Analysis Overview
SHA256
12bde61e9ca0a7cbd29b99924a31be0613fd98d044b1b0703cc01810a909d83d
Threat Level: Known bad
The file 2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Detects Reflective DLL injection artifacts
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 21:07
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(2 hits, no details recorded)
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 21:07
Reported
2024-05-29 21:10
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits, no details recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits, no details recorded)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 hits, no details recorded)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(45 hits, no details recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hhJvzwR.exe | N/A |
| N/A | N/A | C:\Windows\System\zNlcRNZ.exe | N/A |
| N/A | N/A | C:\Windows\System\VCkAmos.exe | N/A |
| N/A | N/A | C:\Windows\System\knPzQxL.exe | N/A |
| N/A | N/A | C:\Windows\System\SDDORAT.exe | N/A |
| N/A | N/A | C:\Windows\System\BkhgABM.exe | N/A |
| N/A | N/A | C:\Windows\System\rgwHSMF.exe | N/A |
| N/A | N/A | C:\Windows\System\TvjhXFi.exe | N/A |
| N/A | N/A | C:\Windows\System\QLAluEd.exe | N/A |
| N/A | N/A | C:\Windows\System\KjoZrLj.exe | N/A |
| N/A | N/A | C:\Windows\System\nATmHie.exe | N/A |
| N/A | N/A | C:\Windows\System\NyOOUpe.exe | N/A |
| N/A | N/A | C:\Windows\System\XcjjfPW.exe | N/A |
| N/A | N/A | C:\Windows\System\SusteVJ.exe | N/A |
| N/A | N/A | C:\Windows\System\zyMuWGk.exe | N/A |
| N/A | N/A | C:\Windows\System\BLWOWZr.exe | N/A |
| N/A | N/A | C:\Windows\System\IGuWhqW.exe | N/A |
| N/A | N/A | C:\Windows\System\jYCuEAB.exe | N/A |
| N/A | N/A | C:\Windows\System\SifaOgN.exe | N/A |
| N/A | N/A | C:\Windows\System\bPJTrxg.exe | N/A |
| N/A | N/A | C:\Windows\System\HDPlrpo.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 hits, no details recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hhJvzwR.exe
C:\Windows\System\hhJvzwR.exe
C:\Windows\System\zNlcRNZ.exe
C:\Windows\System\zNlcRNZ.exe
C:\Windows\System\VCkAmos.exe
C:\Windows\System\VCkAmos.exe
C:\Windows\System\knPzQxL.exe
C:\Windows\System\knPzQxL.exe
C:\Windows\System\SDDORAT.exe
C:\Windows\System\SDDORAT.exe
C:\Windows\System\BkhgABM.exe
C:\Windows\System\BkhgABM.exe
C:\Windows\System\rgwHSMF.exe
C:\Windows\System\rgwHSMF.exe
C:\Windows\System\TvjhXFi.exe
C:\Windows\System\TvjhXFi.exe
C:\Windows\System\QLAluEd.exe
C:\Windows\System\QLAluEd.exe
C:\Windows\System\KjoZrLj.exe
C:\Windows\System\KjoZrLj.exe
C:\Windows\System\nATmHie.exe
C:\Windows\System\nATmHie.exe
C:\Windows\System\NyOOUpe.exe
C:\Windows\System\NyOOUpe.exe
C:\Windows\System\XcjjfPW.exe
C:\Windows\System\XcjjfPW.exe
C:\Windows\System\SusteVJ.exe
C:\Windows\System\SusteVJ.exe
C:\Windows\System\zyMuWGk.exe
C:\Windows\System\zyMuWGk.exe
C:\Windows\System\BLWOWZr.exe
C:\Windows\System\BLWOWZr.exe
C:\Windows\System\IGuWhqW.exe
C:\Windows\System\IGuWhqW.exe
C:\Windows\System\jYCuEAB.exe
C:\Windows\System\jYCuEAB.exe
C:\Windows\System\SifaOgN.exe
C:\Windows\System\SifaOgN.exe
C:\Windows\System\bPJTrxg.exe
C:\Windows\System\bPJTrxg.exe
C:\Windows\System\HDPlrpo.exe
C:\Windows\System\HDPlrpo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/1192-0-0x00007FF758880000-0x00007FF758BD1000-memory.dmp
memory/1192-1-0x00000249DB2D0000-0x00000249DB2E0000-memory.dmp
C:\Windows\System\hhJvzwR.exe
| MD5 | 8ccac03fd2c1803424dc7f8231e16221 |
