Analysis Overview
SHA256
87d52aecda249b0b73ffa720744ed84ba74e8538505d38dcd613566f084c1ee6
Threat Level: Known bad
The file 2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
xmrig
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Xmrig family
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 09:46
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 09:46
Reported
2024-06-01 09:49
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fbbPzrH.exe | N/A |
| N/A | N/A | C:\Windows\System\oIwaDMe.exe | N/A |
| N/A | N/A | C:\Windows\System\zKezHyA.exe | N/A |
| N/A | N/A | C:\Windows\System\DcaJxEw.exe | N/A |
| N/A | N/A | C:\Windows\System\vLdAlRH.exe | N/A |
| N/A | N/A | C:\Windows\System\hmkyngT.exe | N/A |
| N/A | N/A | C:\Windows\System\jEEqBzN.exe | N/A |
| N/A | N/A | C:\Windows\System\CsZgtIx.exe | N/A |
| N/A | N/A | C:\Windows\System\xnaIpdU.exe | N/A |
| N/A | N/A | C:\Windows\System\jPnWsXf.exe | N/A |
| N/A | N/A | C:\Windows\System\KeWWFPE.exe | N/A |
| N/A | N/A | C:\Windows\System\jOqkASk.exe | N/A |
| N/A | N/A | C:\Windows\System\pXausMm.exe | N/A |
| N/A | N/A | C:\Windows\System\edGnHmu.exe | N/A |
| N/A | N/A | C:\Windows\System\EsPZzHu.exe | N/A |
| N/A | N/A | C:\Windows\System\OcgzbXo.exe | N/A |
| N/A | N/A | C:\Windows\System\eHPCekf.exe | N/A |
| N/A | N/A | C:\Windows\System\IsgUbGr.exe | N/A |
| N/A | N/A | C:\Windows\System\alLBjRm.exe | N/A |
| N/A | N/A | C:\Windows\System\suUIeeC.exe | N/A |
| N/A | N/A | C:\Windows\System\hxmEKED.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fbbPzrH.exe
C:\Windows\System\fbbPzrH.exe
C:\Windows\System\zKezHyA.exe
C:\Windows\System\zKezHyA.exe
C:\Windows\System\oIwaDMe.exe
C:\Windows\System\oIwaDMe.exe
C:\Windows\System\DcaJxEw.exe
C:\Windows\System\DcaJxEw.exe
C:\Windows\System\hmkyngT.exe
C:\Windows\System\hmkyngT.exe
C:\Windows\System\vLdAlRH.exe
C:\Windows\System\vLdAlRH.exe
C:\Windows\System\jPnWsXf.exe
C:\Windows\System\jPnWsXf.exe
C:\Windows\System\jEEqBzN.exe
C:\Windows\System\jEEqBzN.exe
C:\Windows\System\KeWWFPE.exe
C:\Windows\System\KeWWFPE.exe
C:\Windows\System\CsZgtIx.exe
C:\Windows\System\CsZgtIx.exe
C:\Windows\System\jOqkASk.exe
C:\Windows\System\jOqkASk.exe
C:\Windows\System\xnaIpdU.exe
C:\Windows\System\xnaIpdU.exe
C:\Windows\System\pXausMm.exe
C:\Windows\System\pXausMm.exe
C:\Windows\System\edGnHmu.exe
C:\Windows\System\edGnHmu.exe
C:\Windows\System\EsPZzHu.exe
C:\Windows\System\EsPZzHu.exe
C:\Windows\System\OcgzbXo.exe
C:\Windows\System\OcgzbXo.exe
C:\Windows\System\eHPCekf.exe
C:\Windows\System\eHPCekf.exe
C:\Windows\System\IsgUbGr.exe
C:\Windows\System\IsgUbGr.exe
C:\Windows\System\alLBjRm.exe
C:\Windows\System\alLBjRm.exe
C:\Windows\System\suUIeeC.exe
C:\Windows\System\suUIeeC.exe
C:\Windows\System\hxmEKED.exe
C:\Windows\System\hxmEKED.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2880-0-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2880-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\fbbPzrH.exe
| MD5 | fd6b38ffd9bcc5adf02693626cd5f4e9 |
| SHA1 | 0ab2d235156d0e5ef73327a9ae89222e0f373232 |
| SHA256 | 935df7219823a70e974cee68927c6b9eb90bc67add1b9652ab8b23a3a398d6ec |
| SHA512 | 466f915c844689a9cff385c2cae1a9792b65544cb19321444c5dcfb6b8e9dab137c23ff2c51d27034b142d2fd6df1ba29b27442bfca7bfa789d531b82bcf70f0 |
C:\Windows\system\oIwaDMe.exe
