Analysis Overview
SHA256
45e98c2c34c8af05def1fffcf0ebcb12c4fa5ce84a64ffb003335138f5402c2a
Threat Level: Known bad
The file 2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 21:03
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 21:03
Reported
2024-06-08 21:05
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JNXODcp.exe | N/A |
| N/A | N/A | C:\Windows\System\KTwtOpY.exe | N/A |
| N/A | N/A | C:\Windows\System\rUbePhq.exe | N/A |
| N/A | N/A | C:\Windows\System\mLdcpIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\LAoadhJ.exe | N/A |
| N/A | N/A | C:\Windows\System\hyiBngH.exe | N/A |
| N/A | N/A | C:\Windows\System\aXRFesW.exe | N/A |
| N/A | N/A | C:\Windows\System\ueytarp.exe | N/A |
| N/A | N/A | C:\Windows\System\HHwgJld.exe | N/A |
| N/A | N/A | C:\Windows\System\KgzuBYN.exe | N/A |
| N/A | N/A | C:\Windows\System\QBPDvrh.exe | N/A |
| N/A | N/A | C:\Windows\System\jHBQdfl.exe | N/A |
| N/A | N/A | C:\Windows\System\fcWjvHS.exe | N/A |
| N/A | N/A | C:\Windows\System\bZvABRk.exe | N/A |
| N/A | N/A | C:\Windows\System\mNrxWif.exe | N/A |
| N/A | N/A | C:\Windows\System\deRPzqz.exe | N/A |
| N/A | N/A | C:\Windows\System\UgJmSgK.exe | N/A |
| N/A | N/A | C:\Windows\System\niouaeY.exe | N/A |
| N/A | N/A | C:\Windows\System\DeORxyz.exe | N/A |
| N/A | N/A | C:\Windows\System\QNMVbYS.exe | N/A |
| N/A | N/A | C:\Windows\System\UmjdkJD.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\JNXODcp.exe
C:\Windows\System\JNXODcp.exe
C:\Windows\System\KTwtOpY.exe
C:\Windows\System\KTwtOpY.exe
C:\Windows\System\mLdcpIJ.exe
C:\Windows\System\mLdcpIJ.exe
C:\Windows\System\rUbePhq.exe
C:\Windows\System\rUbePhq.exe
C:\Windows\System\LAoadhJ.exe
C:\Windows\System\LAoadhJ.exe
C:\Windows\System\hyiBngH.exe
C:\Windows\System\hyiBngH.exe
C:\Windows\System\ueytarp.exe
C:\Windows\System\ueytarp.exe
C:\Windows\System\aXRFesW.exe
C:\Windows\System\aXRFesW.exe
C:\Windows\System\HHwgJld.exe
C:\Windows\System\HHwgJld.exe
C:\Windows\System\KgzuBYN.exe
C:\Windows\System\KgzuBYN.exe
C:\Windows\System\QBPDvrh.exe
C:\Windows\System\QBPDvrh.exe
C:\Windows\System\jHBQdfl.exe
C:\Windows\System\jHBQdfl.exe
C:\Windows\System\fcWjvHS.exe
C:\Windows\System\fcWjvHS.exe
C:\Windows\System\bZvABRk.exe
C:\Windows\System\bZvABRk.exe
C:\Windows\System\mNrxWif.exe
C:\Windows\System\mNrxWif.exe
C:\Windows\System\deRPzqz.exe
C:\Windows\System\deRPzqz.exe
C:\Windows\System\UgJmSgK.exe
C:\Windows\System\UgJmSgK.exe
C:\Windows\System\niouaeY.exe
C:\Windows\System\niouaeY.exe
C:\Windows\System\DeORxyz.exe
C:\Windows\System\DeORxyz.exe
C:\Windows\System\QNMVbYS.exe
C:\Windows\System\QNMVbYS.exe
C:\Windows\System\UmjdkJD.exe
C:\Windows\System\UmjdkJD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2056-0-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2056-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\JNXODcp.exe
| MD5 | 1e01e986b5a74f509ccfa43d2e065dd5 |
| SHA1 | d66e4dc02116b0ac307249bf542f953e6a7e043c |
| SHA256 | 18b7b5d358e277cb48a188b018fac1cc939b288ae8e1d1055a70845ee89f1b3a |
