Analysis Overview
SHA256
27b9b2e874fd961244b9b951333a8f1a43c3e2e7b1bf5bdf6ef8f544ea758948
Threat Level: Known bad
The file 2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-27 06:50
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 06:50
Reported
2024-05-27 06:52
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YLwLodl.exe | N/A |
| N/A | N/A | C:\Windows\System\zyCYHuZ.exe | N/A |
| N/A | N/A | C:\Windows\System\RLCNemZ.exe | N/A |
| N/A | N/A | C:\Windows\System\TzFLNTW.exe | N/A |
| N/A | N/A | C:\Windows\System\JHKcXgY.exe | N/A |
| N/A | N/A | C:\Windows\System\sKhddsH.exe | N/A |
| N/A | N/A | C:\Windows\System\WQDszuz.exe | N/A |
| N/A | N/A | C:\Windows\System\aEhwFfg.exe | N/A |
| N/A | N/A | C:\Windows\System\onouNdH.exe | N/A |
| N/A | N/A | C:\Windows\System\AXhWwbF.exe | N/A |
| N/A | N/A | C:\Windows\System\swmtOff.exe | N/A |
| N/A | N/A | C:\Windows\System\VRkbipI.exe | N/A |
| N/A | N/A | C:\Windows\System\mKdcbzP.exe | N/A |
| N/A | N/A | C:\Windows\System\ddAuABI.exe | N/A |
| N/A | N/A | C:\Windows\System\vcJNtLq.exe | N/A |
| N/A | N/A | C:\Windows\System\fqNwZua.exe | N/A |
| N/A | N/A | C:\Windows\System\AfSgWdV.exe | N/A |
| N/A | N/A | C:\Windows\System\LrtzQxF.exe | N/A |
| N/A | N/A | C:\Windows\System\vmkhKAk.exe | N/A |
| N/A | N/A | C:\Windows\System\Cvmkyym.exe | N/A |
| N/A | N/A | C:\Windows\System\dStkkYR.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\YLwLodl.exe | C:\Windows\System\YLwLodl.exe |
| C:\Windows\System\zyCYHuZ.exe | C:\Windows\System\zyCYHuZ.exe |
| C:\Windows\System\RLCNemZ.exe | C:\Windows\System\RLCNemZ.exe |
| C:\Windows\System\TzFLNTW.exe | C:\Windows\System\TzFLNTW.exe |
| C:\Windows\System\JHKcXgY.exe | C:\Windows\System\JHKcXgY.exe |
| C:\Windows\System\sKhddsH.exe | C:\Windows\System\sKhddsH.exe |
| C:\Windows\System\WQDszuz.exe | C:\Windows\System\WQDszuz.exe |
| C:\Windows\System\aEhwFfg.exe | C:\Windows\System\aEhwFfg.exe |
| C:\Windows\System\onouNdH.exe | C:\Windows\System\onouNdH.exe |
| C:\Windows\System\AXhWwbF.exe | C:\Windows\System\AXhWwbF.exe |
| C:\Windows\System\swmtOff.exe | C:\Windows\System\swmtOff.exe |
| C:\Windows\System\VRkbipI.exe | C:\Windows\System\VRkbipI.exe |
| C:\Windows\System\mKdcbzP.exe | C:\Windows\System\mKdcbzP.exe |
| C:\Windows\System\ddAuABI.exe | C:\Windows\System\ddAuABI.exe |
| C:\Windows\System\vcJNtLq.exe | C:\Windows\System\vcJNtLq.exe |
| C:\Windows\System\fqNwZua.exe | C:\Windows\System\fqNwZua.exe |
| C:\Windows\System\AfSgWdV.exe | C:\Windows\System\AfSgWdV.exe |
| C:\Windows\System\LrtzQxF.exe | C:\Windows\System\LrtzQxF.exe |
