Analysis Overview
SHA256
9d56348bdcd2464b28f6a502b35a26b771d5aa28c68a886dd315520d274b4461
Threat Level: Known bad
The file 2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 17:07
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 17:07
Reported
2024-06-01 17:10
Platform
win7-20240215-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dRiMpUK.exe | N/A |
| N/A | N/A | C:\Windows\System\pRpjGvA.exe | N/A |
| N/A | N/A | C:\Windows\System\NGTBPqh.exe | N/A |
| N/A | N/A | C:\Windows\System\kkjObmV.exe | N/A |
| N/A | N/A | C:\Windows\System\rKWMeYy.exe | N/A |
| N/A | N/A | C:\Windows\System\sZHkIoL.exe | N/A |
| N/A | N/A | C:\Windows\System\oQRxfqK.exe | N/A |
| N/A | N/A | C:\Windows\System\UxHViVY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnppEvk.exe | N/A |
| N/A | N/A | C:\Windows\System\QDRMrzY.exe | N/A |
| N/A | N/A | C:\Windows\System\KZvaguD.exe | N/A |
| N/A | N/A | C:\Windows\System\ahUPYzu.exe | N/A |
| N/A | N/A | C:\Windows\System\NGHvmBL.exe | N/A |
| N/A | N/A | C:\Windows\System\WySemUP.exe | N/A |
| N/A | N/A | C:\Windows\System\VlkMpLT.exe | N/A |
| N/A | N/A | C:\Windows\System\iGkBrvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JYlKVlz.exe | N/A |
| N/A | N/A | C:\Windows\System\EEVLiRa.exe | N/A |
| N/A | N/A | C:\Windows\System\vclGVma.exe | N/A |
| N/A | N/A | C:\Windows\System\cjGVNtC.exe | N/A |
| N/A | N/A | C:\Windows\System\KEKDjKT.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dRiMpUK.exe
C:\Windows\System\dRiMpUK.exe
C:\Windows\System\pRpjGvA.exe
C:\Windows\System\pRpjGvA.exe
C:\Windows\System\kkjObmV.exe
C:\Windows\System\kkjObmV.exe
C:\Windows\System\NGTBPqh.exe
C:\Windows\System\NGTBPqh.exe
C:\Windows\System\sZHkIoL.exe
C:\Windows\System\sZHkIoL.exe
C:\Windows\System\rKWMeYy.exe
C:\Windows\System\rKWMeYy.exe
C:\Windows\System\oQRxfqK.exe
C:\Windows\System\oQRxfqK.exe
C:\Windows\System\UxHViVY.exe
C:\Windows\System\UxHViVY.exe
C:\Windows\System\ZnppEvk.exe
C:\Windows\System\ZnppEvk.exe
C:\Windows\System\QDRMrzY.exe
C:\Windows\System\QDRMrzY.exe
C:\Windows\System\KZvaguD.exe
C:\Windows\System\KZvaguD.exe
C:\Windows\System\ahUPYzu.exe
C:\Windows\System\ahUPYzu.exe
C:\Windows\System\WySemUP.exe
C:\Windows\System\WySemUP.exe
C:\Windows\System\NGHvmBL.exe
C:\Windows\System\NGHvmBL.exe
C:\Windows\System\VlkMpLT.exe
C:\Windows\System\VlkMpLT.exe
C:\Windows\System\iGkBrvQ.exe
C:\Windows\System\iGkBrvQ.exe
C:\Windows\System\JYlKVlz.exe
C:\Windows\System\JYlKVlz.exe
C:\Windows\System\EEVLiRa.exe
C:\Windows\System\EEVLiRa.exe
C:\Windows\System\vclGVma.exe
C:\Windows\System\vclGVma.exe
C:\Windows\System\cjGVNtC.exe
C:\Windows\System\cjGVNtC.exe
C:\Windows\System\KEKDjKT.exe
C:\Windows\System\KEKDjKT.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1204-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1204-1-0x000000013F600000-0x000000013F954000-memory.dmp
C:\Windows\system\dRiMpUK.exe
| MD5 | a42d96dc1468f86e087c32e479dc1eb4 |
| SHA1 | ef3c3e568f4f228361a1fd8f1d9ab90d8d540a85 |
| SHA256 | 0ff32cd68b4a67ccd07c92d0798511c5d6ecc38b11ee1e8968c6a17031e1451d |
| SHA512 | 833b3d1f4da5be81548b9e0e30025d9b4a33051fea43af2f046426a5132714fd2b12ebe1ab173b30069115185d313af6695f268aa7a41b00cd3236c14f16d68a |