| SHA512 | 5a7f49531f1f8595ad102c543939a7f8a653b6be5aefd576f076f1aa46e8091cc52ee53e31ebfcf7366b7b82ba23ab8d9a3aae64b1e5f91d4a19b1ff5c95978d |
memory/2056-6-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\KTwtOpY.exe
| MD5 | 82a904061ce42678f874e1691a67ef89 |
| SHA1 | faf211bacda84ab6194b4e2d7d806d7cf467ff53 |
| SHA256 | 8445cc920e64c6c358b1d7774c2b6afbc0fc5af3ee4d39b1155b538a44b1c3a3 |
| SHA512 | 6d0d46720d749a5c806146be49e8968e86b453df9e6740ecddff03035ee5cde147959fbd537b16cc00758ea6ceb014224c463188eff8fd272ec5c41212b98f49 |
memory/2056-22-0x000000013F530000-0x000000013F884000-memory.dmp
\Windows\system\rUbePhq.exe
| MD5 | 3ed600bb30da6694987526e3f96e36d0 |
| SHA1 | 1c3a0dc0c2d04c0c019792f72fe19d5f58183346 |
| SHA256 | 22f4772f18d8ff9098f94188ff6651c43aaed2d8f5a37495d02c65e3b33b1382 |
| SHA512 | 9c378716db33181205499049d76b3eb614f3535830fabb70ff3f09ffc3ecb09a7c038a144aa4a43b2b71c71c114d31684e38b8419b79aa90fbf910d7a6517288 |
\Windows\system\mLdcpIJ.exe
| MD5 | aeb0a4030147f014e6340a9197e638cf |
| SHA1 | 30ff5fc52a53f6ce1f2eb641c7f6fc2bfd99d293 |
| SHA256 | 8c272f8277903f31a0014a77adc6ac399cdacc30f6d6e2bfc6cb9d0821d0dc48 |
| SHA512 | 9637bcb948f1c540b3e46c06374e05e2e171b6e8d3cbfe37f4a795752c4f6c7081b4c747abaccf28165de4658f5d309d6ec4bd0b516f656e597910ab0c9334f7 |
C:\Windows\system\hyiBngH.exe
| MD5 | 842e0385dd3799438811b7719fbd478a |
| SHA1 | 839532324e75eefb07a90d803e138c5bc02e0c29 |
| SHA256 | b007dc91233f5cc2b120a98c750ce267e76d7dca8429c2cd24d6bdef92bf8a9b |
| SHA512 | 96a65e7f7a4ac06d4d52ba5b225955ec1864770ddd75d7819cba7e5d0ffb99a3891b3addf259be964745ef3cb8560e301838c0943f98bf89f87381c45a9d18ab |
memory/2724-34-0x000000013F660000-0x000000013F9B4000-memory.dmp
\Windows\system\ueytarp.exe
| MD5 | 38d3e0ec7c0528b4c2db226a6f9c111e |
| SHA1 | 0bb676a5b46f5cb437e9d494703bdc71cbfbf447 |
| SHA256 | 5de426422e7ede7036e2408df34df4cd29eaf9c46bf1772a52501bef39ff9c13 |
| SHA512 | d80fe5732584a69f27f0f120c26941d875a9783a92e0c3d2e1424fcdc52ecaa35eed42049bbcde76ef0a0171ce0add8fb68278dbb2d2ec304687b1d5b518d05c |
memory/2056-42-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2620-39-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2580-33-0x000000013F530000-0x000000013F884000-memory.dmp
C:\Windows\system\LAoadhJ.exe
| MD5 | 94b64252c9878e2e414cd87cd912ea81 |
| SHA1 | 6831383efd7860e970faf73f33bc4735da74251f |
| SHA256 | fcb3999a3a33dd8e1c9dec4660f9b2cfa8aa6c410912473eba8704205d80cdec |
| SHA512 | 1ffd3c7efb15f3e10f7da08ddb3c825233b20c61c8ed785ae0b28bf8803b45acd441da89034f8ade5d276c5b546b13064d856ce8ffa5fd23c09715854438bd32 |
memory/2056-30-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2628-28-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2056-25-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2328-55-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2540-68-0x000000013FAB0000-0x000000013FE04000-memory.dmp
C:\Windows\system\jHBQdfl.exe
| MD5 | de6d38f76eac5f78e248175378042581 |
| SHA1 | 07b99dd11b423b6baba8d20e0616036cab3cec16 |
| SHA256 | ab27a2cfa771639514bed1be3a633c8c6380ac7d24d8b4ff5d8e1fdab6cebb23 |