| MD5 | 2fc7e9e6ac44c054db34039deef1f4d9 |
| SHA1 | dd2d9a4149d38d0aadd050136155a81d43a39057 |
| SHA256 | 596af97970d2dbc815582d15d631143a8fdcbde500e4790f14b4194d9a3ac765 |
| SHA512 | 271e5d17ec51de5e772fcb724bf4da5fc1904179fa5bbc90529981a7a89b975cbb2426fae05c975e7a43cf1d32272efb0cacd99b49145583298bf455573c21ca |
memory/2880-14-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\jEEqBzN.exe
| MD5 | 8577e6bbbb0c9ddfe28de27fa1a2785d |
| SHA1 | 3c81931edaa22d39874dc031505a995b6eed46d2 |
| SHA256 | a053bc0e493f99a8bba2103e674980ea638e1cb418a3a0e452b1268b936a664f |
| SHA512 | d75e8ff0207bfefdd3b5f2a5f868ffbcd8ed2930eb8b12508974b1313760456bf1016187934d9e512cf4dc072293d379a6efe54e42857112ce32e5f3a0740cac |
memory/2880-55-0x00000000023A0000-0x00000000026F4000-memory.dmp
\Windows\system\xnaIpdU.exe
| MD5 | 1b05fd506611015ae90fa7e23f05ecca |
| SHA1 | b52d6303fc0cd0e56dcfd8420c0ab4ad0be8dd45 |
| SHA256 | 6f87d33f9d083a6cf2a248cec0bfac26ceb8cfaa898d90f4eff8b5f12a42a084 |
| SHA512 | ed4d824d406b91d8ef348fd58cab2733741e7cb89416ce5cc694d98aee1fa8c49bed9c3bf829ee5b9fd77c3fadd88703218d79e7c52c81edfd2e9c6da357c849 |
memory/2880-72-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\jPnWsXf.exe
| MD5 | 6e255a96bab3a451ce2fa63148150dac |
| SHA1 | 599fb0d2cc59b701572c2132aeb0a0a7bef8e0a8 |
| SHA256 | 16fdd8845ad226ca8e541e083fd2115bbd703f490f27f2d4a395ed0369dca84b |
| SHA512 | 3b383e1017f6f873b7f0dd63c88c05fd6c57e90c72174ccc452daaafbd9785602c34ec08dfb66537b5c4ee6f89e672e2094f4ea46480fc356358850b0c5eec57 |
C:\Windows\system\edGnHmu.exe
| MD5 | 0e5cb87ed290eda5383df82f16521066 |
| SHA1 | 82d721ab22a331ae2f7c2b123f747662eef82faa |
| SHA256 | 71b864cc94edbbf702620b7fa28c991085c824147821a3dbc498a2e884b96579 |
| SHA512 | d29ea69e6db6feae9b78a88ac02912caf3a0b3f11abd9fe190999b18b8e288e0a43b4e31a5e49af124f6001b2263f42b74ca05fbeb6e78c9492386afff538791 |
memory/2864-97-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\eHPCekf.exe
| MD5 | d636400ac9092854ee24c9d2490166c6 |
| SHA1 | 97405503f1f3c3f65384adf5c47f30774a7e7184 |
| SHA256 | c7d1d031c958d53582052f4188b101b510671e1103a85a102bd0597e6a6db8d3 |
| SHA512 | de3a36024c38903b5075b7e1a00185bece93df390752a6ee43630e74f4060766313f0bb45296e439777b8ce1a9884679af94a5df6f26707fca76eb38bf68d7fb |
\Windows\system\hxmEKED.exe
| MD5 | b6b14cb9b6f1eec9d27512ecfcd8395e |
| SHA1 | dcf855722576ebdf6206e55e0239ca14cff6cff3 |
| SHA256 | 0324ed94ffbe9656390cec5110dae8fb4b1840d5af826b28c70915942abd0826 |
| SHA512 | 9c54c6354ee9b3c9e783ed848d36da9fbbaf284cd1d004927f38beb14bfdab0c7a9dce38f727144cebd5613914d2b36bef4a81279d4818d9246dc3bf26f6d08d |
C:\Windows\system\suUIeeC.exe
| MD5 | 9b78fc9826730c437f77a4eb44135fba |
| SHA1 | 4866b0f617cae0ee73b404c093325be6d31b05e2 |
| SHA256 | 06151dfb5daadabfc11fd79c5dcf94fb6348ab3de244c7033a84a5e55bce6bb1 |
| SHA512 | 0783d65d48794b6081d52bae0bacc1084b64de0d0231dfd384ddd7fa1ffc26ac0108318d9ab376b4abbd44717e738870034b95b435d6aff01cfa7dc84078ec06 |
C:\Windows\system\alLBjRm.exe
| MD5 | a3eea8ed8f70dee6a4cfcd8fb5bd6125 |
| SHA1 | 360d1cfcf22049a12fe33cb50ed2287d81c45db5 |
| SHA256 | 240b4ef80a0e61f77095e385416b571320a911d5b91e7ce6fb45cd1ec9a9f484 |
| SHA512 | 8b2bf17d9b720e04f58469705b0c55ba37e33f9440982a7eafc63f722989eef19c64f4ab08ccbf8d8bdc6aeb967d3a0ba06903e70b248e6386fabfd57b974095 |
C:\Windows\system\IsgUbGr.exe