| SHA1 | 37df042438cd796781773443d292f1a84e149401 |
| SHA256 | b7978177fc457f0a022d6ff1d8c47a2f8fb8b5462715368ede6a0b3d4fd76eb8 |
| SHA512 | 8d81de3f72515cbf6e6aa4683cf7bf2ed964a40f10b3aec227f55e9b9ed997efde21236ce5a4d0929f68a5dd524a4f322a96e0d89213ad801afd7dbae4676ebf |
memory/732-8-0x00007FF6E0540000-0x00007FF6E0891000-memory.dmp
C:\Windows\System\zNlcRNZ.exe
| MD5 | 686c51a3ce8cc19f0320f6ca4dc06be3 |
| SHA1 | a4eae3be1dce6ce0e1a75e2efc98924fe779255e |
| SHA256 | 7ea3340614eb893577313bb46ea4756bdaf37cb39d2e16c687be4fc1cc453b41 |
| SHA512 | 23e2ec6b26c6e60f37bdf065bb083c2f3ff388681a3ac32315141ea0b303761bba10c62a5d88a4fe61cbc5fdf819a75d841526e8f4d5e3055739a6a25242b35f |
C:\Windows\System\VCkAmos.exe
| MD5 | 64da065fc0f4e9b296dca75cd5a9792b |
| SHA1 | d2626305d3e03d8a0359b48e5002dff995e7b0dd |
| SHA256 | 910886b9143b2aa9d261f72fe4d9effd9bba9b38240ff084d000d86f36228bf3 |
| SHA512 | 346915feb3eaa79da876f57432252b6530c53eefc2082656c7d1029341002e328033efeae384eae11adfba85fcf12b6a322ade4bb5d48af9418a5ef5c261a7bf |
memory/2848-16-0x00007FF77B4C0000-0x00007FF77B811000-memory.dmp
C:\Windows\System\knPzQxL.exe
| MD5 | 1af25cc1b2aa54220ab89b3b675b9fc5 |
| SHA1 | 20d3c30c981645a4b9b6005172d23d6e2f4d3691 |
| SHA256 | 769617bf693fb7e1099b8bd1b163506044ab80a0272babd2a09842589dca12b4 |
| SHA512 | 039382778a18c17cdbc0ca759f0226dc145d23e7a26b126367966bf7d535ca6c4fadd295102e789b184bce4e2ac4b438e0e2631d06297e78221b0a4f0f1849e4 |
memory/3432-20-0x00007FF7C1C20000-0x00007FF7C1F71000-memory.dmp
C:\Windows\System\SDDORAT.exe
| MD5 | 0ece59447b9eeb3f827f52ad4796e831 |
| SHA1 | f7793cb9ce7596f4ebd3f0fcb6dda75e98ed73ee |
| SHA256 | 7a560e91dad00e38aecf44c6a5ca83f61092c7487e34b24a7c0078c787688a47 |
| SHA512 | 223e3de9ad4123bb6a65554403c5c6458e148b44139092c8d364bf4a595bfea1946bbdd1041dd01caaae277f7ad49befc37fdb70a8643186956a9cec1685667f |
memory/3864-28-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp
memory/1824-30-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp
C:\Windows\System\BkhgABM.exe
| MD5 | ea837a2effdf598ca670808c1db20a1a |
| SHA1 | c405a5219eff171e5e93cb9738ab423da1299036 |
| SHA256 | ca2e7a7eae94c67b69042c7ef0655ab2898d4799bf63121f40e20ea8fb78f9d4 |
| SHA512 | 2d5fbdf66e614e8e0314ae0fa6faed9d4f745b7cfc97988d92ca6d81c3a98d64ab619c75fa07088c5f912ba08fe1fe85b3888db1ecbcd4299c251bdff3d2a682 |
C:\Windows\System\rgwHSMF.exe
| MD5 | 0b46aa6fd706ee83875774f75117d1a9 |
| SHA1 | 29fa4ffdf2aa42bc39e6e4335b8110df46d5025b |
| SHA256 | d4c6ef7d384d34200d528ed7a88fe92109b041cb26bd1e5e9d8a495cdaf92db7 |
| SHA512 | 8634e85aac9604a5169d43ea94d88fc6c57ddb2c85965925a46533619b60f816ae63c50c2436c510d9a8678a6a3b80df4164a49f6ae1ec3a1cd869952d2a5871 |
C:\Windows\System\TvjhXFi.exe
| MD5 | 290ae6165e93e8d03c2da75f41b8fc9a |
| SHA1 | 5818de01a1d78d5d1edb0aeae71513fc169d1541 |
| SHA256 | afb5d6c8a170e304f42b7df9eca303daa1fec2cf320eb3de4f58367afcbd7c8e |
| SHA512 | 9ff5c90da13c6d8603d52a19856e22c05a72c64357b4ba59fb88134c24fc76fc9d664fc28100911f0326a53ce1522f8d954143b07917a30a630b07f1c3ffe215 |
memory/2860-47-0x00007FF6328D0000-0x00007FF632C21000-memory.dmp
C:\Windows\System\QLAluEd.exe
| MD5 | 4402f7a28a21a1d504fd12c93388842f |
| SHA1 | 8cac19c08751d91e13795b5ad3e750a4fb445a9e |
| SHA256 | 70d0453f93b9ee78242f2a0d657dbbfe88d3f1b94a78adbc42d04802a04822b7 |
| SHA512 | 9aee062d09ff192dcc1a96328d6a3be84515d656a71eab034e54a8b9e393e35a177851eb79d47ba8fceb3ece7318e14adddd4b5ca152322b00492234193181f7 |
C:\Windows\System\KjoZrLj.exe
| MD5 | ae0f95e73ea92262413bce028b0ba46f |