| SHA512 | 1b321013e34ffb7c00d075a042b391785e2d813bbda35d96eeb8918e0d13541c31d59178806a0de8be5ae0b8b3757b138344443b56790af2bb2215bed8488b28 |
C:\Windows\system\fcWjvHS.exe
| MD5 | 19f2c97773068ee2339a21886a73cda6 |
| SHA1 | ee8909040596826da32ceb36d28e7d3ce4f59184 |
| SHA256 | fe42f362ece28dcd3748fcf21c38106678b4d94652c41a4bc8e93fc81c2a3507 |
| SHA512 | c8f84cffc2f59e5282ecb246d01e4c40a92e3e6cc943e55771ca265fe6e5e0c421713aec0f27d1ea57cc14834cfb662bbc5855ca415666f58e33226b30efa91e |
C:\Windows\system\deRPzqz.exe
| MD5 | c814d6d804bff064fc4048fc858c1217 |
| SHA1 | c7988c6c51f9f3d8556f7b2df0959a60ed261870 |
| SHA256 | f9abb17b1a42693ad66e0292aa36a0000951990d1917be7da1222d09f28816f3 |
| SHA512 | f59df5d6e62354d2f5397196c3ff9490b25e41e002b479db0d74a9412192c7201458c600e73c5e569f665a812a97c9ee64f8870bff66380d47e87d0a332b7056 |
C:\Windows\system\niouaeY.exe
| MD5 | 27cc15827a0b602c385abc1b7d1bb9f7 |
| SHA1 | bcac81e15f92f907847fa8042df6ee0d7649a6bb |
| SHA256 | 020d3f09726e903b9f0e30278d9ceb3ded3351f096246329b52df249b492e35f |
| SHA512 | eaf6fb20a6f17a52b269211ed75e0f343e2efd19e4cfb72eca9467226b7015dfb418976558dc3d1dfab0968f3a42dc09cf5e3de42239900e50c34127fdb20928 |
C:\Windows\system\DeORxyz.exe
| MD5 | 9781a30e48f38ee6f0307efd2539fa41 |
| SHA1 | 860caad4b5813f598ab24cd9802a29d6097b944e |
| SHA256 | f26cf47968e1d7985f77cef37f4126b25c3d12f6492914cc2272e81e32616bd8 |
| SHA512 | 74fae357687d426f0146ce4da840073220c4a8fc306639e46eb5741fd2c1d8077404ac2a26f62fb30e49b9b5e8fb0f883bee83bbe6d456751e4398f145d1fdb1 |
\Windows\system\UmjdkJD.exe
| MD5 | 273bf88dcc25f20cbff5951ddb95484d |
| SHA1 | e4bf6bf4d51b0dd147b19bff9f05e1ab26c3c010 |
| SHA256 | a8034c07b8316ac6815d4a99b3e5a3dd9fbff396fea574c9609a420033ce7b8e |
| SHA512 | 66ddaf85a155d8d4dba7840cc58f391dfbf6bd00b1106e0e00607131a551b711e8477bb330ecbb7bfde08b58d96b2ae518ca0a9523b05939ce10484885d1008a |
C:\Windows\system\QNMVbYS.exe
| MD5 | 785e0f7cbb89d3475e0dfa8755c21ed9 |
| SHA1 | 3d6f4dccd02b8763be688234094bbc1d5864a8cd |
| SHA256 | cfb37ee3d90c6f3d887a46d8c4b8c396f17507cf1474d674548c1287f95f82ca |
| SHA512 | d6342e7faad6c2d2132bf949d17f47085f7254b56ee658b320159283704bc33552851f3932da195e2fcb75ad69d36ffb7299350d554f430d12e45d98770f50ee |
C:\Windows\system\UgJmSgK.exe
| MD5 | 0101db1d4f1f5ad2b9bd0fb0cd87c42b |
| SHA1 | 0bee9525241a51738f7ac82f8f96c5dfef73e268 |
| SHA256 | f8d7162981ec72dd6e21c311af535dd981c7524a1dc0d44aa241b64b5472b054 |
| SHA512 | 429de2d93aeedfbc082144e88c53729a221f3fa091f5e07897e05552cadab3993f8f524f09ea6c3f61804c8bc5a2a218c0cd0e09987562c0d14be35636f529c4 |
memory/2620-135-0x000000013F220000-0x000000013F574000-memory.dmp
C:\Windows\system\mNrxWif.exe
| MD5 | 32e0c88c69d963477a57f010273ad4ea |
| SHA1 | 81df78eada4ceeaaae268829b3feeea9a9f0973d |
| SHA256 | 88fba77e383d590154e5a7c55bcfdc5a188d016996fbc0e243869382bec2f03a |
| SHA512 | 6ea86e20b39acb78f3c11883c1739edcc1984e0b32512e0daf3a255acc78b4da7cf492b8c4d6bc2e65710ebe3b3980758c6efec8cc2943c8d5535051d881968e |