| C:\Windows\System\vmkhKAk.exe | C:\Windows\System\vmkhKAk.exe |
| C:\Windows\System\Cvmkyym.exe | C:\Windows\System\Cvmkyym.exe |
| C:\Windows\System\dStkkYR.exe | C:\Windows\System\dStkkYR.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 06:50
Reported
2024-05-27 06:52
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bvYzzDd.exe | N/A |
| N/A | N/A | C:\Windows\System\LhwYKVW.exe | N/A |
| N/A | N/A | C:\Windows\System\ACdsnwc.exe | N/A |
| N/A | N/A | C:\Windows\System\tHjWivQ.exe | N/A |
| N/A | N/A | C:\Windows\System\aiHXtOT.exe | N/A |
| N/A | N/A | C:\Windows\System\ubLRzZT.exe | N/A |
| N/A | N/A | C:\Windows\System\gsBcrbI.exe | N/A |
| N/A | N/A | C:\Windows\System\sUTsCqB.exe | N/A |
| N/A | N/A | C:\Windows\System\qYfRuDJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UyyeFfh.exe | N/A |
| N/A | N/A | C:\Windows\System\XISSJaa.exe | N/A |
| N/A | N/A | C:\Windows\System\VrgROXq.exe | N/A |
| N/A | N/A | C:\Windows\System\sTtovNB.exe | N/A |
| N/A | N/A | C:\Windows\System\GiFZGgW.exe | N/A |
| N/A | N/A | C:\Windows\System\uIuKwaR.exe | N/A |
| N/A | N/A | C:\Windows\System\oWtAhed.exe | N/A |
| N/A | N/A | C:\Windows\System\QggPsyB.exe | N/A |
| N/A | N/A | C:\Windows\System\JnXzYOT.exe | N/A |
| N/A | N/A | C:\Windows\System\gMktBTB.exe | N/A |
| N/A | N/A | C:\Windows\System\RgTOuvr.exe | N/A |
| N/A | N/A | C:\Windows\System\pLAHrbi.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_513efb4aab5bb7dbf13af5d8f62ea41f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\bvYzzDd.exe | C:\Windows\System\bvYzzDd.exe |
| C:\Windows\System\LhwYKVW.exe | C:\Windows\System\LhwYKVW.exe |
| C:\Windows\System\ACdsnwc.exe | C:\Windows\System\ACdsnwc.exe |
| C:\Windows\System\tHjWivQ.exe | C:\Windows\System\tHjWivQ.exe |
| C:\Windows\System\aiHXtOT.exe | C:\Windows\System\aiHXtOT.exe |
| C:\Windows\System\ubLRzZT.exe | C:\Windows\System\ubLRzZT.exe |
| C:\Windows\System\gsBcrbI.exe | C:\Windows\System\gsBcrbI.exe |
| C:\Windows\System\sUTsCqB.exe | C:\Windows\System\sUTsCqB.exe |
| C:\Windows\System\qYfRuDJ.exe | C:\Windows\System\qYfRuDJ.exe |
| C:\Windows\System\UyyeFfh.exe | C:\Windows\System\UyyeFfh.exe |
| C:\Windows\System\XISSJaa.exe | C:\Windows\System\XISSJaa.exe |
| C:\Windows\System\VrgROXq.exe | C:\Windows\System\VrgROXq.exe |
| C:\Windows\System\sTtovNB.exe | C:\Windows\System\sTtovNB.exe |
| C:\Windows\System\GiFZGgW.exe | C:\Windows\System\GiFZGgW.exe |
| C:\Windows\System\uIuKwaR.exe | C:\Windows\System\uIuKwaR.exe |
| C:\Windows\System\oWtAhed.exe | C:\Windows\System\oWtAhed.exe |
| C:\Windows\System\QggPsyB.exe | C:\Windows\System\QggPsyB.exe |
