Analysis Overview
SHA256
bb7e98681e0fa5c70515989a29b492392c48c83e0cb41e505eccc6e71408d4b4
Threat Level: Known bad
The file 2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike
Xmrig family
Cobaltstrike family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 22:25
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 22:22
Reported
2024-06-06 22:28
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZmpHGwy.exe | N/A |
| N/A | N/A | C:\Windows\System\tUVSrsK.exe | N/A |
| N/A | N/A | C:\Windows\System\hRgCHIi.exe | N/A |
| N/A | N/A | C:\Windows\System\dlBLvsy.exe | N/A |
| N/A | N/A | C:\Windows\System\phYEEAb.exe | N/A |
| N/A | N/A | C:\Windows\System\RqyeXLY.exe | N/A |
| N/A | N/A | C:\Windows\System\bRuPPpf.exe | N/A |
| N/A | N/A | C:\Windows\System\diBDrhz.exe | N/A |
| N/A | N/A | C:\Windows\System\iscjGGR.exe | N/A |
| N/A | N/A | C:\Windows\System\bvFXWpt.exe | N/A |
| N/A | N/A | C:\Windows\System\IsWCUGA.exe | N/A |
| N/A | N/A | C:\Windows\System\iDDcGHa.exe | N/A |
| N/A | N/A | C:\Windows\System\xCIkquB.exe | N/A |
| N/A | N/A | C:\Windows\System\ropVOqb.exe | N/A |
| N/A | N/A | C:\Windows\System\dplpwIn.exe | N/A |
| N/A | N/A | C:\Windows\System\sQPsBQz.exe | N/A |
| N/A | N/A | C:\Windows\System\LdJjERU.exe | N/A |
| N/A | N/A | C:\Windows\System\AtGKlQa.exe | N/A |
| N/A | N/A | C:\Windows\System\tgDTONA.exe | N/A |
| N/A | N/A | C:\Windows\System\fjzPiXT.exe | N/A |
| N/A | N/A | C:\Windows\System\ZYktjwb.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZmpHGwy.exe
C:\Windows\System\ZmpHGwy.exe
C:\Windows\System\tUVSrsK.exe
C:\Windows\System\tUVSrsK.exe
C:\Windows\System\hRgCHIi.exe
C:\Windows\System\hRgCHIi.exe
C:\Windows\System\dlBLvsy.exe
C:\Windows\System\dlBLvsy.exe
C:\Windows\System\phYEEAb.exe
C:\Windows\System\phYEEAb.exe
C:\Windows\System\RqyeXLY.exe
C:\Windows\System\RqyeXLY.exe
C:\Windows\System\bRuPPpf.exe
C:\Windows\System\bRuPPpf.exe
C:\Windows\System\diBDrhz.exe
C:\Windows\System\diBDrhz.exe
C:\Windows\System\iscjGGR.exe
C:\Windows\System\iscjGGR.exe
C:\Windows\System\bvFXWpt.exe
C:\Windows\System\bvFXWpt.exe
C:\Windows\System\IsWCUGA.exe
C:\Windows\System\IsWCUGA.exe
C:\Windows\System\iDDcGHa.exe
C:\Windows\System\iDDcGHa.exe
C:\Windows\System\xCIkquB.exe
C:\Windows\System\xCIkquB.exe
C:\Windows\System\ropVOqb.exe
C:\Windows\System\ropVOqb.exe
C:\Windows\System\dplpwIn.exe
C:\Windows\System\dplpwIn.exe
C:\Windows\System\sQPsBQz.exe
C:\Windows\System\sQPsBQz.exe
C:\Windows\System\LdJjERU.exe
C:\Windows\System\LdJjERU.exe
C:\Windows\System\AtGKlQa.exe
C:\Windows\System\AtGKlQa.exe
C:\Windows\System\tgDTONA.exe
C:\Windows\System\tgDTONA.exe
C:\Windows\System\fjzPiXT.exe
C:\Windows\System\fjzPiXT.exe
C:\Windows\System\ZYktjwb.exe
C:\Windows\System\ZYktjwb.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.48:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
memory/4476-0-0x00007FF768BE0000-0x00007FF768F34000-memory.dmp
memory/4476-1-0x0000021B2A800000-0x0000021B2A810000-memory.dmp
C:\Windows\System\ZmpHGwy.exe
| MD5 | d3837ca3413f4d20dc77c300ad94bf7b |