memory/2056-102-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2724-101-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/788-91-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2056-90-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2628-89-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2568-97-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2056-96-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\bZvABRk.exe
| MD5 | 283c24b82de1e0ae12fb89e5a34214b9 |
| SHA1 | 71cabf75dc4508c095a4b4653c61ff6b5c6d4922 |
| SHA256 | 30d620d8e048fb7c252e34122578a464f978ca391532b7576c69465c0ffaffd9 |
| SHA512 | 007663441b0306c8d75638208f9ca737f339f806a2f656e0ec92e6a12b0851331c04be9562f4c3b04eebd93ac57194b5539d1fc4ef7d4bb789bf598f52aa6087 |
memory/2916-76-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2940-82-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2056-81-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2952-75-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\QBPDvrh.exe
| MD5 | fe4fb3ea5c44befb78d8aa33bf9d6865 |
| SHA1 | d387ee6923aae513d1d81bbc04248619f03e003e |
| SHA256 | 859009dbb7eefc4c4711423d64aa0a3ca5b4ab23e2e29c50356a878388c6c85e |
| SHA512 | a355d20ac7775b068cb2978171c534a697ee289da472f8a237e92655b22e6243d3cdcdccd99d19bb3b37facd418105756049760eee59b08ea7a98b8c39c70f8d |
C:\Windows\system\KgzuBYN.exe
| MD5 | e73d5d39dd60687487b8085ed80fd263 |
| SHA1 | 842feb7d7faa9f1b0dae331533504c97352bd4da |
| SHA256 | c1d3d52efe27b468c9092cb2e1bd8c5628074a1be9a87561a59e615cf6e305b3 |
| SHA512 | 12e28e6f9938a6b36041c809d61f7f750712d959ddc1ced34435c08aa12199eeecad1be095848e9d71700873661d6cd2d0ecf3c633a87225c2916db456c55022 |
memory/2468-62-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2056-61-0x000000013F930000-0x000000013FC84000-memory.dmp
C:\Windows\system\HHwgJld.exe
| MD5 | 2598c4d1ff4e4515e5c9ea0e99fa733f |
| SHA1 | 57b8bca1de2ccac93dd6f48d8ff7e1d8acc973ca |
| SHA256 | 348b4c43af7929f6b33e297cfb43324658721166db920ee4c044435f6132b125 |
| SHA512 | a229507e3d0d0d22d57a2ee7740641a537bb366105f316d21253cc8e7d6f4d701377f955b7540ec7f21bdf71076e809f0fd17d48d8f4df959137517df81a1640 |
memory/2492-54-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2056-53-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\aXRFesW.exe
| MD5 | 4ff0ef27f0bc674e3f4a0974360c3827 |
| SHA1 | 98414df9ee38755bea13dda0bb960e5230e466dc |
| SHA256 | 0c8236e080f55aec73e6fc0e4980e302ebc0ad236c6e0d48005a0d61dd042e89 |
| SHA512 | ac63b438dc263e0253b15bf118a4c6a1d928c07b70b3e18207439a749218ba4c0fbfb0941d8d6835813e46043c29fc667fd0337b0f5ac6f14aec306cf4ec8092 |
memory/2056-38-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2328-136-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2704-18-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2952-14-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2468-138-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2540-140-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2056-139-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2940-141-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2056-142-