C:\Windows\system\NGTBPqh.exe
| MD5 | 42febb108c0b303a55b9ef73945acd06 |
| SHA1 | bb534131d7a9ea7d95f28419a43fbcaa5e173bb2 |
| SHA256 | 6672c69f35f4d7ad3af7019d18498b283d24011751dde40ff90a0b0ecfe8112b |
| SHA512 | 599b914ffd21dfa6520fa3a643ff0e19f86c710f3a08f7b755507281d58eb47b5f1d4038ea32424a24f64c3e548835edcbd35e56e202a30a601171469bc25939 |
memory/1780-15-0x000000013FB00000-0x000000013FE54000-memory.dmp
C:\Windows\system\rKWMeYy.exe
| MD5 | b2cc1e9ab728d54a1e62c501713fcf48 |
| SHA1 | 1b557f0d7e2513253bef1fb4e016c62bc4c0b231 |
| SHA256 | 904f71119e307a6d831b9b5e3358fd806cbe811836de8a418d1f976bc6560c73 |
| SHA512 | fd4945c0ccf50d36b8aecadec0f8292cc0b22edc59e5aaf4acc1680c14c10a1d455d1bf866577a37507db1db70d10559c65aecaa20924b6dc7d921ec2f0cbd85 |
memory/2644-38-0x000000013FEA0000-0x00000001401F4000-memory.dmp
\Windows\system\UxHViVY.exe
| MD5 | 127ff931912f551b1dbcf3e8ffb2288c |
| SHA1 | 9620e88a02e0b3709bd6141fd5dc1623db07cdf5 |
| SHA256 | 36dfe80613dc717afa341343c5b9d1da63b8961d2b1d5cecf91f9b645f7693bc |
| SHA512 | 9914768adf15c1d86eb45199808f01dda62f337d2914ace60ea3595005411d7e09c957959c80647a5e0c387e0842948c0de552b8785a1ed6237e4f3d8dc89c9d |
memory/2604-46-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2460-56-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/1204-55-0x000000013F600000-0x000000013F954000-memory.dmp
C:\Windows\system\oQRxfqK.exe
| MD5 | 61de9526d1e7cc7028037b243a636449 |
| SHA1 | 4cd63a9658d015d3e460c1f060e8dd624765d157 |
| SHA256 | 580257b539cbded534816cd068228ad2631e7851a68374a0ad44e806f110ecb2 |
| SHA512 | 4dc6e5f1d7bf9f6870b6f6ee8777e01108514bda10300a2435ae25c2284847a0e220448690d2b177f8259664ca084e44ac04908d916830edbd38853c6a9ec7e3 |
memory/2592-40-0x000000013F750000-0x000000013FAA4000-memory.dmp
\Windows\system\sZHkIoL.exe
| MD5 | cf9c8d605b076b84d4770a75793d3484 |
| SHA1 | 28fe1494763f6151e5ee70771083724c599663d0 |
| SHA256 | cd11af6dfef581fb2ba1732263cd45807026d8122bdc5b8a3460b3a47fd6f745 |
| SHA512 | 388df1d7839e2be08cc03a11338613efe4ec5a9742de9ec5995d6cbb33284bd991e7fc89abb7fdca3eaa8fed47b5641d00b436ef25311c2762d39b6a4b3dfbe2 |
memory/1204-36-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1836-27-0x000000013FB50000-0x000000013FEA4000-memory.dmp
\Windows\system\kkjObmV.exe
| MD5 | f5f682d317af1f488ef7b31dfc6f7bf3 |
| SHA1 | f8bbd3c6ecd2155d8db47d377d46a547c8de7887 |
| SHA256 | b21a93322d497c7653a3a66035819bc313e74b498e6771b7ba9408c7fe7a5722 |
| SHA512 | 74723114305e597bc3c16fc5c38f128c7410d9e0dd08222ec0540f09f8ee21503eeaa0cac0583df3b457396161713483447a63bc651618c606812e5e266c249b |
C:\Windows\system\QDRMrzY.exe
| MD5 | 547dcf2541ac079cbf49a1c412cbee3c |
| SHA1 | 9ab572b642212fd401331ba71dbfbafb47de1e07 |
| SHA256 | 3f33b0d8a7d794e942af610be885bae0770b41b8369a79280192900e02452224 |
| SHA512 | a2124674fe4108751813c15b0b6ccd444a492494df740b7d2d72fa068dcb42c3a27ef14f63588cb75289b0afef484c7c3e6236c01950a821c2446bfad2864356 |
\Windows\system\ZnppEvk.exe
| MD5 | a3e4dd8eb994edda294a8af79da735a0 |
| SHA1 | 89f53f97e4298dc1cf1d96bcbe13fad4f6d8c973 |
| SHA256 | 0f96732c0e54bd39c21da2549d20e55a60fdc93bb1f2b50cbacae8b131592ab5 |