| MD5 | fe8a3c8c94edd1cd5ce4acd13b3c0bc4 |
| SHA1 | a2856e1b8f433796cfbbb6eaf8926843c0eed869 |
| SHA256 | e9b820bc11995444717cba25afbf441173181034b63f1f32f3b9a02b15807384 |
| SHA512 | bc58438cac143dafad1cb38da01755234b6d7ff250fe83f690d3e88fe9613eee93169c877f6824c061ca2f40c19dc435e3e3b18b4206268cf9990352122c610b |
C:\Windows\system\OcgzbXo.exe
| MD5 | acebf2e5c26b9a3df03014cd0f722972 |
| SHA1 | 0be0a2ed1a4be33b3972d637ed3a3b7a66af7903 |
| SHA256 | 43b1e741444aa3ce49dd9434e1fadaa00d4c5148285c973dd634d9c5ffb8fef1 |
| SHA512 | 143123798decad02f6c33a585a5f94e560e14af05dfb0b5053334ddbdb554296a49c8d2dea65d407e073da2d58899f4f801e75295c1f7094ec1b0acb5dde748f |
memory/2880-103-0x000000013F250000-0x000000013F5A4000-memory.dmp
C:\Windows\system\EsPZzHu.exe
| MD5 | 3a8a4e910f5788d9c5b79505d51b3e12 |
| SHA1 | 9fd43762d1aa85742cffb4acc77c88529434193f |
| SHA256 | e1ddb456094e9908bcf4f5a3453c895b1e38a3a5825303c4a251064786115cdc |
| SHA512 | fa20e04e688ca79498f2470c64e94ae3a139132e8364755a29125a3c3c418c909c84bb57c5c1080097e74d973b8c517b8aa19309d29baf01b20ceea3f4268886 |
memory/2880-96-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2984-90-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\pXausMm.exe
| MD5 | bf3055ff9a6cf99f37d992829fec0460 |
| SHA1 | cc6e684777311244f397b76eeb0f44be9a61688e |
| SHA256 | 50c8410fa0bfaf8d87a46e2542b6e66c2168be3542c21a970f5df96de62d671b |
| SHA512 | a32b3393c85fdd56d59ff92330d07fa10dac515feccd27e4a71b2c02df29332a79b5161121b8fd1ac142af2352f06035cd809609de679dfd5c04e1f1c292d0a4 |
memory/2484-84-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2588-83-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2880-82-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2576-81-0x000000013FB60000-0x000000013FEB4000-memory.dmp
C:\Windows\system\jOqkASk.exe
| MD5 | 99c846bd86c596057446b5cd491488dc |
| SHA1 | 6d582f96a10857175fd729385de1d64717b72cbc |
| SHA256 | 66856f684f623ae77dc5ce0c5b24c9192bf03dc77ebcfdbe787f9fc0a52c0bd8 |
| SHA512 | 23cffef37e6c084e9c4fe0be5a9f2525f3071e50f3a28fab7ed2d466b6c850607fdf307963082e8254437f372fcbb0b9dc451f3253a9486100489b83f64ab858 |
C:\Windows\system\KeWWFPE.exe
| MD5 | a8fcb27ddde2f4a48c842f5f2846f6b1 |
| SHA1 | 40b841efbdac8032a8593b46a288c572905f6432 |
| SHA256 | 239ec2088471013d00bf28e69b5920941f05535d20d92db627281f2e73905c48 |
| SHA512 | fda97100133dd0b765b4f8777d0c1b252a2092898a816c81590b99c5e93f1d051bfc017ff46dddd7a398695ed7c22298a77d68c945ffba76eeee02ac8f10ade1 |
memory/2880-63-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2880-134-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2880-133-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\vLdAlRH.exe
| MD5 | b3eaa1f0154918085d530044c92a2a57 |
| SHA1 | 939c70a2ae4226677149401651fdf20bb5603285 |
| SHA256 | a34361f12b207f8655ea65c7650c0a8f95032e89a927c129fa8103856aa5f1e2 |
| SHA512 | 8bf274d6da281098defd29a52bf3ce9582f28e700f4e9ae84854a63a5b20a1d25bdba6d06fa559e2d95db4625b2c502fb32c570b0b0d02b323c2df78c5a0736e |
memory/2880-37-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2444-74-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2880-71-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2148-69-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2620-67-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2708-65-0x000000013F890000-0x000000013FBE4000-memory.dmp
