Analysis Overview
SHA256
3f25f73a4c48f9825d762994fe8ecd3f4c803830a3cfbde063f3cbbef39a866f
Threat Level: Known bad
The file 2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 11:12
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 11:12
Reported
2024-06-01 11:15
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eIkmxjq.exe | N/A |
| N/A | N/A | C:\Windows\System\KHEDNGB.exe | N/A |
| N/A | N/A | C:\Windows\System\gXKslNa.exe | N/A |
| N/A | N/A | C:\Windows\System\FXZCOSx.exe | N/A |
| N/A | N/A | C:\Windows\System\khexOof.exe | N/A |
| N/A | N/A | C:\Windows\System\xgeBjpr.exe | N/A |
| N/A | N/A | C:\Windows\System\IgoyBHj.exe | N/A |
| N/A | N/A | C:\Windows\System\YtQSPkB.exe | N/A |
| N/A | N/A | C:\Windows\System\CoUyJVx.exe | N/A |
| N/A | N/A | C:\Windows\System\JZKgtPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\uxyLhAy.exe | N/A |
| N/A | N/A | C:\Windows\System\Znmjsve.exe | N/A |
| N/A | N/A | C:\Windows\System\PXVwgMI.exe | N/A |
| N/A | N/A | C:\Windows\System\xpxltbS.exe | N/A |
| N/A | N/A | C:\Windows\System\UcynNQz.exe | N/A |
| N/A | N/A | C:\Windows\System\sdpYFct.exe | N/A |
| N/A | N/A | C:\Windows\System\qYMAPAK.exe | N/A |
| N/A | N/A | C:\Windows\System\XgfxncT.exe | N/A |
| N/A | N/A | C:\Windows\System\TBAFYFj.exe | N/A |
| N/A | N/A | C:\Windows\System\fkDNByv.exe | N/A |
| N/A | N/A | C:\Windows\System\gssVMJC.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\eIkmxjq.exe
C:\Windows\System\eIkmxjq.exe
C:\Windows\System\KHEDNGB.exe
C:\Windows\System\KHEDNGB.exe
C:\Windows\System\gXKslNa.exe
C:\Windows\System\gXKslNa.exe
C:\Windows\System\FXZCOSx.exe
C:\Windows\System\FXZCOSx.exe
C:\Windows\System\khexOof.exe
C:\Windows\System\khexOof.exe
C:\Windows\System\xgeBjpr.exe
C:\Windows\System\xgeBjpr.exe
C:\Windows\System\IgoyBHj.exe
C:\Windows\System\IgoyBHj.exe
C:\Windows\System\YtQSPkB.exe
C:\Windows\System\YtQSPkB.exe
C:\Windows\System\CoUyJVx.exe
C:\Windows\System\CoUyJVx.exe
C:\Windows\System\JZKgtPQ.exe
C:\Windows\System\JZKgtPQ.exe
C:\Windows\System\uxyLhAy.exe
C:\Windows\System\uxyLhAy.exe
C:\Windows\System\Znmjsve.exe
C:\Windows\System\Znmjsve.exe
C:\Windows\System\PXVwgMI.exe
C:\Windows\System\PXVwgMI.exe
C:\Windows\System\xpxltbS.exe
C:\Windows\System\xpxltbS.exe
C:\Windows\System\UcynNQz.exe
C:\Windows\System\UcynNQz.exe
C:\Windows\System\sdpYFct.exe
C:\Windows\System\sdpYFct.exe
C:\Windows\System\qYMAPAK.exe
C:\Windows\System\qYMAPAK.exe
C:\Windows\System\XgfxncT.exe
C:\Windows\System\XgfxncT.exe
C:\Windows\System\TBAFYFj.exe
C:\Windows\System\TBAFYFj.exe
C:\Windows\System\fkDNByv.exe
C:\Windows\System\fkDNByv.exe
C:\Windows\System\gssVMJC.exe
C:\Windows\System\gssVMJC.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
Files
memory/2860-0-0x00007FF656320000-0x00007FF656674000-memory.dmp
memory/2860-1-0x0000025A59FA0000-0x0000025A59FB0000-memory.dmp
C:\Windows\System\eIkmxjq.exe
| MD5 | c6df3ce96432920c90342581acee21ec |