| SHA1 | 5edb0290bb49eebe78382797deb751c35ada0f2e |
| SHA256 | b8684428e6d0602a5a0ae01f4fefbc058e0f7a274b072f4dc06fc74bb2bee322 |
| SHA512 | 0a6886de3310457e99409e144bd9702c17e905523c9c76ffbcf077d1d2be8a48d5cfb28a7a54919d7bbe79362504be1bbdc3b2d22c40e1842cd31b89fd9fa46a |
memory/1788-7-0x00007FF796670000-0x00007FF7969C4000-memory.dmp
C:\Windows\System\ZmpHGwy.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
memory/4376-14-0x00007FF7FB510000-0x00007FF7FB864000-memory.dmp
C:\Windows\System\hRgCHIi.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
memory/468-20-0x00007FF655CD0000-0x00007FF656024000-memory.dmp
C:\Windows\System\hRgCHIi.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
memory/4832-26-0x00007FF7C0410000-0x00007FF7C0764000-memory.dmp
C:\Windows\System\dlBLvsy.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\System\phYEEAb.exe
| MD5 | 3ed5a609fc99609f477b127cb1075f8e |
| SHA1 | efbe9eae011603d0818e0ea87d848f4505a8ca00 |
| SHA256 | f5c7ed548f4ba98079252e02c14f981d3b1b5468313f0be262b25ccc06a1f939 |
| SHA512 | adf3c7526c8d008f32ef1391728203330e532d5ab3157f9a2a7fe21b8a1324527c1ba05f5b2198a9d7b1cc621dddfe091207ec334b309442cd5608fc15d0fd18 |
C:\Windows\System\tUVSrsK.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
memory/1164-30-0x00007FF6AEED0000-0x00007FF6AF224000-memory.dmp
C:\Windows\System\bvFXWpt.exe
| MD5 | cefe7ebbcbdc6a5e5023e2ad8530b25b |
| SHA1 | 6e0d7ab1a6ddd7ee739d050791a70816c80e15a8 |
| SHA256 | 6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475 |
| SHA512 | 93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844 |
C:\Windows\System\iDDcGHa.exe
| MD5 | 170dd624fc04fc3839f9c4b66a089ce7 |
| SHA1 | 689050489367e9d7989856de58d7dae4b3e867bb |
| SHA256 | 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b |
| SHA512 | 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a |
C:\Windows\System\IsWCUGA.exe
| MD5 | c665d55523745ebd550a2c4296ad8ec9 |
| SHA1 | 43f72a8e93454ded742dbec7a7c84f59cb0d6520 |
| SHA256 | 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b |
| SHA512 | 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454 |
memory/1788-71-0x00007FF796670000-0x00007FF7969C4000-memory.dmp
memory/4836-76-0x00007FF684E40000-0x00007FF685194000-memory.dmp
memory/2512-74-0x00007FF77EEA0000-0x00007FF77F1F4000-memory.dmp
C:\Windows\System\iDDcGHa.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
C:\Windows\System\xCIkquB.exe
| MD5 | d872631fef320bcfe95799f5b4c466cb |
| SHA1 | 451a1400f207f69d35ba907e243aed76879dcd2c |
| SHA256 | 2c35d06862247b330fc3f8d9e6af582fea555fda1909ac568685a45fc440b438 |
| SHA512 | 2386867492e72b11ef633226d6bd8e4694f30ef287e4120da56c256823abf746800962069c455536682137d30dfdae1f3be9dfc70d5390788973809462de138d |
memory/4552-81-0x00007FF79CBC0000-0x00007FF79CF14000-memory.dmp
memory/4996-65-0x00007FF78F8F0000-0x00007FF78FC44000-memory.dmp
memory/4476-64-0x00007FF768BE0000-0x00007FF768F34000-memory.dmp
memory/2588-59-0x00007FF7EC5D0000-0x00007FF7EC924000-memory.dmp
C:\Windows\System\iscjGGR.exe
| MD5 | 8b592ebc427ce6b4826fa180a69cff56 |
| SHA1 | acfc770de548ae9c41e951ebf8abf5982f9294d6 |
