendered)
UPX dump on OEP (original entry point)
1 match (detail fields not rendered)
XMRig Miner payload
1 match (detail fields not rendered)
Xmrig family
UPX packed file
1 match (detail fields not rendered)
Unsigned PE
1 match (detail fields not rendered)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 05:42
Reported
2024-06-01 05:44
Platform
win7-20240508-en
Max time kernel
147s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 matches (detail fields not rendered)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (detail fields not rendered)
UPX dump on OEP (original entry point)
58 matches (detail fields not rendered)
XMRig Miner payload
60 matches (detail fields not rendered)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wvsXQnZ.exe | N/A |
| N/A | N/A | C:\Windows\System\dRWUbLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jgnDNPK.exe | N/A |
| N/A | N/A | C:\Windows\System\QhzFXpg.exe | N/A |
| N/A | N/A | C:\Windows\System\BMJEOVo.exe | N/A |
| N/A | N/A | C:\Windows\System\bouTRxB.exe | N/A |
| N/A | N/A | C:\Windows\System\QdHzZQM.exe | N/A |
| N/A | N/A | C:\Windows\System\jAxiQZy.exe | N/A |
| N/A | N/A | C:\Windows\System\bOIpfoZ.exe | N/A |
| N/A | N/A | C:\Windows\System\RaqoLcE.exe | N/A |
| N/A | N/A | C:\Windows\System\FgLkXJT.exe | N/A |
| N/A | N/A | C:\Windows\System\YFcIdsm.exe | N/A |
| N/A | N/A | C:\Windows\System\kqtalqA.exe | N/A |
| N/A | N/A | C:\Windows\System\LWtaTyR.exe | N/A |
| N/A | N/A | C:\Windows\System\OfRLWpz.exe | N/A |
| N/A | N/A | C:\Windows\System\toaARPI.exe | N/A |
| N/A | N/A | C:\Windows\System\hSuDBoe.exe | N/A |
| N/A | N/A | C:\Windows\System\aiULmuH.exe | N/A |
| N/A | N/A | C:\Windows\System\vtFkrkP.exe | N/A |
| N/A | N/A | C:\Windows\System\iBHDbbQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HFRVakf.exe | N/A |
Loads dropped DLL
UPX packed file
58 matches (detail fields not rendered)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe"
Dropped executables launched during the run (21; each was started with its bare image path as the command line, no arguments):
C:\Windows\System\wvsXQnZ.exe
C:\Windows\System\dRWUbLZ.exe
C:\Windows\System\BMJEOVo.exe
C:\Windows\System\jgnDNPK.exe
C:\Windows\System\QdHzZQM.exe
C:\Windows\System\QhzFXpg.exe
C:\Windows\System\bOIpfoZ.exe
C:\Windows\System\bouTRxB.exe
C:\Windows\System\RaqoLcE.exe
C:\Windows\System\jAxiQZy.exe
C:\Windows\System\FgLkXJT.exe
C:\Windows\System\YFcIdsm.exe
C:\Windows\System\LWtaTyR.exe
C:\Windows\System\kqtalqA.exe
C:\Windows\System\OfRLWpz.exe
C:\Windows\System\toaARPI.exe
C:\Windows\System\hSuDBoe.exe
C:\Windows\System\aiULmuH.exe
C:\Windows\System\vtFkrkP.exe
C:\Windows\System\iBHDbbQ.exe
C:\Windows\System\HFRVakf.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to a single endpoint and no DNS traffic at all in this run, so no domain was observed resolving to this address.
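A hunting check built from this run's observables, added here as an example (it is not part of the sandbox report or any vendor tooling): it evaluates constructed Sysmon-style process, file, network and privilege events against the dropped-path pattern, the file hashes and the endpoint listed on this page. The event dictionary shapes and the SeLockMemoryPrivilege allowlist are assumptions to adapt to whatever telemetry is actually collected. The path pattern is deliberately exact (seven letters) because every dropped name in both runs has that length; widen it when hunting for variants.

```python
import re

# Indicators copied from the sandbox report (the submitted sample and three of the 21 dropped files).
KNOWN_BAD_SHA256 = {
    "e78f269aacfd41d19366b0b673c153bb5a407cf64a5f4b7ef30bdf9a7e92ccdd",  # submitted sample
    "604e9726dc6590f67e30e3d63580bf8f946b48984eae6db2f4ffed0e06b35e53",  # wvsXQnZ.exe
    "fab4e1cdeaa545d79f93d4ddd00340ae53a99d3591c33f1e07c305238e485796",  # QhzFXpg.exe
    "4249bca4fa50aa71b1f346d4896463ee19a340a875e46223d16c46692de5b761",  # bouTRxB.exe
}
C2_ENDPOINTS = {("3.120.209.58", 8080)}  # contacted in both detonations

# Every dropped name in the report is seven letters directly under C:\Windows\System (not System32).
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Assumed allowlist: software that legitimately enables SeLockMemoryPrivilege (tune per estate).
LARGE_PAGE_ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}


def detect(event):
    """Return the alert names one telemetry event triggers (empty list means nothing matched)."""
    alerts = []
    kind = event.get("type")
    image = event.get("image", "")
    if kind == "process_create":
        if DROP_PATH_RE.match(image):
            alerts.append("random-named EXE executed from C:\\Windows\\System")
        if event.get("sha256", "").lower() in KNOWN_BAD_SHA256:
            alerts.append("known-bad hash from report")
    elif kind == "file_create":
        if DROP_PATH_RE.match(event.get("target", "")):
            alerts.append("EXE written to C:\\Windows\\System")
    elif kind == "network_connect":
        if (event.get("dst_ip"), event.get("dst_port")) in C2_ENDPOINTS:
            alerts.append("connection to reported C2 endpoint")
    elif kind == "privilege_adjust":
        if (event.get("privilege") == "SeLockMemoryPrivilege"
                and image.lower() not in LARGE_PAGE_ALLOWLIST):
            alerts.append("SeLockMemoryPrivilege enabled by non-allowlisted process")
    return alerts


def scan(events):
    """Run detect() over a list of events; returns (event index, alert) pairs in order."""
    return [(i, a) for i, e in enumerate(events) for a in detect(e)]


# Constructed telemetry modelled on the win7 run above (process, file, network and
# privilege-adjust events); this is illustrative input, not captured data.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe",
     "sha256": "e78f269aacfd41d19366b0b673c153bb5a407cf64a5f4b7ef30bdf9a7e92ccdd"},
    {"type": "privilege_adjust", "privilege": "SeLockMemoryPrivilege",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe"},
    {"type": "file_create", "target": r"C:\Windows\System\wvsXQnZ.exe"},
    {"type": "process_create", "image": r"C:\Windows\System\wvsXQnZ.exe",
     "sha256": "604e9726dc6590f67e30e3d63580bf8f946b48984eae6db2f4ffed0e06b35e53"},
    {"type": "network_connect", "dst_ip": "3.120.209.58", "dst_port": 8080},
    # Benign noise: a System32 binary, SQL Server taking large pages, an ordinary DNS query.
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe", "sha256": "00"},
    {"type": "privilege_adjust", "privilege": "SeLockMemoryPrivilege",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"type": "network_connect", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Run as a script it prints six alerts for the first five events (the dropped-file process event triggers both the path and the hash rule); the three noise events produce none. The path rule is the one that generalises beyond this sample's hashes, since the dropped files all carry distinct hashes.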
Files
memory/848-0-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/848-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\wvsXQnZ.exe
| MD5 | ef74d75d398cb4aedfbf13a04495bcca |
| SHA1 | c1f29bc03ad56968d1689166d9694678c8db1b63 |
| SHA256 | 604e9726dc6590f67e30e3d63580bf8f946b48984eae6db2f4ffed0e06b35e53 |
| SHA512 | e8fed4b78a439ec8bd31347efb5275219505ac6c4793fd34ab984ccc2f324f009ffb024cf75d2e3b15e6e5d7bb40b9c60fd831e3cbff71bc679168a61dbb08eb |
memory/848-21-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\QhzFXpg.exe
| MD5 | c007bce2da0ecd940c4b6d35021179e9 |
| SHA1 | 073c77ef4ca7ddac425792da2930516bace46b06 |
| SHA256 | fab4e1cdeaa545d79f93d4ddd00340ae53a99d3591c33f1e07c305238e485796 |
| SHA512 | 08f6bdc51f5008d88e287e92f61f17060b8ee81ec2a39152cf1fd99d96d5f1083e74e312858dd75a59bd5cdaccb430691c4acf6dcf6fdb16dac650eb5340c816 |
memory/848-33-0x000000013F0E0000-0x000000013F434000-memory.dmp
\Windows\system\bouTRxB.exe
| MD5 | f0e3428f536fbf48cc3ad57e57ece3f8 |
| SHA1 | 0c3fc48e13f13b69dd796817563edd47a4531a04 |
| SHA256 | 4249bca4fa50aa71b1f346d4896463ee19a340a875e46223d16c46692de5b761 |
| SHA512 | fc027c4aa4d909ef34c78fc599678609aa39605f976614701bb92881a67ed20ea068db9af144e0bcf65720375db75731758fe86c81d884039e7ea15473580ba0 |
memory/848-47-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2288-48-0x000000013FCC0000-0x0000000140014000-memory.dmp
C:\Windows\system\jAxiQZy.exe
| MD5 | 83beb9aeda03179ca5919e27c5909f49 |
| SHA1 | b094200707b180d02b2f8e10a691473a52d1f201 |
| SHA256 | 9603b79e9d7c5a498300bfcc4c86cb1d8d1d46ebd0bf4e13c8e2cefec502128d |
| SHA512 | 55cae28ff944a6e7f4046511ed816b9cb3db5153591ff76049e68a8683251f7a56fcf0a2c7433ecbc60ec92df75a552f42ece488657a9719718c802f28ec5739 |
memory/2468-62-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\bOIpfoZ.exe
| MD5 | 8336f70c2704bc4e435f4e65ff5a12f8 |
| SHA1 | 3c3b4c7a07b95833237903c259a8453964dbd01d |
| SHA256 | 260d2f9ce617c78e8ce30a1b386658db0a6b95120c556822f0227a1ee5a66af2 |
| SHA512 | e4ee00151f7e4215d0518c8eddd1c4c6a84be919efe84272249f8ffbe36e9dccd643f9ce55d49315024b358dd563bba62a72fe9eb0440645b4dfeade0cb82593 |
C:\Windows\system\BMJEOVo.exe
| MD5 | 9a9b256415a686a85949651b5dccc904 |
| SHA1 | a2c457e562386480ba2327c9c1027f6806fcdd86 |
| SHA256 | e5c98090d083dc83017eb6a0bb3630bb6373c60da4c7066c1ed7d02bbac4f21a |
| SHA512 | 2cbd26a60361197cd96f84965fff27f00bb25f3ca78338f1ffb03ae2dfc8ad8822093dfa13f558cef88559228ae0cb4bf46bb714866489076a7cb9d83b602e91 |
C:\Windows\system\FgLkXJT.exe
| MD5 | 95d3d0116cec8e85c52b7f4fc0ac5f15 |
| SHA1 | 864657810259a3060595ecae69f7d9a2a98a3731 |
| SHA256 | 89d50fad24b289d26d6fc84c75673a644fbcbdaea4c6bc113046ad4a07b9ee88 |
| SHA512 | 29b930fa9a896772424751f53fb549ee494246d4319944572b3f10a5e3135f6cc5efbc83707f40b584d370bd4175b9fb6bffed5850c60977845cb3d546dde92e |
memory/2564-76-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/848-75-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2088-74-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2528-72-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2384-71-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/848-70-0x000000013F760000-0x000000013FAB4000-memory.dmp
C:\Windows\system\RaqoLcE.exe
| MD5 | faa417b647836f9845725fc87a31700d |
| SHA1 | 0bcde030d2cfcfed54c220cf2b6cad5395e6d1a2 |
| SHA256 | 07140ba44aa7e249115274f709d8a3069fda1f8c8a155e0f9bd0f234736fb4a6 |
| SHA512 | cd2c85e61bff1b3c95118e3b04f39ac6e771ea04499dd0263602a5e3081130f9d3a8babca22a30f7cf801777a118f769c8a2be5de42a6827454a6d034e7e6dfa |
memory/2684-56-0x000000013F750000-0x000000013FAA4000-memory.dmp
C:\Windows\system\QdHzZQM.exe
| MD5 | ac5e132f7304fbe20e5b954152f71e18 |
| SHA1 | cb6e0be56bc85b87f7851b22fa5937da51257944 |
| SHA256 | a8f65d1c1595ebd8984df5f0d9201a2ca3e11c88d9f0d1bd215d6cc23e8138a3 |
| SHA512 | 924bf2439ec35bf92a5f57ccccb65c42a0e6515b78a3049f1875977d7421b5ebd76f20c59fba2d30d48ed8d743eb15a108a8eb1af0f019c92896f7dee009d54e |
memory/848-51-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/848-40-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2728-39-0x000000013F0E0000-0x000000013F434000-memory.dmp
C:\Windows\system\jgnDNPK.exe
| MD5 | 33886c1cacf357fbf0264034826a727b |
| SHA1 | bbc8c4f4c99964c8ad93b9fde3b2158d8e517211 |
| SHA256 | 5981d7d14f3fb9b384cfadaae189335db8c01fe739c74a180bbc3236cc003d4f |
| SHA512 | fd156835a10706cbab269173989ec283eb6398fe332c53470a29c7a748bcb51bfb36e5f99008b4123f3a87b89e7105b52e8bc7302abf62371b6026d84c20de29 |
C:\Windows\system\dRWUbLZ.exe
| MD5 | 1863680ece376303086cb77e7ec63c3d |
| SHA1 | 908a49a011e0c12a16fff607e040da7e83f22912 |
| SHA256 | df672cbade32ab76fe20cd753d31a1be3063fd37e0f2ca6e3c8fbe04f87863bc |
| SHA512 | 2879134065a49936fcdf77f39c245386daf0c0059fef4cea6b76a0d2f10b187a370333ebb8d3870e6341548d68e0aefab9bc8e15d5c32378dda746ac7449c93d |
memory/848-61-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2948-46-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2608-35-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1828-30-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/848-28-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/848-19-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2088-10-0x000000013FEB0000-0x0000000140204000-memory.dmp
\Windows\system\YFcIdsm.exe
| MD5 | 842cb76f3d5c63fa13a105b94bcf77e1 |
| SHA1 | 9b0525324d2ac094dc845da57c70663fecae03f3 |
| SHA256 | dc751a74b2f1fe3c9c32aaecbde453c0ecec6ab018af613f2d13629cfe44af42 |
| SHA512 | 8c0909a3fa5d16bb315a3a15e1bd4ff050133720d28d86506029ce323a493bc6048817548b94081459c7ede37596a6e776bef6389b2976fc6d4b51cc1c2249e3 |
\Windows\system\LWtaTyR.exe
| MD5 | b4747c70a27f4a9af8b443dd33a69e81 |
| SHA1 | 0ad93574f24dfa71c32cb8333c2eb29de41640fa |
| SHA256 | 66b71488cca08b31fda2f450b8847946061e38a20e76e092ea1116177a4ea4d5 |
| SHA512 | 9f00f41048ceead988b8a1d315974b9e8d71315717cbb7d7b4aaa2eb4d077a5ee21f2afd0609b0724859e0bcf085b028c79544b96e33f5d40e6ecc79b37c04d7 |
\Windows\system\kqtalqA.exe
| MD5 | 99c6f634e9928057ea2f6e856b0c5a91 |
| SHA1 | 3f384809e56f1f01423437e4edea9360fbee3e0d |
| SHA256 | fb0e4dfd7aa6b78e580c59aecccfc0eed61785b84b1beec6384bb056066d210f |
| SHA512 | a82815754a5d84cf681fece95bf8a7921d73b0cb21faaffd7d696c4f331a0746523efdd92d099ea55822ce45ab4e076edab958e9d52f1a6ea2100fc0dd76eeeb |
\Windows\system\toaARPI.exe
| MD5 | ff76ad2e74a15993fe2654656c1d5407 |
| SHA1 | ca54b40baae7aabd40014cd5b48ce1b2d6045155 |
| SHA256 | a96bb44d30cac2836ab48f78262f78a79a694f3b8a15724d67d7257f1baa7bed |
| SHA512 | 0f9abe95bda7360746daf3a285730ef4879c30ba2b8d7a9889e6563f3dd1e9223bad2a9d67524621ec0036326a5f6ed4caf500bc32bf535d6e65d3fd6e33b900 |
memory/876-100-0x000000013F4D0000-0x000000013F824000-memory.dmp
C:\Windows\system\OfRLWpz.exe
| MD5 | 308a3dbab7df890d93475904983a0afb |
| SHA1 | 7d2cbf7f75be3d3f8a231b5c5c0f9a2de7e95fe6 |
| SHA256 | a540dd13a4ebbf757b51b542091239663c9da797e5ca252dccd160ec7772f8aa |
| SHA512 | f57d97a04808b836e12677a1372b5b562c4872eff4d637ee205807591f7a8475e163fe8a1abba92e58c11defaebbcb4557467a105065b6b053b69a5c859991a5 |
C:\Windows\system\hSuDBoe.exe
| MD5 | 8480e8c508096f59a707df7123856bc5 |
| SHA1 | 79db26dc121cb7ce3d9dbc1d4bf62f5410032700 |
| SHA256 | a63dc86bcf101d996e335d811b1934b15d352f900d5491ebb0fa7a6973033795 |
| SHA512 | 2c61745790cdb6bc0b5b3ae44a4f8141041d628ba90532d79ca926cf7906fd8f233c8eb7d8ae461eca6e99f9debd748b1ab35c01d017bf8a512003206cac7b63 |
C:\Windows\system\aiULmuH.exe
| MD5 | c763858301406391865da913373e9921 |
| SHA1 | a402d35f89c7625e162365c024b5368e37ba0e40 |
| SHA256 | ede90a13cde488c6540d32c677f6b1904f5a26b03ffa9cd2bcb4740f0e491618 |
| SHA512 | d62b04bdb1a234c7fc2192182dfd87426ad0ff105e8a7898f9269cd27186feaa7029d3270b1371b155b5b4296fb70f04b320706ed4406cc6603187a43d4dee7c |
C:\Windows\system\iBHDbbQ.exe
| MD5 | b4322c71b4e69571e90ab35642d987b5 |
| SHA1 | 3332652dec3ec850ce60e9a60cbf9193c98a6c47 |
| SHA256 | abe2c915dd687408af43fb1acb21d349c71a5876d4f57e396ce80c9d8e1a2ce9 |
| SHA512 | 5b0738d14ca089fb89e0f8178d9091e6a386718c9ab4c60ae41850587748eaee9cb5dd1a8965a51b4155a4e29bd758a5a91b44d4abc5cb9f4589916435ec1d0a |
\Windows\system\HFRVakf.exe
| MD5 | cbb471720866e28a55b46272b0e7d75d |
| SHA1 | 0735f3f3f9d7cd29725df9c1dc4913f6c95dc534 |
| SHA256 | c77aaad4048652a766bfa96d942b3d3e29bffbed47f93edb760e6f60adeb0524 |
| SHA512 | 9cf33c002e915e02d08772eef42fd7b6b1fd5775d115cd5fadfc41c890164916b690af1be78e4493e7de3ef0b07bee2129dfd5b0022e7c6da401b2992f5157cb |
C:\Windows\system\vtFkrkP.exe
| MD5 | 02a6c080a83246926a0e99297792db04 |
| SHA1 | 86af7de87d084eb552ab4fc5f00cb8daf50e5f82 |
| SHA256 | 388ac74c5e93c29c96b000d2afdf8b6df7a125910ddee8f240f4872d14d21ec5 |
| SHA512 | 4082d273a7f514b28f10c68e6d5344d5128dddaab0c54d3d63f4ea3b3d029eed5cd3aec2afed51633ea43c5d6cbe0d8131e80dc326634ce7f34f7daf9896835a |
memory/1512-105-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/848-104-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/848-103-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2288-102-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2948-101-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/848-98-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/1300-93-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2684-137-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2468-138-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2528-139-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2564-140-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/848-141-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2088-142-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1828-143-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2608-144-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2728-145-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2288-146-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2948-147-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2468-148-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2684-149-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2384-150-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2528-151-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2564-152-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1300-153-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/876-154-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/1512-155-0x000000013F6C0000-0x000000013FA14000-memory.dmp
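The memory dump names above encode the PID, a dump index and the region's start and end addresses. The parser below is an added example, not part of the sandbox report or its vendor's tooling; it runs over a constructed subset copied from the behavioral1 listing and reports region sizes per PID. Every dropped-process region in that subset spans 0x354000 bytes, and so does the region at 0x23C0000 inside the parent (PID 848), which lies well below the parent's own image base. That is consistent with an unpacked copy of the same image sitting in non-image memory of the parent, an inference to confirm against the dump itself rather than something the report states.

```python
import re
from collections import defaultdict

# Naming convention used by the report: memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of the behavioral1 listing above, copied verbatim (a constructed selection, not the full list).
SAMPLE_DUMPS = """
memory/848-0-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/848-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/848-21-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2288-48-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2468-62-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2684-56-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/1512-105-0x000000013F6C0000-0x000000013FA14000-memory.dmp
"""


def parse_dump(name):
    """Parse one dump file name into pid, index, start, end and size; None if the line is not a dump entry."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def parse_listing(text):
    """All dump entries in a block of report text, in listing order; file and hash lines are skipped."""
    return [d for d in (parse_dump(line) for line in text.splitlines()) if d]


def region_sizes_by_pid(text):
    """Map each PID to the set of distinct region sizes dumped from it."""
    sizes = defaultdict(set)
    for d in parse_listing(text):
        sizes[d["pid"]].add(d["size"])
    return dict(sizes)


def regions_of_size(text, size):
    """Dump entries whose region is exactly `size` bytes, sorted by PID then dump index."""
    return sorted((d for d in parse_listing(text) if d["size"] == size),
                  key=lambda d: (d["pid"], d["index"]))


def pids_with_region_size(text, size):
    """PIDs that have at least one region of exactly `size` bytes."""
    return sorted({d["pid"] for d in regions_of_size(text, size)})


if __name__ == "__main__":
    for pid, sizes in sorted(region_sizes_by_pid(SAMPLE_DUMPS).items()):
        print(pid, ", ".join(hex(s) for s in sorted(sizes)))
    # A payload-sized region far below the 64-bit image bases is the one to open first.
    for d in regions_of_size(SAMPLE_DUMPS, 0x354000):
        if d["start"] < 0x100000000:
            print(f"pid {d['pid']}: 0x354000-byte region below 4 GB at {d['start']:#x}")
```

Paste the full Files listing of either run into SAMPLE_DUMPS to see the same size repeat for every dropped process; the hash lines are ignored by the parser.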
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 05:42
Reported
2024-06-01 05:44
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 matches (detail fields not rendered)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (detail fields not rendered)
UPX dump on OEP (original entry point)
64 matches (detail fields not rendered)
XMRig Miner payload
64 matches (detail fields not rendered)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zfMCiOS.exe | N/A |
| N/A | N/A | C:\Windows\System\pAQUduO.exe | N/A |
| N/A | N/A | C:\Windows\System\kwkjfnz.exe | N/A |
| N/A | N/A | C:\Windows\System\RgZOiqw.exe | N/A |
| N/A | N/A | C:\Windows\System\gMEtuyH.exe | N/A |
| N/A | N/A | C:\Windows\System\lzFZPWa.exe | N/A |
| N/A | N/A | C:\Windows\System\azetlPA.exe | N/A |
| N/A | N/A | C:\Windows\System\uwfPOHe.exe | N/A |
| N/A | N/A | C:\Windows\System\LLhDruG.exe | N/A |
| N/A | N/A | C:\Windows\System\vbOrZlb.exe | N/A |
| N/A | N/A | C:\Windows\System\bsrJKEO.exe | N/A |
| N/A | N/A | C:\Windows\System\QfYzJad.exe | N/A |
| N/A | N/A | C:\Windows\System\KfJlnDL.exe | N/A |
| N/A | N/A | C:\Windows\System\MvzFzVW.exe | N/A |
| N/A | N/A | C:\Windows\System\MLBJREb.exe | N/A |
| N/A | N/A | C:\Windows\System\CMOFZzK.exe | N/A |
| N/A | N/A | C:\Windows\System\ySAmXKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\XerLDTN.exe | N/A |
| N/A | N/A | C:\Windows\System\gTFwhDg.exe | N/A |
| N/A | N/A | C:\Windows\System\xlphQXV.exe | N/A |
| N/A | N/A | C:\Windows\System\SyZsavw.exe | N/A |
UPX packed file
64 matches (detail fields not rendered)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe"
Dropped executables launched during the run (21; each was started with its bare image path as the command line, no arguments):
C:\Windows\System\zfMCiOS.exe
C:\Windows\System\pAQUduO.exe
C:\Windows\System\kwkjfnz.exe
C:\Windows\System\RgZOiqw.exe
C:\Windows\System\gMEtuyH.exe
C:\Windows\System\azetlPA.exe
C:\Windows\System\lzFZPWa.exe
C:\Windows\System\uwfPOHe.exe
C:\Windows\System\LLhDruG.exe
C:\Windows\System\vbOrZlb.exe
C:\Windows\System\bsrJKEO.exe
C:\Windows\System\QfYzJad.exe
C:\Windows\System\KfJlnDL.exe
C:\Windows\System\MvzFzVW.exe
C:\Windows\System\MLBJREb.exe
C:\Windows\System\CMOFZzK.exe
C:\Windows\System\ySAmXKJ.exe
C:\Windows\System\XerLDTN.exe
C:\Windows\System\gTFwhDg.exe
C:\Windows\System\xlphQXV.exe
C:\Windows\System\SyZsavw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The PTR lookups sent to 8.8.8.8 (reverse queries for addresses such as 20.44.239.154 and 40.68.123.157) and the HTTPS connection to 52.111.227.11 appear only in this win10 run and are consistent with background traffic from the sandbox image rather than with the sample. 3.120.209.58:8080, contacted six times here and six times in the win7 run with no domain resolved for it in either, is the indicator to hunt on.
Files
memory/1832-0-0x00007FF74C310000-0x00007FF74C664000-memory.dmp
memory/1832-1-0x00000109126B0000-0x00000109126C0000-memory.dmp
C:\Windows\System\zfMCiOS.exe
| MD5 | 48457e0ec6bd1d514690ab079946e182 |
| SHA1 | 20fa07c83ea7a46f03d9399c624aa49fde0b6ca3 |
| SHA256 | 1bc04ee4ca4e440b0fc528472f47d1b35597f7a6bd7f4f61c1ec89b0b02ccf4b |
| SHA512 | ebe16fdbfade1a4278d5bf0117dd2f6ecd35c57a9d481ceed1c2cc2540715c55290981dcf8a8a44b557f7e8d6222cbbc894339bc7b8b32f82d1aaa8e7caebc3f |
memory/840-8-0x00007FF6EE3C0000-0x00007FF6EE714000-memory.dmp
C:\Windows\System\pAQUduO.exe
| MD5 | 5e9d477e060d6572b5f9748b210eee40 |
| SHA1 | 499d4f86db774b573d9080f979b025654d3be1c9 |
| SHA256 | 2e02458fda4a64d7e91e12262320b11913b1928994cfdc38de66bf37493564d7 |
| SHA512 | dec66204844642edc041539f3a10caffe3cf4363e3144f6e5163537207e952db182351c86018cac8a2ffae8b3a2b5f8ffa7a1a9225a0e243a5668465d08acdd6 |
C:\Windows\System\RgZOiqw.exe
| MD5 | 07b5028030476080bc900f1e1c88e0d8 |
| SHA1 | f5570b97bdf694bc027543757d078075e68c986d |
| SHA256 | 8a26d6f041513e300fbf517844d762e409baed5a2a431532ec0b0808045fde27 |
| SHA512 | 16247e6dfb1c3ce1051239cb6f357caac2f8ba1406cb52c8637bbae6b2a6faccfcf85a538272b57b8f79cbb3cbde22dc1ad12b94f8a3534d86cd121f7383273b |
C:\Windows\System\gMEtuyH.exe
| MD5 | a1ce74b3982589c97c25f7fbbfc25f4d |
| SHA1 | 2baab373a54c3fdeca8c98d7aaeac88b65744bbb |
| SHA256 | 524b22bde7f62065cd99b491c4ed20467abc1a4ecc183563c74db9f5ddf87719 |
| SHA512 | 7126b830b1a5b094bb97f33754ba297391bd4d99511beac08566a0e251c731fd00b46131b87175dbd1cde4b311db059abc68281e4b378d6a3856f5102308cd6d |
C:\Windows\System\lzFZPWa.exe
| MD5 | 742eb4ab3e4c660a98063867700c8637 |
| SHA1 | b47ed6f6a7abb547477f1f242d2f150582cd9caf |
| SHA256 | 29f06375f6e4a0f60d1a3270ff8d7390b2afa6c70cd70607df92dede45da3255 |
| SHA512 | 5a6c28cccf8fdbd460868ba0f309274c8ec2bbf90644742997c4c42f3beed634bd7b328913d902039eae21433ab005e1ec3b067ab066cbca496e5dfd43c0e877 |
C:\Windows\System\uwfPOHe.exe
| MD5 | 6f8d61be84580f7a2e6afa341d308287 |
| SHA1 | 5f3f4d4f2a981dd36bd66e1d3f5d444f889aed2d |
| SHA256 | 14800241f97e8d213fc51f4734d7428a06eb4152fd25300481baeabf3b226352 |
| SHA512 | 79acd31692bff26cea5c6cc332e2e24df6d16efa5e0e199a2f327356c666be792f4eefdc784e8424902caaaa28ecfe6a86230131382f18b194a5ffa3098fdb3f |
C:\Windows\System\LLhDruG.exe
| MD5 | 8311c1e9cc0d5d12dca5b506a79cf227 |
| SHA1 | 81913b23359b46dd6bccd642a12082033d2102fe |
| SHA256 | 8afe09f403ae14aef57d54018209b0d7b493aff0afe9107367517103944b349c |
| SHA512 | 269c779e1e99299eb57c14c6e12f24b9da36510f606ad1110c38f2256669a7ca962cec62d98b6af1c17ecba16ed7853e42d8cc2143a80eb3328fcdb7a47c9661 |
C:\Windows\System\vbOrZlb.exe
| MD5 | 815e264b5d59ef520ae52c400ff3e7e6 |
| SHA1 | 56d0b0367a70e51d69879e3b823a490bad8fc968 |
| SHA256 | 7932427364911cf8dcfb9bf9348f980ed93322b2e9a39bce97d9a35e085189bc |
| SHA512 | 5356d35b4eb0bcdf3cd9260eab1b0d12d05aede188ae876699772da44361be91923100006554631ce210fbfadd873b054060e35dc09f0e0699e7c3b92d6ad1bf |
C:\Windows\System\QfYzJad.exe
| MD5 | 302ca07acb7c8c2d3e82bb401bec810e |
| SHA1 | 32627b87d7d1bd68c78426172d4fd04e02f6e940 |
| SHA256 | 3a8b9d2cb0218cdd65c5c2541eebf050f78a17a6bb7b2484c73d2d257643166e |
| SHA512 | 8c80c6ee0f383c025de497dac5f08e3c387555eb970261020f354db8647052c5eadc10ed00e9e1c267cfc10b6c7ce7d6187c09549b0d5b3773ad29a205e18af7 |
memory/4292-69-0x00007FF783CD0000-0x00007FF784024000-memory.dmp
C:\Windows\System\KfJlnDL.exe
| MD5 | 916b18538c87fa3e548adce17308fcb3 |
| SHA1 | 2747449a299a9a6bc5cc400f25dc29bf0e9bd7ec |
| SHA256 | fb2ce77cfab59717546f51892dc6ba8a8c659be4b6bc4648800f7c96bc9d033d |
| SHA512 | 29b463a6c5a61c24633244afd4c6b8f0885324e2caa6f6504d93fb395e4efdf92fd29b5897dd5bf40b84d21f1e80f7d63aacac020499c5a12344eac664c2d7e3 |
C:\Windows\System\MvzFzVW.exe
| MD5 | 3b568614723a6c9bc311a309d687f541 |
| SHA1 | 5674bdadd15265d35e76fe066f8c17f15b29f1fb |
| SHA256 | aa5bc5a8a2ae0ed1834f77759cb6663bf6d3f0d468d7fd0e42c7964ca067cd1c |
| SHA512 | d2089628df3dc70f234413da6ff35c1c3babb7388e60e9a4dcb40efdad8406437c00fdccd6a6f125e290d1996f9c929d2d144c713596844494736b7ee85ed95f |
C:\Windows\System\CMOFZzK.exe
| MD5 | 0657586b1c150e31116c39296933b764 |
| SHA1 | e4387ea64091a0e0396e79be626224d3d78f16ba |
| SHA256 | 5f671a5613a4ba0fcda41ed380f0964b5e13d472a373606e7a5df46fdf8bc946 |
| SHA512 | 08e546e315d721386a5584c849a778edee3cde3663871208bbbb49dfcbab6e34e6d252276c7ad14c13dfd213b2764bd05438097867faabcf0437ef0ceb40c258 |
C:\Windows\System\MLBJREb.exe
| MD5 | 60d36932999bf86cfc3945c09fa0bc30 |
| SHA1 | 67257ca55419bbf6bdd0feab2153e3b759b47ede |
| SHA256 | 58161a0012e735c7a33b6ab7eb82fa5718cedb1587632b3e553ba58bab67a6cf |
| SHA512 | 30278882f519014e780e32fbaaba9aedb64787225cbcc820a165adc08efba614bc1379a01f762f09d67f4067cab6c47a5101f7f77c8f703e6c63fec0fe764a41 |
memory/3600-95-0x00007FF688140000-0x00007FF688494000-memory.dmp
memory/4924-92-0x00007FF692F10000-0x00007FF693264000-memory.dmp
memory/2196-90-0x00007FF7B57E0000-0x00007FF7B5B34000-memory.dmp
memory/2456-78-0x00007FF62D680000-0x00007FF62D9D4000-memory.dmp
memory/1904-77-0x00007FF6A7E70000-0x00007FF6A81C4000-memory.dmp
memory/3564-72-0x00007FF73F2A0000-0x00007FF73F5F4000-memory.dmp
C:\Windows\System\bsrJKEO.exe
| MD5 | 72dbf2736a1dc1ff013ae91c3e432e5f |
| SHA1 | e3732d3744cac9dc0cb18c985605650efd567af4 |
| SHA256 | 6bfb73d6ea894da134ceb3df253871df7e4d4790a407d2fa2465d926b9f414c2 |
| SHA512 | 84d8107a6ad3450a53100028447c6726988569a1b4011d3472e69217a6c655a95fe5450e3b0bcb11242d6704454b088c4e03e652e8dc6bef4ed0f6f828e65d33 |
memory/1392-62-0x00007FF66CFE0000-0x00007FF66D334000-memory.dmp
memory/2080-59-0x00007FF63A310000-0x00007FF63A664000-memory.dmp
memory/3636-55-0x00007FF7E37E0000-0x00007FF7E3B34000-memory.dmp
C:\Windows\System\azetlPA.exe
| MD5 | b26d966cb2b20004e1e4c2f04c401a93 |
| SHA1 | 075f459d5dfa5b098ccd7f9ab50be75ca0540ab7 |
| SHA256 | 3fe505a1b4530d4dd87ad2e6532d5af852fb0a96228d12cdbd1495678a0b2dd1 |
| SHA512 | 67ea80ceaff3131ab8ab63ec2e5fbd64117cdd0431f79f163418e6cae43f01b4ca11fa897dcef47dbad1489982632a089985a9fe0dd288c7660603c917fd747f |
memory/1104-50-0x00007FF6F8480000-0x00007FF6F87D4000-memory.dmp
memory/5036-42-0x00007FF642C20000-0x00007FF642F74000-memory.dmp
memory/3616-31-0x00007FF6BFEC0000-0x00007FF6C0214000-memory.dmp
memory/4024-23-0x00007FF7CE7F0000-0x00007FF7CEB44000-memory.dmp
memory/3900-20-0x00007FF765880000-0x00007FF765BD4000-memory.dmp
C:\Windows\System\kwkjfnz.exe
| MD5 | 17ad842dbb0ae95fa0b3995a67b809f2 |
| SHA1 | 74b05ce1b8cb3d8cce9a34ee60bb8ba2da932e4f |
| SHA256 | 68ef9bca686fc635495fc28c92edee15789ed5a53d2b724a3f4ea46abf9f13ea |
| SHA512 | 79a47fa18b30d99bc7a92373d5d802edd1e26fe5a7e576774b249a3338d930831aade8839b1287078a2eb23c50babe4d20651f9edac1b9bc85e8a42ccf3936ea |
memory/3836-107-0x00007FF713750000-0x00007FF713AA4000-memory.dmp
C:\Windows\System\XerLDTN.exe
| MD5 | 3480adb9a28fc9e8d3a2e042ab6eaab3 |
| SHA1 | b5dc5e13bc024232b0ea25fe6d581de26bbeee32 |
| SHA256 | 7d8883731981f36f196699a88f7be66827d4569834617cc09947a2e13414bac5 |
| SHA512 | ffcfb930c159dac0e9a71a0aa43d09d4fe6013d4a45d6630a4f9671c0fce53f31e22adf851fb28c65b64208f89764772e4675b475ea937b029daadc0bf598811 |
C:\Windows\System\gTFwhDg.exe
| MD5 | f0c2234dad13b3a4b531ea8c5813a8cd |
| SHA1 | 71a68575774b8626c9aeb3d7fa735adc18c9a6c7 |
| SHA256 | 02b9fd39e1503a65d2b22e26835c2c7e8688f2905a9386399af3523b411b1d44 |
| SHA512 | 33a2f040b1208db337631a53423fc27e68ddad27bdfe7402cf62035070149b0ab5c61d639fc5f26152aa791b32885758b3ab89abe01c0fea61cdfd68981871af |
memory/3968-118-0x00007FF7ECB10000-0x00007FF7ECE64000-memory.dmp
memory/4024-122-0x00007FF7CE7F0000-0x00007FF7CEB44000-memory.dmp
C:\Windows\System\xlphQXV.exe
| MD5 | ec543f36696ad0f20cdbf51c9455eed8 |
| SHA1 | 3a608f12131ace0ed46fa806cb542148627d15f3 |
| SHA256 | 0b1bb0e061e685acb31b62a35dfda8f8e15d4fe1c9b8cdfcc7db9444f66d9fdf |
| SHA512 | 72aa7ab1d71a0f3508e090bf840622fada6d2fa20711713a2519449f00a56945285022f279079cf083b2bc66a78199bf218c1b6090c6d2e3290fed327c324c05 |
memory/5036-128-0x00007FF642C20000-0x00007FF642F74000-memory.dmp
memory/2080-129-0x00007FF63A310000-0x00007FF63A664000-memory.dmp
C:\Windows\System\SyZsavw.exe
| MD5 | df0552d4e5dc04b34189769589a3b225 |
| SHA1 | d1df0c2daa7da9f574adb34d3fc224d4f63c07a6 |
| SHA256 | aa8e5fa71c9a40d8003a70154ed90e2676b6ef020d0d64e6381378a9b98c49ff |
| SHA512 | 1961320b918c18a2160e63387e5d573e55f2ce99c591cfb0bff8f8702b2fc4cf26992b90a3cfa314782fba7191ed3f3d07237b01dcfdcd7402a99b3b4403ac58 |
memory/2428-130-0x00007FF7E6C90000-0x00007FF7E6FE4000-memory.dmp
memory/2604-127-0x00007FF6EC970000-0x00007FF6ECCC4000-memory.dmp
memory/2888-125-0x00007FF6CD9A0000-0x00007FF6CDCF4000-memory.dmp
memory/3900-113-0x00007FF765880000-0x00007FF765BD4000-memory.dmp
memory/1832-104-0x00007FF74C310000-0x00007FF74C664000-memory.dmp
C:\Windows\System\ySAmXKJ.exe
| MD5 | b8062ba386019a17cfbab81e5b25dc4c |
| SHA1 | ec20909f65c64c45babd5da6de9595d4d9489616 |
| SHA256 | f0877cf334855e788ae2b763c0b8579a0def3074c4ca567d99226ec7efc52477 |
| SHA512 | d2c766a77275f8dca79c5fa82c3bf5089df0134101a32bc866fe1d1740afd531c0685b40af3df5acd9646b0e4e10f8a14df2c7af7ae2430beea6cb5462962e17 |
memory/1104-133-0x00007FF6F8480000-0x00007FF6F87D4000-memory.dmp
memory/4292-134-0x00007FF783CD0000-0x00007FF784024000-memory.dmp
memory/1904-135-0x00007FF6A7E70000-0x00007FF6A81C4000-memory.dmp
memory/2456-136-0x00007FF62D680000-0x00007FF62D9D4000-memory.dmp
memory/4924-137-0x00007FF692F10000-0x00007FF693264000-memory.dmp
memory/3600-138-0x00007FF688140000-0x00007FF688494000-memory.dmp
memory/2428-139-0x00007FF7E6C90000-0x00007FF7E6FE4000-memory.dmp
memory/840-140-0x00007FF6EE3C0000-0x00007FF6EE714000-memory.dmp
memory/3900-141-0x00007FF765880000-0x00007FF765BD4000-memory.dmp
memory/3616-142-0x00007FF6BFEC0000-0x00007FF6C0214000-memory.dmp
memory/4024-143-0x00007FF7CE7F0000-0x00007FF7CEB44000-memory.dmp
memory/5036-144-0x00007FF642C20000-0x00007FF642F74000-memory.dmp
memory/3636-145-0x00007FF7E37E0000-0x00007FF7E3B34000-memory.dmp
memory/1392-146-0x00007FF66CFE0000-0x00007FF66D334000-memory.dmp
memory/1104-147-0x00007FF6F8480000-0x00007FF6F87D4000-memory.dmp
memory/2080-148-0x00007FF63A310000-0x00007FF63A664000-memory.dmp
memory/3564-149-0x00007FF73F2A0000-0x00007FF73F5F4000-memory.dmp
memory/1904-151-0x00007FF6A7E70000-0x00007FF6A81C4000-memory.dmp
memory/4292-150-0x00007FF783CD0000-0x00007FF784024000-memory.dmp
memory/2456-152-0x00007FF62D680000-0x00007FF62D9D4000-memory.dmp
memory/2196-153-0x00007FF7B57E0000-0x00007FF7B5B34000-memory.dmp
memory/4924-155-0x00007FF692F10000-0x00007FF693264000-memory.dmp
memory/3600-154-0x00007FF688140000-0x00007FF688494000-memory.dmp
memory/3836-156-0x00007FF713750000-0x00007FF713AA4000-memory.dmp
memory/3968-157-0x00007FF7ECB10000-0x00007FF7ECE64000-memory.dmp
memory/2888-158-0x00007FF6CD9A0000-0x00007FF6CDCF4000-memory.dmp
memory/2604-159-0x00007FF6EC970000-0x00007FF6ECCC4000-memory.dmp
memory/2428-160-0x00007FF7E6C90000-0x00007FF7E6FE4000-memory.dmp