| C:\Windows\System\JnXzYOT.exe | C:\Windows\System\JnXzYOT.exe |
| C:\Windows\System\gMktBTB.exe | C:\Windows\System\gMktBTB.exe |
| C:\Windows\System\RgTOuvr.exe | C:\Windows\System\RgTOuvr.exe |
| C:\Windows\System\pLAHrbi.exe | C:\Windows\System\pLAHrbi.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\bvYzzDd.exe
| Hash | Value |
| MD5 | 6368cb81c72ca10e60b7266def3e2d60 |
| SHA1 | 393181c70f72b248ad2598ff689074bc58fed23f |
| SHA256 | 292a9193c83095739cd24a616c42ee21f4ec15ce4daf6470184ecf0e2a221354 |
| SHA512 | 4e37ec8883414e25f4abb964249aa281717e2423ffb66c23529afcb63ad71ec1589810e29fb6151a8fc74a0e1ada3fd0fa6043c7e41b3702fdad74d91b9f0b8a |
C:\Windows\System\LhwYKVW.exe
| Hash | Value |
| MD5 | 550535acb3911d45cbed5a1fead66f9a |
| SHA1 | 40ff778d0b7060a38c7b2875c9632e0be15b388d |
| SHA256 | 23cadfb8718e1c77b7f772efa5e0ad1bbb72caf3d683865a971dd7fb3cc1c3fc |
| SHA512 | 18c5d55eb18c800db44025607d9f0c2949b7fe6e434f5388e7b30497d864992a67bd2c2fbd21eb928b5180680aba8ed2ac34b75757fe78a32108c9964496ba8b |
C:\Windows\System\ACdsnwc.exe
| Hash | Value |
| MD5 | d113f3848e08921585a4c7a755f2a4d3 |
| SHA1 | d7dcd5747a8b848a9aa67f42c4a2a3060dbfc389 |
| SHA256 | 058d3f71a350386114b10595e9618553de01ff80f119609a125052420072e8ad |
| SHA512 | d2eecb7449006f2d9ce166333d7ce4cb4ed9396d1d9a655a07357015714a66ff4eaccc35a460a419e9067657000796dc8802ab74a0a23dc5599477ec33b0ca86 |
C:\Windows\System\tHjWivQ.exe
| Hash | Value |
| MD5 | 7ac4a81380ef18e35872ab47a48ed1f1 |
| SHA1 | 1661eea5a0661faf8bdaa27fda74219da593e2b9 |
| SHA256 | d2e7e59695f252e4f5e3b74d2448516ecb25c02b7c934920ade0fc2fd2b2873b |
| SHA512 | 83a55e1877bcb767d95d3cee0053526d65d8a9bd4d8d4dafb1f0dd92d6dd6458ff50d495890906ef50974b219bfedd03f15428ba4fc9a15a420e8be838ef549e |
C:\Windows\System\aiHXtOT.exe
| Hash | Value |
| MD5 | 06e71c1e25e61966c9a6c2438748f2e0 |
| SHA1 | 55b91e065177540822fdb4fbd5a0bc726ab3a1b6 |
| SHA256 | b7e2f38a93381e6c21597a53f2bf4f00d7a83cf0cf6823f890c8b3096cdf2485 |
| SHA512 | 4841b9dc481d974aac2a68f7090c7599ddc6dbf48892255f7fe3c9e0a3801991ace7d78d4d1040f91967554e3bd611dfedbfe52732696d63ac5626a019161e59 |
C:\Windows\System\ubLRzZT.exe
| Hash | Value |
| MD5 | 1ea39ad11297edaef54f0e9b75e2a1cb |
| SHA1 | d17018327b0f81f52ebcf2ed8862b26a67415546 |
| SHA256 | c640cc098acfe5db06fdfe9b4acf114fbe76ca634615c04595656efe4c9f0182 |
| SHA512 | 2209c3109a521ca01feb744ec3cf0bc6c85bba3fcd8402135d76f0facec6e19bd97d9a7da573e2dc597dc5790013abc2188769c16a10ad4445aa7ce53af58830 |
C:\Windows\System\gsBcrbI.exe
| Hash | Value |
| MD5 | 0badc40a2dd76376f0d761c06d2c68fe |
| SHA1 | 6748be8947a8f164271c6510fc770b693e86bdd3 |