C:\Windows\system\DcaJxEw.exe
| MD5 | 5bb938af0ad63919e6ce184cac39ff1c |
| SHA1 | 4ad74d630127590f6dc4c04743eb5081dac3ded0 |
| SHA256 | 9a4e456363641fa65a4f56fc6c1e7e16e1d652d1c4c573a2df4a1faf7493d48d |
| SHA512 | bf7eb6d223265b524b2747bb33c236844b20968cdcb4faf04463eea2ffa36d908e3b857bbba0e27e51bc5d10d2d02c6e411961310b837f4ef9e140bd17e97581 |
memory/2120-59-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2452-58-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2880-54-0x000000013F740000-0x000000013FA94000-memory.dmp
C:\Windows\system\CsZgtIx.exe
| MD5 | ee64aa90c93de72e84362826a43aa8a7 |
| SHA1 | 945d6c4803ed3bd6a815da9367462d7be8a59cb2 |
| SHA256 | 5a140b5d57498415cbdf4ec9150b00462636d60ce8554fddcffb865e8a74ea22 |
| SHA512 | 718f67e83e19df99a071ef44258d412433192810cfdd1ca3fe35dc1d5400003a4e9a7bd8db3699d119ff3a06408b0c0dc8c7a0ad6879d3c8db8953f77541c06e |
C:\Windows\system\hmkyngT.exe
| MD5 | bccaddc298b5e01f375f5ef33e39fa6d |
| SHA1 | 649a3aa65e2aad207ad60a8ad7423e4456869d38 |
| SHA256 | 1fe838e9d796003fb080c7b7e3fec8da88678415defc03da15f03f7521062ea4 |
| SHA512 | d567dc0a5c80b7ca137ec42dcf7b76e6d2bee03fa042bf7142422a71ce507546dbcf88795fa3c48345c22dfba5e7e19134da62327e90bb0d7a570a572415b5a5 |
memory/2880-41-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2508-25-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2616-33-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/3044-30-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2880-135-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\zKezHyA.exe
| MD5 | 9412c9d37fc939e46a23eea206811123 |
| SHA1 | 1c06a009bf869ef5fbd8272db3daaa4d7b96e698 |
| SHA256 | 3a8ada854d2ed0092176023729aefc9fde4129ed153afe3d4c820581dc49b3ca |
| SHA512 | 06ce784370d2342d1a4cc36e20f4bd97babd25dad9b3cd1b7109ddb01e1df9d066fd798947090683612edf1e52f045b03a53005be80cd420dc71eff5f1933104 |
memory/2880-8-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2452-137-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2880-136-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2444-138-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2576-139-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2588-140-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2484-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/3044-142-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2616-144-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2508-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2120-145-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2708-146-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2620-147-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2452-148-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2148-149-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2444-150-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2484-152-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2588-151-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2576-154-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2984-153-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2864-155-0x000000013F570000-0x000000013F8C4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 09:46
Reported
2024-06-01 09:49
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\loXhctk.exe | N/A |