| SHA1 | 05736d4114b634b52503ac1b5bc54a1c45b576cc |
| SHA256 | bc95dd5c8e904e0d2a95fe984a9ab6d73b54f9733046372e6b9d4babc774b24b |
| SHA512 | cda857e691587881796ea33f07bee120f95dcb145ad72a9ad6854069ca89078a05bd26dd9df99469891e866733055d2f0250b55910d2f8516b0bbfd22b0daf5d |
memory/1724-8-0x00007FF7375B0000-0x00007FF737904000-memory.dmp
C:\Windows\System\gXKslNa.exe
| MD5 | c2aa23466f2a8af4f0cb06d12962a990 |
| SHA1 | 94b34659eeec1c4aa433620a8533228aa0295046 |
| SHA256 | bf388145b7f1b6b23673958d997af3d05e7def84ab1d791e8ac31c544dfaccc6 |
| SHA512 | 3cb2aa4805f2f7df208d91730c64190740e8f28d77b6a92506533f22d49bd020b65157341f39026a16cee0bd37378e5df222f5700b438187229b0d9e47fb4075 |
C:\Windows\System\KHEDNGB.exe
| MD5 | b6f4f7de9d58de7a4d887ecabc1d476d |
| SHA1 | bede74d7c5b3b9468d585496dd8ed9781c5463d4 |
| SHA256 | e527e88a113aac0a7228ac62654729fcb4f8d884fe348adc2c7f6f0d1ebab845 |
| SHA512 | 1ae8202c5a91669bc5dd68650d1e9de0156f77ae06551423724c3d2a739301129c99e1400dfe60e9b51fbb77e8f180bfdaf8285b548711730efc98bbf7a35df8 |
memory/4428-12-0x00007FF6A1960000-0x00007FF6A1CB4000-memory.dmp
C:\Windows\System\FXZCOSx.exe
| MD5 | 86a02c02e962ad73ce47cd4b7e69edcf |
| SHA1 | d6d311f8948dabdf9c56d8a0b2cf837a7c77e645 |
| SHA256 | 76762c9d889e930eb6fb33db4d265a6f3c7712954cadadaecf3e4c3f9df6f3be |
| SHA512 | 99ff59f02160da33e26029e5cd0b350eb31880b3638e6d886929c1b40ba04e88bf809ee2bb98e28ccf9895b67d87c801124151e8a244cf64410fb29553940b4c |
memory/4060-18-0x00007FF6300F0000-0x00007FF630444000-memory.dmp
memory/1468-29-0x00007FF76AB00000-0x00007FF76AE54000-memory.dmp
C:\Windows\System\xgeBjpr.exe
| MD5 | aabd5246a56605a3104b2a39520440a7 |
| SHA1 | 7e8f7d90f2018516c966a22b3c9a73d2380c0314 |
| SHA256 | 0bddb0ab7d9a6e1ae230d6c7bf6169661256108acfcaefc855568c687a2cd1ba |
| SHA512 | 14b44055ee47721e0c6feb6a4fb90679044206ded9ee76ad0f9740a528803668a0d987a57d9856089c1a08dce3014efea35314b7b0eb49abb161c994a5f568ac |
C:\Windows\System\IgoyBHj.exe
| MD5 | 88cf33c5c33cef7eb46326fcc5b5a86b |
| SHA1 | e5988feb464da3fb12f2cd94ce3872ebf6d04980 |
| SHA256 | 87f166dd7327cd0f8b72387afbe1f50040ef62580d78a5ecfa36b163ff79660b |
| SHA512 | 08a54cc44267281fb1544639361e6656487cf9c2c7a2a15f8a8abb80bce35466e410bc02d0baae2bda77ef63ac596c661cc3e5ad25f89d6c638f046010adc25a |
memory/2920-38-0x00007FF79E140000-0x00007FF79E494000-memory.dmp
C:\Windows\System\khexOof.exe
| MD5 | 803e6c77347161f32acc10368eb042c8 |
| SHA1 | d5476c1c6b74fab22536c90cbc487b2f3c2242f7 |
| SHA256 | 1542f5af36ee9da3e0ff2e6312b5f33750f4494cc396e6dd691b62d37ace3c22 |
| SHA512 | 69f5d93eba25b2c95d4152b9fd4dd78108ab542d7444aeccd6d0632c8e13ab5f235a4d1988da3976f945519ad4d97c83b8b6d23ebd930283f1b04efb94b78e66 |
memory/3828-32-0x00007FF797010000-0x00007FF797364000-memory.dmp
C:\Windows\System\YtQSPkB.exe
| MD5 | 7a9d72b0a719c0e9a26603736fe609c4 |
| SHA1 | bf9383a0cb803d26ae323c94320e703182137fcb |
| SHA256 | 8ec517d8f8b280bef40459fdba2815e2f1df93b8ae65f6b14c66e81219bed783 |