| SHA256 | dfd5be27fadec2ae0c737124c199765bf23cbaeee4dbb0d279e90a16cf2aa1b3 |
| SHA512 | b516aa6ef2b0bec3a874f7726f5a0eee8b2ac0afcce394f353d32c6b569d23156266654ed8b76c3ddbe8f3b14506b74739fb9283a4452039fdcdc9b9452dc84e |
C:\Windows\System\sUTsCqB.exe
| Hash | Value |
| MD5 | 818f7d330a6916e68066bd86cba75220 |
| SHA1 | 06ad4edf7a00347230676c74bd1fa8f792ee93e1 |
| SHA256 | 60be9605b0114566b6c18a01849c94333a11ec0caab2439493e128ec34672172 |
| SHA512 | 4c69616e59b335c27bae4838df32f98f22bf6dbb785bec165805a65fbfd6e71c1046365e4899e8825e3681ad344376cbadb0d8b68f0dbe2c5507a2070d40b760 |
C:\Windows\System\qYfRuDJ.exe
| Hash | Value |
| MD5 | 40d0764ba1321defa97a46a64bf297ec |
| SHA1 | a92f3a50142d5ca5addd188795bb4ef457ff1815 |
| SHA256 | e8348ff7826bf1c4d1870f51c70de36a8855716ed544ff09bbe4003c190c101b |
| SHA512 | ab98b223f38e0c7a65bd49ded0074700232a20426737643da69a6ad6680b15a03dc745ae80125dfc73ae48d21396ab5cffef778a27aec39be157d43f9f3ae0d3 |
C:\Windows\System\UyyeFfh.exe
| Hash | Value |
| MD5 | 87912c2fd3abb8c025b34afd6b26e6ed |
| SHA1 | 9d305e71b8fcf72dc6af7336aee48f3d577fb654 |
| SHA256 | 303b68b7b0c50a796c30e443a77024db39860bf921d7b329274a5ebf71391566 |
| SHA512 | f3a9ef5dfb0837f169b1cb89ed6301c82779f1194e72fdccc2ff879840b4998c98fc39643f3e668e0d25e49a80b88b25ce62e908ae99440f703b0efa7ce53e78 |
C:\Windows\System\XISSJaa.exe
| Hash | Value |
| MD5 | 120be4a8a986d6d46637555085f354e4 |
| SHA1 | d368eaf8ac4124b7fbb11535cc6eb2724e84555a |
| SHA256 | 1983c3183aff6de1b724b6b9152de62f6db6265432364909a512693c24f16402 |
| SHA512 | 56aea2459ccfdfcdf731a386d6d11a0f1e901b20e495c57fbc46d19cd4c09da3147c5afe11afecc7258eca50d9e8e46ffd624fdff8aa4e09f6cb9f04325b2a55 |
C:\Windows\System\VrgROXq.exe
| Hash | Value |
| MD5 | 3c28774952ee1c6b58b85cf440a6ceeb |
| SHA1 | 86226158903614bc2f7bedef33f72aec10f5687b |
| SHA256 | 0126e150abae1d5874677583597e3ce0bba352be5a19f3fdd10843d80c576df8 |
| SHA512 | d9b0553eec094d3cb6ad0502b73a5b943da283f6c233359ae5ea3cf2b120b80cd526e5fe7bba696e3e8dce0fae861ad38724e44bba6fd3f044c09f9391e1a19a |
C:\Windows\System\sTtovNB.exe
| Hash | Value |
| MD5 | ad5072a9f45b9c872714e556d5554b38 |
| SHA1 | 6ecd1c5cbe58df5a0b5975f5dadb95fffdedf65e |
| SHA256 | e9beb6ba3bff81ed746ccd5b5241e04e520f16d3091dd6e69cad94d0335b3d55 |
| SHA512 | 0a56a6e1674375f06f48d0613dd549a8da8871a9cbed3a27089fb872fcf6a1c96c2943a8439c0a0219464f88d970e47fd66bf61bb9a9b23b5d490467b99e83aa |
C:\Windows\System\GiFZGgW.exe
| Hash | Value |
| MD5 | 2e4b29fc6ff77358609736c836032055 |
| SHA1 | 265ee787031bd0050fbe3aa3ddf1d212cf6447f3 |
| SHA256 | 3a5ce127104c175c38042d891348d8ed7597578d36692320a1dacf3ad9692d53 |