| N/A | N/A | C:\Windows\System\gkRHMRe.exe | N/A |
| N/A | N/A | C:\Windows\System\ysGklhs.exe | N/A |
| N/A | N/A | C:\Windows\System\LjimnIb.exe | N/A |
| N/A | N/A | C:\Windows\System\VoWoeoI.exe | N/A |
| N/A | N/A | C:\Windows\System\zmmcNYg.exe | N/A |
| N/A | N/A | C:\Windows\System\DdiqcCp.exe | N/A |
| N/A | N/A | C:\Windows\System\UaaivLM.exe | N/A |
| N/A | N/A | C:\Windows\System\OrFARHA.exe | N/A |
| N/A | N/A | C:\Windows\System\iBHxLQD.exe | N/A |
| N/A | N/A | C:\Windows\System\bmCZaAa.exe | N/A |
| N/A | N/A | C:\Windows\System\woShJul.exe | N/A |
| N/A | N/A | C:\Windows\System\BfOSoXK.exe | N/A |
| N/A | N/A | C:\Windows\System\ioRxTwf.exe | N/A |
| N/A | N/A | C:\Windows\System\CwlMxcO.exe | N/A |
| N/A | N/A | C:\Windows\System\gfIHphm.exe | N/A |
| N/A | N/A | C:\Windows\System\MJjcdbp.exe | N/A |
| N/A | N/A | C:\Windows\System\ClibrvC.exe | N/A |
| N/A | N/A | C:\Windows\System\wALaYLV.exe | N/A |
| N/A | N/A | C:\Windows\System\WWkQXXM.exe | N/A |
| N/A | N/A | C:\Windows\System\EsBqSas.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\loXhctk.exe
C:\Windows\System\loXhctk.exe
C:\Windows\System\gkRHMRe.exe
C:\Windows\System\gkRHMRe.exe
C:\Windows\System\ysGklhs.exe
C:\Windows\System\ysGklhs.exe
C:\Windows\System\LjimnIb.exe
C:\Windows\System\LjimnIb.exe
C:\Windows\System\VoWoeoI.exe
C:\Windows\System\VoWoeoI.exe
C:\Windows\System\zmmcNYg.exe
C:\Windows\System\zmmcNYg.exe
C:\Windows\System\DdiqcCp.exe
C:\Windows\System\DdiqcCp.exe
C:\Windows\System\UaaivLM.exe
C:\Windows\System\UaaivLM.exe
C:\Windows\System\OrFARHA.exe
C:\Windows\System\OrFARHA.exe
C:\Windows\System\iBHxLQD.exe
C:\Windows\System\iBHxLQD.exe
C:\Windows\System\bmCZaAa.exe
C:\Windows\System\bmCZaAa.exe
C:\Windows\System\woShJul.exe
C:\Windows\System\woShJul.exe
C:\Windows\System\BfOSoXK.exe
C:\Windows\System\BfOSoXK.exe
C:\Windows\System\ioRxTwf.exe
C:\Windows\System\ioRxTwf.exe
C:\Windows\System\CwlMxcO.exe
C:\Windows\System\CwlMxcO.exe
C:\Windows\System\gfIHphm.exe
C:\Windows\System\gfIHphm.exe
C:\Windows\System\MJjcdbp.exe
C:\Windows\System\MJjcdbp.exe
C:\Windows\System\ClibrvC.exe
C:\Windows\System\ClibrvC.exe
C:\Windows\System\wALaYLV.exe
C:\Windows\System\wALaYLV.exe
C:\Windows\System\WWkQXXM.exe
C:\Windows\System\WWkQXXM.exe
C:\Windows\System\EsBqSas.exe
C:\Windows\System\EsBqSas.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2272-0-0x00007FF6FFF70000-0x00007FF7002C4000-memory.dmp
memory/2272-1-0x000001B1406B0000-0x000001B1406C0000-memory.dmp
memory/3096-7-0x00007FF7B7C20000-0x00007FF7B7F74000-memory.dmp
C:\Windows\System\ysGklhs.exe
| MD5 | afa1abd9c827fe9a048073c15cba9a11 |
| SHA1 | 4a44cc158549d890e0cdd44471557d7bd22e4b2c |
| SHA256 | 775223e108f7f73afef03f483d5208633d7e2fc9030b74a3507b5478d45c7014 |
| SHA512 | 7a16ffc74f98287f7b1a92db1a329bf8249b569178483e7f94c69942c2c93c235edf34233d4d99eb76fe1cf5bd935b3d125ee2f8c750e862abb0720fbc9bd3db |
C:\Windows\System\gkRHMRe.exe
| MD5 | 095c6de0d8b4be1001fcb97c2cd01606 |
| SHA1 | 22dd12ea0f7ca6b3c54098d85d30e1d071e91fd0 |
| SHA256 | 6953566d2176f70d7b62606a45a8be2720e82375655bb6ac91ae751fefbaf216 |
| SHA512 | 6335d5ca45d839d66aa467615c15f8ca7b352708364242f9ea8e6b7474f6a652d5cdf236142f6ca2694ce3d58f8ebb7cf10453149c3318d54af04aa86ebceba3 |
memory/1900-14-0x00007FF67C6A0000-0x00007FF67C9F4000-memory.dmp
C:\Windows\System\loXhctk.exe