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2568-143-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2704-145-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2952-144-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2628-146-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2620-147-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2492-148-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2724-149-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2328-150-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2468-151-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2540-152-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2916-153-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2940-154-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/788-155-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2568-156-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2580-157-0x000000013F530000-0x000000013F884000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 21:03
Reported
2024-06-08 21:05
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TLvMzwL.exe | N/A |
| N/A | N/A | C:\Windows\System\LUdBUjr.exe | N/A |
| N/A | N/A | C:\Windows\System\fmORgnS.exe | N/A |
| N/A | N/A | C:\Windows\System\hUUSSMH.exe | N/A |
| N/A | N/A | C:\Windows\System\PtXLpVB.exe | N/A |
| N/A | N/A | C:\Windows\System\oqWQlcA.exe | N/A |
| N/A | N/A | C:\Windows\System\YVqpCwI.exe | N/A |
| N/A | N/A | C:\Windows\System\eBhtVOq.exe | N/A |
| N/A | N/A | C:\Windows\System\NEfaJvb.exe | N/A |
| N/A | N/A | C:\Windows\System\JQrccko.exe | N/A |
| N/A | N/A | C:\Windows\System\ftHRQUS.exe | N/A |
| N/A | N/A | C:\Windows\System\baogdes.exe | N/A |
| N/A | N/A | C:\Windows\System\zBbSLYk.exe | N/A |
| N/A | N/A | C:\Windows\System\IxLobyj.exe | N/A |
| N/A | N/A | C:\Windows\System\apqqXSS.exe | N/A |
| N/A | N/A | C:\Windows\System\MFibksA.exe | N/A |
| N/A | N/A | C:\Windows\System\SijvosA.exe | N/A |
| N/A | N/A | C:\Windows\System\fXcBGtx.exe | N/A |
| N/A | N/A | C:\Windows\System\LLGDcKH.exe | N/A |
| N/A | N/A | C:\Windows\System\JaKGINh.exe | N/A |
| N/A | N/A | C:\Windows\System\CTGmziJ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TLvMzwL.exe
C:\Windows\System\TLvMzwL.exe
C:\Windows\System\LUdBUjr.exe
C:\Windows\System\LUdBUjr.exe
C:\Windows\System\fmORgnS.exe
C:\Windows\System\fmORgnS.exe
C:\Windows\System\hUUSSMH.exe
C:\Windows\System\hUUSSMH.exe
C:\Windows\System\PtXLpVB.exe
C:\Windows\System\PtXLpVB.exe
C:\Windows\System\oqWQlcA.exe
C:\Windows\System\oqWQlcA.exe
C:\Windows\System\YVqpCwI.exe
C:\Windows\System\YVqpCwI.exe
C:\Windows\System\eBhtVOq.exe
C:\Windows\System\eBhtVOq.exe
C:\Windows\System\NEfaJvb.exe
C:\Windows\System\NEfaJvb.exe
C:\Windows\System\JQrccko.exe
C:\Windows\System\JQrccko.exe
C:\Windows\System\ftHRQUS.exe
C:\Windows\System\ftHRQUS.exe
C:\Windows\System\baogdes.exe
C:\Windows\System\baogdes.exe
C:\Windows\System\zBbSLYk.exe
C:\Windows\System\zBbSLYk.exe
C:\Windows\System\IxLobyj.exe
C:\Windows\System\IxLobyj.exe
C:\Windows\System\apqqXSS.exe