| SHA256 | 81a46b1e4dd2171ddec998b02bdfd73ebdac717ca7fd10ee232b057422b63dfd |
| SHA512 | 8643954ce51286995297408025887a21e022256d16986e79cc5da9d8bfa1a3d6a134715963c7034b704067d4d6faac5b6f2e0c5f8fc35e4eb33d354c717e50f8 |
C:\Windows\System\dplpwIn.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/2212-101-0x00007FF77B7D0000-0x00007FF77BB24000-memory.dmp
memory/3204-108-0x00007FF694EA0000-0x00007FF6951F4000-memory.dmp
memory/4280-107-0x00007FF7C7F80000-0x00007FF7C82D4000-memory.dmp
C:\Windows\System\AtGKlQa.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
memory/2588-117-0x00007FF7EC5D0000-0x00007FF7EC924000-memory.dmp
memory/1316-121-0x00007FF63CE10000-0x00007FF63D164000-memory.dmp
memory/1660-119-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp
C:\Windows\System\ZYktjwb.exe
| MD5 | 743c7a20f2416269c3c8d975e4f19d3c |
| SHA1 | ec03184ed7d21e18ad8febd61a391967dd7c43fa |
| SHA256 | 5268a9f9c3d42bc7a82775797a6ec28c7588a17d79fc51326d6588568564e10a |
| SHA512 | b1cd99523c5be9a534c9ef28e57b8e1e140d71839b403f162bfe939de2f7f0ebf35a9df380b91846f3d2e9d464027806147a61b7c336973bd2a0e93c87567250 |
memory/1216-134-0x00007FF69A3B0000-0x00007FF69A704000-memory.dmp
memory/4128-129-0x00007FF710D30000-0x00007FF711084000-memory.dmp
C:\Windows\System\AtGKlQa.exe
| MD5 | 4ebd1901e669a14d40cee031fd206e82 |
| SHA1 | 48b4d9303ce77228a3ead5a9a71386291542a98f |
| SHA256 | 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1 |
| SHA512 | c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087 |
memory/2620-106-0x00007FF798E90000-0x00007FF7991E4000-memory.dmp
memory/1476-102-0x00007FF6C92E0000-0x00007FF6C9634000-memory.dmp
C:\Windows\System\sQPsBQz.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
C:\Windows\System\sQPsBQz.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
memory/1164-97-0x00007FF6AEED0000-0x00007FF6AF224000-memory.dmp
memory/2008-87-0x00007FF6F5E90000-0x00007FF6F61E4000-memory.dmp
memory/4832-86-0x00007FF7C0410000-0x00007FF7C0764000-memory.dmp
memory/4540-52-0x00007FF6CD0A0000-0x00007FF6CD3F4000-memory.dmp
C:\Windows\System\diBDrhz.exe
| MD5 | b5d6c8b472f6137523570f20868f4041 |
| SHA1 | 61a520c4e5802e3278d223745c0d5b53798489c3 |
| SHA256 | df7d971e23b4ededa31b1693094cae103f35c8a092bea9c558c1e9bba9ccc324 |
| SHA512 | 310f2bca69858a022c70080fd06c881ff6459ee943f0afef48d3fc47591912fad27b5857e0c076a90ca0c03ab0f8ff278f0a7686305712014a6bb182fc4a4229 |
C:\Windows\System\bRuPPpf.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
memory/4280-41-0x00007FF7C7F80000-0x00007FF7C82D4000-memory.dmp
C:\Windows\System\RqyeXLY.exe
| MD5 | fad07c7a375cc77c8bad2ea403df7368 |
| SHA1 | 8200f7b45ecaed3456453756d4786a31808f3cfd |
| SHA256 | 848657e546ac40e70071a28e39a41e9f0cee0588a6bdcdef5b8fb03d5de4f894 |
| SHA512 | d89f63fb6b3890d9d0d0450493738c1a7fd582703900f09647482ca9fef7f0381cd65a49803cbe6b29cf051716ac782e278d093757a86d15a4e9b25cc419cbe6 |
memory/1476-36-0x00007FF6C92E0000-0x00007FF6C9634000-memory.dmp
C:\Windows\System\tUVSrsK.exe
| MD5 | ca2c8fc23ac2c4dd58545d16927e5bef |
| SHA1 | b94b35150eb75787af3ce6aea401e04f2ec70fc4 |