| SHA1 | e524c5f9b0cf461a0b045e62cd5e4b30a2e4ae45 |
| SHA256 | c8a692b25d1850f173a962ade94ff7699b35b4022660cc215566f1f6e5b0197b |
| SHA512 | 3aa0784a7b7d6d9d993bef32a848944bf555fa3036fc91cd2153f7edc7ca80eca90b48adbf8c3c8d1cc876f4196fd5e1d109ee26f86cbc418505e72ea7ac55fb |
C:\Windows\System\nATmHie.exe
| MD5 | 9414c4510296359fb0e26ebb5a7f0a2f |
| SHA1 | 14d20a63bb4532764866193ab312e4ab229eb35a |
| SHA256 | 5367b648023ed64793e3a1eb464603781ec82e4e6854c8becda3d8b54295457d |
| SHA512 | 599db02574f1a23c0982e5d2204e504c059bb50cbeb1ff8c642e549c972272f3a1e3840453c33fe603f9a99976879ad50c823917da8f54f7193184f67e83eaf8 |
C:\Windows\System\XcjjfPW.exe
| MD5 | de5b228fb1f0dea70b2ad77976450325 |
| SHA1 | 5c4f9125d6e71fdceac51cd0a8da9b102d892dd0 |
| SHA256 | f241de43a107e7104bcda5f354699e477854753b8347ba006a139133c76a1320 |
| SHA512 | bbea47f5ce328fccdbf54aa022c1848358be0bbdd9125107cc57225a50fcd109245acab9df4ca6e5a73f0f94b83d79329f6804c36cd8c18f0976948d0a4de1a7 |
C:\Windows\System\zyMuWGk.exe
| MD5 | 5e486b8b680e288f42eae5ef70799416 |
| SHA1 | 4311218eb7e68720913e93c50ec8bf673544fa29 |
| SHA256 | e7bde4a07007133bf4c1ae821f629ff04d93c5aafc8ba6264bf7d0b1193b8373 |
| SHA512 | 0a973310dbfbc4915cb036d3fe27d8de41cdf40440828fdaa025cf833ea33cf30a143dd7a1b8f4ac6490ba5a4729c57289c2d2b3278475182b26d34b6d7ebea9 |
C:\Windows\System\BLWOWZr.exe
| MD5 | dd4f0ea6e741976e0453f59850da3ac5 |
| SHA1 | aabb76b6a640555143b308cf2d9bc9be0449b160 |
| SHA256 | 8edbe49d8e0ef7a9d51867982ddf70a85fffddb90e11e23401e0dd1daa8800f0 |
| SHA512 | 0e13255ff7563d4437953a57673e2791935dabc06a2e341ee8ced891f2d42a96eaeda4b54de48934189b1826230b929e17534f50a948f308b8921a166f5220e0 |
C:\Windows\System\jYCuEAB.exe
| MD5 | 28ad2be5eac0f79ee0f060ce69227a88 |
| SHA1 | 49caf21f07aba1358dd4a3fba64b487b7065fc38 |
| SHA256 | 461cf3b19e0ad3e68d83638432bb5f5e8f5b9bad101106af0fb275d353b6e2db |
| SHA512 | 1ab10eca8b894ed614fa1bc921cb8a1a45c97ceeaad9469a9a110e33991c23d2b786e3fc280e2c5f5ddbae1ee33f2ffc13e0aca0099c8904a4bb2df8f5e05221 |
C:\Windows\System\IGuWhqW.exe
| MD5 | 5db8a4b3e809c144ad62f7e02a719bf1 |
| SHA1 | 5abec9498e68369e66dd4b2a57d0a27018e3aa56 |
| SHA256 | aca2ec8976b6b1bdb87f32ca3229b0b0080e6d207e5163de50a85a1dac581105 |
| SHA512 | 894ba9a356219064429f94b853281331adc092bbc65543249a03e8e8926efe0270f436c764d2e5fd33e36982aac0ae5a6fd99c3183a5417e1d3063c66ce4c9d5 |
C:\Windows\System\SusteVJ.exe
| MD5 | 23b14758e77d837a87973be7ddafb69a |
| SHA1 | 64af4610e2fa631a5543a6dcbc70594d4cd86e01 |
| SHA256 | bf41dc22e912f52f157f4ce00a9c3eaecc396d1eef8f37136ab622ff874e07a2 |
| SHA512 | 12e90ad277b2f36fcf461ddc73481dc7d4d2835472230bdffb38a6566b2669670ce7fab201d28972246e700ec81c76b6d91b4208b4c18ad22b496cf9d4472559 |
C:\Windows\System\bPJTrxg.exe
| MD5 | 8839d819b8d657a3299bd849493bf092 |
| SHA1 | 96186cc875ccf0d163b01a45797df2207de42ca5 |
| SHA256 | ec465aa3fec8eeb3cb966d7ce375512e6e3f5c9759e3e339aa9a3c017bdb4b67 |
| SHA512 | 1e5bd519124d8c8e583f2fdb1e0acebf6b823a9f8aa6e4be72b8371290c609eb315ca697dcf71c6543a1ae37eb4da31a45595441ddfcf659dc980e0cf015202b |
C:\Windows\System\HDPlrpo.exe
| MD5 | 740a51714bfd99a224ef6b24701d5bbc |
| SHA1 | f9aef7cec8eb90204e59a0bab7a28ff29e87dfe1 |
| SHA256 | 52e00ee0338dd67c544cd1abd913bfccc9f84420a2d4c8221e6fb8ad863f450d |
| SHA512 | 38e3576146c9288d2b8c35d90fe00afcd18cf342c4aa14d1324c1fa41b5b61851ef1b3b471f17d8330c67019a443d020c67e7f92eba3dbd262df527c939cc06d |
C:\Windows\System\SifaOgN.exe
| MD5 | 3562e25fa6235ed65cb06a8291725947 |
| SHA1 | 6ff66db358f784d11963a4addb3d49c52013d7a0 |