C:\Windows\System\apqqXSS.exe
C:\Windows\System\MFibksA.exe
C:\Windows\System\MFibksA.exe
C:\Windows\System\SijvosA.exe
C:\Windows\System\SijvosA.exe
C:\Windows\System\fXcBGtx.exe
C:\Windows\System\fXcBGtx.exe
C:\Windows\System\LLGDcKH.exe
C:\Windows\System\LLGDcKH.exe
C:\Windows\System\JaKGINh.exe
C:\Windows\System\JaKGINh.exe
C:\Windows\System\CTGmziJ.exe
C:\Windows\System\CTGmziJ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/396-0-0x00007FF608E70000-0x00007FF6091C4000-memory.dmp
memory/396-1-0x00000208C2E40000-0x00000208C2E50000-memory.dmp
C:\Windows\System\TLvMzwL.exe
| MD5 | 2aab6e4a4335207110cf0a8d886d13d0 |
| SHA1 | 02e07d86634cf5132d0821c9877865417883df9d |
| SHA256 | 87bb5e6dfc0a181818337060269aea9887dfc80c7be39a3203f6f673e7651e62 |
| SHA512 | a3f82488c7d32af963ce16f7c517e6ac6b41e40bcc18acdb36ef1ce48c52a94e56a364143cdb6043c445b104a9719fe7e37df517647371bd30e87346817f4feb |
C:\Windows\System\LUdBUjr.exe
| MD5 | 5074bfec4dd2c4c3ddbd8feb60a7578b |
| SHA1 | adf197d80add17e665a63c6d62fb8c01a0bac4f1 |
| SHA256 | d6f604134ca6ffae6315fc6ccc85a02a62d41b3e1abd339b979dd0bc8e9a1d79 |
| SHA512 | b28f00bb0a8119de5f250a9c5db6db17a401d2b902f7e946eb01d51ee8fd7c4847eb0267fe6535c2a622c19e47a2d44a98a8beffce2de5541427caa861da751d |
memory/2520-17-0x00007FF61C0C0000-0x00007FF61C414000-memory.dmp
C:\Windows\System\fmORgnS.exe
| MD5 | c4dfee9151d8b1b76eac9130e78440f2 |
| SHA1 | bd056932e344af7931a6a544f8ba381a8a167e48 |
| SHA256 | ba2821128ee18c82e0be2c6d3d777aa503857eed7de6b823e7a9c706c1571478 |
| SHA512 | 154f8298cd3ab66f8419265d36fa360fe5132ce31865cac7b4eab1ee559673f7a1bbaa66c96af0d1c2433a7727ad2498e39ee0cedac800f1227eacd4296869a4 |
C:\Windows\System\hUUSSMH.exe
| MD5 | b42bdfcc4baf6eaeec523869ff9b7ab8 |
| SHA1 | 73b4e42960fedfb40c3370403eab224f77048037 |
| SHA256 | f5afb8effbc8ff31b1bcd6e50282043f99481191c2417ad250788a78998dd59b |
| SHA512 | a8cafc9f4122fcac0b9aa92428244d5fedef2b3137433b29c4d01978ccb6c6a4fbe9138f1509e8fd4d2f280ac7af5f766114b9d16694b9984b9f01892b8e4c2c |
C:\Windows\System\PtXLpVB.exe
| MD5 | 82071b4a7b137d2500634fe92b040e2f |
| SHA1 | 1f9b6f97bf9c90582f464017acc9e3df51d2c6bc |
| SHA256 | 12fdd487694d8cc6213931967cc8dc801b1987c7aa9f06e3665894c477f23b73 |
| SHA512 | 102b9746fa0289a5d5c6080e1913d0730415afec3b777979ac1ef59664e930c3f66917680b9cf571fb936d6c3cb8e57e5d6fd3d8a9cc49429455ea612a7c23cd |
memory/3400-34-0x00007FF7791A0000-0x00007FF7794F4000-memory.dmp
C:\Windows\System\JQrccko.exe
| MD5 | 3b85f505ae48233a2f32df327021edb3 |
| SHA1 | f6f6bfcaa7212585756638d537efc3b5a4be25b2 |
| SHA256 | be59d9e0c8c904c6a694106e5efae8fb63f23c5aaaca54763a8639005a7135bf |
| SHA512 | 03df19ec78997bf2f22cbbfeeb18d737f210c518258652cce3de6ba5e43c9ebe76c76c9cca77b0782e5b3100bd94c0890133c218ca7445eec42f882ef1cb464c |
memory/4908-63-0x00007FF6CBBE0000-0x00007FF6CBF34000-memory.dmp
memory/1288-70-0x00007FF668170000-0x00007FF6684C4000-memory.dmp
memory/4936-74-0x00007FF6CA880000-0x00007FF6CABD4000-memory.dmp
C:\Windows\System\baogdes.exe
| MD5 | 662815b58287536bcf1226ad6cdc48d0 |
| SHA1 | 25f61b369c1bba8dd3724887dc8d63362ac68d9c |