| SHA256 | 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef |
| SHA512 | 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce |
memory/4552-135-0x00007FF79CBC0000-0x00007FF79CF14000-memory.dmp
memory/2008-136-0x00007FF6F5E90000-0x00007FF6F61E4000-memory.dmp
memory/1660-138-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp
memory/3204-137-0x00007FF694EA0000-0x00007FF6951F4000-memory.dmp
memory/1316-139-0x00007FF63CE10000-0x00007FF63D164000-memory.dmp
memory/1216-140-0x00007FF69A3B0000-0x00007FF69A704000-memory.dmp
memory/4376-142-0x00007FF7FB510000-0x00007FF7FB864000-memory.dmp
memory/468-143-0x00007FF655CD0000-0x00007FF656024000-memory.dmp
memory/1788-141-0x00007FF796670000-0x00007FF7969C4000-memory.dmp
memory/4832-144-0x00007FF7C0410000-0x00007FF7C0764000-memory.dmp
memory/1164-145-0x00007FF6AEED0000-0x00007FF6AF224000-memory.dmp
memory/4540-148-0x00007FF6CD0A0000-0x00007FF6CD3F4000-memory.dmp
memory/4280-147-0x00007FF7C7F80000-0x00007FF7C82D4000-memory.dmp
memory/1476-146-0x00007FF6C92E0000-0x00007FF6C9634000-memory.dmp
memory/2588-149-0x00007FF7EC5D0000-0x00007FF7EC924000-memory.dmp
memory/4996-150-0x00007FF78F8F0000-0x00007FF78FC44000-memory.dmp
memory/2512-151-0x00007FF77EEA0000-0x00007FF77F1F4000-memory.dmp
memory/4836-152-0x00007FF684E40000-0x00007FF685194000-memory.dmp
memory/4552-153-0x00007FF79CBC0000-0x00007FF79CF14000-memory.dmp
memory/2008-154-0x00007FF6F5E90000-0x00007FF6F61E4000-memory.dmp
memory/2212-155-0x00007FF77B7D0000-0x00007FF77BB24000-memory.dmp
memory/2620-156-0x00007FF798E90000-0x00007FF7991E4000-memory.dmp
memory/3204-157-0x00007FF694EA0000-0x00007FF6951F4000-memory.dmp
memory/1660-158-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp
memory/1316-159-0x00007FF63CE10000-0x00007FF63D164000-memory.dmp
memory/4128-160-0x00007FF710D30000-0x00007FF711084000-memory.dmp
memory/1216-161-0x00007FF69A3B0000-0x00007FF69A704000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 22:22
Reported
2024-06-06 22:28
Platform
win7-20240508-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZmpHGwy.exe | N/A |
| N/A | N/A | C:\Windows\System\tUVSrsK.exe | N/A |
| N/A | N/A | C:\Windows\System\hRgCHIi.exe | N/A |
| N/A | N/A | C:\Windows\System\dlBLvsy.exe | N/A |
| N/A | N/A | C:\Windows\System\phYEEAb.exe | N/A |
| N/A | N/A | C:\Windows\System\RqyeXLY.exe | N/A |
| N/A | N/A | C:\Windows\System\bRuPPpf.exe | N/A |
| N/A | N/A | C:\Windows\System\diBDrhz.exe | N/A |
| N/A | N/A | C:\Windows\System\iscjGGR.exe | N/A |
| N/A | N/A | C:\Windows\System\bvFXWpt.exe | N/A |
| N/A | N/A | C:\Windows\System\IsWCUGA.exe | N/A |
| N/A | N/A | C:\Windows\System\iDDcGHa.exe | N/A |
| N/A | N/A | C:\Windows\System\xCIkquB.exe | N/A |
| N/A | N/A | C:\Windows\System\ropVOqb.exe | N/A |
| N/A | N/A | C:\Windows\System\dplpwIn.exe | N/A |
| N/A | N/A | C:\Windows\System\sQPsBQz.exe | N/A |
| N/A | N/A | C:\Windows\System\LdJjERU.exe | N/A |
| N/A | N/A | C:\Windows\System\AtGKlQa.exe | N/A |
| N/A | N/A | C:\Windows\System\tgDTONA.exe | N/A |
| N/A | N/A | C:\Windows\System\fjzPiXT.exe | N/A |