| SHA256 | c4742c69a1a9ba231b0bffa02993a76059a48e071baa7e5bb40ee01afe26cd30 |
| SHA512 | 73bf61336a78a5baecd0b85b0d2f53e58b998e03d3f5073a9ac5da7a83cfc2fd46bf83d24c8daf09a8e9db6261b5727c782214cf99772bed88ea3175e41fc6bf |
C:\Windows\System\NyOOUpe.exe
| MD5 | 401cd6877b8062dd7ad0f5ac22837c64 |
| SHA1 | 43d53c604ca46db702ad68dcdbf4f1af8a83057a |
| SHA256 | 26328276dde8c8b1ab172643075067a63ac72308ca7d855a55ac4d8552546b1a |
| SHA512 | eead477b3b4c0f0d57f01c706711c38150d1994043701033162eb4f82ff51fd8f9ee24b9bffb419281cbce777082879d43a2b8164d00c3d261857757e4891db9 |
memory/4520-48-0x00007FF6D2190000-0x00007FF6D24E1000-memory.dmp
memory/1984-46-0x00007FF7B3690000-0x00007FF7B39E1000-memory.dmp
memory/3404-115-0x00007FF670DA0000-0x00007FF6710F1000-memory.dmp
memory/1192-116-0x00007FF758880000-0x00007FF758BD1000-memory.dmp
memory/732-117-0x00007FF6E0540000-0x00007FF6E0891000-memory.dmp
memory/1616-121-0x00007FF7AF1F0000-0x00007FF7AF541000-memory.dmp
memory/2136-122-0x00007FF70AA30000-0x00007FF70AD81000-memory.dmp
memory/548-124-0x00007FF7C32C0000-0x00007FF7C3611000-memory.dmp
memory/3684-123-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp
memory/3456-125-0x00007FF7C5010000-0x00007FF7C5361000-memory.dmp
memory/3644-126-0x00007FF69DAF0000-0x00007FF69DE41000-memory.dmp
memory/3408-127-0x00007FF758DF0000-0x00007FF759141000-memory.dmp
memory/1824-129-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp
memory/552-128-0x00007FF6E0F70000-0x00007FF6E12C1000-memory.dmp
memory/4068-131-0x00007FF7B3C10000-0x00007FF7B3F61000-memory.dmp
memory/2472-133-0x00007FF7914D0000-0x00007FF791821000-memory.dmp
memory/3240-134-0x00007FF70A7A0000-0x00007FF70AAF1000-memory.dmp
memory/4688-132-0x00007FF66DF40000-0x00007FF66E291000-memory.dmp
memory/3404-137-0x00007FF670DA0000-0x00007FF6710F1000-memory.dmp
memory/4520-136-0x00007FF6D2190000-0x00007FF6D24E1000-memory.dmp
memory/1192-150-0x00007FF758880000-0x00007FF758BD1000-memory.dmp
memory/1192-151-0x00007FF758880000-0x00007FF758BD1000-memory.dmp
memory/732-196-0x00007FF6E0540000-0x00007FF6E0891000-memory.dmp
memory/2848-204-0x00007FF77B4C0000-0x00007FF77B811000-memory.dmp
memory/3432-206-0x00007FF7C1C20000-0x00007FF7C1F71000-memory.dmp
memory/3864-208-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp
memory/1824-210-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp
memory/1984-212-0x00007FF7B3690000-0x00007FF7B39E1000-memory.dmp
memory/2860-214-0x00007FF6328D0000-0x00007FF632C21000-memory.dmp
memory/4520-216-0x00007FF6D2190000-0x00007FF6D24E1000-memory.dmp
memory/3240-231-0x00007FF70A7A0000-0x00007FF70AAF1000-memory.dmp
memory/3404-230-0x00007FF670DA0000-0x00007FF6710F1000-memory.dmp
memory/1616-234-0x00007FF7AF1F0000-0x00007FF7AF541000-memory.dmp
memory/2136-235-0x00007FF70AA30000-0x00007FF70AD81000-memory.dmp
memory/3644-238-0x00007FF69DAF0000-0x00007FF69DE41000-memory.dmp
memory/3408-245-0x00007FF758DF0000-0x00007FF759141000-memory.dmp
memory/552-247-0x00007FF6E0F70000-0x00007FF6E12C1000-memory.dmp
memory/3684-243-0x00007FF76B0C0000-0x00007FF76B411000-memory.dmp
memory/3456-241-0x00007FF7C5010000-0x00007FF7C5361000-memory.dmp
memory/548-239-0x00007FF7C32C0000-0x00007FF7C3611000-memory.dmp
memory/4068-249-0x00007FF7B3C10000-0x00007FF7B3F61000-memory.dmp
memory/2472-251-0x00007FF7914D0000-0x00007FF791821000-memory.dmp
memory/4688-253-0x00007FF66DF40000-0x00007FF66E291000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 21:07
Reported
2024-05-29 21:10
Platform