| SHA512 | 1e048e1760cc5f80392971926f65c7b9f1cdfde89327892ba20db1910912d682ccd9198582352a02cb11b190e963c874d28a98e2d7ed9ab63e8e754129c3a21d |
memory/812-76-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/1204-75-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\KZvaguD.exe
| MD5 | 95e13e11260900f3867779e07997a23a |
| SHA1 | e93696a2721c0855ea906af180eee47a851c2abf |
| SHA256 | 83a274d7cf98404d3f31de373579735f14fd19a6d5988928ce96399737fd0000 |
| SHA512 | aea71f43c22e7e53313eb9d9ed54d8b2c47c0e8e064229dc34dd25f718e2d7ac6316dc05b374dd4108b9575fe14927a8cc28d5bdf2463053800cd982a79f9c70 |
memory/2756-62-0x000000013FE40000-0x0000000140194000-memory.dmp
C:\Windows\system\ahUPYzu.exe
| MD5 | b38c223467ccc23e95d03ee22f152ad5 |
| SHA1 | 49bf6012213d9b095eda7087d0c189424e049c27 |
| SHA256 | 7ae2fd228b75f7ae05448c3f57c00d8ba06755be39d96c8b606b21bab952e31b |
| SHA512 | aacd39e1c527e3d2516173d3c218b95841b3444b7f8e8af2deaab776af1ef07f6f204ae4d4c92efb5669e81f9f093a666223067ed910d431180a3aa28bb58ccc |
memory/1836-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp
\Windows\system\WySemUP.exe
| MD5 | f9687c886bfc2b6f9c314963b546dc5c |
| SHA1 | d4aa5541bfe44c06f3e9d60e7353d55d3872bc72 |
| SHA256 | 2a4d05ca3a51ed940e86494354e769fa22e861ea47c21efc66239455cbafaa1f |
| SHA512 | 405bb71ec2bec1e875a42e5376411bae69ae96500f28ff362565d3cb9721c0fa3e74d7f4081764d54bdf29621928a9649af4c221c19dccaba967991d3ecbaf94 |
memory/2852-96-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2892-99-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2592-98-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2644-97-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2604-104-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/1204-105-0x00000000022F0000-0x0000000002644000-memory.dmp
\Windows\system\VlkMpLT.exe
| MD5 | 6c0a08c224d5e09296cb34a9f5393d59 |
| SHA1 | 02e9617b340a692b0fe63c2291a355b524cb1ec6 |
| SHA256 | bc2b4d84540239f98b618bdb0ea1464ca808664b3113a43634eb7ea82a54675e |
| SHA512 | 53abf1882d051d4f27c8c36c7e815b811125be706dc16a7deb395e826ecc6d7e7f0299e45e92824b45671c82abfd432323ac2798614d63a1324a012b6612bff5 |
memory/1204-95-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\NGHvmBL.exe
| MD5 | 98b8b09aba94d80522e52585efef6414 |
| SHA1 | f8e06143fbfdd3e797284d2c800db43d6a02fd39 |
| SHA256 | e77ae855e62856d47e5e35431438b1e66dfbe984ccad8e65397a70860a51a929 |
| SHA512 | fe515083c3f585578ca7844c55a7b550c59ca7527256d90ca8814063cf69e7d20b99385fdb6b6d6766f38a67bb4fb1439a0f21763861d11808c941cce5e0133c |
memory/1204-92-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2472-86-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/1204-85-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\iGkBrvQ.exe
| MD5 | 322c38567a040cf54276e898e8dc8068 |
| SHA1 | 48d6d3cf5cb8ed71f2363befbf95c330fe26e551 |
| SHA256 | cdd5e213ffe4023bc991107462c5cb02cfbb421f00282a920c2b598f525bca64 |
| SHA512 | 1aec332278e04cc254b0d3de34f2e4cd76e342d22524d8f4723cb3e7f0e210c7cffb8add4eede18130ad9d7a573f9bf5d7530be866c8d559c97e4d6c20e7ebff |
C:\Windows\system\cjGVNtC.exe
| MD5 | cf9dff787da5f1e409bd364c2a6ff9e1 |
| SHA1 | c9b716ef4b3c55e1ba629fed462af5c095a83672 |