| N/A | N/A | C:\Windows\System\ZYktjwb.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZmpHGwy.exe
C:\Windows\System\ZmpHGwy.exe
C:\Windows\System\tUVSrsK.exe
C:\Windows\System\tUVSrsK.exe
C:\Windows\System\hRgCHIi.exe
C:\Windows\System\hRgCHIi.exe
C:\Windows\System\dlBLvsy.exe
C:\Windows\System\dlBLvsy.exe
C:\Windows\System\phYEEAb.exe
C:\Windows\System\phYEEAb.exe
C:\Windows\System\RqyeXLY.exe
C:\Windows\System\RqyeXLY.exe
C:\Windows\System\bRuPPpf.exe
C:\Windows\System\bRuPPpf.exe
C:\Windows\System\diBDrhz.exe
C:\Windows\System\diBDrhz.exe
C:\Windows\System\iscjGGR.exe
C:\Windows\System\iscjGGR.exe
C:\Windows\System\bvFXWpt.exe
C:\Windows\System\bvFXWpt.exe
C:\Windows\System\IsWCUGA.exe
C:\Windows\System\IsWCUGA.exe
C:\Windows\System\iDDcGHa.exe
C:\Windows\System\iDDcGHa.exe
C:\Windows\System\xCIkquB.exe
C:\Windows\System\xCIkquB.exe
C:\Windows\System\ropVOqb.exe
C:\Windows\System\ropVOqb.exe
C:\Windows\System\dplpwIn.exe
C:\Windows\System\dplpwIn.exe
C:\Windows\System\sQPsBQz.exe
C:\Windows\System\sQPsBQz.exe
C:\Windows\System\LdJjERU.exe
C:\Windows\System\LdJjERU.exe
C:\Windows\System\AtGKlQa.exe
C:\Windows\System\AtGKlQa.exe
C:\Windows\System\tgDTONA.exe
C:\Windows\System\tgDTONA.exe
C:\Windows\System\fjzPiXT.exe
C:\Windows\System\fjzPiXT.exe
C:\Windows\System\ZYktjwb.exe
C:\Windows\System\ZYktjwb.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2176-0-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2176-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\ZmpHGwy.exe
| MD5 | d3837ca3413f4d20dc77c300ad94bf7b |
| SHA1 | 5edb0290bb49eebe78382797deb751c35ada0f2e |
| SHA256 | b8684428e6d0602a5a0ae01f4fefbc058e0f7a274b072f4dc06fc74bb2bee322 |
| SHA512 | 0a6886de3310457e99409e144bd9702c17e905523c9c76ffbcf077d1d2be8a48d5cfb28a7a54919d7bbe79362504be1bbdc3b2d22c40e1842cd31b89fd9fa46a |
memory/2176-6-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1780-12-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1704-15-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2176-14-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\tUVSrsK.exe
| MD5 | 7f137236dd2cc1e0ac3fb43e16d8232a |
| SHA1 | d5ec712c50813d1ee7fbadaaa492af94e0802c98 |
| SHA256 | cc672fa6f5ca39338d4d9a306502b6c69a9b7ee1fc20600ce8af1121304df47e |
| SHA512 | 4a10ea7be4dc0944456ecd29d17f5147ee57c2564b20bdd3030e880da74cea86c36edd64c09d19112b99f776aeed1f4811c2ca08a67dec8cd44bf608a382f287 |
C:\Windows\system\hRgCHIi.exe
| MD5 | 6382b8d80701be693179837316888184 |
| SHA1 | 4e81e1e65504fb9cb078830f42ca28222182ea10 |
| SHA256 | bc22484f396ed8e830eccdb571fc9d169571f489f06093a6a572b90a87a32ca0 |
| SHA512 | d46b0b3583ae584e29f68d0a3b60c4dcb9733abb60c5dae627864d03f3b3a9dbd9878d01d3746752c353e865573fcab5e13a8eabac9b76189a051a55b62ff54d |
\Windows\system\dlBLvsy.exe
| MD5 | 982deaa5f753f2aa854a6b24f6843ebd |
| SHA1 | c4357138a2a2e93c00b9f0122b640f5d62aa7d02 |
| SHA256 | 59f11b6174d1be66f957966490a9bb2e2cc152635550700b00af068e7c9687d9 |
| SHA512 | 204545fb205f71d818e8654fd1938da6c1befd083a54547bbb9bc1b0a192fd9c3323a38c4a2252ac1f9a85a52f34b4df689614fd18b1bd6eb5648737455dee3e |