win7-20240508-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits, no details recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits, no details recorded)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(62 hits, no details recorded)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(39 hits, no details recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hhJvzwR.exe | N/A |
| N/A | N/A | C:\Windows\System\zNlcRNZ.exe | N/A |
| N/A | N/A | C:\Windows\System\VCkAmos.exe | N/A |
| N/A | N/A | C:\Windows\System\SDDORAT.exe | N/A |
| N/A | N/A | C:\Windows\System\knPzQxL.exe | N/A |
| N/A | N/A | C:\Windows\System\BkhgABM.exe | N/A |
| N/A | N/A | C:\Windows\System\rgwHSMF.exe | N/A |
| N/A | N/A | C:\Windows\System\TvjhXFi.exe | N/A |
| N/A | N/A | C:\Windows\System\QLAluEd.exe | N/A |
| N/A | N/A | C:\Windows\System\KjoZrLj.exe | N/A |
| N/A | N/A | C:\Windows\System\nATmHie.exe | N/A |
| N/A | N/A | C:\Windows\System\XcjjfPW.exe | N/A |
| N/A | N/A | C:\Windows\System\zyMuWGk.exe | N/A |
| N/A | N/A | C:\Windows\System\IGuWhqW.exe | N/A |
| N/A | N/A | C:\Windows\System\NyOOUpe.exe | N/A |
| N/A | N/A | C:\Windows\System\SusteVJ.exe | N/A |
| N/A | N/A | C:\Windows\System\BLWOWZr.exe | N/A |
| N/A | N/A | C:\Windows\System\jYCuEAB.exe | N/A |
| N/A | N/A | C:\Windows\System\SifaOgN.exe | N/A |
| N/A | N/A | C:\Windows\System\bPJTrxg.exe | N/A |
| N/A | N/A | C:\Windows\System\HDPlrpo.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(62 hits, no details recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e50ceb4368be130239e15fc8cba107ee_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hhJvzwR.exe
C:\Windows\System\hhJvzwR.exe
C:\Windows\System\zNlcRNZ.exe
C:\Windows\System\zNlcRNZ.exe
C:\Windows\System\VCkAmos.exe
C:\Windows\System\VCkAmos.exe
C:\Windows\System\knPzQxL.exe
C:\Windows\System\knPzQxL.exe
C:\Windows\System\SDDORAT.exe
C:\Windows\System\SDDORAT.exe
C:\Windows\System\BkhgABM.exe
C:\Windows\System\BkhgABM.exe
C:\Windows\System\rgwHSMF.exe
C:\Windows\System\rgwHSMF.exe
C:\Windows\System\TvjhXFi.exe
C:\Windows\System\TvjhXFi.exe
C:\Windows\System\QLAluEd.exe
C:\Windows\System\QLAluEd.exe
C:\Windows\System\KjoZrLj.exe
C:\Windows\System\KjoZrLj.exe
C:\Windows\System\nATmHie.exe
C:\Windows\System\nATmHie.exe
C:\Windows\System\NyOOUpe.exe
C:\Windows\System\NyOOUpe.exe
C:\Windows\System\XcjjfPW.exe
C:\Windows\System\XcjjfPW.exe
C:\Windows\System\SusteVJ.exe
C:\Windows\System\SusteVJ.exe
C:\Windows\System\zyMuWGk.exe
C:\Windows\System\zyMuWGk.exe
C:\Windows\System\BLWOWZr.exe
C:\Windows\System\BLWOWZr.exe
C:\Windows\System\IGuWhqW.exe
C:\Windows\System\IGuWhqW.exe
C:\Windows\System\jYCuEAB.exe
C:\Windows\System\jYCuEAB.exe
C:\Windows\System\SifaOgN.exe
C:\Windows\System\SifaOgN.exe
C:\Windows\System\bPJTrxg.exe
C:\Windows\System\bPJTrxg.exe
C:\Windows\System\HDPlrpo.exe
C:\Windows\System\HDPlrpo.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2244-0-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2244-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\hhJvzwR.exe
| MD5 | 8ccac03fd2c1803424dc7f8231e16221 |
| SHA1 | 37df042438cd796781773443d292f1a84e149401 |
| SHA256 | b7978177fc457f0a022d6ff1d8c47a2f8fb8b5462715368ede6a0b3d4fd76eb8 |
| SHA512 | 8d81de3f72515cbf6e6aa4683cf7bf2ed964a40f10b3aec227f55e9b9ed997efde21236ce5a4d0929f68a5dd524a4f322a96e0d89213ad801afd7dbae4676ebf |
memory/1708-13-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
C:\Windows\system\zNlcRNZ.exe
| MD5 | 686c51a3ce8cc19f0320f6ca4dc06be3 |