| MD5 | 886a2d457d8c84986b8f8f7d11fa7278 |
| SHA1 | d867c7bc314043505c59f6d2fb41be061899dbaa |
| SHA256 | 7b5aa091c64a72b68c9a094fddfb6591aae4e498cae8a99439f0eb145ad8b85a |
| SHA512 | 4cab71f9f63ed41647e161bc32f4b7a88b19021bd64af851764777692ad353bc5467bec15281f0d74b34ebdb45e4c2fae5c08b587bac8ad9b81be4686e695be4 |
memory/3404-19-0x00007FF774E90000-0x00007FF7751E4000-memory.dmp
C:\Windows\System\LjimnIb.exe
| MD5 | 8528d2b5efa45e013a6d2dfdf2fcd009 |
| SHA1 | 580a0f2b039ca7098179223baecb157ba6f3b46e |
| SHA256 | a349ea71a423fddf4fa7f2183293c991baf7536e60fefbca35b4a19c55916274 |
| SHA512 | b74c1afd0f28b212c7e2d973422d13a5f383467a008335f8de0803d2f4dd1c86446151ba3f0b32e7ee89b51ac5e64e92b94ac93cef8e871625eb986bd45de476 |
memory/960-29-0x00007FF778490000-0x00007FF7787E4000-memory.dmp
memory/3764-30-0x00007FF7B70D0000-0x00007FF7B7424000-memory.dmp
C:\Windows\System\VoWoeoI.exe
| MD5 | f40ec010c81ee45a3dc1f4797702efe2 |
| SHA1 | a3c843696ec54ed56004bd34bdaa0fee2c155c99 |
| SHA256 | 13863399a8221ca82c59fed8e8800cc3f9eb004e153db1d9ef3bb320acb44225 |
| SHA512 | 786c4cee21cccc4979110b9f42cc6023fed8474b25859a3bf464bdbf2e22a07d9541a4e99475d7e436e00f28f7b8c12d76d9ec3a69a483ed0be4d113551201f0 |
C:\Windows\System\zmmcNYg.exe
| MD5 | 9d0a5104b38ef32e7345dd79014563dc |
| SHA1 | f05c61402280ac6ce40ab015f3404631aefd09f8 |
| SHA256 | 482077c23207d762580ed9819331281efc67ae74479b97198f3b695ecceae488 |
| SHA512 | 6107dddf882d15b4b33dc72ebd89c0fb06cb9ac65f6e743addf26d4415a3139b27ff66cd2fe590a654be63a90fc20c95af0c8efecca98944915102440edc1f5c |
memory/4452-38-0x00007FF7144A0000-0x00007FF7147F4000-memory.dmp
C:\Windows\System\DdiqcCp.exe
| MD5 | 7ab3f32de408a1b39385ab0d99e9fd19 |
| SHA1 | 8ff90caed40cbf3bc9a5708c5a99f737603d1e14 |
| SHA256 | be1fad3430f14435db155b50ab0aae4038513fff073da11c8250437d2b80f3fa |
| SHA512 | 2593e240ad48e3bf5370482eb3757f6ee4a6c6b4e05778bfefc3111d080cedb4d5430be42dc87211c674b2e2c9adb87aee7446deddda21ec272ff0561b89bb07 |
C:\Windows\System\UaaivLM.exe
| MD5 | 2a8ce3081584ed45a18411ccfbea9753 |
| SHA1 | 9fba70c734463034394b45dfbbdc6be59029d630 |
| SHA256 | 79dace9c2dc61a1e7e0c318f9d597d3b7cddef4f47c4f6000aa3804edd7485b6 |
| SHA512 | d288985306d6e7db482d11ef99a911e74558527f86b252b599bb0e5dfc799bf5e953376284fd73bf19ff1e25ec70d3bd26267283675fcf1191e11e0551412ac7 |
C:\Windows\System\OrFARHA.exe
| MD5 | 9fc1367aba04c3c63e22b289116619c4 |
| SHA1 | b7ba66dda342c8f815617ce42a452b73247b90e4 |
| SHA256 | 41754ffa8fbddf1c5659fa555096832cd7e1af54a133dcbd10203593c0a91482 |
| SHA512 | d8aca89f40a7e7857e3796c598f55a0e26ec84e0a924ddf7a48ca267fe3e7f3e321272ae93e53c8a1a11c5b11d8f4b3bc29a47fa3961c2336d881bca88e07024 |
memory/1964-54-0x00007FF638F10000-0x00007FF639264000-memory.dmp
memory/1384-52-0x00007FF695270000-0x00007FF6955C4000-memory.dmp
C:\Windows\System\iBHxLQD.exe
| MD5 | 7925cd127cb3bf263612f89dea4ce82b |
| SHA1 | e0e1bd382f3e552b4f3976c626f22e5e2d85a23e |
| SHA256 | c984ac65192a9281b14092346838418a7c56ac05219fe8a4aadd497ac121d748 |
| SHA512 | efff861d7fee2ce127fa1ae08a58f1971c4c2e66894123334eefea3073b4d7eda0527390bbe52492ae20c44c8e179adaf4242b7bd514b940b5e5fe19b1d632dd |
C:\Windows\System\bmCZaAa.exe
| MD5 | 2dd09cf538324dff44b91f379985303d |
| SHA1 | b00754bc689e5059adc5c4ab44ee7a85c7a03ee3 |
| SHA256 | 5994457233cba1352b639297a7c909aec0f19ddf8f88642a79f9c854df483461 |