| SHA512 | d26388a2d4577501756d606ec9710cb913a014b9f035ae1f0315f4132e25ec629c6a5ed4029d7d1337a86ba1332fb08f28cba60d138bcae21533109a0b760f0d |
memory/3056-46-0x00007FF6A1D90000-0x00007FF6A20E4000-memory.dmp
memory/3952-52-0x00007FF7D15B0000-0x00007FF7D1904000-memory.dmp
C:\Windows\System\CoUyJVx.exe
| MD5 | 4cd91475398a4f8c163917b665613ee7 |
| SHA1 | f122b058d95702737fb871a9dc19942e7a3e79e3 |
| SHA256 | 42583780d393e857f4837a0c2bc51c878d35c800f708ab5e587ef787c0ba1c12 |
| SHA512 | ffe35f981f4bcaba5b5f61c1b3a3872610a049d9364a8345c0326bf0c5b08affb4e18ff7027c6d40d36ee6340282f30c3fe0af1f94b58fc4ba0d4b3b23359030 |
C:\Windows\System\JZKgtPQ.exe
| MD5 | ad8fbfde5b721279838a645daaea73ae |
| SHA1 | dd9117b972228617c26d37d5f45cb258fdc36db6 |
| SHA256 | 98937d236ec4e27da51b7b7718e6f7864df3a7445240826663351fa6f8a5e361 |
| SHA512 | e082d29c8a1030033633c15e36c8bbc1dcc33fc6edf310337c39e9aff705901d76b163c885806613580f40a7ddc05a48fffaf0c876b8b0d83a767395e5705924 |
memory/2708-56-0x00007FF7D3FB0000-0x00007FF7D4304000-memory.dmp
memory/2860-62-0x00007FF656320000-0x00007FF656674000-memory.dmp
memory/2168-65-0x00007FF6B1C60000-0x00007FF6B1FB4000-memory.dmp
C:\Windows\System\uxyLhAy.exe
| MD5 | 87ae549097a6d4283cd4ec712f89472f |
| SHA1 | 9e6d5d57e9a87abd924c3b7a833378f5ef49fa25 |
| SHA256 | fc24999f0e4bf272d2f536d5f6ed3b00feba055a61730651553e04f8a4fa1380 |
| SHA512 | c03c152e245c643d2b159671b1ca84ea98319b67e18d8ba4935329d5042a4e91e5fd3615fde24a7910a7cd431409b5961265c65426aa6156577d7e17e18cd10b |
C:\Windows\System\Znmjsve.exe
| MD5 | 4f305ac1c5411d4043d51dcee06604c3 |
| SHA1 | 6576f89d8bfc7f0692332de49b7956d965d47724 |
| SHA256 | 71470032ba92c62e2235b2af392bfb1375b0cb94c8e0df172f648004f90a75a9 |
| SHA512 | 60cc5cea0172632a94e9e1ac96201b423a0cf4d63067e41deafb0ac48b6d39a193477e522e4a917bc3449729f4f1620599ad1f28147ee62c053f1852a250f80f |
memory/3624-70-0x00007FF6E0470000-0x00007FF6E07C4000-memory.dmp
memory/1724-69-0x00007FF7375B0000-0x00007FF737904000-memory.dmp
memory/2360-79-0x00007FF766020000-0x00007FF766374000-memory.dmp
C:\Windows\System\PXVwgMI.exe
| MD5 | 0548aaab15c7dad1b27d48e68a5de9d1 |
| SHA1 | 77636d9bb085ea59b1667d9fc8cfc535aac15fac |
| SHA256 | 4c03f9f4870c12a48da40138a55b889b3e0a121ce0bca6948a6ef66e221334f4 |
| SHA512 | 14694c35fa58262aa86e8bb7f2b1ffabe30e25d892ae6fd07dc80d062a08d8164b2f3e446908e50f465d5e95b91ce8d333ab3090e725c79dd54810a31eec8af1 |
memory/4428-76-0x00007FF6A1960000-0x00007FF6A1CB4000-memory.dmp
memory/4832-93-0x00007FF7BD650000-0x00007FF7BD9A4000-memory.dmp
memory/3828-102-0x00007FF797010000-0x00007FF797364000-memory.dmp
memory/3372-106-0x00007FF7CF840000-0x00007FF7CFB94000-memory.dmp
C:\Windows\System\qYMAPAK.exe
| MD5 | b9eab6a14aa8c4b9a63c2fff8e4e9856 |
| SHA1 | 6fdedbec213a43a19124969338ac5707f5453fed |
| SHA256 | af610408aa18a1e97948a7ee605b5432ac0995bb95b7f27a12e74947a9a4977c |
| SHA512 | b88770041e594a098eb3a4ef164f466711843940cf3eecb0ed21f4f244bcefba1778d3ca55677cc77d93be426f0f68e50572e0b3671a201257b933e6055db4ef |