| SHA1 | a4eae3be1dce6ce0e1a75e2efc98924fe779255e |
| SHA256 | 7ea3340614eb893577313bb46ea4756bdaf37cb39d2e16c687be4fc1cc453b41 |
| SHA512 | 23e2ec6b26c6e60f37bdf065bb083c2f3ff388681a3ac32315141ea0b303761bba10c62a5d88a4fe61cbc5fdf819a75d841526e8f4d5e3055739a6a25242b35f |
memory/2244-7-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2064-23-0x000000013FE00000-0x0000000140151000-memory.dmp
\Windows\system\SDDORAT.exe
| MD5 | 0ece59447b9eeb3f827f52ad4796e831 |
| SHA1 | f7793cb9ce7596f4ebd3f0fcb6dda75e98ed73ee |
| SHA256 | 7a560e91dad00e38aecf44c6a5ca83f61092c7487e34b24a7c0078c787688a47 |
| SHA512 | 223e3de9ad4123bb6a65554403c5c6458e148b44139092c8d364bf4a595bfea1946bbdd1041dd01caaae277f7ad49befc37fdb70a8643186956a9cec1685667f |
C:\Windows\system\knPzQxL.exe
| MD5 | 1af25cc1b2aa54220ab89b3b675b9fc5 |
| SHA1 | 20d3c30c981645a4b9b6005172d23d6e2f4d3691 |
| SHA256 | 769617bf693fb7e1099b8bd1b163506044ab80a0272babd2a09842589dca12b4 |
| SHA512 | 039382778a18c17cdbc0ca759f0226dc145d23e7a26b126367966bf7d535ca6c4fadd295102e789b184bce4e2ac4b438e0e2631d06297e78221b0a4f0f1849e4 |
\Windows\system\VCkAmos.exe
| MD5 | 64da065fc0f4e9b296dca75cd5a9792b |
| SHA1 | d2626305d3e03d8a0359b48e5002dff995e7b0dd |
| SHA256 | 910886b9143b2aa9d261f72fe4d9effd9bba9b38240ff084d000d86f36228bf3 |
| SHA512 | 346915feb3eaa79da876f57432252b6530c53eefc2082656c7d1029341002e328033efeae384eae11adfba85fcf12b6a322ade4bb5d48af9418a5ef5c261a7bf |
C:\Windows\system\rgwHSMF.exe
| MD5 | 0b46aa6fd706ee83875774f75117d1a9 |
| SHA1 | 29fa4ffdf2aa42bc39e6e4335b8110df46d5025b |
| SHA256 | d4c6ef7d384d34200d528ed7a88fe92109b041cb26bd1e5e9d8a495cdaf92db7 |
| SHA512 | 8634e85aac9604a5169d43ea94d88fc6c57ddb2c85965925a46533619b60f816ae63c50c2436c510d9a8678a6a3b80df4164a49f6ae1ec3a1cd869952d2a5871 |
\Windows\system\TvjhXFi.exe
| MD5 | 290ae6165e93e8d03c2da75f41b8fc9a |
| SHA1 | 5818de01a1d78d5d1edb0aeae71513fc169d1541 |
| SHA256 | afb5d6c8a170e304f42b7df9eca303daa1fec2cf320eb3de4f58367afcbd7c8e |
| SHA512 | 9ff5c90da13c6d8603d52a19856e22c05a72c64357b4ba59fb88134c24fc76fc9d664fc28100911f0326a53ce1522f8d954143b07917a30a630b07f1c3ffe215 |
memory/2684-65-0x000000013FCC0000-0x0000000140011000-memory.dmp
C:\Windows\system\KjoZrLj.exe
| MD5 | ae0f95e73ea92262413bce028b0ba46f |
| SHA1 | e524c5f9b0cf461a0b045e62cd5e4b30a2e4ae45 |
| SHA256 | c8a692b25d1850f173a962ade94ff7699b35b4022660cc215566f1f6e5b0197b |
| SHA512 | 3aa0784a7b7d6d9d993bef32a848944bf555fa3036fc91cd2153f7edc7ca80eca90b48adbf8c3c8d1cc876f4196fd5e1d109ee26f86cbc418505e72ea7ac55fb |
memory/2244-71-0x00000000023B0000-0x0000000002701000-memory.dmp
\Windows\system\NyOOUpe.exe
| MD5 | 401cd6877b8062dd7ad0f5ac22837c64 |
| SHA1 | 43d53c604ca46db702ad68dcdbf4f1af8a83057a |
| SHA256 | 26328276dde8c8b1ab172643075067a63ac72308ca7d855a55ac4d8552546b1a |
| SHA512 | eead477b3b4c0f0d57f01c706711c38150d1994043701033162eb4f82ff51fd8f9ee24b9bffb419281cbce777082879d43a2b8164d00c3d261857757e4891db9 |
C:\Windows\system\bPJTrxg.exe
| MD5 | 8839d819b8d657a3299bd849493bf092 |
| SHA1 | 96186cc875ccf0d163b01a45797df2207de42ca5 |
| SHA256 | ec465aa3fec8eeb3cb966d7ce375512e6e3f5c9759e3e339aa9a3c017bdb4b67 |
| SHA512 | 1e5bd519124d8c8e583f2fdb1e0acebf6b823a9f8aa6e4be72b8371290c609eb315ca697dcf71c6543a1ae37eb4da31a45595441ddfcf659dc980e0cf015202b |
C:\Windows\system\HDPlrpo.exe
| MD5 | 740a51714bfd99a224ef6b24701d5bbc |
| SHA1 | f9aef7cec8eb90204e59a0bab7a28ff29e87dfe1 |
| SHA256 | 52e00ee0338dd67c544cd1abd913bfccc9f84420a2d4c8221e6fb8ad863f450d |