| SHA256 | e62ab6be9ab272129255c4045a5cf247ca5957c80df503ecbb7c0505d955ff4b |
| SHA512 | 9e34fb179e36762054e1f278805675ae652a18dce117fc59e282882aa788804e9b3246e73826f711d69f293f21ce20080f788786d76557c6449ab2b7b0eb2167 |
\Windows\system\KEKDjKT.exe
| MD5 | afc1ad0d24f53b1a9c6de9fc5d059fd8 |
| SHA1 | ed8a177c1bf4d92f4ff3edd8dafeb09fdcc3e777 |
| SHA256 | 9807b2e156b3bab16dce1c1fc29aedf659c332e85314d318ad024fa3796b8ca8 |
| SHA512 | dca3a1dbf73158bd0e1f8917f5404149bb3121c010a6669bc11830df600ee1ff9cd506d6054a0888e98bd5d7957c79aefa729ba1569fac016583c3e7d60c8766 |
C:\Windows\system\vclGVma.exe
| MD5 | dd5938e5b8ca9bb708e222cdb7cb1cb0 |
| SHA1 | f5c6b423866a499de422c95fa8b7a243361d1f92 |
| SHA256 | ca338f7a97a4c1583e9b1a8d730f200d51cf682d9ed4d9611575d32cb94fed0c |
| SHA512 | 0093ba74d92649843239d9c6f781245c3f6091a90050cfdd470204114b165a7079921aaee1a6918a2eedec9cafc5f250b09dd452184895e87d728d4de453e801 |
C:\Windows\system\JYlKVlz.exe
| MD5 | 9f57293c8f5df179e01ffa5df0892292 |
| SHA1 | c78b0eba394fad8618877bc81df3ae05e96bfa68 |
| SHA256 | 3d62b5c2833e6e327a41d9304da1382dfa6f064ba2842518029afebeeb7f2ff3 |
| SHA512 | 6a698f4867eae383c2c5178dd6ad75518a4a0d38d0db84d5db0098a33cb783a621fef83da8f8b9597f8dbda97c45f72a9fa1ce3e980daf5071b27ba92aacdddf |
C:\Windows\system\EEVLiRa.exe
| MD5 | 07a44fedee58448febc0a3c3d2d0717c |
| SHA1 | bbba974271136eec0f505ce446028cc260ba3b86 |
| SHA256 | d83b0993c858f9e14ece998f9a7c9aaed34b20ec21b5976535c84e0754c9ca01 |
| SHA512 | ed669fb6c4335ebf9fc442a5886c77e6d54c52bae8835c2e200abe3462c4726f7e881656b84a7728eb51e4d9b34453070882cc5aee8e30a571e95aae4ec4920e |
memory/548-83-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2228-81-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2476-68-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1204-67-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/548-24-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2228-23-0x000000013F720000-0x000000013FA74000-memory.dmp
C:\Windows\system\pRpjGvA.exe
| MD5 | 71301a3ad7093cb752c31bef2a58595d |
| SHA1 | 7680b9d31e8e00e85c582d98feaebdfea087820b |
| SHA256 | c0dc152bddcc45ba6024509367775a98dad3a598257d743cc2244bd433a0bca4 |
| SHA512 | cfc3b7c254f7a9670c56e40b089eb5292a9e2e126cfcb577746ea59016b2ed4cba04df917f56d8a9619c4cab248d69a71bd58bbe08244ce4a176826bd592ca95 |
memory/1204-20-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/1204-19-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1204-18-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/1204-8-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2476-139-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1204-140-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2892-142-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2852-141-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/1780-143-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/548-144-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/1836-145-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2228-146-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2604-148-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2592-149-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2644-