C:\Windows\System\sdpYFct.exe
| MD5 | d6c99769c44bbef77062c6a5d4994edf |
| SHA1 | 1d5518eff7f22594d1a9cdbea2d5575c23cfdcea |
| SHA256 | 69a0a50612e6805b46f7c79535d86b67937442d17d8afb820baf294134934bc2 |
| SHA512 | 45b723de85925c06e26ab6da6c4e9430e7112a059495f890c9dcd0c1d450d158418877dbb554d8f6249dc6a62b49d7d715f7f333afcd7cd11bc5f57e3a5e6bbd |
memory/2920-105-0x00007FF79E140000-0x00007FF79E494000-memory.dmp
memory/2244-117-0x00007FF752DF0000-0x00007FF753144000-memory.dmp
C:\Windows\System\gssVMJC.exe
| MD5 | a129efe608badf863044882920d73e52 |
| SHA1 | 816e15f1174df5770e9b0a8cc9124155bfc2efd1 |
| SHA256 | d60479bacf4429fada985bb45763197cc0fccc64ac65f3188cd44d200efeb32d |
| SHA512 | 0a6c325a3ce6c0da2d686bed23406ddc321565bdb383a4de9035da4bca8f44196d4452137032329ff8062fedf23f43df8d1f74965a81fd481b2583ac01909be5 |
C:\Windows\System\fkDNByv.exe
| MD5 | 291558a0407dd6aa5416cbb213eda16e |
| SHA1 | 5bf9d87a2162b1abb06ec39c5a01a43842f624bb |
| SHA256 | 46efd810ac25cae0505f340d120be9b2e38df7956a85f69685bbaec6202c5237 |
| SHA512 | 6cd66f407573adf275a0a6916812c4eaff8c7b0f854216b19b62fc1c0f8b7cbb8beed480be09f1a432460fc9b5ede24cb39bf0007cdc3a7edfb6df7b5b3cc6f2 |
C:\Windows\System\TBAFYFj.exe
| MD5 | 4a7f77520b349c3d82815193e6c419ce |
| SHA1 | 4ac10f24ee842254318e1184ba05418aadb6afa4 |
| SHA256 | 23975415352b05ceb8b522cd02b00fa4fb715fe183765167979363b3bc405f1b |
| SHA512 | d84bc6f5d8f1947296528b33adcd7d5cb6774fcd576d7548dd389af585f17e3fc717ce5c4b42f005826c8c4baa2e8fa78c9a290a0f601dd308011fb79470e96b |
C:\Windows\System\XgfxncT.exe
| MD5 | 5a1c2f6b55015d5419029d5fb0d54855 |
| SHA1 | 8c5cb588e6ac3da0129d9becaa615486d1470f10 |
| SHA256 | c48a287b09273c4dd28db61d05979e74d51b6c00cc83b318f61dd74470a8c14b |
| SHA512 | 0cc46155071cc663adc211fc46d8cbddcf2ff58c2b88b0ff65cd3803975b7c6eabe9cb9aff3ee71e6aee389408c6d6e1439d4fb14f8e33857948c31463111a84 |
memory/4728-121-0x00007FF60DBE0000-0x00007FF60DF34000-memory.dmp
memory/372-103-0x00007FF790500000-0x00007FF790854000-memory.dmp
C:\Windows\System\UcynNQz.exe
| MD5 | 17aed9b1a39770d79fd6217b28c07a77 |
| SHA1 | 8eae64350eef847f068088a551626a76af0b2eaa |
| SHA256 | 4d1c2748bce0fe2b15cfb04bb686424c1fed3bea280b088957f5887b774887cf |
| SHA512 | 5fd4d0c80676b29f79c4a843a0b9b6e7ba2dbd834d820575838362894dfd333ff526690ca8cd33d382400423d1ce91239c2e588bc08f106a6ea50a83bd6b9a02 |
memory/1512-96-0x00007FF666340000-0x00007FF666694000-memory.dmp
C:\Windows\System\xpxltbS.exe
| MD5 | 65c4469b314e9f3e368e6be86380452c |
| SHA1 | 3224ca883367356380507866c6de7ba995297318 |
| SHA256 | 9148191fa8a93e0d65cdfeadd794b1a258550d03351891b2eeba81db280b8b16 |
| SHA512 | 504fbfeb95e6797bf3c9edf5a7966fdf0a4fe624f8f69b929793042915e3e5d22f57a5b1b09c2b484c346900d7cb7b542e4f0c6cbad232f8d808832b5b8f95e4 |
memory/2240-132-0x00007FF7DD1A0000-0x00007FF7DD4F4000-memory.dmp
memory/4704-84-0x00007FF653BB0000-0x00007FF653F04000-memory.dmp
memory/4060-83-0x00007FF6300F0000-0x00007FF630444000-memory.dmp