| SHA512 | 38e3576146c9288d2b8c35d90fe00afcd18cf342c4aa14d1324c1fa41b5b61851ef1b3b471f17d8330c67019a443d020c67e7f92eba3dbd262df527c939cc06d |
C:\Windows\system\SifaOgN.exe
| MD5 | 3562e25fa6235ed65cb06a8291725947 |
| SHA1 | 6ff66db358f784d11963a4addb3d49c52013d7a0 |
| SHA256 | c4742c69a1a9ba231b0bffa02993a76059a48e071baa7e5bb40ee01afe26cd30 |
| SHA512 | 73bf61336a78a5baecd0b85b0d2f53e58b998e03d3f5073a9ac5da7a83cfc2fd46bf83d24c8daf09a8e9db6261b5727c782214cf99772bed88ea3175e41fc6bf |
C:\Windows\system\jYCuEAB.exe
| MD5 | 28ad2be5eac0f79ee0f060ce69227a88 |
| SHA1 | 49caf21f07aba1358dd4a3fba64b487b7065fc38 |
| SHA256 | 461cf3b19e0ad3e68d83638432bb5f5e8f5b9bad101106af0fb275d353b6e2db |
| SHA512 | 1ab10eca8b894ed614fa1bc921cb8a1a45c97ceeaad9469a9a110e33991c23d2b786e3fc280e2c5f5ddbae1ee33f2ffc13e0aca0099c8904a4bb2df8f5e05221 |
memory/2244-97-0x00000000023B0000-0x0000000002701000-memory.dmp
\Windows\system\BLWOWZr.exe
| MD5 | dd4f0ea6e741976e0453f59850da3ac5 |
| SHA1 | aabb76b6a640555143b308cf2d9bc9be0449b160 |
| SHA256 | 8edbe49d8e0ef7a9d51867982ddf70a85fffddb90e11e23401e0dd1daa8800f0 |
| SHA512 | 0e13255ff7563d4437953a57673e2791935dabc06a2e341ee8ced891f2d42a96eaeda4b54de48934189b1826230b929e17534f50a948f308b8921a166f5220e0 |
C:\Windows\system\XcjjfPW.exe
| MD5 | de5b228fb1f0dea70b2ad77976450325 |
| SHA1 | 5c4f9125d6e71fdceac51cd0a8da9b102d892dd0 |
| SHA256 | f241de43a107e7104bcda5f354699e477854753b8347ba006a139133c76a1320 |
| SHA512 | bbea47f5ce328fccdbf54aa022c1848358be0bbdd9125107cc57225a50fcd109245acab9df4ca6e5a73f0f94b83d79329f6804c36cd8c18f0976948d0a4de1a7 |
memory/2064-88-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2004-137-0x000000013FF60000-0x00000001402B1000-memory.dmp
\Windows\system\SusteVJ.exe
| MD5 | 23b14758e77d837a87973be7ddafb69a |
| SHA1 | 64af4610e2fa631a5543a6dcbc70594d4cd86e01 |
| SHA256 | bf41dc22e912f52f157f4ce00a9c3eaecc396d1eef8f37136ab622ff874e07a2 |
| SHA512 | 12e90ad277b2f36fcf461ddc73481dc7d4d2835472230bdffb38a6566b2669670ce7fab201d28972246e700ec81c76b6d91b4208b4c18ad22b496cf9d4472559 |
memory/2244-81-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2244-108-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2244-107-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2244-106-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2244-105-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2528-72-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2244-104-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2560-103-0x000000013FBB0000-0x000000013FF01000-memory.dmp
C:\Windows\system\IGuWhqW.exe
| MD5 | 5db8a4b3e809c144ad62f7e02a719bf1 |
| SHA1 | 5abec9498e68369e66dd4b2a57d0a27018e3aa56 |
| SHA256 | aca2ec8976b6b1bdb87f32ca3229b0b0080e6d207e5163de50a85a1dac581105 |
| SHA512 | 894ba9a356219064429f94b853281331adc092bbc65543249a03e8e8926efe0270f436c764d2e5fd33e36982aac0ae5a6fd99c3183a5417e1d3063c66ce4c9d5 |
C:\Windows\system\zyMuWGk.exe
| MD5 | 5e486b8b680e288f42eae5ef70799416 |
| SHA1 | 4311218eb7e68720913e93c50ec8bf673544fa29 |
| SHA256 | e7bde4a07007133bf4c1ae821f629ff04d93c5aafc8ba6264bf7d0b1193b8373 |
| SHA512 | 0a973310dbfbc4915cb036d3fe27d8de41cdf40440828fdaa025cf833ea33cf30a143dd7a1b8f4ac6490ba5a4729c57289c2d2b3278475182b26d34b6d7ebea9 |
memory/1684-93-0x000000013F170000-0x000000013F4C1000-memory.dmp
C:\Windows\system\nATmHie.exe
| MD5 | 9414c4510296359fb0e26ebb5a7f0a2f |
| SHA1 | 14d20a63bb4532764866193ab312e4ab229eb35a |
| SHA256 | 5367b648023ed64793e3a1eb464603781ec82e4e6854c8becda3d8b54295457d |