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2460-150-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2756-151-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2476-152-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/812-153-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2472-154-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/2852-155-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2892-156-0x000000013F130000-0x000000013F484000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 17:07
Reported
2024-06-01 17:10
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nOzKlpo.exe | N/A |
| N/A | N/A | C:\Windows\System\rSWrMpT.exe | N/A |
| N/A | N/A | C:\Windows\System\dLVDSSf.exe | N/A |
| N/A | N/A | C:\Windows\System\vOEoaVx.exe | N/A |
| N/A | N/A | C:\Windows\System\wKqVUdD.exe | N/A |
| N/A | N/A | C:\Windows\System\GvBbcNj.exe | N/A |
| N/A | N/A | C:\Windows\System\JHACHve.exe | N/A |
| N/A | N/A | C:\Windows\System\gbXRhrs.exe | N/A |
| N/A | N/A | C:\Windows\System\XkYqxFh.exe | N/A |
| N/A | N/A | C:\Windows\System\QmRuKLG.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQnotPo.exe | N/A |
| N/A | N/A | C:\Windows\System\aHHfYqC.exe | N/A |
| N/A | N/A | C:\Windows\System\hXXNClh.exe | N/A |
| N/A | N/A | C:\Windows\System\ueYjEjK.exe | N/A |
| N/A | N/A | C:\Windows\System\KOqxqvO.exe | N/A |
| N/A | N/A | C:\Windows\System\SptVUpQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HaLTrxo.exe | N/A |
| N/A | N/A | C:\Windows\System\ECCSOgz.exe | N/A |
| N/A | N/A | C:\Windows\System\KRdsBqi.exe | N/A |
| N/A | N/A | C:\Windows\System\NELHuqR.exe | N/A |
| N/A | N/A | C:\Windows\System\slZMyrZ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d762e27e982c63dae7d8b4861ae7c0cf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\nOzKlpo.exe
C:\Windows\System\nOzKlpo.exe
C:\Windows\System\rSWrMpT.exe
C:\Windows\System\rSWrMpT.exe
C:\Windows\System\dLVDSSf.exe
C:\Windows\System\dLVDSSf.exe
C:\Windows\System\vOEoaVx.exe
C:\Windows\System\vOEoaVx.exe
C:\Windows\System\wKqVUdD.exe
C:\Windows\System\wKqVUdD.exe
C:\Windows\System\GvBbcNj.exe
C:\Windows\System\GvBbcNj.exe
C:\Windows\System\JHACHve.exe
C:\Windows\System\JHACHve.exe
C:\Windows\System\gbXRhrs.exe
C:\Windows\System\gbXRhrs.exe
C:\Windows\System\XkYqxFh.exe
C:\Windows\System\XkYqxFh.exe
C:\Windows\System\QmRuKLG.exe
C:\Windows\System\QmRuKLG.exe
C:\Windows\System\ZQnotPo.exe
C:\Windows\System\ZQnotPo.exe
C:\Windows\System\aHHfYqC.exe
C:\Windows\System\aHHfYqC.exe
C:\Windows\System\hXXNClh.exe
C:\Windows\System\hXXNClh.exe
C:\Windows\System\ueYjEjK.exe
C:\Windows\System\ueYjEjK.exe
C:\Windows\System\KOqxqvO.exe
C:\Windows\System\KOqxqvO.exe
C:\Windows\System\SptVUpQ.exe
C:\Windows\System\SptVUpQ.exe
C:\Windows\System\HaLTrxo.exe
C:\Windows\System\HaLTrxo.exe
C:\Windows\System\ECCSOgz.exe
C:\Windows\System\ECCSOgz.exe
C:\Windows\System\KRdsBqi.exe
C:\Windows\System\KRdsBqi.exe
C:\Windows\System\NELHuqR.exe
C:\Windows\System\NELHuqR.exe
C:\Windows\System\slZMyrZ.exe
C:\Windows\System\slZMyrZ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2044-0-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp
memory/2044-1-0x000001FF62340000-0x000001FF62350000-memory.dmp
C:\Windows\System\nOzKlpo.exe
| MD5 | d4f0d35b51f18915d6a97986473bb36a |
| SHA1 | 64fab789c2564d941d183a614087fdf7c974ec2d |
| SHA256 | 3698dd44f234e0bd631604ca236deb920a9804a560104747b31e164ef4bbf422 |
| SHA512 | f89a94f510f9c6f10fb3ed1a7bccaf7a80814dd92e7e1743f164f3ba1f36eb153cd3cf24a34ea237a96a4485199a6c1be35748d474eb0f9a76a46649dc5ff906 |
C:\Windows\System\rSWrMpT.exe
| MD5 | ef221b9e4e740f02efffa624b3123391 |
| SHA1 | 8d33bd3c7a8b3b3fc36c818d0e7d11dc5e749707 |
| SHA256 | 85abcb22ffc7505a580cbfcd3cd592a1e777192b0696e10f008152ba998849a6 |
| SHA512 | 2c8f530054ee1647f287da9dcbcd78fc18a52fec5ff6528be5612e98ebe4e34ddb7142fb393968df1519fdc212f10239ae699c126c2159c87d46d21161b59051 |
memory/3088-13-0x00007FF7472A0000-0x00007FF7475F4000-memory.dmp
memory/536-16-0x00007FF6F0700000-0x00007FF6F0A54000-memory.dmp
C:\Windows\System\dLVDSSf.exe
| MD5 | 988410f92ee48af197544106cacddb72 |
| SHA1 | ae275f6ee35f2d485ec24dd83b0d6d499dd2a453 |
| SHA256 | a95bfff88eb66676242816ff5c4889498d51850db872bc7edbed530847f6a8ff |
| SHA512 | 27a7ccf2d6ac392e20653c0fecca667c1e2c5455f4d6c2b44c32daf33005d305f2d5f700e784c69186f3f19c1366239e1054dcc3f89972a7bafaca3fc2a6c867 |
memory/3612-20-0x00007FF6F2660000-0x00007FF6F29B4000-memory.dmp
C:\Windows\System\vOEoaVx.exe
| MD5 | 75934adc8f9e6d3f19afe0a1e14b2784 |
| SHA1 | 7087e1846452b3d9b8c58b57368df0d2b4d48d23 |
| SHA256 | 68c7460cda5b728b775309146bf8fe4f6da58dc297bb5332553ef455a2e6e450 |
| SHA512 | 6a3e16bdeeb7288a5789cc1454e84656253b59dfe8fd8278e3ebb3ea8a66ec95c53044f2849a932d6ebab5072fd9555650c87a5a736a17c37d315ba4f57ff08e |
memory/4768-38-0x00007FF6D7EF0000-0x00007FF6D8244000-memory.dmp
C:\Windows\System\GvBbcNj.exe
| MD5 | 272ba9ecb2a53f8e0a4f4aa00da21b7a |
| SHA1 | 79dafa886353cf558f5c0eb7dad0702a38c4ea4b |
| SHA256 | 35b9d8899e215a824f7ec44fdc686cec4d12ec65d47d144381b850aa564841d5 |
| SHA512 | 5e822e2efb8b60ef1a5a77ada4b624309e9f93bc1e97bb5b6d2f126ca4d4e22d27fb56748b32dc6a0b9113009b56d9ea979eed6d7e995f4e78d7f972582afc53 |
C:\Windows\System\JHACHve.exe
| MD5 | 0c3d603e7f15c713e07110f3593f08e2 |
| SHA1 | bfa9a9814ac87a166b5e0c706be5a8db3426f41b |
| SHA256 | 0171a1dffb17655a0e2245a509bf5de617b6edb63a0e2a9b9080c93f5a304e13 |
| SHA512 | 93159260adfa72a6c10df52f8583160f3059a6bf09c93da1303e639afefb57d2d0a4fca993d276d604dfa03bf8dcc9ea6f6595ac63506a8051e03dea761dd6e2 |
C:\Windows\System\gbXRhrs.exe
| MD5 | 5d1b47800f7770201506c453eb15fa5a |
| SHA1 | 63dcef97222ce53da1039cfd7f3f19458dbbe9ef |
| SHA256 | 6ec22ccb088eca2db22675088a2bc43e84f237dc95cbfb284405f8b7d8deb916 |
| SHA512 | 1af54cc925b145ec3defe821380acbca242bc7ea9864f7c20c07965db02cee09944742756975912857058b3a7e0e96990dee99efce886278c798f83dbd4ddd83 |
memory/1484-48-0x00007FF7220D0000-0x00007FF722424000-memory.dmp
C:\Windows\System\XkYqxFh.exe
| MD5 | 9a78c08c5a5fb78da63ede1845d93907 |
| SHA1 | 3acb8af01eb1e55361cf83f81d8c8b4e0c1b7bbf |
| SHA256 | 9c08fcd6316362bfd9654c36d8e42c852b8b9d09f89b737d169b57ac6064cef2 |
| SHA512 | 89633602d85b24723bd2e3d5859da83110056e023ca78451abd2cec2d33222923e974874f9f9d732af7576bef77e297c21a5ed138c60b5c2d86fb40854876a0a |
memory/3560-56-0x00007FF7C96D0000-0x00007FF7C9A24000-memory.dmp