memory/744-133-0x00007FF696330000-0x00007FF696684000-memory.dmp
memory/3624-134-0x00007FF6E0470000-0x00007FF6E07C4000-memory.dmp
memory/4704-135-0x00007FF653BB0000-0x00007FF653F04000-memory.dmp
memory/1512-136-0x00007FF666340000-0x00007FF666694000-memory.dmp
memory/372-137-0x00007FF790500000-0x00007FF790854000-memory.dmp
memory/3372-138-0x00007FF7CF840000-0x00007FF7CFB94000-memory.dmp
memory/2244-139-0x00007FF752DF0000-0x00007FF753144000-memory.dmp
memory/4728-140-0x00007FF60DBE0000-0x00007FF60DF34000-memory.dmp
memory/1724-141-0x00007FF7375B0000-0x00007FF737904000-memory.dmp
memory/4428-142-0x00007FF6A1960000-0x00007FF6A1CB4000-memory.dmp
memory/4060-143-0x00007FF6300F0000-0x00007FF630444000-memory.dmp
memory/1468-144-0x00007FF76AB00000-0x00007FF76AE54000-memory.dmp
memory/3828-145-0x00007FF797010000-0x00007FF797364000-memory.dmp
memory/3056-146-0x00007FF6A1D90000-0x00007FF6A20E4000-memory.dmp
memory/2920-147-0x00007FF79E140000-0x00007FF79E494000-memory.dmp
memory/3952-148-0x00007FF7D15B0000-0x00007FF7D1904000-memory.dmp
memory/2708-149-0x00007FF7D3FB0000-0x00007FF7D4304000-memory.dmp
memory/2168-150-0x00007FF6B1C60000-0x00007FF6B1FB4000-memory.dmp
memory/2360-151-0x00007FF766020000-0x00007FF766374000-memory.dmp
memory/3624-152-0x00007FF6E0470000-0x00007FF6E07C4000-memory.dmp
memory/4832-153-0x00007FF7BD650000-0x00007FF7BD9A4000-memory.dmp
memory/4704-154-0x00007FF653BB0000-0x00007FF653F04000-memory.dmp
memory/1512-155-0x00007FF666340000-0x00007FF666694000-memory.dmp
memory/372-156-0x00007FF790500000-0x00007FF790854000-memory.dmp
memory/3372-157-0x00007FF7CF840000-0x00007FF7CFB94000-memory.dmp
memory/2244-158-0x00007FF752DF0000-0x00007FF753144000-memory.dmp
memory/4728-160-0x00007FF60DBE0000-0x00007FF60DF34000-memory.dmp
memory/2240-159-0x00007FF7DD1A0000-0x00007FF7DD4F4000-memory.dmp
memory/744-161-0x00007FF696330000-0x00007FF696684000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 11:12
Reported
2024-06-01 11:15
Platform
win7-20240221-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gFIksDL.exe | N/A |
| N/A | N/A | C:\Windows\System\LIlLTAU.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzEhdAk.exe | N/A |
| N/A | N/A | C:\Windows\System\nfKhZFO.exe | N/A |
| N/A | N/A | C:\Windows\System\gSNiadX.exe | N/A |
| N/A | N/A | C:\Windows\System\efgveUD.exe | N/A |
| N/A | N/A | C:\Windows\System\AlDAJfD.exe | N/A |
| N/A | N/A | C:\Windows\System\JpqaDVj.exe | N/A |
| N/A | N/A | C:\Windows\System\MQSRhlc.exe | N/A |
| N/A | N/A | C:\Windows\System\iwZnwka.exe | N/A |
| N/A | N/A | C:\Windows\System\cXfOOHV.exe | N/A |
| N/A | N/A | C:\Windows\System\RMFYHAv.exe | N/A |
| N/A | N/A | C:\Windows\System\oilJlUI.exe | N/A |
| N/A | N/A | C:\Windows\System\jitrMRq.exe | N/A |
| N/A | N/A | C:\Windows\System\PhPWjqI.exe | N/A |
| N/A | N/A | C:\Windows\System\AJCNVcz.exe | N/A |
| N/A | N/A | C:\Windows\System\QOZysll.exe | N/A |
| N/A | N/A | C:\Windows\System\dNWZLQR.exe | N/A |
| N/A | N/A | C:\Windows\System\bMysjWt.exe | N/A |