| SHA512 | a497022374214de69e4dea25da1c7262655a20e09bfdc7d4c5b38c27b54f4ae434d72c81b32ef62b52e738b0bd452e169948e3ea66899a14fa676a8d2596fbdb |
memory/2272-68-0x00007FF6FFF70000-0x00007FF7002C4000-memory.dmp
C:\Windows\System\woShJul.exe
| MD5 | 43669dc6baddccb87419cdc6f899ef23 |
| SHA1 | ffc40cc2072f8704d98c4beee80a65bec586c406 |
| SHA256 | 0350219996b077cfdd5a8e254793bbcb4c549a23319a4c59ffabd61fcbe05525 |
| SHA512 | 64f610ed8fc3dd3e50deebd254c3522a0c726674079b2dc80b18178b35613932e5c73b0d1863d802f569d04f7ffde22e10a3764f9b4f9d510cd8d5140c96b125 |
C:\Windows\System\ioRxTwf.exe
| MD5 | 7186724f22f58a3f58f47ac62349c2f0 |
| SHA1 | e183c61cae538bb841ed7aff9856e014d9bfe00f |
| SHA256 | 17b02e6a51ba077ec044522fd276e684bb08e74060481b32e693c848b4851aff |
| SHA512 | cd2eb903826a204125e9ccc723d8369b1ab7e11e1f5addb7a9046a0986472d6185a8944e1b2fb8cffe92f0e6c61aaa750c572ec62ec496ed24affe3f7a00f322 |
memory/2444-88-0x00007FF694AF0000-0x00007FF694E44000-memory.dmp
C:\Windows\System\CwlMxcO.exe
| MD5 | 5a7d3be1f92efc75a880d3e83edf179b |
| SHA1 | 8b2247a3ad3c873d1a08784875d953e4fabf929a |
| SHA256 | c4704ad20d7443c048b7c6948afe48eb10c90ce4fc6b83ed0379ca71a43b5391 |
| SHA512 | 044b4f046bceda8768d8d4a69871e68096dca1f38a0c7daa9bd3ecc0d5737cc258ecfe1772893d029a8ad42fe7872ac32b558aad6b3821c618f8293dba0e9276 |
C:\Windows\System\MJjcdbp.exe
| MD5 | 73c70c2f70f98881457bab6681792525 |
| SHA1 | 52b57d23b85df24e99c0f06067abcd1043808eb2 |
| SHA256 | 7c79c68bf8cf7477e756cc50851dba886e6748919cfc48c99fc454b74c217387 |
| SHA512 | bb64c007664fe925b3bf7fbc36c3879ecf0a4bd3859ae605d39f0926a477f044ef437e59627f77f16cf969016b8df728673cc0190fc741ba4959730295313767 |
memory/3388-114-0x00007FF7F95B0000-0x00007FF7F9904000-memory.dmp
C:\Windows\System\ClibrvC.exe
| MD5 | 5b2d99d139c2dbdbb5d5bb7b3e3eacd1 |
| SHA1 | bd9b1250fd33757233e6e5b2c714426cd096b29c |
| SHA256 | e85e72b733135ddbe7b0a7cda780159a2618a768e7b2d383cadd88ea252c722f |
| SHA512 | 7bfd2a1bed3c1d0067bb839e4ca301b355e0b8f6b0b296c2d22aa9f48cef3ca54294eeaea34e1ae1a5daf2bf85bab5bf0e68e93242dacce1e5a0bea29f913f6e |
C:\Windows\System\EsBqSas.exe
| MD5 | 58d932336afa4e5d324fff675db7e10c |
| SHA1 | a94ec144cad38fe189845d76d565a8a9a0d24f79 |
| SHA256 | 7327a7330eb5c9ccb946e101f18b9c42dd3f4eb20e76c3e5095d5959d7d2e72a |
| SHA512 | 6d58127b67725aaaeb9c906d48de569b4bf31ed2333844269978a64d4dd5ebb836642d7b0218d1af7758eeff638ea961671095d7393cd1792a4091487da10762 |
C:\Windows\System\WWkQXXM.exe
| MD5 | 42e7f11c6c0c640df8dc9f8636d0d554 |
| SHA1 | a10ded5b307cda772effb694d229e6086f78bae9 |
| SHA256 | a7e4e65c209d7fc493474b7712b35117b51e8231bc86ae13b26a4a76a9a01a2f |
| SHA512 | 5433e506faa4470460b176b99da65faf4f05d94d6e7d00a115780d0d39ac4bed67bcc75a820db095143bcd34f4909352308361ddc328d66758ea3514ad83a607 |
C:\Windows\System\wALaYLV.exe
| MD5 | 09569293d65357d74d0840b941ba079f |
| SHA1 | 64fae1f05c1320680971a5eaae769d1bf065b613 |
| SHA256 | fa252e6b1b6d2b895e01be663316942166b7e031877c1811870738e9c5d9800b |
| SHA512 | 135b9bcb3fdf6577940416adf2f6931f4e7c0659dc5ad44e43856154cda60ccd82e6d640c3155072d29328de6f791ec48186f485a37e4aed3fcd71afa7c7e3c1 |
memory/2412-120-0x00007FF648360000-0x00007FF6486B4000-memory.dmp
memory/856-116-0x00007FF786FC0000-0x00007FF787314000-memory.dmp
memory/4960-113-0x00007FF72E670000-0x00007FF72E9C4000-memory.dmp
memory/4536-107-0x00007FF671C80000-0x00007FF671FD4000-memory.dmp