memory/2044-60-0x00007FF7C4640000-0x00007FF7C4994000-memory.dmp
memory/4772-66-0x00007FF6CD860000-0x00007FF6CDBB4000-memory.dmp
memory/3624-69-0x00007FF6E8380000-0x00007FF6E86D4000-memory.dmp
C:\Windows\System\ZQnotPo.exe
| MD5 | e0e41279f9efa48cc30b509cfcaf1635 |
| SHA1 | 2ccd4183f74e478ed18da742112546ffa060ea92 |
| SHA256 | fd267c9bb3892aa1717a413be1bce36077e481b947b3b4d079e0c33a71df2cd0 |
| SHA512 | 0348d57aa7610c9958d02a8caba2ae9407bdd49b55934efd11254ce45022a16685eb67f063d4d4cf335fdb438059f09a5a52e7f628f897e12f9d244b69b88d07 |
C:\Windows\System\QmRuKLG.exe
| MD5 | eb7b74d3419837b044514e9a8ac9d1c6 |
| SHA1 | e0797cd3f2fd681396cbf5505c8047f6b4a9aa8b |
| SHA256 | a3d37df72afe3e64139e61522ac1dc8ebb77ac7543f1eface82149cb246d06a1 |
| SHA512 | c0f5ed334c26ee6300f30118cce5629d51c5061ddee5ad1b7c0ddeb49d6f213e969e5237f869eb530d60a1e7d52113d95f10dfdc411e878ed558d4681300aee7 |
memory/4804-50-0x00007FF7298D0000-0x00007FF729C24000-memory.dmp
memory/1992-32-0x00007FF7C7070000-0x00007FF7C73C4000-memory.dmp
C:\Windows\System\wKqVUdD.exe
| MD5 | b2fb8a17efd39a76bb7054fe458f13ac |
| SHA1 | f3b1a7ae261b7e2d585a7fdaafd3ea20b90e7b42 |
| SHA256 | 8ffbc970dd0ffad7df246a47c550cec563474cbfa7cbd29021e36183dc35a43f |
| SHA512 | c211e3f841f530772dd58451f9ca60111b4ffda2c8f34db5520f114b36220f6e090be93ffde360ba40008b5d0c7ecd8f706a05d64ec3dc65da264eb54e32cacd |
memory/1780-26-0x00007FF66D100000-0x00007FF66D454000-memory.dmp
C:\Windows\System\aHHfYqC.exe
| MD5 | 893a8246b42948b9a06ed20b33532b6a |
| SHA1 | 83c7716ce6a516bdd98c1394f4e33de1321d4ee6 |
| SHA256 | 609559dc4cc9b9f08d60672e18aa2edacd783fda0566a975e97ebec94e47653f |
| SHA512 | 63e7c864c0ba703f394f53d61ca1301cce445459c2e10e7d22ec6497a2a52b36565430b776b09bdd039d96cef79339cc53395ece680c9d90d9bcdec2ace0b24f |
memory/2932-75-0x00007FF7FB430000-0x00007FF7FB784000-memory.dmp
C:\Windows\System\hXXNClh.exe
| MD5 | 6fc1d2a6aa4e5fec1598640195150caa |
| SHA1 | 163971d08fea512c74e8dc6194438875b3a4e2dd |
| SHA256 | c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b |
| SHA512 | 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4 |
C:\Windows\System\hXXNClh.exe
| MD5 | b77891e873582e56e92ba138083e54dd |
| SHA1 | 5249858c2cd1f406c4aa21158719fe4fb1a3afe7 |
| SHA256 | f7a21a253281e0ffe6edeff1956075d5dced7eb1e32518485c5783883ea97a3e |
| SHA512 | 844d7ca22700b9189a784ead4b81a1826972a11dcee9474e73f4eb700d75f470f5f0bb3b99b7ca029133f05a8bcf921bef7a4ca5286d269ae68232fc94f3b446 |
memory/1780-84-0x00007FF66D100000-0x00007FF66D454000-memory.dmp
memory/408-86-0x00007FF6D9140000-0x00007FF6D9494000-memory.dmp
C:\Windows\System\KOqxqvO.exe
| MD5 | 83a55d92f31b981dee72b791cad44b73 |
| SHA1 | cbef31ba3a609f71036845bea3d6fe61a71c6f89 |
| SHA256 | dee6baf23f56f8e251cad8e8df6bc8194e23057c34498a57d780dad76c9315f1 |
| SHA512 | d6cd301af96f32e97c411011be4862ea0df21608598cb1c9ac19548caa5e2c05059a6f6601fe35fc7432feb199661f76a3d893f915b7510e1ad7c7e3e998cda6 |
C:\Windows\System\ECCSOgz.exe
| MD5 | 3c030f65ac0110f2ddfd22c37b06327c |
| SHA1 | 7946878ae67e185d07cff467c562e8b018317884 |
| SHA256 | b17b80144698f354492515de6229d2541083ee80a03e7a523891ef44f62e485a |