| N/A | N/A | C:\Windows\System\XVTwTzt.exe | N/A |
| N/A | N/A | C:\Windows\System\QxAriwK.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5964ee1eb702629e2f24449fe68dd44e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gFIksDL.exe
C:\Windows\System\gFIksDL.exe
C:\Windows\System\LIlLTAU.exe
C:\Windows\System\LIlLTAU.exe
C:\Windows\System\ZzEhdAk.exe
C:\Windows\System\ZzEhdAk.exe
C:\Windows\System\nfKhZFO.exe
C:\Windows\System\nfKhZFO.exe
C:\Windows\System\gSNiadX.exe
C:\Windows\System\gSNiadX.exe
C:\Windows\System\MQSRhlc.exe
C:\Windows\System\MQSRhlc.exe
C:\Windows\System\efgveUD.exe
C:\Windows\System\efgveUD.exe
C:\Windows\System\cXfOOHV.exe
C:\Windows\System\cXfOOHV.exe
C:\Windows\System\AlDAJfD.exe
C:\Windows\System\AlDAJfD.exe
C:\Windows\System\AJCNVcz.exe
C:\Windows\System\AJCNVcz.exe
C:\Windows\System\JpqaDVj.exe
C:\Windows\System\JpqaDVj.exe
C:\Windows\System\QOZysll.exe
C:\Windows\System\QOZysll.exe
C:\Windows\System\iwZnwka.exe
C:\Windows\System\iwZnwka.exe
C:\Windows\System\dNWZLQR.exe
C:\Windows\System\dNWZLQR.exe
C:\Windows\System\RMFYHAv.exe
C:\Windows\System\RMFYHAv.exe
C:\Windows\System\bMysjWt.exe
C:\Windows\System\bMysjWt.exe
C:\Windows\System\oilJlUI.exe
C:\Windows\System\oilJlUI.exe
C:\Windows\System\XVTwTzt.exe
C:\Windows\System\XVTwTzt.exe
C:\Windows\System\jitrMRq.exe
C:\Windows\System\jitrMRq.exe
C:\Windows\System\QxAriwK.exe
C:\Windows\System\QxAriwK.exe
C:\Windows\System\PhPWjqI.exe
C:\Windows\System\PhPWjqI.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1704-0-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/1704-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\gFIksDL.exe
| MD5 | a5d177ba88b830aa38f33b936a2b2268 |
| SHA1 | 16e773fb1918d761167e08f16c8be922e19deedc |
| SHA256 | 6fd9d3ec98412ebd5db399393a5c6c5b2a467ca5ed2999da576971381bd43adc |
| SHA512 | 273dd5f50ff2ac0f21d6b33b08b9169e5562170927c33196c15a8a9a90cbf2a010a9729f1ec6e0e9f6146f060f70b404a849d1278f42024a463a61a88a4e701e |
\Windows\system\LIlLTAU.exe
| MD5 | 85927ce66af07da8675b3152baf47c4d |
| SHA1 | e1145b0cd257885d7471f55c4f06c85319b3af35 |
| SHA256 | c28a7a57c43002daa7f208cea7a6f956c12284c74c81c119ba331dfb9e52953d |
| SHA512 | 50eada528d19e70c2e802d386536f3e7b4d44aeb6b08680cc326d154bea093cb7f3a3bd4e220e958f1f239b90d10765e4653c7f2542a8a7a59f36651540b01a9 |
\Windows\system\nfKhZFO.exe
| MD5 | 1f69550bbbc0fd815162003b54ccfeaa |
| SHA1 | 8255dc311f5224029c75cba11b5b62fae41b5ed3 |
| SHA256 | 95a39d79b5408ac9d3e63d2a1362457b86e435ba63996fec5141aba4cd8f0b00 |
| SHA512 | 9c7db8305738ac6bc563e3e0c83761615975539cddc09e6d57bd7bc23a4c6f0046102744d141d854f92b6f99c7cd0a3a0a9c5bee771f5d8c0a99e11c6cb14abe |
memory/2264-23-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/1704-25-0x0000000002410000-0x0000000002764000-memory.dmp
memory/1704-17-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2652-26-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2528-27-0x000000013FF60000-0x00000001402B4000-memory.dmp