| SHA256 | bff45ad57714d2fa9ba09e2b92a9587f90787f3abaa131fb7d46c16cfbf43d91 |
| SHA512 | cedf1202c6cc67ba2003e03afcbf930638a463720c7ac24d0725fdfd2731e0dea304a2b7e31334d8d5aa357c007080343401bfd2290248768b400351e832fbd8 |
memory/1556-71-0x00007FF76D200000-0x00007FF76D554000-memory.dmp
C:\Windows\System\ftHRQUS.exe
| MD5 | d9f37335b24be2a10c2fd417f9241387 |
| SHA1 | a7760b49338f3882404c1023dd5ac8ce5d2f6de9 |
| SHA256 | 4dd9c1ce1a3bb6d04b34e374f5c58b2c16ad3aee10eafc5b2bdea3fd366b7f9e |
| SHA512 | 059ba8443517ac78bbf589f577e0436421186542ee38c33f56aa34a8524e7121656c86fa60f713d2b026eec035e5dfddcad88dfd2634e74b3303a84df9921b27 |
memory/3688-65-0x00007FF729940000-0x00007FF729C94000-memory.dmp
memory/1564-62-0x00007FF7B43C0000-0x00007FF7B4714000-memory.dmp
memory/3196-56-0x00007FF69DDE0000-0x00007FF69E134000-memory.dmp
C:\Windows\System\NEfaJvb.exe
| MD5 | 29a30345972e68a0eeca5be625863699 |
| SHA1 | ba150008a420cf9e480ee4650d849148981282ef |
| SHA256 | ccdd9a1d314648e8e0f06ffe0a5c58667d3353c5c64ffdf999cc96dcbd40e614 |
| SHA512 | 5c4205f12a714352854c4f2430db76f84479e547cd25bb0788b8b4cf94718afd94908c541c5671fb496d8d3d684869a9904091b36117bc9c50b0a8966e947f73 |
C:\Windows\System\eBhtVOq.exe
| MD5 | 7440e926f1642171b6a674c475a011cb |
| SHA1 | bbb66d7ddf0b7f813277743d1c2c1cb71db9c20e |
| SHA256 | 197d1ebedea272cc8124641b4e8069f0f05da31179924b2011a365d6197320a5 |
| SHA512 | 3222ea49b63d2ed280bc0ad39707cd5c4ca8e48cc8ab5e3aafcf63bf04e46ff97b2dce6103a3e944b35191c3dc2656aa6b0f36eb3db6f9a4f95ec0f129bfe9e4 |
memory/3564-46-0x00007FF6270D0000-0x00007FF627424000-memory.dmp
C:\Windows\System\YVqpCwI.exe
| MD5 | e0fed0080ad1e962968cd8b8c9427b6a |
| SHA1 | e217d67d9bec5275454ddd4e2a8868183b3e5406 |
| SHA256 | 7d3178d438b0f15c3780aa45fe8a43ce2872f9a555c9009d2f775a8d17249f01 |
| SHA512 | d6958e65a89903237966f32f35ae1f251f058ba43f823405eb9a332bd85a65a84e40c297c27d106e5c4b465523003a0b79dab51ec3ba7e0374ebd7ede39ac617 |
C:\Windows\System\oqWQlcA.exe
| MD5 | 0f4eb1463d36dc95af5eb784304e637e |
| SHA1 | 060392e0a80eb73acb7394bb044807de6123da33 |
| SHA256 | 0b9fb8bb58588053b9000073252cc1afba1f75e552737538db3c51b688b6c532 |
| SHA512 | bf0ff3022398542160695574d0e881aa987732d9ad431b346a66a798d50bc1d0e292e5b10f1b4e8cb030d0f51735f648a83a2d471aab6fe683ef3abc8f1e53b5 |
memory/1756-28-0x00007FF64AD60000-0x00007FF64B0B4000-memory.dmp
memory/4852-8-0x00007FF759CE0000-0x00007FF75A034000-memory.dmp
C:\Windows\System\zBbSLYk.exe
| MD5 | 6199f575c52db5b2e40caca12778deb9 |
| SHA1 | 1f5bfe54465aa2a8dd5742a2baacc816481d5f3c |
| SHA256 | ac8cdb72f109fb154cf6442acf04dab97184c2d08d0808c95389d794aa3acbde |
| SHA512 | c7676d6e1e5b1a2e122e7e3fbb892a0d08dcf1dd6d37a9b40029c8f9f7a50c6f177405e5724b193f7099b52db9aca9765ce4c040d0d38ae24ed1cb4deeb2618c |
memory/2804-82-0x00007FF6F2E30000-0x00007FF6F3184000-memory.dmp
C:\Windows\System\IxLobyj.exe
| MD5 | 4bd44957f3f966117e64651ac26ccca4 |
| SHA1 | b93f754dd183d5443976915676d714d02593d015 |
| SHA256 | 9032f201e0a5656d2b2dc35de3a6d79f7d7d88f23a7ce652f19f6d4e933f4f1c |
