Analysis Overview
SHA256
ee6d2d8e826267e6bacc43b5da4ab6b1cd1be632c69fc88c4ca9623bf32c6a20
Threat Level: Known bad
The file 2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
XMRig Miner payload
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
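The summary above lists the behaviours the sandbox flagged: executables with random seven-letter names dropped into C:\Windows\System and executed, SeLockMemoryPrivilege enabled by the sample (the privilege XMRig requests for large-page memory), and repeated TCP connections to 3.120.209.58:8080. The following is an added example, not code from the sandbox or the report, showing how those three observations translate into detection logic over endpoint telemetry. The event schema, the PIDs other than 2304, and the SQL Server allowlist entry are assumptions; the path pattern and the endpoint come from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the report. The regex encodes the naming pattern of the
# dropped files: seven ASCII letters, mixed case, directly under C:\Windows\System.
DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
KNOWN_ENDPOINTS = {("3.120.209.58", 8080)}
# SeLockMemoryPrivilege is also used legitimately (e.g. SQL Server large pages).
# Assumed allowlist; tune it to the environment being monitored.
LOCKMEM_ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}


@dataclass
class Event:
    kind: str                 # "process", "token" or "network" (assumed schema)
    pid: int
    image: str
    parent_image: str = ""
    privilege: str = ""
    dst_ip: str = ""
    dst_port: int = 0


def evaluate(events):
    """Return {pid: [reasons]} for every event matching one of the report's behaviours."""
    hits = defaultdict(list)
    for e in events:
        if e.kind == "process" and DROPPED_EXE_RE.match(e.image):
            hits[e.pid].append("random 7-letter EXE run from C:\\Windows\\System")
        elif (e.kind == "token" and e.privilege == "SeLockMemoryPrivilege"
              and e.image.lower() not in LOCKMEM_ALLOWLIST):
            hits[e.pid].append(f"SeLockMemoryPrivilege enabled by {e.image}")
        elif e.kind == "network" and (e.dst_ip, e.dst_port) in KNOWN_ENDPOINTS:
            hits[e.pid].append(f"TCP to {e.dst_ip}:{e.dst_port}")
    return dict(hits)


def high_confidence(hits):
    """PIDs showing at least two distinct behaviours; a single hit is a lead, not a verdict."""
    return sorted(pid for pid, reasons in hits.items() if len(set(reasons)) >= 2)


# Constructed sample events. Paths mirror the behavioral1 run; PID 2304 is the
# initial process in the memory listing, the other PIDs are invented.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe")
EVENTS = [
    Event("token", 2304, SAMPLE, privilege="SeLockMemoryPrivilege"),
    Event("network", 2304, SAMPLE, dst_ip="3.120.209.58", dst_port=8080),
    Event("process", 2864, r"C:\Windows\System\VCSDccy.exe", parent_image=SAMPLE),
    Event("process", 1624, r"C:\Windows\System\goXhwHX.exe", parent_image=SAMPLE),
    # Benign noise: a System32 binary and an allowlisted large-page user.
    Event("process", 700, r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event("token", 1500, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
          privilege="SeLockMemoryPrivilege"),
]

if __name__ == "__main__":
    found = evaluate(EVENTS)
    for pid, reasons in sorted(found.items()):
        print(pid, "->", "; ".join(reasons))
    print("high confidence:", high_confidence(found))
```

The dropped-file rule is deliberately narrow (exact directory, exact name length) because C:\Windows\System is almost never written to by legitimate software on modern Windows; the privilege rule needs the allowlist because large-page users are rare but real.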
Analysis: static1
Detonation Overview
Reported
2024-06-01 11:29
Signatures
Cobalt Strike reflective loader: 1 hit (no description, indicator, process or target recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts: 1 hit (no details recorded)
UPX dump on OEP (original entry point): 1 hit (no details recorded)
XMRig Miner payload: 1 hit (no details recorded)
Xmrig family
UPX packed file: 1 hit (no details recorded)
Unsigned PE: 1 hit (no details recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 11:29
Reported
2024-06-01 11:31
Platform
win7-20231129-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader: 21 hits (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 hits (no details recorded)
UPX dump on OEP (original entry point): 53 hits (no details recorded)
XMRig Miner payload: 60 hits (no details recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VCSDccy.exe | N/A |
| N/A | N/A | C:\Windows\System\goXhwHX.exe | N/A |
| N/A | N/A | C:\Windows\System\HRNfXdV.exe | N/A |
| N/A | N/A | C:\Windows\System\OQwOOGQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PMlvBBh.exe | N/A |
| N/A | N/A | C:\Windows\System\wnmpLFD.exe | N/A |
| N/A | N/A | C:\Windows\System\ovnwmNv.exe | N/A |
| N/A | N/A | C:\Windows\System\JRLuLGb.exe | N/A |
| N/A | N/A | C:\Windows\System\sGMBoCL.exe | N/A |
| N/A | N/A | C:\Windows\System\AXbfgJC.exe | N/A |
| N/A | N/A | C:\Windows\System\aHhpnTW.exe | N/A |
| N/A | N/A | C:\Windows\System\BVFLQHY.exe | N/A |
| N/A | N/A | C:\Windows\System\SrSHhLh.exe | N/A |
| N/A | N/A | C:\Windows\System\sfqfijk.exe | N/A |
| N/A | N/A | C:\Windows\System\VAThEmC.exe | N/A |
| N/A | N/A | C:\Windows\System\lvyCOdD.exe | N/A |
| N/A | N/A | C:\Windows\System\InDEufA.exe | N/A |
| N/A | N/A | C:\Windows\System\iroZAyF.exe | N/A |
| N/A | N/A | C:\Windows\System\XgrufiE.exe | N/A |
| N/A | N/A | C:\Windows\System\GjtjuFQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PlBBjFa.exe | N/A |
Loads dropped DLL
UPX packed file: 53 hits (no details recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VCSDccy.exe
C:\Windows\System\VCSDccy.exe
C:\Windows\System\goXhwHX.exe
C:\Windows\System\goXhwHX.exe
C:\Windows\System\HRNfXdV.exe
C:\Windows\System\HRNfXdV.exe
C:\Windows\System\OQwOOGQ.exe
C:\Windows\System\OQwOOGQ.exe
C:\Windows\System\PMlvBBh.exe
C:\Windows\System\PMlvBBh.exe
C:\Windows\System\wnmpLFD.exe
C:\Windows\System\wnmpLFD.exe
C:\Windows\System\ovnwmNv.exe
C:\Windows\System\ovnwmNv.exe
C:\Windows\System\JRLuLGb.exe
C:\Windows\System\JRLuLGb.exe
C:\Windows\System\sGMBoCL.exe
C:\Windows\System\sGMBoCL.exe
C:\Windows\System\AXbfgJC.exe
C:\Windows\System\AXbfgJC.exe
C:\Windows\System\aHhpnTW.exe
C:\Windows\System\aHhpnTW.exe
C:\Windows\System\BVFLQHY.exe
C:\Windows\System\BVFLQHY.exe
C:\Windows\System\SrSHhLh.exe
C:\Windows\System\SrSHhLh.exe
C:\Windows\System\sfqfijk.exe
C:\Windows\System\sfqfijk.exe
C:\Windows\System\VAThEmC.exe
C:\Windows\System\VAThEmC.exe
C:\Windows\System\lvyCOdD.exe
C:\Windows\System\lvyCOdD.exe
C:\Windows\System\InDEufA.exe
C:\Windows\System\InDEufA.exe
C:\Windows\System\iroZAyF.exe
C:\Windows\System\iroZAyF.exe
C:\Windows\System\XgrufiE.exe
C:\Windows\System\XgrufiE.exe
C:\Windows\System\GjtjuFQ.exe
C:\Windows\System\GjtjuFQ.exe
C:\Windows\System\PlBBjFa.exe
C:\Windows\System\PlBBjFa.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2304-0-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2304-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\VCSDccy.exe
| MD5 | 2b13cb728dd4929a0f8d07aaf468a82b |
| SHA1 | 4924870dfad12c25ac6560f222f956d43989cb0d |
| SHA256 | 76081b30e9f680f492e1220ca461c773798ac5b57182609c2cbe84bcecc8d887 |
| SHA512 | 28a66912a5e7bca570aa98cd8c3b8a7846f3fd8d72821ecc92e791f091aaa7ce24ccab95019d15a07d165afa4fc80dd3e22551ec6d74ea4534f8ccbc6d779a08 |
memory/2304-8-0x0000000002450000-0x00000000027A4000-memory.dmp
C:\Windows\system\goXhwHX.exe
| MD5 | 1260e6ebe6829a80dc0d9ec57c3ae2c7 |
| SHA1 | d6f8dbdd79c6ae5f697db18ff41d4f68ebb047bd |
| SHA256 | e03e4f5015a5f987a521f330c45883ff04315e486e85927b33cfae22cfb3be4d |
| SHA512 | 6de1cfa2ec3c44a12b04f44c5b9ea4ebf8cb96cae68257b17cd402e6ae7992b7c387ffe1fafe04b09a90e25726d53f7f0385c40de8e8836bf1ecc5a18fce4f7f |
memory/1624-16-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2304-15-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2864-12-0x000000013FA70000-0x000000013FDC4000-memory.dmp
C:\Windows\system\HRNfXdV.exe
| MD5 | 3f9bc771f04eba27b896ae4493c7ed81 |
| SHA1 | 184fcc289d63cdf1a4d345d9c637a19636affdab |
| SHA256 | 2b42a3ef4910007aa5229daf1e93a3e8cf9d46f89ea287300fcf746cc301e0ad |
| SHA512 | b8931ae7bc5c74b2434f9879d58ec43c1ea0600083b85035fa94a6c7d116aaecaf3575415a727778f8a5c8aa897b0af18ec44a1e3e86f8033342bde0e1ddb322 |
memory/2304-22-0x0000000002450000-0x00000000027A4000-memory.dmp
C:\Windows\system\OQwOOGQ.exe
| MD5 | 809ca98fa1838a0ff48b9fb8149f2934 |
| SHA1 | 853a75744205c8eb3c4f345b26e4a2e8308d53a8 |
| SHA256 | 100c1685fa0a01f068394555a77821a2d0f2eab351d95f858065b86d55e48a79 |
| SHA512 | 3d6319143a23844d9e35d39bdcf1e7e109656f0c3eb82bc60f0c4713c78a4b15249cbf54324b1d767d55d7d4164ee10dc018d98bcb229926fc053a37433c4254 |
memory/1428-30-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2304-28-0x000000013F240000-0x000000013F594000-memory.dmp
memory/3028-26-0x000000013F640000-0x000000013F994000-memory.dmp
\Windows\system\PMlvBBh.exe
| MD5 | a035267395cd76a2d570e8ec13e211fd |
| SHA1 | aaa92ba226609705272cdbd625f7d88ea3ae216a |
| SHA256 | 784d87c0da8a40df8bbec1e1c860ab65fb2abc949c389afdf68c6cbe2ff7bf47 |
| SHA512 | c7d9f0ece9ea959656a69fd30971fcded97d7e2e2af1edd5ddc5a75c4498bd80c524d427a7dbee33b15d796869f2eb151d0f4ee285a859daef7a98c74acb026c |
memory/2304-41-0x000000013F1F0000-0x000000013F544000-memory.dmp
C:\Windows\system\wnmpLFD.exe
| MD5 | e3b4e7ec022fb3dc440b5689309deeb9 |
| SHA1 | 3c41c84e6d51403a25f60e3f2c22a533074277d4 |
| SHA256 | 983adeb2ebb99f42b7a8afeb5a7953df1246060abbdd45ea42f4f83acda1d6c5 |
| SHA512 | 019d6d3679561ae845fa89caac2dbac2f96fb4cad34c415e46d2c1361c827af983344defd8e86c11ae7fc811b6d26841a73339a8e89ba87e759a51f53ed74745 |
memory/2540-39-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2304-49-0x000000013FED0000-0x0000000140224000-memory.dmp
C:\Windows\system\ovnwmNv.exe
| MD5 | 2c129992490d7303b9d86120a5811461 |
| SHA1 | 16e09b115096fca9114c7f5f6367dc12a732c9db |
| SHA256 | 4c5526f5350f8730175e0f4075b1feae25cbc9a65268d8311a9601b1f2e60c1e |
| SHA512 | 39dd1c28c410150c70125026cdecdaf4d396d5f335fd6936d46ad06dab7dfeb7dff01fbf4b4e96105f0919e1957ef9f8fdf43dbc880891caa0bab8d456aface0 |
memory/2592-50-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2648-46-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2304-60-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/1184-63-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2304-62-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2304-65-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2684-64-0x000000013F340000-0x000000013F694000-memory.dmp
C:\Windows\system\sGMBoCL.exe
| MD5 | f06dde0bec409460e1be771c09db1a1d |
| SHA1 | 8939c2195dbf7199301dc767f13c768c9f9725bb |
| SHA256 | 7139ccf55eeacf3fd97692b2bcca76376aea0617418ab7dcf82cbe33952a38bb |
| SHA512 | 2e0c6c74ea80a216726ea16a26e960d4d367b42fa551f97e917457ed0e1d113737c351389c9132a3df33fbc757659961012d4cf9dad7ee42b80be116df56a555 |
C:\Windows\system\JRLuLGb.exe
| MD5 | 152b37feb954cfce6c6cba00bdc1bb24 |
| SHA1 | f86ffd36c9e546af9a4af30a8826ee92967cd11f |
| SHA256 | 734c71b90c33210451cf7807a95db5778b7f90f0250ae23dddd4ebcdd3c1e984 |
| SHA512 | a46970bf5e16325eb4d19516af366725b35438e8e06db784e8d16c50e7da08f840b2ec0a416c0e9982703a9473ff0f0ab973d3c62cba10c54c587fc797a5d84c |
\Windows\system\AXbfgJC.exe
| MD5 | a05fdba0448c38e2d178c426b7d64ebf |
| SHA1 | e22308d62790826a2fa1e2c1a95c3dabd031b8f4 |
| SHA256 | ca68029b085435dc90d3f98ad068881e6ec98a62178e89ec7a136a21a190bedd |
| SHA512 | e77026ad7a6bcb0bdfda92c2ebbe91e3d1d2298c899ff9794aae0011ff0b0a77d9271e17f2f199b3b83f6e48876f25ddabbcf98d1e97dbcafe27e8f5345b484b |
memory/2304-71-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2468-73-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2304-72-0x000000013FD40000-0x0000000140094000-memory.dmp
C:\Windows\system\aHhpnTW.exe
| MD5 | 67f728a10245902b42f681468fe797af |
| SHA1 | a4536f0b946ff48cb8b19063bd9fd8f699c80819 |
| SHA256 | 1a1894253e47bc74280bd8fb2935d4bc9df0296dfac1743a0cab31af9278741d |
| SHA512 | a4bf2cb31e82961f23c201ac913b11ca48f28059bc5833d469a945bfdd51221657fa00c2fb52853d98d58a398c850482fe66935860e79768db7cc0308b0d2bb3 |
memory/2304-79-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2700-80-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\BVFLQHY.exe
| MD5 | 16491b2668904c19ad71f06c6d27bbeb |
| SHA1 | 890d84a7a4df2bc6008d3d3c67ecbae282100e0c |
| SHA256 | d8cc3789cc37b6f065b8d530af7ecc513784870b0e057fd3672ebc2bdd69b078 |
| SHA512 | 27a0ab4c9bfb8551421f22dcb9da783e37f492f9e8605e98524e9614355318d7e8c8ccd0f34af870973918c39605a5b147483e253e569e7e9fd17f2a2ecd0138 |
C:\Windows\system\SrSHhLh.exe
| MD5 | 38ec69bd1e3ebd0ebc8143f38e1c882f |
| SHA1 | 79f3cf9bc6206e841770d9018d8f7ba481319120 |
| SHA256 | 6ba7ac6aa6217d964f3fead71586375bc636428a454b9e10235696702650c16e |
| SHA512 | a88990c9f195e01362bf88c395968bb4d684accd0930637b86c0e84a38fc9d831bf4696c8ce550f67afa030e55cc72798a0439d67e0b18f9ab0003448b2f75e9 |
memory/1616-100-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2304-104-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1428-105-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2304-107-0x000000013F250000-0x000000013F5A4000-memory.dmp
C:\Windows\system\iroZAyF.exe
| MD5 | 987dbe647ce54850d5991baed1ade27b |
| SHA1 | 2cb5ca126a66733f0a60d99a57e70d4afd4bbd6a |
| SHA256 | a6e9afce7cfa981af086cb5f35c59602b0fb55f80b4f27cdc25f6b8bb8512dea |
| SHA512 | b919cd99db37b42a74a90bf58e6a558b84c061921c209859e3e7a41c9e1ba0e5ee0392af000b4897c0308ca2857a91f6029d5bd6cb0d33e126cab280625be9b8 |
C:\Windows\system\InDEufA.exe
| MD5 | 3d65f2a68c79321d022b7b0c67e64481 |
| SHA1 | bd8d954449fa0c64f0362f77f3b52922f3c931d7 |
| SHA256 | 7fd28d146d6084b2699e114374201f695772a4ad4ec0d056479464cb3980fb62 |
| SHA512 | a6afeffe972283e406848b9982d09ecd03a7aa8089a2150005e0f2f55e5853492f2c8e6fd24e3527c66314963b48fd331d39e083b210ec75725e9a9d9cd6055b |
C:\Windows\system\PlBBjFa.exe
| MD5 | 019dbe37e755798af1e5d6f8127bdbd8 |
| SHA1 | c6f78a365b43c517bb2842b1cc117e7635816957 |
| SHA256 | 61adf8f7c1f0a842ea476977ce3e11b8b370cad38901bdb56205a64c3f7b27eb |
| SHA512 | 720899c6808b339be74898828d80f7ab6123e098e29876ac88f62deaedb3132fc6a94bbc3352e14bba0b30af8d6d07bc4d5b17930e95b4b52e7f2c6367f925a9 |
C:\Windows\system\XgrufiE.exe
| MD5 | b929e809c46378577e3ba0272d27d914 |
| SHA1 | 7310664e0b8f47caa3aa7661a31612dad2272b56 |
| SHA256 | b32cc0c9cc7dce6067d8eaeeb6a30bbaaede482ce4ba8c03e9d5f56ca0077bac |
| SHA512 | 11fcbda48eb364b3f8dd98312793d4c8caad36638eeb7bb15512d597c3f9115da09d6d26cff945f9cfe7f9db1591d07fd284379e6b0a7577b6e0dd697061a491 |
C:\Windows\system\GjtjuFQ.exe
| MD5 | c8f178fe08f0a9e6fce78b0bf7adcbb7 |
| SHA1 | 16d499f5fbc5428aa3eccc333708ce5bd50f5d70 |
| SHA256 | 0d033221d9e535d51297cb564731ce3218fe4ba79f7290bcc7f947499584aaf4 |
| SHA512 | d71d7c6a38d7765d5bda69a46f56d56ca35bf4c33afdc08cfc8b7e1ad3cbc744b23832e0dece1a4c6c073ba4e56afebc98c27d6c5df3fdfff6f45ad1a763014f |
\Windows\system\VAThEmC.exe
| MD5 | bc870bc7d7cf0ecce574b4f0a49aaa47 |
| SHA1 | c5bcfceb382e251f24f283c49617bedae26bab0d |
| SHA256 | 920df8e4a9eda059a7837076f7e71f07afb49a5b0392a648e5218fa0dd841f8d |
| SHA512 | 4cd3a3fc14180b136cde503204668314b43e0fca6953cac8a0f3b8426212f0bfa0f799cffc8d6a3d43cec17bcca830521c917d510710b5f6c6ea024256da325e |
C:\Windows\system\lvyCOdD.exe
| MD5 | e86a5a115c6574fdb937af60cfe4226a |
| SHA1 | 9a8ccb4921f57289595cd7fb2a5550e69edb697f |
| SHA256 | 5cf8765e091a6fd4183b04529f73348b74bee41c0b246f6f2e38c347acf3ecf2 |
| SHA512 | 5ca49247ab1da890825e89e614883df7fa4ad0a8424e58a51d5622d5ce8483f57d1922407c8133e9e80d8aa70cc3752e747a109aa7a43443a0cac178d1240fbb |
memory/2304-108-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2540-106-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2304-103-0x0000000002450000-0x00000000027A4000-memory.dmp
C:\Windows\system\sfqfijk.exe
| MD5 | ded062077eea747f0fb4eba56f41c89b |
| SHA1 | 286b1c8aa55a0542fe820f75f28d727bada8c83c |
| SHA256 | b592c695bbdc293881e457161acaeaa505cdf59f01faccdc661698e75e128279 |
| SHA512 | 9c588ceed710311f413ea8bc6375c945bebcee6e116305a9d297c3ed8b596baca7865705970cbae3c7126b6c5c2c9847bdac981536e83b63a67ac18276d7988b |
memory/2232-93-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2304-86-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2648-139-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2304-140-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2304-141-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2304-142-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/1616-143-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2304-144-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2304-145-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2304-146-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2864-147-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/1624-148-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/3028-149-0x000000013F640000-0x000000013F994000-memory.dmp
memory/1428-150-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2540-151-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2648-152-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2592-153-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1184-154-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2684-155-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2468-156-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2700-157-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2232-158-0x000000013F120000-0x000000013F474000-memory.dmp
memory/1616-159-0x000000013F250000-0x000000013F5A4000-memory.dmp
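The memory listing above names each dump as memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp. Parsing those names, as an added example that is not part of the sandbox output, shows two things the raw list hides: every region except the initial process's small 0x10000 block is exactly 0x354000 bytes (one image size mapped again and again across PIDs), and PID 2304 holds dumps at the same address ranges as the other processes' image regions, which is consistent with the "Suspicious use of WriteProcessMemory" signature. The dump names are copied from the report; treating 2304 as the parent is an inference from it being the first PID in the listing and the only process named in the AdjustPrivilegeToken rows.

```python
import re
from collections import defaultdict

# Dump names as emitted by the sandbox: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split a dump file name into pid, sequence number and [start, end) address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def region_sizes(names):
    """Map region size (bytes) -> set of PIDs that produced a dump of that size."""
    by_size = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        by_size[d["end"] - d["start"]].add(d["pid"])
    return dict(by_size)


def shared_regions(names, parent_pid):
    """(parent, child, start) for every range dumped from both the parent and another PID.

    A parent holding a copy of exactly the child's image range is what you expect
    after WriteProcessMemory into a freshly created child.
    """
    ranges = defaultdict(set)  # (start, end) -> PIDs dumped at that range
    for n in names:
        d = parse_dump(n)
        ranges[(d["start"], d["end"])].add(d["pid"])
    pairs = set()
    for (start, _end), pids in ranges.items():
        if parent_pid in pids:
            for child in pids - {parent_pid}:
                pairs.add((parent_pid, child, start))
    return sorted(pairs)


# Subset of the behavioral1 memory listing, copied from the report.
SAMPLE_DUMPS = [
    "memory/2304-0-0x000000013F7F0000-0x000000013FB44000-memory.dmp",
    "memory/2304-1-0x0000000000080000-0x0000000000090000-memory.dmp",
    "memory/2304-8-0x0000000002450000-0x00000000027A4000-memory.dmp",
    "memory/1624-16-0x000000013F6D0000-0x000000013FA24000-memory.dmp",
    "memory/2864-12-0x000000013FA70000-0x000000013FDC4000-memory.dmp",
    "memory/1428-30-0x000000013F240000-0x000000013F594000-memory.dmp",
    "memory/2304-28-0x000000013F240000-0x000000013F594000-memory.dmp",
    "memory/2648-46-0x000000013F1F0000-0x000000013F544000-memory.dmp",
    "memory/2304-41-0x000000013F1F0000-0x000000013F544000-memory.dmp",
    "memory/2232-93-0x000000013F120000-0x000000013F474000-memory.dmp",
    "memory/2304-86-0x000000013F120000-0x000000013F474000-memory.dmp",
]

if __name__ == "__main__":
    for size, pids in sorted(region_sizes(SAMPLE_DUMPS).items()):
        print(f"size 0x{size:X}: {len(pids)} PID(s) {sorted(pids)}")
    for parent, child, start in shared_regions(SAMPLE_DUMPS, 2304):
        print(f"PID {parent} dumped the same range as PID {child} at 0x{start:X}")
```

The same parser works on the behavioral2 listing; there the image regions sit at 0x00007FF7... addresses (Windows 10 high-entropy ASLR) but have the identical 0x354000 size, which is one quick way to confirm both runs executed the same payload.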
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 11:29
Reported
2024-06-01 11:32
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Signatures
Cobalt Strike reflective loader: 21 hits (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 hits (no details recorded)
UPX dump on OEP (original entry point): 64 hits (no details recorded)
XMRig Miner payload: 64 hits (no details recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cXPWNej.exe | N/A |
| N/A | N/A | C:\Windows\System\VGLpBRB.exe | N/A |
| N/A | N/A | C:\Windows\System\RAYpxGc.exe | N/A |
| N/A | N/A | C:\Windows\System\WQDrwSn.exe | N/A |
| N/A | N/A | C:\Windows\System\DWflrQe.exe | N/A |
| N/A | N/A | C:\Windows\System\BOvRnUc.exe | N/A |
| N/A | N/A | C:\Windows\System\ARZQWkF.exe | N/A |
| N/A | N/A | C:\Windows\System\vnpmNSa.exe | N/A |
| N/A | N/A | C:\Windows\System\wbDnAmH.exe | N/A |
| N/A | N/A | C:\Windows\System\YgBEySI.exe | N/A |
| N/A | N/A | C:\Windows\System\SnteVBM.exe | N/A |
| N/A | N/A | C:\Windows\System\BOwkkQq.exe | N/A |
| N/A | N/A | C:\Windows\System\fIHfdeM.exe | N/A |
| N/A | N/A | C:\Windows\System\pyBoulU.exe | N/A |
| N/A | N/A | C:\Windows\System\TEhUDIO.exe | N/A |
| N/A | N/A | C:\Windows\System\LybKloA.exe | N/A |
| N/A | N/A | C:\Windows\System\hpXWmWK.exe | N/A |
| N/A | N/A | C:\Windows\System\ckyhQoZ.exe | N/A |
| N/A | N/A | C:\Windows\System\CnsUUUm.exe | N/A |
| N/A | N/A | C:\Windows\System\dMIrnyS.exe | N/A |
| N/A | N/A | C:\Windows\System\mgJvrbQ.exe | N/A |
UPX packed file: 64 hits (no details recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5bd8957839cfd9b8e59ec42284640d20_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\cXPWNej.exe
C:\Windows\System\cXPWNej.exe
C:\Windows\System\VGLpBRB.exe
C:\Windows\System\VGLpBRB.exe
C:\Windows\System\RAYpxGc.exe
C:\Windows\System\RAYpxGc.exe
C:\Windows\System\WQDrwSn.exe
C:\Windows\System\WQDrwSn.exe
C:\Windows\System\DWflrQe.exe
C:\Windows\System\DWflrQe.exe
C:\Windows\System\BOvRnUc.exe
C:\Windows\System\BOvRnUc.exe
C:\Windows\System\ARZQWkF.exe
C:\Windows\System\ARZQWkF.exe
C:\Windows\System\vnpmNSa.exe
C:\Windows\System\vnpmNSa.exe
C:\Windows\System\wbDnAmH.exe
C:\Windows\System\wbDnAmH.exe
C:\Windows\System\YgBEySI.exe
C:\Windows\System\YgBEySI.exe
C:\Windows\System\SnteVBM.exe
C:\Windows\System\SnteVBM.exe
C:\Windows\System\BOwkkQq.exe
C:\Windows\System\BOwkkQq.exe
C:\Windows\System\fIHfdeM.exe
C:\Windows\System\fIHfdeM.exe
C:\Windows\System\pyBoulU.exe
C:\Windows\System\pyBoulU.exe
C:\Windows\System\TEhUDIO.exe
C:\Windows\System\TEhUDIO.exe
C:\Windows\System\LybKloA.exe
C:\Windows\System\LybKloA.exe
C:\Windows\System\hpXWmWK.exe
C:\Windows\System\hpXWmWK.exe
C:\Windows\System\ckyhQoZ.exe
C:\Windows\System\ckyhQoZ.exe
C:\Windows\System\CnsUUUm.exe
C:\Windows\System\CnsUUUm.exe
C:\Windows\System\dMIrnyS.exe
C:\Windows\System\dMIrnyS.exe
C:\Windows\System\mgJvrbQ.exe
C:\Windows\System\mgJvrbQ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/4540-0-0x00007FF7C2080000-0x00007FF7C23D4000-memory.dmp
memory/4540-1-0x0000024CDF0F0000-0x0000024CDF100000-memory.dmp
C:\Windows\System\cXPWNej.exe
| MD5 | 016c3e23ed5fd0d700f0240da7d55ae7 |
| SHA1 | 423a623c6cd9bac68a7dc7c8bb5e8a0c0e81b2da |
| SHA256 | c2986c0c87745594676b557c9c7e4abb6a3c0fcf5aac4b185e7ca561ec2bc584 |
| SHA512 | c4dede92432552a58449d000374eb0d6131a2af3481984c5d54b5d35b9753c497cca26cac92377527e3beb7062a9ff0d83e7f1df9dcb54df9dbfff1fe9d9cd2f |
memory/3932-7-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp
C:\Windows\System\VGLpBRB.exe
| MD5 | c8532159048eea9719a24a0ae75fa1a4 |
| SHA1 | 92995717b6cd3d0f3d103d6d46ad2a03af2ac73f |
| SHA256 | 022c969f96cd853dd3e642a42ea616af82a0e322380359624b027b388276bb04 |
| SHA512 | 0218cff5f4cbcb2f01e322a6999dcb8f6ac4167bb336bb3b11901fc4e5619a967477d249d9b59b571953bbff28a0ea53b0c91a60d68f545b4711f93e5c60fb56 |
C:\Windows\System\RAYpxGc.exe
| MD5 | 1fc9db9e6613eb6ee860e440016bf269 |
| SHA1 | 9a530a923b279fb0c3d8c2710da83fdc35df481e |
| SHA256 | b3c5c016fec4b482c529ce213815a864ad42f95a38baf792927b86c8444791a7 |
| SHA512 | 2b1090933cf5c0006e2d86d2d2820f29f361711a722f902ec853b1fac3dde8465f6b804e42a25da87a1cc5d974d8397cb187973e25f3e55f18f3ce981a3555ae |
memory/3192-14-0x00007FF629330000-0x00007FF629684000-memory.dmp
C:\Windows\System\DWflrQe.exe
| MD5 | d7a5ad7d01b5279d798bfc265a2f023d |
| SHA1 | 75c23f0bc5f20574508ce4b700c4640fe35ef393 |
| SHA256 | df4741cca1fafe22fca67fd896b33dee2acdeb093005940a499febbecaed3053 |
| SHA512 | 228a4bd15af822c60bbbe31ef5604a0cc0ea8782fe2e898a0bd729f70a6f2781d0cf917645381bdace468a5eaff1d581b8bba6be16f2a4478a501c39b7ea3c09 |
C:\Windows\System\WQDrwSn.exe
| MD5 | f71687e40964327c518b0d4fc2236c48 |
| SHA1 | 8709041877d5e601a320bdb1e12d61d433360962 |
| SHA256 | f1135f993447cd2c60d02e6f44c6523736cbc8ceb4448d8e149f754749e9a8cd |
| SHA512 | 561925220f694fe35260e274386bf9c7a609765deeb29db89603aa3856b901d98ccdd5222045d29fa2958b8db16ec733de06fe2ada4b62725d1f72a588a445db |
C:\Windows\System\vnpmNSa.exe
| MD5 | 003ab4fa184558c26d7e27df66826d25 |
| SHA1 | 1e36b3cba1afed688ccd4140054e571ce8cf3fe2 |
| SHA256 | 2d865a067b0830db2123a1833025c84b336d8f8a1e42bf54f1094f85324285cb |
| SHA512 | 713859661ca7c899eda8c961cbc8c3ad84e69fdf598bfffa1d381d59b3f36a6e1129918d479535b97e2a96e6344cba448a30b3ee60988d9f12e26823b2bea6b7 |
C:\Windows\System\wbDnAmH.exe
| MD5 | e827e1e706f5424ceaecaa2786aff564 |
| SHA1 | abe4f1fcb09262f7fb69670665db5ca33e671d26 |
| SHA256 | 0dcc8b5589354b9bace52e0430f01b45dfbc91240492e2c349d55c7692df3234 |
| SHA512 | a4b4783ea3d174a9ea23635842cddda59805c11afcb3b808d990af9aed06cfd07cfde2a5f7721db0eb59f7b70b2434a2d5aed4b2d32e6eea8ca4f4c18b130aec |
C:\Windows\System\YgBEySI.exe
| MD5 | 4eb74d70799acec6bc2f70d4022767f2 |
| SHA1 | 96e1a237b71d9dbe6b647bdafb30240b214d2df5 |
| SHA256 | e72d9a8b2c291cebf588547da6636fc1e3c267a60762881657f0411ebeb2c8a8 |
| SHA512 | 2fa7b3676eff823ed30b066c9b5fc9867402254e63db8119ceee5f1e7abc2af42cbc7b1d5ce015a613938a08324e80ec8020ab41d13f37efe03e2457f9ea8bc5 |
C:\Windows\System\SnteVBM.exe
| MD5 | 3e96c6c22c0fc5ffc130d9b9c8f747c6 |
| SHA1 | 74439c8b78841fda462b76c97c4538ac31dd5d44 |
| SHA256 | e5116bccce5f1df270ca6409b7142e93813c3808b6bf288a3bf230b72b76bc6f |
| SHA512 | 70967c015be15f24172f558335f45860ec1fd3dade35f4e314f7cf921966a245c1b6dde30aa3efd69a4efabe95dc809897c5a93245703f601c4c4b4562d7c3d0 |
memory/4896-66-0x00007FF627A50000-0x00007FF627DA4000-memory.dmp
C:\Windows\System\BOwkkQq.exe
| MD5 | b9a4c5bf1bcee9c5e61f15c76a6cfdb6 |
| SHA1 | 62953b5f81be8b8dc3a2eb90fbc024de60da6919 |
| SHA256 | 2ab83ca2c98522aa8a68e30b5ea028ad34c376026836ed8611cc39c8eb607402 |
| SHA512 | 2061e0ab803e41f842b0143546349a5c060c3b4117ae1367915bd9520a7a30cc8c0816b61b8eb815e0a281e713763b352baf8a43fc2a0da91b256b191ba7ac36 |
C:\Windows\System\pyBoulU.exe
| MD5 | 416a344380434558c0db7ee7403ec560 |
| SHA1 | 97544c62555c50ef9a4f8ba12ac6e60f4135a226 |
| SHA256 | 8e2df8d9223aeb4e9c1d02a4b54c202ce474af83ba290e72746440ff5372051d |
| SHA512 | 08ae1189c01182f5c91d7f6d410892830856644ba8c863f5b11d6884d435b8d52a1d8b2972af9cc0a72a9d4f3affa931f764dd5ce225bd800cbd8e8e5b2de143 |
C:\Windows\System\hpXWmWK.exe
| MD5 | 92421ba251c83cabe76c2088ec3b0c1a |
| SHA1 | a62df7817f8e75f04cff61008bb15ed07ed9ef8a |
| SHA256 | d6b262ecbd6476a8a7a9ce0679df8ec69fbd670a1d35a6c8cb97368f26299f7e |
| SHA512 | e321f597c8070e3caff0a025dd808055e41ebd755881da17d0e77dc401c3818286c5ae41a7a047c6a62aa021b72503bf6d399ccb469382800ab7f46ef077613e |
C:\Windows\System\CnsUUUm.exe
| MD5 | 07972a00cb98adf54aee59b31dbf88b6 |
| SHA1 | e40e19b3a7d79a8574a26910b72df70184ab3975 |
| SHA256 | f38cd7f0fd3b71daad7325635e4db5c0fdb8dbce7836d81c8961d4189060b247 |
| SHA512 | 5e7472fde135c6b22d45bb6ce6bb7625d59ccaea26900e67e9b9996c04a7568ec0ec0e36a8d26f49f04e1d3c1389aa97cf8feca4f959cfec27eaac64981f6bdb |
C:\Windows\System\mgJvrbQ.exe
| MD5 | b6356aafb3ee531f1f2b4bff5c69f27f |
| SHA1 | 85e74246d9ffba2cf84b69e6123a66b15757d5fb |
| SHA256 | 17da2b5c18f3c2cdb6e8fb6855196aaffb199b732b7cdd77efb538ed9f9f38e8 |
| SHA512 | ff5c2bb264841833e00757e069de8f1174b3e232504662b4094abcb6af8443cf924ff0418a443734cc980f5e9131c13438ed679ed078a639dded9b98eca12fca |
C:\Windows\System\dMIrnyS.exe
| MD5 | 535bf32142e6b920efc0c1456e62102f |
| SHA1 | eb0925f00513fdaaad620506d4a675ae1c2f5f85 |
| SHA256 | cbdf434c40ee32fc71b1aac687a2740c486b0727c9e0f410f4504d08f0668363 |
| SHA512 | d122c7fd47976fb0c6254a30b91aeba64bdbc9e4ee2185f4dacd95df72ab377efa2a7a25c85957f9f90fefc38afd0ab5124c8329ce91791990d3907c42196a3a |
C:\Windows\System\ckyhQoZ.exe
| MD5 | 11aede532e6ea058ace9f7050a6e4ad6 |
| SHA1 | 22173599d020bd1035c4815b71dffd4f502add7a |
| SHA256 | d57b163879037714c7214a51b0ac09620165d6764b43c59a8c75c237c99fdf8d |
| SHA512 | f63ac451650eb7d77256d66d1fb74745d4839864957eae032d39f4fc6930e7ee334b5fa0740fb5d2228615a6fd9be6d9f5b30f1773730c90d23158b7c1ba4582 |
C:\Windows\System\LybKloA.exe
| MD5 | 2751bd774f9215e4e612acc30fb547cf |
| SHA1 | b89611e687c813ee85aa5a0231ad1f86e4e449be |
| SHA256 | 8fab97db14885d429e1e5848f4dc99f40b8f5a72035f5f20ae5d6628b96d1a19 |
| SHA512 | 08cf42d5488c13b1c874b5a730c49b80fcee7b67c96c019e715f3aa7e73bc8acccaa49d5e8e6e28056d27c87105e2f87b26bb6ab6b455809a44635972b030639 |
C:\Windows\System\TEhUDIO.exe
| MD5 | ad0c462554b806763991ab65ad474eb0 |
| SHA1 | 43aed7b16194603a0b42779fdaccf95abc59b76f |
| SHA256 | d4e0a35783ffdeeb8ea903efdd5dc3dc551abaa15452b20162f079f67286e8f7 |
| SHA512 | ea3b61ec0b43949e5a0305f714f7b6a11d65cac7cb0dd848e7807bddbaced82c738b8a48d2cb219ebda4573623c3c989c38ec1dbc0ec6f607cd39089b68360a8 |
C:\Windows\System\fIHfdeM.exe
| MD5 | e73078f4af07dcadbe2e9dd48f1aeba7 |
| SHA1 | b476ea97caf1e464ace08d91b51c7f708b73d6fe |
| SHA256 | 019721a714444453944716bc17e9755f9f95cf2b05e8a7f3777a1daefa439338 |
| SHA512 | ff9693e6f2753a92029ef31b16d8b7c5a221fcade49c67332b6073a84b5dc1938e9348e20fb3f4c695361ed92061b17f11c5b1e683e6ad3277ed948208989f2a |
memory/4804-72-0x00007FF670330000-0x00007FF670684000-memory.dmp
memory/3936-67-0x00007FF601DC0000-0x00007FF602114000-memory.dmp
memory/1528-63-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp
memory/5044-60-0x00007FF7F5FB0000-0x00007FF7F6304000-memory.dmp
memory/3224-52-0x00007FF6E8470000-0x00007FF6E87C4000-memory.dmp
memory/4204-47-0x00007FF6899C0000-0x00007FF689D14000-memory.dmp
C:\Windows\System\ARZQWkF.exe
| MD5 | 71246efeea70c79cbac6c53ac79f06a5 |
| SHA1 | 7a34566d581fd8420d38ca529b76031343a946a4 |
| SHA256 | eb53204c5375ea853b9b265953fd65509867f7594e72a7c914f22f0ee756c7e1 |
| SHA512 | 9bd83c552ae67f8c7076565563bef9d815826ff8ba2ec78852af1c67dd87294fb4bbe6d2e72271ba938c4859a0b08e2ca2ab97c740bc2f94fd73d766ae8a3d64 |
C:\Windows\System\BOvRnUc.exe
| MD5 | 4229af1f5667f9577c32c87158ac562f |
| SHA1 | 240c3360f55bb8b26cf3f6a5d376d7279ed52f9d |
| SHA256 | f4010374de160d23ad16a89edd967be60f5f04fa5c4d8253a8cf8517892426eb |
| SHA512 | 95316f18264ac5b1e940b32a6559377aa89b236c6594be3bb9c0e08cd32e2e7af4fc15ac8ae1ef5e7a3d0fd82267af7ec96a54bff20b50568c4ca733a833cea3 |
memory/920-28-0x00007FF68A400000-0x00007FF68A754000-memory.dmp
memory/4948-27-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp
memory/2452-20-0x00007FF757FB0000-0x00007FF758304000-memory.dmp
memory/5060-119-0x00007FF739670000-0x00007FF7399C4000-memory.dmp
memory/4552-120-0x00007FF7C0B70000-0x00007FF7C0EC4000-memory.dmp
memory/1756-121-0x00007FF630520000-0x00007FF630874000-memory.dmp
memory/2268-122-0x00007FF6C1340000-0x00007FF6C1694000-memory.dmp
memory/1436-124-0x00007FF74FA60000-0x00007FF74FDB4000-memory.dmp
memory/2904-126-0x00007FF6D1890000-0x00007FF6D1BE4000-memory.dmp
memory/628-127-0x00007FF79A340000-0x00007FF79A694000-memory.dmp
memory/5000-125-0x00007FF75BCD0000-0x00007FF75C024000-memory.dmp
memory/3332-123-0x00007FF79C130000-0x00007FF79C484000-memory.dmp
memory/4540-128-0x00007FF7C2080000-0x00007FF7C23D4000-memory.dmp
memory/3932-129-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp
memory/3192-130-0x00007FF629330000-0x00007FF629684000-memory.dmp
memory/4948-131-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp
memory/920-132-0x00007FF68A400000-0x00007FF68A754000-memory.dmp
memory/1528-133-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp
memory/3936-134-0x00007FF601DC0000-0x00007FF602114000-memory.dmp
memory/4804-135-0x00007FF670330000-0x00007FF670684000-memory.dmp
memory/3932-136-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp
memory/3192-137-0x00007FF629330000-0x00007FF629684000-memory.dmp
memory/2452-138-0x00007FF757FB0000-0x00007FF758304000-memory.dmp
memory/4948-139-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp
memory/920-140-0x00007FF68A400000-0x00007FF68A754000-memory.dmp
memory/4204-141-0x00007FF6899C0000-0x00007FF689D14000-memory.dmp
memory/3224-142-0x00007FF6E8470000-0x00007FF6E87C4000-memory.dmp
memory/5044-143-0x00007FF7F5FB0000-0x00007FF7F6304000-memory.dmp
memory/4896-144-0x00007FF627A50000-0x00007FF627DA4000-memory.dmp
memory/4804-145-0x00007FF670330000-0x00007FF670684000-memory.dmp
memory/1528-146-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp
memory/4552-150-0x00007FF7C0B70000-0x00007FF7C0EC4000-memory.dmp
memory/5060-151-0x00007FF739670000-0x00007FF7399C4000-memory.dmp
memory/1436-153-0x00007FF74FA60000-0x00007FF74FDB4000-memory.dmp
memory/3332-152-0x00007FF79C130000-0x00007FF79C484000-memory.dmp
memory/1756-149-0x00007FF630520000-0x00007FF630874000-memory.dmp
memory/2268-148-0x00007FF6C1340000-0x00007FF6C1694000-memory.dmp
memory/3936-147-0x00007FF601DC0000-0x00007FF602114000-memory.dmp
memory/628-155-0x00007FF79A340000-0x00007FF79A694000-memory.dmp
memory/5000-154-0x00007FF75BCD0000-0x00007FF75C024000-memory.dmp
memory/2904-156-0x00007FF6D1890000-0x00007FF6D1BE4000-memory.dmp
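The memory dump names above encode a process ID and an address range. The Python below is an added example, not the sandbox's or this report's own code, that parses those names and groups the regions by PID. The layout `memory/<pid>-<index>-<start>-<end>-memory.dmp` is assumed from the entries on this page, and the `image_floor` threshold is a heuristic of this example. Run over the 52 names listed here it reports 22 distinct PIDs, matching the 22 processes in the process list, and a single image-range region size of 0x354000 bytes for every one of them; with 21 different on-disk hashes, that is consistent with each drop being the same program re-dropped under a random name.

```python
import re
from collections import defaultdict

# The memory dump names from the Files section of this report, copied as listed.
# Assumption: the layout is memory/<pid>-<index>-<start>-<end>-memory.dmp.
DUMPS = [
    "memory/4540-0-0x00007FF7C2080000-0x00007FF7C23D4000-memory.dmp",
    "memory/4540-1-0x0000024CDF0F0000-0x0000024CDF100000-memory.dmp",
    "memory/3932-7-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp",
    "memory/3192-14-0x00007FF629330000-0x00007FF629684000-memory.dmp",
    "memory/4896-66-0x00007FF627A50000-0x00007FF627DA4000-memory.dmp",
    "memory/4804-72-0x00007FF670330000-0x00007FF670684000-memory.dmp",
    "memory/3936-67-0x00007FF601DC0000-0x00007FF602114000-memory.dmp",
    "memory/1528-63-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp",
    "memory/5044-60-0x00007FF7F5FB0000-0x00007FF7F6304000-memory.dmp",
    "memory/3224-52-0x00007FF6E8470000-0x00007FF6E87C4000-memory.dmp",
    "memory/4204-47-0x00007FF6899C0000-0x00007FF689D14000-memory.dmp",
    "memory/920-28-0x00007FF68A400000-0x00007FF68A754000-memory.dmp",
    "memory/4948-27-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp",
    "memory/2452-20-0x00007FF757FB0000-0x00007FF758304000-memory.dmp",
    "memory/5060-119-0x00007FF739670000-0x00007FF7399C4000-memory.dmp",
    "memory/4552-120-0x00007FF7C0B70000-0x00007FF7C0EC4000-memory.dmp",
    "memory/1756-121-0x00007FF630520000-0x00007FF630874000-memory.dmp",
    "memory/2268-122-0x00007FF6C1340000-0x00007FF6C1694000-memory.dmp",
    "memory/1436-124-0x00007FF74FA60000-0x00007FF74FDB4000-memory.dmp",
    "memory/2904-126-0x00007FF6D1890000-0x00007FF6D1BE4000-memory.dmp",
    "memory/628-127-0x00007FF79A340000-0x00007FF79A694000-memory.dmp",
    "memory/5000-125-0x00007FF75BCD0000-0x00007FF75C024000-memory.dmp",
    "memory/3332-123-0x00007FF79C130000-0x00007FF79C484000-memory.dmp",
    "memory/4540-128-0x00007FF7C2080000-0x00007FF7C23D4000-memory.dmp",
    "memory/3932-129-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp",
    "memory/3192-130-0x00007FF629330000-0x00007FF629684000-memory.dmp",
    "memory/4948-131-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp",
    "memory/920-132-0x00007FF68A400000-0x00007FF68A754000-memory.dmp",
    "memory/1528-133-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp",
    "memory/3936-134-0x00007FF601DC0000-0x00007FF602114000-memory.dmp",
    "memory/4804-135-0x00007FF670330000-0x00007FF670684000-memory.dmp",
    "memory/3932-136-0x00007FF7A2E80000-0x00007FF7A31D4000-memory.dmp",
    "memory/3192-137-0x00007FF629330000-0x00007FF629684000-memory.dmp",
    "memory/2452-138-0x00007FF757FB0000-0x00007FF758304000-memory.dmp",
    "memory/4948-139-0x00007FF7E5830000-0x00007FF7E5B84000-memory.dmp",
    "memory/920-140-0x00007FF68A400000-0x00007FF68A754000-memory.dmp",
    "memory/4204-141-0x00007FF6899C0000-0x00007FF689D14000-memory.dmp",
    "memory/3224-142-0x00007FF6E8470000-0x00007FF6E87C4000-memory.dmp",
    "memory/5044-143-0x00007FF7F5FB0000-0x00007FF7F6304000-memory.dmp",
    "memory/4896-144-0x00007FF627A50000-0x00007FF627DA4000-memory.dmp",
    "memory/4804-145-0x00007FF670330000-0x00007FF670684000-memory.dmp",
    "memory/1528-146-0x00007FF6A00D0000-0x00007FF6A0424000-memory.dmp",
    "memory/4552-150-0x00007FF7C0B70000-0x00007FF7C0EC4000-memory.dmp",
    "memory/5060-151-0x00007FF739670000-0x00007FF7399C4000-memory.dmp",
    "memory/1436-153-0x00007FF74FA60000-0x00007FF74FDB4000-memory.dmp",
    "memory/3332-152-0x00007FF79C130000-0x00007FF79C484000-memory.dmp",
    "memory/1756-149-0x00007FF630520000-0x00007FF630874000-memory.dmp",
    "memory/2268-148-0x00007FF6C1340000-0x00007FF6C1694000-memory.dmp",
    "memory/3936-147-0x00007FF601DC0000-0x00007FF602114000-memory.dmp",
    "memory/628-155-0x00007FF79A340000-0x00007FF79A694000-memory.dmp",
    "memory/5000-154-0x00007FF75BCD0000-0x00007FF75C024000-memory.dmp",
    "memory/2904-156-0x00007FF6D1890000-0x00007FF6D1BE4000-memory.dmp",
]

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

def parse_dump(name):
    """Return (pid, index, start, end); reject names that do not follow the assumed scheme."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return int(m["pid"]), int(m["idx"]), start, end

def regions_by_pid(names):
    """pid -> {(start, size)}; the same region dumped more than once collapses to one entry."""
    regions = defaultdict(set)
    for name in names:
        pid, _idx, start, end = parse_dump(name)
        regions[pid].add((start, end - start))
    return dict(regions)

def summarize(names, image_floor=0x7FF600000000):
    """Count PIDs and distinct regions; collect sizes of regions at or above image_floor.

    image_floor is a heuristic of this example: on this run the 64-bit image bases all sit
    at 0x7FF6.../0x7FF7..., while the lone 0x24C... region is a 0x10000-byte heap block.
    """
    regions = regions_by_pid(names)
    sizes = {size for regs in regions.values() for start, size in regs if start >= image_floor}
    return {
        "pids": len(regions),
        "unique_regions": sum(len(r) for r in regions.values()),
        "image_sizes": sorted(sizes),
    }

if __name__ == "__main__":
    print(summarize(DUMPS))  # {'pids': 22, 'unique_regions': 23, 'image_sizes': [3489792]}
```

A constant image size across every PID is a quick triage signal that the dropped files share one code base, so a single sample (or a single memory region) can be unpacked and analysed instead of all 21.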