C:\Windows\system\gSNiadX.exe
| MD5 | 703619a00a6a7030c0788b330aa62ba6 |
| SHA1 | 9c135489067277cf0f2981d481d050468e34d85d |
| SHA256 | 151606723dd707396d842cf999429b6c9ef38907020b2ae9ea002df4368f6034 |
| SHA512 | 38c725237aba7add2d535d5e11cc858b07cadaf7af9514b29454e4ce9e6b518822af76ea4b03ab2a3456acfe75b7ce235fc47ed16de25370724d1e4b1cf9036b |
memory/2584-38-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\MQSRhlc.exe
| MD5 | 13c48bdbec9bb28d68f618bdfae6e162 |
| SHA1 | 93a1e761e3ea93ed3cc1958ea0cc61813b71c6ff |
| SHA256 | a08dd86019a0cdb94602b4cbad0b3a9f10b13deadb6d2e7fd164bc4a951232dc |
| SHA512 | 72a56e9286c01aa2f37e1947844045e7a96b12ebcf5bccd6661028d8ff23f8c98d87bbf780fa13fed04c78bc4ed47d4d13431a301e03f90abcc477dc4084b869 |
C:\Windows\system\QOZysll.exe
| MD5 | 72df18a48fbf6afdc8626b50dfcaef30 |
| SHA1 | b0b992b2abc23b04fd0279fe44726b9e720462bf |
| SHA256 | 0687a25b78398e928e63f64ee20acb281f2bc6bcad3bbec015715520a42d63d2 |
| SHA512 | 2eede05f208c0ca04ca181c84b86af39d2f690e45d6a6192225f2330767d34f7b7dd1ba821d883c5a0a90cba1a3e915566a70d4edc6a53de4ce8bd7467fca647 |
C:\Windows\system\dNWZLQR.exe
| MD5 | 3845bedea022eda06b36564c0d4d2ce2 |
| SHA1 | 944ee8e46a2f5d21e935a87058b8c0790f46a03d |
| SHA256 | 695dac841efe00c1e1bff31d85047c403d438770d50bb5a82ed69f05ed69ba2b |
| SHA512 | c490bb97c69dc2b149f9400fda3e0bcef0de4276fa73970e64dd4028e3b228a8211d262d497a568b4598a45e5efcca8012261736659cd6417f86708ede607509 |
C:\Windows\system\jitrMRq.exe
| MD5 | ff62dd306a1bd0301a78a7023fa25163 |
| SHA1 | d5c720e8e8fba9699cc180be3b579ed3d71fb274 |
| SHA256 | 724a6445e366a940162700f3f7732b79a83a5b9fc9f687df75ca06c66d64149c |
| SHA512 | a2a8430dfc84d759c68eef8998060355503092de6bcbb7e5a131a875fea2c63b163fc7652ea6388e705771c247f7f2453e08634c325b14f8b99256e08fb8899e |
\Windows\system\QxAriwK.exe
| MD5 | b26e20e0a43d9b25a40c053fdfa6544f |
| SHA1 | 9bdf1a0f4dc9fd4d3b23a9a5b6aa6a6dac7a4722 |
| SHA256 | 4349ea039e42c48b2affaf511727b5e08068c3d396434424267c1cde7e6fca41 |
| SHA512 | 257656adde2b4f28f0a9e124b0709982641c15a828a89f4129d02173ee85ef3f612d8a5b21410bcb8c37bf6510e4678ec84c2a577471f57543410bf23a7b263c |
memory/2448-101-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
\Windows\system\XVTwTzt.exe
| MD5 | 56c16071d227591219c621c73057992f |
| SHA1 | 0b125cc64351ff533baa3976b8dabd5b4f9acb73 |
| SHA256 | 9a1a995e66d286b3f0aa462fc61e9ac07d2167c443d954c87460b32e8129e80a |
| SHA512 | faf1cf417b3428820175d22c77e762b28cd0c8451e451f857a7a716fce7121fe86cc48349a275889f8ff8cc9ee9f3f746e16118f969547274dec6567ceece665 |
memory/1704-92-0x0000000002410000-0x0000000002764000-memory.dmp
\Windows\system\bMysjWt.exe
| MD5 | 45eeb6a1253f9db8a9b9e84956862bd8 |
| SHA1 | 3484e0d59bccd82a0571180b9ab9d39ae4f16282 |
| SHA256 | 96e3ac302c6f8aa7740694e33ef1d38cee6d959a513c4430378660bbfacc7200 |
| SHA512 | 0096adc6b332bb1871393dcb15e8ef09bd16046063143d68b61fc9e012e5a5f65d2c029f84c0af7659e17d1669c4eb44dbb1cb8e117216aeec95e7031f887501 |