memory/2868-29-0x000000013F9D0000-0x000000013FD24000-memory.dmp
C:\Windows\system\RqyeXLY.exe
| MD5 | fad07c7a375cc77c8bad2ea403df7368 |
| SHA1 | 8200f7b45ecaed3456453756d4786a31808f3cfd |
| SHA256 | 848657e546ac40e70071a28e39a41e9f0cee0588a6bdcdef5b8fb03d5de4f894 |
| SHA512 | d89f63fb6b3890d9d0d0450493738c1a7fd582703900f09647482ca9fef7f0381cd65a49803cbe6b29cf051716ac782e278d093757a86d15a4e9b25cc419cbe6 |
memory/3032-36-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/3024-42-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2176-55-0x000000013F030000-0x000000013F384000-memory.dmp
\Windows\system\iscjGGR.exe
| MD5 | 8b592ebc427ce6b4826fa180a69cff56 |
| SHA1 | acfc770de548ae9c41e951ebf8abf5982f9294d6 |
| SHA256 | 81a46b1e4dd2171ddec998b02bdfd73ebdac717ca7fd10ee232b057422b63dfd |
| SHA512 | 8643954ce51286995297408025887a21e022256d16986e79cc5da9d8bfa1a3d6a134715963c7034b704067d4d6faac5b6f2e0c5f8fc35e4eb33d354c717e50f8 |
C:\Windows\system\iDDcGHa.exe
| MD5 | 9360c7aa91d330680ed2ff744139e9c6 |
| SHA1 | a05cb03b5b5eef3e929e2247c7408ecd9cc37ccd |
| SHA256 | eb06f91068c3c0ad1116cf697a1f2a093d0fc53e89c7997503372fd56083c59c |
| SHA512 | e0bdebbe9746bafaa6ad958bf1d32123ddc51d063a4b47e9234a7044e34eda44ad7cc8938a1383d46800cfbd2be8ecd97d57c903beba9e1d1c7b019329163134 |
memory/1668-87-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2176-101-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2812-102-0x000000013F2C0000-0x000000013F614000-memory.dmp
C:\Windows\system\dplpwIn.exe
| MD5 | 40f2e1cbf0aaee4b63729f29181c69c9 |
| SHA1 | 98c1949489e6136a4076aad17b21d7a117fa8bb6 |
| SHA256 | 5960a9b38b19e11da49dd1684aaa8e5425df5cddb2f4cd960f0f061ba3637527 |
| SHA512 | 75ba53fe069f442d35bf37fbac92ebe6b57a72f2dac6ab1cd71a4d54018f61093d8d3918c835b142cd9f8ad2db837c43150b715f307027c3662597262d8a311b |
C:\Windows\system\sQPsBQz.exe
| MD5 | 0e4a4a3a1c884eb44bde038e9dba5c47 |
| SHA1 | dc9f41cb1f02dea88be3f46036b932d4ee6719c9 |
| SHA256 | acc75072333b77bc829b9863eab7d01c443d0a88906f738da547dacb54e5f19c |
| SHA512 | f98fa2534afde5372a4c90a8683f5bfc630305c910305b20c74eb84dd10c45141817d079660c9102aff7872676a1aa54cdcac760afc99e0eb89e0d76c716c2ff |
C:\Windows\system\fjzPiXT.exe
| MD5 | d49a317c0f13c8cc2482a44c071a728d |
| SHA1 | e65b30a32e2e0d31ea943b43de9dec0bd5d0b2b8 |
| SHA256 | a996f588f60b17ed209bb26f398d18d16fd5d4861b95819a72d8b6f9ea63c21c |
| SHA512 | f5d1d365b2deb9bab04465062453a363b70b75dd137dcfa8f9ede0d8b352d0bd1f2608f9c7c4fd2f7c0b1f7fd060be35fad579dd581fd5092aa8cc6310fca46f |
\Windows\system\ZYktjwb.exe
| MD5 | 743c7a20f2416269c3c8d975e4f19d3c |
| SHA1 | ec03184ed7d21e18ad8febd61a391967dd7c43fa |
| SHA256 | 5268a9f9c3d42bc7a82775797a6ec28c7588a17d79fc51326d6588568564e10a |
| SHA512 | b1cd99523c5be9a534c9ef28e57b8e1e140d71839b403f162bfe939de2f7f0ebf35a9df380b91846f3d2e9d464027806147a61b7c336973bd2a0e93c87567250 |
C:\Windows\system\tgDTONA.exe
| MD5 | 2640ca0daf45c349ec3ea1b5c8a09b62 |
| SHA1 | 010621664bb654656f91df9b0c62b87159fd2950 |
| SHA256 | 4a68470d740853dbba0cdfa3c3bf0fc165e3d11570707f075170bb53cf51de54 |