| SHA512 | 599db02574f1a23c0982e5d2204e504c059bb50cbeb1ff8c642e549c972272f3a1e3840453c33fe603f9a99976879ad50c823917da8f54f7193184f67e83eaf8 |
memory/2664-138-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2244-64-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2696-58-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2244-54-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2784-53-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2244-52-0x000000013F640000-0x000000013F991000-memory.dmp
C:\Windows\system\QLAluEd.exe
| MD5 | 4402f7a28a21a1d504fd12c93388842f |
| SHA1 | 8cac19c08751d91e13795b5ad3e750a4fb445a9e |
| SHA256 | 70d0453f93b9ee78242f2a0d657dbbfe88d3f1b94a78adbc42d04802a04822b7 |
| SHA512 | 9aee062d09ff192dcc1a96328d6a3be84515d656a71eab034e54a8b9e393e35a177851eb79d47ba8fceb3ece7318e14adddd4b5ca152322b00492234193181f7 |
memory/2664-43-0x000000013FB20000-0x000000013FE71000-memory.dmp
C:\Windows\system\BkhgABM.exe
| MD5 | ea837a2effdf598ca670808c1db20a1a |
| SHA1 | c405a5219eff171e5e93cb9738ab423da1299036 |
| SHA256 | ca2e7a7eae94c67b69042c7ef0655ab2898d4799bf63121f40e20ea8fb78f9d4 |
| SHA512 | 2d5fbdf66e614e8e0314ae0fa6faed9d4f745b7cfc97988d92ca6d81c3a98d64ab619c75fa07088c5f912ba08fe1fe85b3888db1ecbcd4299c251bdff3d2a682 |
memory/2244-39-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2004-38-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2352-37-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2244-35-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/1828-153-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2576-156-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/1640-155-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2176-154-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2560-152-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/2008-151-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/2244-139-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2244-32-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2656-31-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2244-30-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2244-29-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2184-160-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2168-159-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/1976-158-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2492-157-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2244-161-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2244-162-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2244-184-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2244-185-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2244-186-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/1708-210-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2656-216-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2352-215-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2064-213-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2784-218-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2664-222-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2004-221-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2696-224-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2684-226-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/2528-228-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/1684-230-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2560-232-0x000000013FBB0000-0x000000013FF01000-memory.dmp