| SHA512 | ea308c3f6755639a39b56d73e8d49d4201800f3ddbf528175db23f621aec7b635f757000328a5686ea34b9e83bddff5f59774fd4e7086b71abbb74a4cfd78d4a |
C:\Windows\System\uIuKwaR.exe
| Hash | Value |
| MD5 | f59403445df793bb7130bc33f24402b3 |
| SHA1 | 8e21d055437fd6c6da22ccbd90dd3af842f374ce |
| SHA256 | 906510c7bb7a24b93bf5fab2f2be724daa16ace98548b113d42f957a89196855 |
| SHA512 | 0df57016b8c9fe164a6d18d19df3bf4f4d1cd0d1a5a993cc9fc0ebc4713602313dab889a368bd5ff95e928a88f96ef116baa979b2df37a5288bcb6de76dc6f92 |
C:\Windows\System\JnXzYOT.exe
| Hash | Value |
| MD5 | 2891c97a1e2a37c751d30ed360143a31 |
| SHA1 | de825466e54f3173f4ddbaccec35ad043cb5db79 |
| SHA256 | 910239011eadcd0688ba429b6a7b43e076ab7452fa6f26b8c64a960c09ad73cc |
| SHA512 | 445d4bdbef28af06847a1fc5d2623f54a1b9a656433de5e3f8cac330e4505ec44b96d92e9e97e6a50bf99b4454703052440f034c75ccb3654e41bdc6bb98adc1 |
C:\Windows\System\gMktBTB.exe
| Hash | Value |
| MD5 | 48cafb59acca20c9bc4c4d9981d0832e |
| SHA1 | e6672331cedeb2a10e7883a84179a2a53a82747c |
| SHA256 | 5c12f3f9d77d59737548f7800d682feac3a57d57ddc907bc27c9057c2656d007 |
| SHA512 | 9f8b336a8a1e414cbbb882e3d1f02fa96e11528b42f196fd05bc29ce508ecc4db4a41fcfdf98258554cb617879cdde16d021e82ef2158964ef974e226717319e |
C:\Windows\System\RgTOuvr.exe
| Hash | Value |
| MD5 | 60f7d02abe4ba4ac6a7b426dd9360886 |
| SHA1 | 35bb91a00864622fb0e53a1b0fa09dee44defe17 |
| SHA256 | d98587e39ed4cd4bdc2678ec0965375988b8d392a93490453d964ef1852b6304 |
| SHA512 | 93837ffbb39bcc369f9eab04c3a33a68060f4423d7a5a46bf01a10e6e80606fec1850ba73dc77ae402eac45b77fae59ac136568c718ffd34e8f307c40e726710 |
C:\Windows\System\pLAHrbi.exe
| Hash | Value |
| MD5 | 8b4fe02e8d55098c73c9b72cf5f0060f |
| SHA1 | 135c556692984ec19738bbe3895fd2cb44f5b5d9 |
| SHA256 | 4c0d1c882515d1285d73e4401552beb06c2dcb92e5f0ca68a2fcc920b5d7041c |
| SHA512 | b9c1cf579455bd3fddd7902ea75f43cb43a42fcb6cc4d5552f7a225f277e02916c927a8d255aeb9674ed38ce7d257a7afdfb9b7828a13f1654331c937ee5cb5e |
C:\Windows\System\QggPsyB.exe
| Hash | Value |
| MD5 | 2aadcef95ea02a86b41d893faa3c268e |
| SHA1 | b64c652c0afa8f8bfe8eff9da4b33d526926d45a |
| SHA256 | c9059e23c6e836c0669e712d48f8b1875455388d8744635d355550ef98af64a6 |
| SHA512 | 557ba844daa585f3181a27ec8460e37e25c5c6142d6022b0c73e265274bd77a0a7e83047f85933f138966101842e00cd72ef415a8856ba7004f34baae0dd4e02 |
C:\Windows\System\oWtAhed.exe
| Hash | Value |
| MD5 | eef3156b3487a6b69e5c6e051d5fd683 |
| SHA1 | da7cda9f19085498028db1bbfb854d9f0ff56853 |
| SHA256 | 074a8ec1d32137e5d912f681f409a86a3259f99796d2ec269cfdbb87de3601be |
| SHA512 | df37c765db8240de9e2980b04540652a169a1f2d4b3fc860b7db4e061d665df3041ac3a46adfe3d90419e5f6470d9bb26f22ad2e627343b9ca91e1c8ec85bea7 |