| SHA512 | 67ba07bd7f82ac1f072114a412f7e1f17313e88d74a281be4cfb47f4cd8d9d9752adf715acf34829709c496d7696507ffdb29a98426008e473a7e5f9e0ac84fe |
C:\Windows\system\LdJjERU.exe
| MD5 | dfb22040632befc536fb4b04910902d5 |
| SHA1 | 4ea6d476c6b0e142b11e9e79dd34d05453213d6a |
| SHA256 | 1edfd6e700302e26c236ff80db3648fcf56128e1b73645a45d3d54cc88975155 |
| SHA512 | 6a89a2952f3e2efaf24354c962b535264af510af0d953538d3ca0137ca22ab3cf9de14d7415c6c5c06fb9b75b3ebc08e210ef00dc727a8b2a1f621f9e155e9c7 |
C:\Windows\system\AtGKlQa.exe
| MD5 | f10f9781909f4c7a37617576f2ebaa69 |
| SHA1 | 821802e1bea0bc577d1d174fd88e688f1bcbb612 |
| SHA256 | 5d4610dd1f6569524a45a012370518f87aecc59c698bbbf5aaf0da35d80c889b |
| SHA512 | fe13574f419cc08cc1e3419928e42cf6595035861153c50acae727224ac9db07b3f86e92caa45e241c7ce16e5dbf0f8305b07ddf4d91cee2cee7c1f74ba59d77 |
memory/3024-108-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2560-95-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2176-94-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2868-93-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/3032-100-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\ropVOqb.exe
| MD5 | 49eac8a46ed93a4a81bb7ff95a186c47 |
| SHA1 | 55e40c0b686b1b1a715178ae90e6bce4e20cca6d |
| SHA256 | 9f9fbe481f3ba8a1a7d4e318e84b6d7b7714e50db7f0a040ef85a9db3a78a741 |
| SHA512 | 3ac6c36b1d5c9b1daecc547e7f7f776558fc9dda88ea1affd9b114cb65b42b43e6e3ea3f97ec9aea6908a087fef4cc8d2af03c7982550005d291ac9af9c3ebe4 |
C:\Windows\system\xCIkquB.exe
| MD5 | f2749639e9f6aa9d14ed594aaf791ffc |
| SHA1 | 78998bf19c8194dd06c821829f663f3d00872ed4 |
| SHA256 | cfda5bff0da088ffa8b3924936233207e04777eb1fc8d5b5ae2af274bef35303 |
| SHA512 | 3b6198a3d362fc2b1bda143d85b6f1f066040fdf56945c7052225ca58827f55ee0ecd72de8d0ff461575becefd447eef022f6947d0dc6ac1673d6a66a87b3bff |
memory/2176-86-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2756-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2940-79-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2176-78-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\IsWCUGA.exe
| MD5 | ec71120cbfc10f49093095afb1a71850 |
| SHA1 | 2e7b767cfdf5680daf1331945a680cb14ba5a0b8 |
| SHA256 | dcfec9b120f1f32a75fc814e267c70f7ca8b01b9f267d01d3f71cfbcffa5c41f |
| SHA512 | 27deb70c8a1b17af351ac9f62d1f7e48d755db1b84033e538510c4d9cb66084071c2aa44b8bf6c4920c791a5f7978f2855c839b4e29c91e956d232cec91b861f |
memory/2552-72-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2176-71-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\bvFXWpt.exe
| MD5 | 519d83a9330bf4ba505d6cef7e259d32 |
| SHA1 | aa1d27b13a1e3662f724940c177c64e658abf9f8 |
| SHA256 | 7c542484d7a766d139eb82df8ecea5614727e330f89544ea62dd33441271419f |
| SHA512 | 7f35379ae8bf1b0f7cf4d14f0337ebf20af490ab06033db2a035722da0c16a15310dd1db95b420094ff42e3711918aa754eb8d3356be17378c9e3be05141a8f8 |
memory/2228-66-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2176-65-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/1704-64-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2756-51-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2176-50-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\bRuPPpf.exe