memory/960-106-0x00007FF778490000-0x00007FF7787E4000-memory.dmp
memory/3404-105-0x00007FF774E90000-0x00007FF7751E4000-memory.dmp
C:\Windows\System\gfIHphm.exe
| MD5 | a1fff3881cb7e7f6827503b244cb29b5 |
| SHA1 | 4b93185cce71b35f4b77f7f97954c9ac5267c2a4 |
| SHA256 | 5340a50d9c00690c5e6ad7df7acfd3733eb3e5a687820daf45eef8834ebf282e |
| SHA512 | 109d9622f350ef7f1be5e4ae4338d7e0341896fb0561a00bb0faa16753c38c969371dff6d5b15f659a34bb69f44cc2b29dc4c8f6384d69f818de2d6feee11d83 |
memory/1900-89-0x00007FF67C6A0000-0x00007FF67C9F4000-memory.dmp
C:\Windows\System\BfOSoXK.exe
| MD5 | 9a7798c6cd3f6748866a4d5f8eec8697 |
| SHA1 | 345d2a4c8201ba69d2d07852e6addd5184198027 |
| SHA256 | 676f731645d2085b74d60b6b5fc41cb7d7e4bbf8d45e14f556bb2cbcb2f3f53e |
| SHA512 | 4960ab4a7a39874a4e46685adbed6dd00a9d4d6bb585cfdcb0c98e6f990604353ae660fce73f691570de1c39e311a7eebb1fb0f06c5188a0481dbd0cdbad9510 |
memory/3752-83-0x00007FF6E2CF0000-0x00007FF6E3044000-memory.dmp
memory/3096-82-0x00007FF7B7C20000-0x00007FF7B7F74000-memory.dmp
memory/5004-79-0x00007FF797CD0000-0x00007FF798024000-memory.dmp
memory/2376-75-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp
memory/4512-74-0x00007FF6C4580000-0x00007FF6C48D4000-memory.dmp
memory/4088-49-0x00007FF7C18E0000-0x00007FF7C1C34000-memory.dmp
memory/3764-131-0x00007FF7B70D0000-0x00007FF7B7424000-memory.dmp
memory/3960-133-0x00007FF6297F0000-0x00007FF629B44000-memory.dmp
memory/912-132-0x00007FF682BA0000-0x00007FF682EF4000-memory.dmp
memory/1964-134-0x00007FF638F10000-0x00007FF639264000-memory.dmp
memory/2376-135-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp
memory/3752-136-0x00007FF6E2CF0000-0x00007FF6E3044000-memory.dmp
memory/2444-137-0x00007FF694AF0000-0x00007FF694E44000-memory.dmp
memory/4960-138-0x00007FF72E670000-0x00007FF72E9C4000-memory.dmp
memory/856-139-0x00007FF786FC0000-0x00007FF787314000-memory.dmp
memory/2412-140-0x00007FF648360000-0x00007FF6486B4000-memory.dmp
memory/3096-141-0x00007FF7B7C20000-0x00007FF7B7F74000-memory.dmp
memory/1900-142-0x00007FF67C6A0000-0x00007FF67C9F4000-memory.dmp
memory/3404-143-0x00007FF774E90000-0x00007FF7751E4000-memory.dmp
memory/960-144-0x00007FF778490000-0x00007FF7787E4000-memory.dmp
memory/3764-145-0x00007FF7B70D0000-0x00007FF7B7424000-memory.dmp
memory/4452-146-0x00007FF7144A0000-0x00007FF7147F4000-memory.dmp
memory/4088-147-0x00007FF7C18E0000-0x00007FF7C1C34000-memory.dmp
memory/1384-148-0x00007FF695270000-0x00007FF6955C4000-memory.dmp
memory/1964-149-0x00007FF638F10000-0x00007FF639264000-memory.dmp
memory/4512-150-0x00007FF6C4580000-0x00007FF6C48D4000-memory.dmp
memory/5004-151-0x00007FF797CD0000-0x00007FF798024000-memory.dmp
memory/2376-152-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp
memory/3752-153-0x00007FF6E2CF0000-0x00007FF6E3044000-memory.dmp
memory/2444-154-0x00007FF694AF0000-0x00007FF694E44000-memory.dmp
memory/4536-155-0x00007FF671C80000-0x00007FF671FD4000-memory.dmp
memory/3388-156-0x00007FF7F95B0000-0x00007FF7F9904000-memory.dmp
memory/4960-157-0x00007FF72E670000-0x00007FF72E9C4000-memory.dmp
memory/856-158-0x00007FF786FC0000-0x00007FF787314000-memory.dmp
memory/2412-159-0x00007FF648360000-0x00007FF6486B4000-memory.dmp
memory/3960-160-0x00007FF6297F0000-0x00007FF629B44000-memory.dmp
memory/912-161-0x00007FF682BA0000-0x00007FF682EF4000-memory.dmp