| SHA512 | 586c510e75f2983df383fe8606a835266272623d675bcb6c01d769b43bd5ce0094dbd71a3028fa7e658ccc6e82dc1b6c7e391d222acf4cc497a74912830e781f |
C:\Windows\System\KRdsBqi.exe
| MD5 | 8bf5a28ac2a5e84400108e6a32281116 |
| SHA1 | a54baa009569c921e6c189c76dcdcc1843c1545e |
| SHA256 | bd846b8d154725a2b29a7d43fd888bec99377cc00201b3cb449da0e2022f234e |
| SHA512 | 684ac88c8b306781c9a2d191c4bd41a529fd2b9d02eadce648ae8403388c3a4c757f3a65500ad584b348cc4741a108822bc32b37b87a6fe12515433fc6fe3ab7 |
C:\Windows\System\NELHuqR.exe
| MD5 | 04d51d193560bd7cbe3c1aa4176588ed |
| SHA1 | 50c403f2cdd24613871102930823a4077a309a84 |
| SHA256 | d2f2e6f71c7392c54365bfeba96646f1b48bfc2b35cee99399fabe8555745a79 |
| SHA512 | 16c84370d3456e4b479306cb1207e32853b3b3dacdc34ee2c06bac6f00e0ed99d27f6c49bc2894052479d03d45c8d3898044a71ee9425a44f4f5a31a42b6918a |
C:\Windows\System\slZMyrZ.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
C:\Windows\System\slZMyrZ.exe
| MD5 | 0d5b011114595b7d7d9094d27d093553 |
| SHA1 | 987525dc27a5cc5a41b4fe4bb89ab58e8a13c765 |
| SHA256 | 1ea25a87f1c224a8af145c82285fa057e0153c8de738ed19b5c3fe5d1143000b |
| SHA512 | 975e8b1a83c3703fd3b61e4ccf69fbbe89341a863dd837d0bb056446a13e9572f46eb7b89abae4ae13e9121d8f156e1b514a1eb13b14117b28f3b4e729cbdcc0 |
memory/5080-125-0x00007FF70BD70000-0x00007FF70C0C4000-memory.dmp
memory/4804-124-0x00007FF7298D0000-0x00007FF729C24000-memory.dmp
memory/4788-121-0x00007FF674AE0000-0x00007FF674E34000-memory.dmp
memory/4412-120-0x00007FF78C5C0000-0x00007FF78C914000-memory.dmp
C:\Windows\System\NELHuqR.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
memory/4140-116-0x00007FF717400000-0x00007FF717754000-memory.dmp
memory/2396-106-0x00007FF67D360000-0x00007FF67D6B4000-memory.dmp
C:\Windows\System\HaLTrxo.exe
| MD5 | f030e73d61b0a6ca7ac30a89910fcdc5 |
| SHA1 | 313d78a16de68238937bf81741c9dbec6c0c1401 |
| SHA256 | ae06c1352f3beda74b9b86089e9b5b6bdd216e2196e2a0303b964f930c31c0ed |
| SHA512 | a62a267ff4e60e3ba56149f72172514e71c063cfc2de0fab721af28a92aece7ce6d3bf01545a2abaa9e86dc19213f998270bdde5fbd91922382d7dcaa773f865 |
C:\Windows\System\SptVUpQ.exe
| MD5 | a26702a3a1f517e4a78ac0feb8a2e9f6 |
| SHA1 | 8eb22016e172bf16b1c7d6e4aa9d64506372339c |
| SHA256 | da4691fd0024db5ba759ae9c47d1b0a18f0bdfc9d575fa30b14aab3f9e506740 |
| SHA512 | 366fe15ba4b58988d8acec69e218a93e7b800c7a3f4eb5fb2b98efa2818d4a2bfd4cf5c56485f6cf705724f100738e3b1c7338a80df7ba0350207edae8d15033 |
memory/3384-99-0x00007FF760340000-0x00007FF760694000-memory.dmp
C:\Windows\System\ueYjEjK.exe
| MD5 | cf26e0d9bd7a2d965883d0f1d159c45f |
| SHA1 | b849d7d4f3d2d8072543ed7154069361d0c67e92 |
| SHA256 | 7c98bf851775d40674541d1fe6d5d27a4faf48221d2ac15896c95daf459dbdba |
| SHA512 | b98cbe03180fa5d6512490041a501e4ccc11c2019f9abc670b643db7545dad83c94ca89efb8a62f73f40fbe63edf29412523659921df7ef641af9c5acf6b5bc7 |
memory/4840-83-0x00007FF636A70000-0x00007FF636DC4000-memory.dmp
C:\Windows\System\ueYjEjK.exe
| MD5 | 4b7216d89e20f49e9c16c0253cc47511 |
| SHA1 | 2897390157f4ddd1aa5b6b0434e8fd2685151896 |
| SHA256 | 04a2e3581379ca63394646169e2f7cb8764608261eb5b43957d0130fd0e5013f |
| SHA512 | f54f6e029123d95222d09bc2138897f709e3650dbd2270183df96ad9e927ef303c0844f40a0b5cc26ee82536f2274eb38af1088d33729d685b4f9415ecb7be84 |