| MD5 | ec1a7c97e4c3824076d540df8370d463 |
| SHA1 | 9ec960dbb5806a59972d49b98b1c58ab6d05f01c |
| SHA256 | 29602631921766b0dee9a973fcea361b3f66055e96fad3f87a9474961e4f2ab9 |
| SHA512 | e37a1bf7b6029f2fa8be28c6e6bc3be6feb1097f920fc96a024da545a5264632ae2d727cfe955e42e9d23fbbde15a45f95471c6a267570d76dc4d64fd578a606 |
memory/1780-48-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2468-56-0x000000013F030000-0x000000013F384000-memory.dmp
C:\Windows\system\diBDrhz.exe
| MD5 | 20125ec96db5ec18235046e0dbbbe96e |
| SHA1 | 5282f4680dfb0e5699231115c94f970fff3e4b4e |
| SHA256 | 365d612cbbeaab6443093ee20a266e347c7087062e39e654176d646a434e8469 |
| SHA512 | 96106d81988fff93baee58964df68c706d693c4cce7463e438271d6fdfb5a9cd698e088093f2e0239794b513a5cd424d6ab9fa7ab37bab666adbfc8324b2086c |
memory/2176-35-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\phYEEAb.exe
| MD5 | 0902836f90a08627f4485ee213b45737 |
| SHA1 | 03a05adfd86b3f5b1b731698dcf17c48c12f88a0 |
| SHA256 | 8b8e14e9e2feacfb1186a1a678c36c51b7775f196673848c80ff25f5e81fd1d6 |
| SHA512 | 73ad38c2513db92afd7aa55d00043a1349f188d7a0f5c155c09a75801fe5ffff69a5fe14203e10b88b989f8425ec94d445aca6ece7b1d65d828232f2a289d631 |
memory/2176-41-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2176-25-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2648-23-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2176-19-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2468-141-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2176-142-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2228-143-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2176-144-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2552-145-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2940-146-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/1668-148-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2176-147-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2560-149-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2812-150-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2176-151-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1780-152-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2648-154-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/1704-153-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2868-155-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/3032-156-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/3024-157-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2756-159-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2468-158-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2228-160-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2552-161-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2940-162-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/1668-163-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2560-165-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2812-164-0x000000013F2C0000-0x000000013F614000-memory.dmp