| SHA512 | 8372e501dd7cabaf92f7e225f8e6bdf67b62b1f9fa8dae8bbdd3a1e53efd977636207d7a2e823d9ab014bccee7a4cf53cc170505d077c48e0499043707aa48e3 |
C:\Windows\System\apqqXSS.exe
| MD5 | 89f96f6acc0f9f1e31ba7593940d823f |
| SHA1 | bac9ba4d74eb5be355600bd4533093e15f826daa |
| SHA256 | cb3f48a9ee88de9f6d01e549956cd504c35e7deb3a09ef8f37ff4582dd27df77 |
| SHA512 | a8319330c5dc4e7f59207510025ecc89b7ff950150f1cb71251bfa8ef5af18dfcf492fbd76cc175eee490983524f1a984b3a5532624fa024e457b42d38bb5f3b |
memory/1184-90-0x00007FF791EB0000-0x00007FF792204000-memory.dmp
memory/4616-89-0x00007FF7965E0000-0x00007FF796934000-memory.dmp
C:\Windows\System\MFibksA.exe
| MD5 | defa01d8d6ee00e189434555a7a59fd5 |
| SHA1 | 790b3c3c8d5e816bcf17a55f02519570880d96c3 |
| SHA256 | 3d034ccc67dfcee07b2e8fde8b74fd6118e2a95782bd482f0c53558d0b9525e5 |
| SHA512 | 12628714b0c518177e3b2cf465425b752baf01cf1bbee4ddec33dbfcf52d26921f1e53059a82c39b39847243b8003f98643046dc3ddebff491ae0c035d1a38e4 |
C:\Windows\System\SijvosA.exe
| MD5 | fc069da56ae9ce76aa062adfc094c709 |
| SHA1 | cc8cba2e634756b7c8297cfe86bfa2afd0ab47bd |
| SHA256 | bdb4b116d7650a32e4bfcb251914e0481e258bceba336a55fe9fce992d3313a6 |
| SHA512 | 1574d46fcfe1fa139b0f9494ab237f4194863cd7c0f6ee4bab3e4b902af26dac47e22960c0007e5525b74cdbf5c03264408eeb011b812c1aeaed1bf24b1e6dc8 |
C:\Windows\System\fXcBGtx.exe
| MD5 | 3a5233c4c3faee6fe57b66fd6cf281f0 |
| SHA1 | 2b4a0a2b6c311a980d1ee497758fd4bfb92f63ee |
| SHA256 | 1413dd686cdd64a8ef12fe3c4166420dd16b460266137ffcf82676d1863c5ad8 |
| SHA512 | baa0b483e5667b9fd1099c6394446729c794c02a4987e0afff14f4ceb2216a104af29f04f643bfee52bd11a6a7a09a2a618da875375e02564577548bf7dc4bff |
memory/1540-117-0x00007FF6B19C0000-0x00007FF6B1D14000-memory.dmp
C:\Windows\System\LLGDcKH.exe
| MD5 | 3841e12428054f3d3d52282b0de14948 |
| SHA1 | 94374f319786636834256820c3e8426691246a9e |
| SHA256 | c2e5cd0ef0a6dd4885d05d15cee0cb274ba8e2d47ba65cc5fd4a8eb8a574a979 |
| SHA512 | d7af3bd6b070c0b76b2ba9211a2ac1264fa245ae0c661f5bcac52d42ed30bb0af86e5c851bc288a40b383e941dd9880f0f2304ea730b047e6bcfc0de9e2cfc30 |
memory/4820-110-0x00007FF6BDAE0000-0x00007FF6BDE34000-memory.dmp
memory/396-108-0x00007FF608E70000-0x00007FF6091C4000-memory.dmp
memory/1476-102-0x00007FF7D5A50000-0x00007FF7D5DA4000-memory.dmp
memory/828-97-0x00007FF69A330000-0x00007FF69A684000-memory.dmp
C:\Windows\System\JaKGINh.exe
| MD5 | 31ac35f616204b90950f0b1223638d24 |
| SHA1 | cecac49e661cdf0d33da7c5bc9b0378b9980479e |
| SHA256 | ce085ac962db7d9223657f0f214a154680cbb3ed9871628a584cea8d7790c9cd |
| SHA512 | 899c353fb75717d0a6f50ddc8247f070085ef9c14ad1990e53245e51178697f572b484f07e04d60c02b48addde9625d2214f1465a889ae3f88faecaf58ebc661 |
memory/1756-128-0x00007FF64AD60000-0x00007FF64B0B4000-memory.dmp
C:\Windows\System\CTGmziJ.exe
| MD5 | dc2f3326a9c3aa53d6cb44779f3f3a18 |
| SHA1 | c6a2c0a6bae34ab034a1038f74fd8ddaa8c4586d |
| SHA256 | 83f665193a17bf75456e74104b15b2e157ba3751e6e25418aa14da1b197022f2 |
| SHA512 | 7c33ee076354e0042618ccf7834dd8c880322193412a41fdada9f4fdf0c3702e36d7443d4d4d821ea1fa8de25b2d7638bdc034dae70fd85a9fae67bb91e3d9f4 |