Analysis Overview
SHA256
bd8c7877224b585e66e2cb0cdf55d7562d9847bf41767ec4500f6f8eaf589576
Threat Level: Known bad
The file 2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-10 08:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 08:23
Reported
2024-06-10 08:26
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZDCqkHs.exe | N/A |
| N/A | N/A | C:\Windows\System\toZedmN.exe | N/A |
| N/A | N/A | C:\Windows\System\xPAjsnm.exe | N/A |
| N/A | N/A | C:\Windows\System\bCRPXHn.exe | N/A |
| N/A | N/A | C:\Windows\System\zlJXJUm.exe | N/A |
| N/A | N/A | C:\Windows\System\BcdTfEO.exe | N/A |
| N/A | N/A | C:\Windows\System\XmAwidc.exe | N/A |
| N/A | N/A | C:\Windows\System\WrpmSjO.exe | N/A |
| N/A | N/A | C:\Windows\System\lASRLwn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxObbYL.exe | N/A |
| N/A | N/A | C:\Windows\System\bnNpwUL.exe | N/A |
| N/A | N/A | C:\Windows\System\lzQWZBn.exe | N/A |
| N/A | N/A | C:\Windows\System\NpBzSRE.exe | N/A |
| N/A | N/A | C:\Windows\System\qOXPnVM.exe | N/A |
| N/A | N/A | C:\Windows\System\kutllKY.exe | N/A |
| N/A | N/A | C:\Windows\System\kmzjGYV.exe | N/A |
| N/A | N/A | C:\Windows\System\jPAOIyZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PtCPHPC.exe | N/A |
| N/A | N/A | C:\Windows\System\vKeGpvH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWSwfty.exe | N/A |
| N/A | N/A | C:\Windows\System\dRghsfi.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ZDCqkHs.exe | C:\Windows\System\ZDCqkHs.exe |
| C:\Windows\System\toZedmN.exe | C:\Windows\System\toZedmN.exe |
| C:\Windows\System\bCRPXHn.exe | C:\Windows\System\bCRPXHn.exe |
| C:\Windows\System\xPAjsnm.exe | C:\Windows\System\xPAjsnm.exe |
| C:\Windows\System\zlJXJUm.exe | C:\Windows\System\zlJXJUm.exe |
| C:\Windows\System\BcdTfEO.exe | C:\Windows\System\BcdTfEO.exe |
| C:\Windows\System\XmAwidc.exe | C:\Windows\System\XmAwidc.exe |
| C:\Windows\System\WrpmSjO.exe | C:\Windows\System\WrpmSjO.exe |
| C:\Windows\System\lASRLwn.exe | C:\Windows\System\lASRLwn.exe |
| C:\Windows\System\ZxObbYL.exe | C:\Windows\System\ZxObbYL.exe |
| C:\Windows\System\bnNpwUL.exe | C:\Windows\System\bnNpwUL.exe |
| C:\Windows\System\lzQWZBn.exe | C:\Windows\System\lzQWZBn.exe |
| C:\Windows\System\NpBzSRE.exe | C:\Windows\System\NpBzSRE.exe |
| C:\Windows\System\qOXPnVM.exe | C:\Windows\System\qOXPnVM.exe |
| C:\Windows\System\kutllKY.exe | C:\Windows\System\kutllKY.exe |
| C:\Windows\System\kmzjGYV.exe | C:\Windows\System\kmzjGYV.exe |
| C:\Windows\System\jPAOIyZ.exe | C:\Windows\System\jPAOIyZ.exe |
| C:\Windows\System\PtCPHPC.exe | C:\Windows\System\PtCPHPC.exe |
| C:\Windows\System\vKeGpvH.exe | C:\Windows\System\vKeGpvH.exe |
| C:\Windows\System\ZWSwfty.exe | C:\Windows\System\ZWSwfty.exe |
| C:\Windows\System\dRghsfi.exe | C:\Windows\System\dRghsfi.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\ZDCqkHs.exe
| MD5 | 734bb38bbf57a2755696ec1d38533d4c |
| SHA1 | edfafb39d282389861d8375a2a54a09e64b4752c |
| SHA256 | f7c8f2a3d2ae25d3193265e3ee4147fbaeb3768ab634b73eb2186b190995ecb0 |
| SHA512 | 12c41d9b63d0c7c158f3f98bf42bf7c1f07fcef1d073fdbeaee30d9c247b5a299404e649b67ad43fd99c377abf0b6dc2e5914ef640fef7340f11a27eeb25c9a9 |
\Windows\system\toZedmN.exe
| MD5 | c8606bf143d495f0bb1135d5e674c528 |
| SHA1 | db83e48c391954953e9b784de05862029782f3ae |
| SHA256 | aa67d8192e6f998c3a2292d50d6288a5e4081a0378cf70072a528cc697446014 |
| SHA512 | 664bc2343c8257d3a90f6ef38094d5c05337e32b0e651f7e381a8a6666055212a22935487ebbbd2d0ecc91ca95f3062dacb7c78151c0e74aa95ff6ee4ef88f5f |
C:\Windows\system\bCRPXHn.exe
| MD5 | e09638ece4891709706109e7e67928e5 |
| SHA1 | b897457acb30076af8b4df64d06274ea492385a6 |
| SHA256 | 3a24148eea7bd1ef1d384c55e7ec9d3936b2721bbe826abf42b4cdf6ce899ccc |
| SHA512 | a097ee5f6bc779c6b6900f97a7a1d770d35c0762bc7e342229d64ca7be863d425fb55d53da7d6dc5279e8818d62aac884b56cd65b1fb8968c801d8078f4f6b3b |
C:\Windows\system\xPAjsnm.exe
| MD5 | 67a1a99611dfccc6b3d285458d7de9d5 |
| SHA1 | 7dd80e6a7cd44b6472454fc5d4443aaddfe7c1c4 |
| SHA256 | 80451e546a2993f36b9ac3959876dcbd9b79a25ba993b10fce493c1b4e721008 |
| SHA512 | 8593d9f1a0df8d34662d669d3c3a8f71f74e77fa8e6e0c48623de183e0cd515389d9a87385fe9188287fb970b571f032aa3173b11ca649f106c018bebec25858 |
C:\Windows\system\WrpmSjO.exe
| MD5 | 3ebe48212063a709ce8f1eefc0989bd8 |
| SHA1 | c6322ccb56586974b6d831009b15dce5355a0819 |
| SHA256 | 7478c787adb47ead174371bab51fa32b416d6aee6de86ec051413d20f8213cd9 |
| SHA512 | f7add36bef00e933614332588c7fd5bb9f784ac29df8663a51baa1fe9feaf79eaeea53fdd3399bc96dc0a6a00d182b1174d59cc2e7dcf0a80041cd67294d523f |
\Windows\system\lzQWZBn.exe
| MD5 | a803fea0149c70dfd8022c3efed39ebe |
| SHA1 | 0346eacec2034dbd83cb1001ecbac00241639bc1 |
| SHA256 | b4d32a177429abca7ea957c9235ce949234b693d956e20f8e29710dc6028356e |
| SHA512 | fd7ef2a06e3c50cb5ec698e8d10e9a0566a1299f097d9719688130ddaced76ffd2f35531cd5c9e6dc85c70a06440b6a4b38171bf25e016a2f7bca92814a8a27f |
\Windows\system\ZWSwfty.exe
| MD5 | a759025ee088c4e14dd684f2239bb79f |
| SHA1 | dab0d1faced76fb0ff68374f23402965d102a179 |
| SHA256 | 29e94724d75f9eb61e88ce6a6d16006325b435519de0747e34df2273025c2697 |
| SHA512 | 5fc4c1004d4c12102a0cd6dfb0f014776cf2dcf43e108c145ba87ce31016b39b76da2001f20a999fc633a28e31aa417fdb3c220506aac97fde5300537eeb680a |
\Windows\system\dRghsfi.exe
| MD5 | 304486771d7bb8ad5e24c8624094cd8e |
| SHA1 | e0f057658120c3c092b8147256438e7b4834bc23 |
| SHA256 | 2ffc41917a32797bd39fcf6e5475d2ab40d6521639f46ac2372a284f9bf72489 |
| SHA512 | 6ed2ee43a1446ce8f1bee4a8a8f2e8f150b32464c3b056bbd2703ce8964cbb75e06300875d3889102d8a5c08dfbf20b2ae853e907f155da27f4a925b2e843ca9 |
C:\Windows\system\vKeGpvH.exe
| MD5 | 273aac35e5784e46ae4a5212964ad565 |
| SHA1 | 6727c2397ade71aedaeea4cfbd692f71a8d36b48 |
| SHA256 | 9f29ddb81c569411530531e1c213189b33b777fdaa496f31546c832c0473b1aa |
| SHA512 | 60ffb26bbda48a2b77a018bc739986d12b14eb67a7f996accf361eee83fe999c57c550c63393f9040e35cd05fbc7294968ac5a1dbb36efe54ef05ffd73b26f80 |
C:\Windows\system\PtCPHPC.exe
| MD5 | 1cb769ec16e581ef3071e76e79285e87 |
| SHA1 | f74a4edda3cf499403d8287c2f9f200232f8f550 |
| SHA256 | 2214a36f9132193697278305022c7e2b55d2694fc4b05bf6b5662bd63a0ceec5 |
| SHA512 | 8f5fda696c280b463e47bd706aeaadaaca19d26b146df77e0e57a373596404ea3ca6df9cb4a1832deecbd2862eed40ef6eef92019dd1c4e4307a1968aa3b32bf |
C:\Windows\system\jPAOIyZ.exe
| MD5 | b16a9b018a80579b240e57386ed25aff |
| SHA1 | 1a4b82f96aa9aee47760d33e2aa7aebd253da7db |
| SHA256 | a3b2396acb0b65cd51d374665f0a3efc4c405589660bd438c984323da73f82ee |
| SHA512 | b059fa3be6f139514e97d084640dbdc323305e3be893c31e7b538e0054fa3b7afa0799c09db0e7f93abdef6df16dac32c8b589a9e26dc2ccc3b0eef898f0c255 |
C:\Windows\system\kmzjGYV.exe
| MD5 | d2c4b065696ad60e51dd29d28b2712cf |
| SHA1 | c0e1a3072aaf82ba0cfcf4d76c95209d33602a44 |
| SHA256 | cb90692e733521fe64d120a4e9006c4f2f76442854be3323f1c571cc89f504dc |
| SHA512 | 4048375d41b865663e361ffb9b1e69d1956927f2966d142dc29c1d3bc1591e874952870a951df2336b19d01a71d987c875b461c22582c1ac32ceeb1845cede0d |
C:\Windows\system\kutllKY.exe
| MD5 | 1481d33cbd302ea855d6631e75019024 |
| SHA1 | 71800ab9c4475f048b810bba15f5819bde105256 |
| SHA256 | a50d1f19608c8c8e1a2b007ca81e21fb62dc6da7a5593d930fb004f0b7f5384c |
| SHA512 | b46236b07ee22d5cf874fe97e648a1d17219426bc29f7ae34272cf93826ac8063eab03217bf9987d47fb8796f70871ee36e939fa864b7a305fc2e03c977ad7a3 |
C:\Windows\system\NpBzSRE.exe
| MD5 | 3f402fddd7a62725bbce1dfcbc8f3aba |
| SHA1 | d9a37f0843cfa5a45cc754082c5dff1ed35d46da |
| SHA256 | df3ac8efb67d541984a7d2925e93c0d846da3bbfea44b2b6ba3c31d38a9d5348 |
| SHA512 | 499c0889bad576546606b8e9fdd5429b89bc4253c6f636ae9bf0bb114c09e870f1617e5c730d1a7216b8db157381771a8f0cb6943371e513f17d6e189a2180a3 |
C:\Windows\system\qOXPnVM.exe
| MD5 | 039a189bcbed8ad7d8b44acb04cd9ed2 |
| SHA1 | e52b50dd0a59d0f3719a05330af188a8b605336f |
| SHA256 | b1ccb108a72073d65fd902b0365fffee5c535459278f04165c15f44e7d385924 |
| SHA512 | 43cc512ddc78478fb411c045bd5bc9d9e156fe6d11a487f11d7c5fabe49f7e67883f94ad1b487336f34fa1be6233a1b072eba4bcaabfe1019ffa396e4807e58b |
C:\Windows\system\bnNpwUL.exe
| MD5 | e3a39ee3d9330b0e1dbf94f6466c4fa0 |
| SHA1 | 8e289dff2daaaeee2d6881b21657e57be624c66a |
| SHA256 | bc59ce9dff1c12cb07ac53e9dcc8029fd371f5d7e2e89c0b38db4855da1bda04 |
| SHA512 | c9d80cbce424c86afce01d547970e7a8e346d245ac830a68e92cd1b71cd2a722ec96e115fb53a0c1abb32c209a8d27831c65821478fe1457ab16c63830160698 |
C:\Windows\system\lASRLwn.exe
| MD5 | 09ddb9ab34c6b6989863d370c3167416 |
| SHA1 | 81061641bc4862142f6273b01d9a35839c7b8df8 |
| SHA256 | 895158c21cc83f0060a9291e578478ecdbe16d7cabded6d563922b3d4fc144b6 |
| SHA512 | f8b8d4159a4b358da4cb0d15b2f3d338aead229534c1337e456e28760a02c363495e300928c2e1e350837eba3051b1dce9350e69676cefbf0127131d877a2c69 |
C:\Windows\system\ZxObbYL.exe
| MD5 | 8f2dd76701bee85b2a07e227b259009b |
| SHA1 | 072431b2cbb9be78e80e93d759536790391fb21d |
| SHA256 | a0a4108c1344ba45a3d1286b1a3a76001c50992b78caa473a948c969e0d40151 |
| SHA512 | 6423961cf0d816d1c08cd930c11ea4721319d4ee010a5b914e92db666e8efed68c345e7a152d835f31e1b7d43eacd94052ef404cea44d134b540c0dfb80de0cb |
C:\Windows\system\XmAwidc.exe
| MD5 | abd2b05a420d6d8b197112dd11343834 |
| SHA1 | db71c5e3b545dfae83f7bdae827d99dace13dca3 |
| SHA256 | eb7b25263150080461d22dbef474d7b932eb98432229a342516079cb71929f50 |
| SHA512 | d1d2e3b103a99ce4d16c538f16ec7e3c2479870d66dede2d511639fc6cbdf386b371ee8ef6a46d0186eb2e421a6026d2172696d61a1f0e55a36b30af0bbc6127 |
C:\Windows\system\BcdTfEO.exe
| MD5 | d5e693936bc6d7279a9b698d3d110fec |
| SHA1 | 55ef7ae0ca58754623d34850a1222e5357d19956 |
| SHA256 | d11b7cc957037d8554bc965327bf7a876bd5237975ff3d783f8a21415a7c6923 |
| SHA512 | af2897a467e5c01080b22332d683b382614a6dc7015467d58b7f05502c32752dd6135630787e280fb6a26270d0b267cb9768f0e09a0cd2e55b5c92c1bba1d008 |
C:\Windows\system\zlJXJUm.exe
| MD5 | 41034e978f1307739c7c39272fcf4b86 |
| SHA1 | 3310abc65792ee327f3b208f668d20085eae8539 |
| SHA256 | 102e3d112d0122849f7083ebad9695ad21addb36d2c3865eb68c9924eb1d8de0 |
| SHA512 | 9084fcbd072b5a5972d3b09312829131a745470a9f08ca7bd5924e7122de692336cb396f85c41c0250a9995910503609069b9ee6c714c766a418fa3f873aedca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 08:23
Reported
2024-06-10 08:26
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
143s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gPyJVBd.exe | N/A |
| N/A | N/A | C:\Windows\System\aOMehxr.exe | N/A |
| N/A | N/A | C:\Windows\System\lmcZFcB.exe | N/A |
| N/A | N/A | C:\Windows\System\FXHEaqR.exe | N/A |
| N/A | N/A | C:\Windows\System\fvDFAbj.exe | N/A |
| N/A | N/A | C:\Windows\System\GDmvPUm.exe | N/A |
| N/A | N/A | C:\Windows\System\rAuQTAv.exe | N/A |
| N/A | N/A | C:\Windows\System\HOMeNvN.exe | N/A |
| N/A | N/A | C:\Windows\System\hNJDgoj.exe | N/A |
| N/A | N/A | C:\Windows\System\FyxsthR.exe | N/A |
| N/A | N/A | C:\Windows\System\TKZfWCA.exe | N/A |
| N/A | N/A | C:\Windows\System\dzHDtKM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZGpXOkk.exe | N/A |
| N/A | N/A | C:\Windows\System\uhiYHgx.exe | N/A |
| N/A | N/A | C:\Windows\System\iyOgkfk.exe | N/A |
| N/A | N/A | C:\Windows\System\KqUsdia.exe | N/A |
| N/A | N/A | C:\Windows\System\QQToAos.exe | N/A |
| N/A | N/A | C:\Windows\System\JmLOXNV.exe | N/A |
| N/A | N/A | C:\Windows\System\aRfgfgy.exe | N/A |
| N/A | N/A | C:\Windows\System\vrhEQmA.exe | N/A |
| N/A | N/A | C:\Windows\System\AEnbAtQ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\gPyJVBd.exe | C:\Windows\System\gPyJVBd.exe |
| C:\Windows\System\aOMehxr.exe | C:\Windows\System\aOMehxr.exe |
| C:\Windows\System\lmcZFcB.exe | C:\Windows\System\lmcZFcB.exe |
| C:\Windows\System\FXHEaqR.exe | C:\Windows\System\FXHEaqR.exe |
| C:\Windows\System\fvDFAbj.exe | C:\Windows\System\fvDFAbj.exe |
| C:\Windows\System\GDmvPUm.exe | C:\Windows\System\GDmvPUm.exe |
| C:\Windows\System\rAuQTAv.exe | C:\Windows\System\rAuQTAv.exe |
| C:\Windows\System\HOMeNvN.exe | C:\Windows\System\HOMeNvN.exe |
| C:\Windows\System\hNJDgoj.exe | C:\Windows\System\hNJDgoj.exe |
| C:\Windows\System\FyxsthR.exe | C:\Windows\System\FyxsthR.exe |
| C:\Windows\System\TKZfWCA.exe | C:\Windows\System\TKZfWCA.exe |
| C:\Windows\System\dzHDtKM.exe | C:\Windows\System\dzHDtKM.exe |
| C:\Windows\System\ZGpXOkk.exe | C:\Windows\System\ZGpXOkk.exe |
| C:\Windows\System\uhiYHgx.exe | C:\Windows\System\uhiYHgx.exe |
| C:\Windows\System\iyOgkfk.exe | C:\Windows\System\iyOgkfk.exe |
| C:\Windows\System\KqUsdia.exe | C:\Windows\System\KqUsdia.exe |
| C:\Windows\System\QQToAos.exe | C:\Windows\System\QQToAos.exe |
| C:\Windows\System\JmLOXNV.exe | C:\Windows\System\JmLOXNV.exe |
| C:\Windows\System\aRfgfgy.exe | C:\Windows\System\aRfgfgy.exe |
| C:\Windows\System\vrhEQmA.exe | C:\Windows\System\vrhEQmA.exe |
| C:\Windows\System\AEnbAtQ.exe | C:\Windows\System\AEnbAtQ.exe |
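The AdjustPrivilegeToken hit and the process list above describe one pattern: a dropper in %TEMP% enables SeLockMemoryPrivilege and then launches a run of seven-letter, random-cased executables from C:\Windows\System (the legacy directory, not System32). The following detection logic is an added example, not part of the sandbox report or of any vendor product. The event records are constructed to mirror the report; "id" 1 stands in for a process-creation record and 4703 for the Windows Security "A user right was adjusted" event, with field names simplified. The SQL Server allowlist entry, the seven-letter name heuristic and the threshold of three children are assumptions to tune per estate.

```python
r"""
Correlates two signals from the report: SeLockMemoryPrivilege being enabled by a
process outside an allowlist, and one parent spawning several executables from
C:\Windows\System. Constructed events; simplified field names.
"""
import ntpath
import re
from collections import defaultdict

WINDOWS_SYSTEM_DIR = "c:\\windows\\system"          # legacy dir, not System32
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")      # heuristic for the dropped names
# Legitimate large-page users (assumed entry; SQL Server is the usual one).
LOCKMEM_ALLOWLIST = {"c:\\program files\\microsoft sql server\\mssql\\binn\\sqlservr.exe"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_099d5b62e8a9f6b3991ce02f39f2f046_cobalt-strike_cobaltstrike.exe"

EVENTS = [  # constructed to mirror the report; not captured telemetry
    {"id": 4703, "process": DROPPER, "enabled": ["SeLockMemoryPrivilege"]},
    {"id": 1, "image": r"C:\Windows\System\gPyJVBd.exe", "parent": DROPPER},
    {"id": 1, "image": r"C:\Windows\System\aOMehxr.exe", "parent": DROPPER},
    {"id": 1, "image": r"C:\Windows\System\lmcZFcB.exe", "parent": DROPPER},
    {"id": 1, "image": r"C:\Windows\System\FXHEaqR.exe", "parent": DROPPER},
    {"id": 1, "image": r"C:\Windows\System\fvDFAbj.exe", "parent": DROPPER},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 4703, "process": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "enabled": ["SeLockMemoryPrivilege"]},
]


def name_looks_random(basename):
    """Seven letters with at least two upper/lower case switches: matches the
    dropped names (gPyJVBd, aOMehxr, ...) but not svchost.exe or notepad.exe."""
    if not RANDOM_NAME.match(basename):
        return False
    stem = basename[:-4]
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches >= 2


def classify(events):
    """Return (kind, subject) findings for the individual signals."""
    findings = []
    spawned = defaultdict(set)   # parent image -> children started from C:\Windows\System
    for ev in events:
        if ev["id"] == 4703 and "SeLockMemoryPrivilege" in ev["enabled"]:
            if ev["process"].lower() not in LOCKMEM_ALLOWLIST:
                findings.append(("lockmem_privilege", ev["process"]))
        elif ev["id"] == 1:
            image = ev["image"]
            if ntpath.dirname(image.lower()) == WINDOWS_SYSTEM_DIR:
                spawned[ev["parent"]].add(image)
                if name_looks_random(ntpath.basename(image)):
                    findings.append(("random_name_in_windows_system", image))
    for parent, children in spawned.items():
        if len(children) >= 3:
            findings.append(("mass_spawn_from_windows_system", parent))
    return findings


def verdict(findings):
    """The same process enabling SeLockMemoryPrivilege and mass-spawning from
    the Windows\System directory fits the XMRig drop-and-run pattern; either
    signal alone is only a lead."""
    lockmem = {p for kind, p in findings if kind == "lockmem_privilege"}
    spawners = {p for kind, p in findings if kind == "mass_spawn_from_windows_system"}
    both = lockmem & spawners
    if both:
        return "xmrig-like miner dropper", sorted(both)
    if lockmem or spawners:
        return "suspicious, needs triage", sorted(lockmem | spawners)
    return "clean", []


if __name__ == "__main__":
    found = classify(EVENTS)
    for kind, subject in found:
        print(kind, subject)
    print(verdict(found))
```

The directory check does the heavy lifting; the name heuristic only adds confidence and should never fire on its own, because real software can have mixed-case seven-letter names.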
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8; the six repeated TCP connections to 3.120.209.58:8080 are the only non-DNS destination in the capture and therefore the candidate C2 or mining-pool endpoint to block and pivot on.
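To turn the table above into something a responder can act on, the rows need to be split into DNS noise and real destinations, with each PTR name decoded back to the address that was looked up and repeated connections counted. The parser below is an added example, not part of the sandbox report; the rows are copied from the table (with the protocol in its own column) and the repeat threshold of three is an assumption.

```python
"""
Parse the Network table, decode in-addr.arpa PTR names, and count repeated
non-DNS destinations. Rows copied from the report; threshold is an assumption.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = """
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""


def parse_rows(text):
    """Split pipe-delimited rows into dicts; 'host:port' is separated."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain or None, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Separate PTR lookups from everything else; count repeats per destination."""
    ptr_targets = []
    repeated = Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.append(ip)
        else:
            repeated[(r["host"], r["port"], r["proto"], r["country"])] += 1
    return {"ptr_targets": ptr_targets, "repeated": repeated}


def candidate_c2(rows, min_repeats=3):
    """Non-DNS destinations contacted at least min_repeats times: the beaconing
    or pool candidates worth blocking and pivoting on."""
    repeated = summarize(rows)["repeated"]
    return [(host, port, proto) for (host, port, proto, _), n in repeated.items()
            if n >= min_repeats]


if __name__ == "__main__":
    parsed = parse_rows(NETWORK_ROWS)
    print(summarize(parsed))
    print(candidate_c2(parsed))
```

The decoded PTR targets are what the sandbox host resolved, not what the sample contacted; treat them as background until a process-level capture ties them to the dropped binaries.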
Files
memory/5808-0-0x00007FF735620000-0x00007FF735974000-memory.dmp
memory/5808-1-0x00000211C94F0000-0x00000211C9500000-memory.dmp
memory/2956-8-0x00007FF64B8E0000-0x00007FF64BC34000-memory.dmp
C:\Windows\System\gPyJVBd.exe
| MD5 | a359d6caa893a42f0dad25f894ebe35a |
| SHA1 | de35a310e45e646988eb6f9b6ff4c7cb0efd0efa |
| SHA256 | 874b38edcf8ec97a85cd6375e376242eadbdcaa060abd549967b4fd02be537e0 |
| SHA512 | 7e7f7c9498c3e104e939450ba1f5a628b3571ec66008a85331e86e7be1470b4536119f14ed82d91ad42d39e7f886b3fcf83d63d6578ab90605a4d2ef6e88dc07 |
C:\Windows\System\lmcZFcB.exe
| MD5 | 9c8c73f4fe8fac0a2878b6afa8372aee |
| SHA1 | 20b1f5e16630f351e020c7659f6ef89bbb6ec4b9 |
| SHA256 | 18fe9e17dcc8912ff6d868751bc1f787c12a54d3d6d39a7717e8d48b83b80c77 |
| SHA512 | b37c5b87c039b67b4b9cbfb4415b36fe11d1d6db5eb4ced93c410725857ca5ad251962e7329bdd77696d511bda8ffd37900d532aed8e90a9d3485d75f7741f60 |
memory/2916-13-0x00007FF7AF190000-0x00007FF7AF4E4000-memory.dmp
C:\Windows\System\aOMehxr.exe
| MD5 | 982dfe13f3932fbaf4b76e5611b6b165 |
| SHA1 | dd5b797c40b3314494701fdb39a5778b9fe87177 |
| SHA256 | 3ae30f8778c1eb73ec6861fa9aea1618c1a2b71753956273764fa6d328837b31 |
| SHA512 | 2d21202743bbfce758ff9540efe6e59729e2c0ef79b810a619a1f9221292257347e5c105c1694d48d26b5c6fed686f98cf6232b770b53c80fd8dc79d5d2a97cf |
memory/2860-20-0x00007FF714BE0000-0x00007FF714F34000-memory.dmp
C:\Windows\System\FXHEaqR.exe
| MD5 | dd8293f6dee0619e415564eeb937f670 |
| SHA1 | 01d2aaf7d0d5df1254ad40fa73f8daed9082c0e2 |
| SHA256 | ab6b43025a32cd193c480a544275079a083fc89ac3b8a76013dacb8ecf2c125c |
| SHA512 | 8035a53cb7a50c79b125503ebda9de820b5dd2aa31e272af89ceadff74a59edcae76b057955f1ace5d2dac19599ebf5bf6c16b14bfcfd72f9c3fbe1fca8a7600 |
memory/3076-26-0x00007FF6CC190000-0x00007FF6CC4E4000-memory.dmp
C:\Windows\System\fvDFAbj.exe
| MD5 | a9c9972259d081dff09436ecb1a6ac78 |
| SHA1 | e2d20b773ce4b8fb75cf87c3fab958217c89421a |
| SHA256 | c5fbf92a899305f6e6e9424255d6bb32b7f0653978409a93e9ee2be734f5f866 |
| SHA512 | 5da515c1b494dfe6042acf3da4d78c7a65655bcd81b2c14d6b0a857c44079c3b921faecd57ff71717507619aad546eaa01d8eda7ec365c3f0e389b102bf79ab1 |
memory/5132-32-0x00007FF6436A0000-0x00007FF6439F4000-memory.dmp
memory/3560-37-0x00007FF715260000-0x00007FF7155B4000-memory.dmp
C:\Windows\System\rAuQTAv.exe
| MD5 | 7eab528e0be0e47f799e8f7b2c2d0fa6 |
| SHA1 | e2499963a2e043a92d59119e4b733fddecd69b4a |
| SHA256 | bd5ee154b194731b5101049982f0d99f9d631d58e32ec49fc9bf9f7e007269d5 |
| SHA512 | f09d1fa4f1fefb9818fda05848d4fd306fc8dc710a18c39c6ea50b2532ac4578b7ce4dffaab779635c905104ad8fe2c5bebeecee3130959056b4ae4d753f76ce |
C:\Windows\System\HOMeNvN.exe
| MD5 | 13db4883370536a4ae0de2038f89607b |
| SHA1 | 2f70e2727f2bf38e13083c5214518d4326c59064 |
| SHA256 | efe5df8c091e91c2e32df94b07ce133d700076de24aa933fa8c225338708100f |
| SHA512 | 69e55a021d7e8606411b78d808f3e382affb15fa3147a59dc52d0da7c0c92a527792c48ba51ad855bfe9a68e4c6b898aeb73634736cc99c2bd032f6ac0455229 |
memory/924-47-0x00007FF671990000-0x00007FF671CE4000-memory.dmp
memory/3020-50-0x00007FF7856E0000-0x00007FF785A34000-memory.dmp
C:\Windows\System\GDmvPUm.exe
| MD5 | 8268049c6353a96c6135e7c72a5b4ef5 |
| SHA1 | 16ad613aa9b6f120b0ed7bb56b26fb0b419fdd11 |
| SHA256 | 4b82a3bb2f98b0990b39da83df0c90d4f7a36487e83d302176fd89b4fa840325 |
| SHA512 | df94a9280115c394d5d81e0785e11de500e0930c9473b47f3e5dcf1041c475d4f3577edc78c1d5e6911a38157d5bdd8d5de95eb863e828cd34cf29309837e65a |
C:\Windows\System\hNJDgoj.exe
| MD5 | 769235502f28f0358c592a7a2694afd6 |
| SHA1 | 76e05b74d4a888b027f484b09b0bdf5bb3ab9c1c |
| SHA256 | 5f9035ca84641a36a2df025c6ca8203fc6ffeac843eaf413dc8dfdd23047c28d |
| SHA512 | a7919db9a9fe80c10f88979c2fcf28fe17830a49f28fd69e97fa091f0e3c101d9173d170bf7961acb6e46b9f682b5651f83381a1285c199197a0e9adfe265123 |
memory/4368-75-0x00007FF6DB3E0000-0x00007FF6DB734000-memory.dmp
C:\Windows\System\ZGpXOkk.exe
| MD5 | 356cb23b746ba1a1c261c90e0cf421aa |
| SHA1 | 880f193339902f3c45b42f0c2b9d82eb4d3641ba |
| SHA256 | 8d7be161b31dab1eae7ce1cfbae906da8802c6c2680d8f41c11f346123a6c9d0 |
| SHA512 | 1fe016598f959ff6c0083aa0b5c23228f041b18db02255d03c0f25804c87a9b98876137699ef123fd928c23e0a9abcd6d982a3ea24bed5c8d332df8b44dd0154 |
C:\Windows\System\uhiYHgx.exe
| MD5 | b3d9f75908a75f9680c550502ecda6cd |
| SHA1 | 268d0604f00f277cd8d8dcb423c06767ff89198a |
| SHA256 | 613e3e31fc00a87efac407cd0a6f94400d291b0d3865a23e6228f7dbe59d3d60 |
| SHA512 | 4f46ae8ada64ad801d890a1025a4c66c9218839dd0bece34d0dccaaa5d2a05c0c2c3ed982fb92b9b135210b79c9090d71b63a7440d0cf7e95431237342dba0d4 |
C:\Windows\System\KqUsdia.exe
| MD5 | 4bc9fb58baffc3b7757e08d516a0beb2 |
| SHA1 | 278dbb840a4b96b0d45be6ed5e6549914e368c4e |
| SHA256 | 84158405171e5aca97418cb2b0405d98c06fbc193e3b12d6149a2925216e8e56 |
| SHA512 | fee0eb6d1f99f967231d22bc48bac7a91e7bcf7abebf1a198566795011bd63d1b1cd2126040746da50f8d4194ba80f20c0031edcdeb284fbe4a801cb43b361fd |
memory/2916-121-0x00007FF7AF190000-0x00007FF7AF4E4000-memory.dmp
C:\Windows\System\AEnbAtQ.exe
| MD5 | f508853d44146e249e26604b4e2229a1 |
| SHA1 | 752d83c404cfa3e816bdb5f627b60b5e83c938b7 |
| SHA256 | 59e292354c41f34637fc0b5a3c444fe113ce9bdad91efa2f8513647bb82aab7b |
| SHA512 | 21fbe44c9a0fd77657b55650b34e3276e1e6d7768aec45d2eea296de4503d64403fbd516fcd189241b3039fa202770916f319dfbc4df3f23f215e8d79dda0321 |
C:\Windows\System\aRfgfgy.exe
| MD5 | 07aefd1a0746845583532711727a8c97 |
| SHA1 | b66799cc2614a831b1d9568fda0305083036d2f9 |
| SHA256 | b087f28782bb3f5ee2aaa17d5f3f58f93436dbfbd826c0ad8b3b601f8490e62b |
| SHA512 | 22fb7cfd9d668d9b63e31075e7bb5b1d3efb85877fa7b646aae7b7994d50606408256a1ec0ef1a6c0e02cbb55a019131bfb1897abebb39e9eb9db0f178e054b9 |
C:\Windows\System\JmLOXNV.exe
| MD5 | 9efcb56eafcc256f1a7676b60ff438b6 |
| SHA1 | c6d4db5b42edad381bbac1c823dd3c930b5fbab9 |
| SHA256 | 383b8ec11866b804e6ead59d589ea595a789a21cca2aea3e912fe1c9e3595dd1 |
| SHA512 | 7c0655dc786bb51c6d5c80f147ee7e29f656021b128824edf1108f533584f8648da18087da18f902fe0a155cedfc46341f9851b4b5641cd6d26c6df7d3b6fc2e |
C:\Windows\System\vrhEQmA.exe
| MD5 | 2150075cb1dc9783d7ca771fe4299ea8 |
| SHA1 | 6748aa0fe51fc2aac389f87d6bd96371764928f1 |
| SHA256 | c7f98a4ae97df0cc7046d108c1bc40805a82f476be4977e6fc3b1e55a6865897 |
| SHA512 | df82549263b4e37d8c0baadceda89558cd893d12a6ded2e7d236118f40211d2aa1c0c078223f3f41ef605265b7b5d356ea24ffce6d3de081b2e2b1321b37a5b1 |
memory/2404-115-0x00007FF7ACF80000-0x00007FF7AD2D4000-memory.dmp
memory/2756-114-0x00007FF766FB0000-0x00007FF767304000-memory.dmp
C:\Windows\System\QQToAos.exe
| MD5 | ad4aeef9e51c3700e067b3281ab42b7f |
| SHA1 | 59761ef516693fbcb7b8890f6691c61216c09260 |
| SHA256 | 5834bbaa2353273884c91bc2925d28b5dfd22d7b7c2ad8bfc29d744d85659dcc |
| SHA512 | 50a4db054a5972e7565ff7c1ce7f8baa8eae8e3e6d3bf530c6b44477f2b4ad12beb8b18f21444117f8b43cf8e45c2946f3ace025b938a7535b3c6f4a12205e5d |
memory/2216-104-0x00007FF79C0B0000-0x00007FF79C404000-memory.dmp
memory/2956-93-0x00007FF64B8E0000-0x00007FF64BC34000-memory.dmp
memory/1600-92-0x00007FF79D260000-0x00007FF79D5B4000-memory.dmp
memory/5752-85-0x00007FF6B7950000-0x00007FF6B7CA4000-memory.dmp
C:\Windows\System\iyOgkfk.exe
| MD5 | 1451f39bc825ef0cb58c9ccd1d000334 |
| SHA1 | 58ad8093e73579987ac0765613a4e3d60cd1b775 |
| SHA256 | 85d4947618175d689038a452be6907e7e3a030eb08587c7aaa71b85d9adacaac |
| SHA512 | b848b0c888d1f705f18a57c56c529678bfa8ba072ad5b09a8f21d50f387e7973026be5879fc9da623c9af806056ba6018446ded5d0808d75c95a0fca123f4850 |
memory/1304-82-0x00007FF7C7DE0000-0x00007FF7C8134000-memory.dmp
memory/1112-80-0x00007FF6671A0000-0x00007FF6674F4000-memory.dmp
C:\Windows\System\TKZfWCA.exe
| MD5 | 416b65230bec1ed1d2e108f25bd61416 |
| SHA1 | 8fc34b8514b4f637192bdcfc8c525f79f83aa31d |
| SHA256 | 99b1e2f5d02849101b2222ccbde52493c63559a1a30370184629e17fc885e129 |
| SHA512 | 48d426450f8c445cb9367caf2a8e24eec7f82fbd8eb7fc472899185737f80ee0c7bcf5131d19425ed17255c8dd8d3ca098f75c7a40d3f8cf70274f062d5e31b3 |
memory/5808-74-0x00007FF735620000-0x00007FF735974000-memory.dmp
C:\Windows\System\dzHDtKM.exe
| MD5 | 9c212a1b2082ec560dfa689ec19a7a85 |
| SHA1 | 129a9580302ace3efff2fd5eae4ba42bfdc02d43 |
| SHA256 | 0ef284cc44f2172b3e3a10048673676b4f34f06e11fa69510d9ba240117ecf5b |
| SHA512 | 4744dd5b415243af3d87a02a8c2731881e8446a32f3dd97c6c17002296bde1e58c383c712af70634939693962a1ecbaeaae2dcd8f40b26e0a2877f02af6e514e |
C:\Windows\System\FyxsthR.exe
| MD5 | 82856592505bec38c209e5504b043742 |
| SHA1 | 2eb34527fd5121dc331a12875396078655bfea5d |
| SHA256 | 76e1b37cf071f378e861112be28f8ba24a845bd0cc0482fb0e6e9ae866bea81e |
| SHA512 | 9da847f01284a61010894c12c1e88902a543b32ff44df7299047ed3f1dce778bb3a17b1c819d3af9267ed0346a43568adae62133dfbe656f245b149029e684ab |
memory/1144-56-0x00007FF6945E0000-0x00007FF694934000-memory.dmp
memory/5232-129-0x00007FF634E90000-0x00007FF6351E4000-memory.dmp
memory/2860-131-0x00007FF714BE0000-0x00007FF714F34000-memory.dmp
memory/4968-130-0x00007FF673C70000-0x00007FF673FC4000-memory.dmp
memory/5300-128-0x00007FF611510000-0x00007FF611864000-memory.dmp
memory/2232-127-0x00007FF6758D0000-0x00007FF675C24000-memory.dmp
memory/924-133-0x00007FF671990000-0x00007FF671CE4000-memory.dmp
memory/3560-132-0x00007FF715260000-0x00007FF7155B4000-memory.dmp
memory/3020-134-0x00007FF7856E0000-0x00007FF785A34000-memory.dmp
memory/1144-135-0x00007FF6945E0000-0x00007FF694934000-memory.dmp
memory/1304-136-0x00007FF7C7DE0000-0x00007FF7C8134000-memory.dmp
memory/5752-137-0x00007FF6B7950000-0x00007FF6B7CA4000-memory.dmp
memory/2756-139-0x00007FF766FB0000-0x00007FF767304000-memory.dmp
memory/2216-138-0x00007FF79C0B0000-0x00007FF79C404000-memory.dmp
memory/2404-140-0x00007FF7ACF80000-0x00007FF7AD2D4000-memory.dmp
memory/2956-141-0x00007FF64B8E0000-0x00007FF64BC34000-memory.dmp
memory/2916-142-0x00007FF7AF190000-0x00007FF7AF4E4000-memory.dmp
memory/2860-143-0x00007FF714BE0000-0x00007FF714F34000-memory.dmp
memory/3076-144-0x00007FF6CC190000-0x00007FF6CC4E4000-memory.dmp
memory/5132-145-0x00007FF6436A0000-0x00007FF6439F4000-memory.dmp
memory/924-147-0x00007FF671990000-0x00007FF671CE4000-memory.dmp
memory/3020-148-0x00007FF7856E0000-0x00007FF785A34000-memory.dmp
memory/3560-146-0x00007FF715260000-0x00007FF7155B4000-memory.dmp
memory/1144-149-0x00007FF6945E0000-0x00007FF694934000-memory.dmp
memory/4368-150-0x00007FF6DB3E0000-0x00007FF6DB734000-memory.dmp
memory/1112-151-0x00007FF6671A0000-0x00007FF6674F4000-memory.dmp
memory/1600-152-0x00007FF79D260000-0x00007FF79D5B4000-memory.dmp
memory/2216-153-0x00007FF79C0B0000-0x00007FF79C404000-memory.dmp
memory/2756-157-0x00007FF766FB0000-0x00007FF767304000-memory.dmp
memory/2404-158-0x00007FF7ACF80000-0x00007FF7AD2D4000-memory.dmp
memory/1304-156-0x00007FF7C7DE0000-0x00007FF7C8134000-memory.dmp
memory/4968-161-0x00007FF673C70000-0x00007FF673FC4000-memory.dmp
memory/5232-160-0x00007FF634E90000-0x00007FF6351E4000-memory.dmp
memory/5300-159-0x00007FF611510000-0x00007FF611864000-memory.dmp
memory/2232-155-0x00007FF6758D0000-0x00007FF675C24000-memory.dmp
memory/5752-154-0x00007FF6B7950000-0x00007FF6B7CA4000-memory.dmp
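The Files listing mixes dropped-file hash blocks with memory/<pid>-<n>-<start>-<end>-memory.dmp region names, and the same region is dumped more than once per process. The parser below is an added example, not part of the sandbox report; LISTING is a subset copied verbatim from the section above. It collapses repeated dumps, derives each region's size from its address range, and checks that the dropped files carry distinct digests, which is what a practitioner needs before deciding whether the twenty-one drops are one image under many names.

```python
r"""
Parse a Triage-style Files listing: dropped-file hash blocks plus
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names. Subset copied from the report.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

LISTING = r"""
memory/5808-0-0x00007FF735620000-0x00007FF735974000-memory.dmp
memory/5808-1-0x00000211C94F0000-0x00000211C9500000-memory.dmp
memory/2956-8-0x00007FF64B8E0000-0x00007FF64BC34000-memory.dmp
C:\Windows\System\gPyJVBd.exe
| MD5 | a359d6caa893a42f0dad25f894ebe35a |
| SHA1 | de35a310e45e646988eb6f9b6ff4c7cb0efd0efa |
| SHA256 | 874b38edcf8ec97a85cd6375e376242eadbdcaa060abd549967b4fd02be537e0 |
| SHA512 | 7e7f7c9498c3e104e939450ba1f5a628b3571ec66008a85331e86e7be1470b4536119f14ed82d91ad42d39e7f886b3fcf83d63d6578ab90605a4d2ef6e88dc07 |
C:\Windows\System\lmcZFcB.exe
| MD5 | 9c8c73f4fe8fac0a2878b6afa8372aee |
| SHA1 | 20b1f5e16630f351e020c7659f6ef89bbb6ec4b9 |
| SHA256 | 18fe9e17dcc8912ff6d868751bc1f787c12a54d3d6d39a7717e8d48b83b80c77 |
| SHA512 | b37c5b87c039b67b4b9cbfb4415b36fe11d1d6db5eb4ced93c410725857ca5ad251962e7329bdd77696d511bda8ffd37900d532aed8e90a9d3485d75f7741f60 |
memory/2916-13-0x00007FF7AF190000-0x00007FF7AF4E4000-memory.dmp
C:\Windows\System\aOMehxr.exe
| MD5 | 982dfe13f3932fbaf4b76e5611b6b165 |
| SHA1 | dd5b797c40b3314494701fdb39a5778b9fe87177 |
| SHA256 | 3ae30f8778c1eb73ec6861fa9aea1618c1a2b71753956273764fa6d328837b31 |
| SHA512 | 2d21202743bbfce758ff9540efe6e59729e2c0ef79b810a619a1f9221292257347e5c105c1694d48d26b5c6fed686f98cf6232b770b53c80fd8dc79d5d2a97cf |
memory/5808-74-0x00007FF735620000-0x00007FF735974000-memory.dmp
memory/2916-121-0x00007FF7AF190000-0x00007FF7AF4E4000-memory.dmp
memory/2956-141-0x00007FF64B8E0000-0x00007FF64BC34000-memory.dmp
"""


def parse_listing(text):
    """Return ({path: {algo: digest}}, [dump dicts]); digest lengths are validated."""
    files, dumps, current = {}, [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has wrong length")
            files[current][algo] = digest
            continue
        if line.startswith("C:\\"):
            current = line
            files.setdefault(current, {})
    return files, dumps


def unique_regions(dumps):
    """Collapse repeated dumps of one range: pid -> sorted [(start, size)]."""
    seen = defaultdict(set)
    for d in dumps:
        seen[d["pid"]].add((d["start"], d["size"]))
    return {pid: sorted(v) for pid, v in seen.items()}


def common_image_size(dumps):
    """Most frequent region size and the PIDs that have it; identical sizes in
    every process point to one PE image dropped under many names."""
    size, _ = Counter(d["size"] for d in dumps).most_common(1)[0]
    return size, sorted({d["pid"] for d in dumps if d["size"] == size})


def distinct_digests(files, algo="SHA256"):
    """(all distinct?, count) for one algorithm across the dropped files."""
    digests = [h[algo] for h in files.values() if algo in h]
    return len(digests) == len(set(digests)), len(digests)


if __name__ == "__main__":
    f, d = parse_listing(LISTING)
    print(unique_regions(d))
    print(hex(common_image_size(d)[0]), common_image_size(d)[1])
    print(distinct_digests(f))
```

On this subset every image-sized region is 0x354000 bytes while the file hashes all differ, so the dropped files share a layout but not bytes; the right follow-up is to diff two of the dumps rather than to hash-block the drops one by one.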