memory/532-79-0x000000013F240000-0x000000013F594000-memory.dmp
memory/1704-77-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2420-67-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1704-54-0x0000000002410000-0x0000000002764000-memory.dmp
C:\Windows\system\AlDAJfD.exe
| MD5 | 308c2da785288e2d7b63f6c2f6443307 |
| SHA1 | fd32e18ce58e72dd0bb90b850381abffd6db12e2 |
| SHA256 | cfeebe4351f09372b3a180a6c26e00415f59f1c22b5288efb4fb299a4bfed86f |
| SHA512 | 00ec30fa7eb532fd6208ed3ad142043d194fc9aa474763977f0f3e89743b115afb182674ed5c327366a5c2555a5d9f4c0af84e85ff98f9d1712d6266589633a0 |
C:\Windows\system\efgveUD.exe
| MD5 | 1505ff001f7872e00a987b4fb67f3dc2 |
| SHA1 | ff2dd72e3a08164fa66a9260b36863a63df89fcb |
| SHA256 | e518ae590b84b6985a73fd188540c2e3a78a4ed614ea4a4425051da79bf6b933 |
| SHA512 | f8f5dacc977192d8399c4ea5ca56e557517a7805abd7e75853f9f7911aabf137599797ec26338eb4e6dd4d1ff335257b5882da7ae5304e6e7183bbf5cfcf8a74 |
\Windows\system\AJCNVcz.exe
| MD5 | 3503ecfa2572f368eb7b38cb854bd071 |
| SHA1 | db264c09a3ce4ff20e7ec011569572c5c605530a |
| SHA256 | 145381ea9d8033760e56709d3f1e7443f1f381962deb30a384aa13716ef3a603 |
| SHA512 | a130e208374ccf7f077c1db6df9028c854e1155bb6d7cf198bbde274cf215ae536150d0fcf9b66936ca8a61e3f77b038d0c716d2c16481fd727f82614b71ca5c |
memory/1704-118-0x0000000002410000-0x0000000002764000-memory.dmp
memory/1704-117-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2468-116-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1704-115-0x0000000002410000-0x0000000002764000-memory.dmp
memory/1956-114-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
C:\Windows\system\PhPWjqI.exe
| MD5 | 7ecbef52eabead9450d532cbde805c71 |
| SHA1 | 523786acf228f1b157d0c1af038d89584c9e9be3 |
| SHA256 | 14531445e20e5da02e24289fcddf08f47c62d232938b99f656f85bd4ccbe84ab |
| SHA512 | fdd7a3b6d4425de843071b94382d8feef2552e75ede57749538cceb0890ad497457015d69ee403d5561ead9043f347d6b4827b4a59b49e84e85c6f2baf4f0495 |
memory/1704-106-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1704-105-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\oilJlUI.exe
| MD5 | 4d32222696effb95d6d21102b91864cd |
| SHA1 | 74f7437f3772162f9041eb09ee50985031c92d98 |
| SHA256 | d2ced64b106cc5563082146eb0b861ffea7ffe64e38057bb05a3bd08187d226e |
| SHA512 | c8ef116c66aa035dbbedc9ee02ec50ffa085100be1299244d1f2281a025f7220b4d4eaaef15786a689dd896d44767ef5b0d97d994c4d50611fa077fd0aace159 |
memory/1704-94-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1704-88-0x000000013F730000-0x000000013FA84000-memory.dmp
C:\Windows\system\RMFYHAv.exe
| MD5 | 1034d610f4f433727d955cd0cd1491ad |
| SHA1 | d707d5228d1263ab1cbcebaa0222494bf2c449e4 |
| SHA256 | f0f2e31749611ae794da6976e5bdb6ed525cffce067609439218a2accee66bfc |
| SHA512 | eff4e8f8aed7b616b4f188ebcffe41aa12b0e7e4d773bfe2eb5037bc9b9404d0207d8ec0c551f35518c4893b8f8acafd239e6534105b2068b506edea417a636b |
C:\Windows\system\cXfOOHV.exe
| MD5 | ab3468985890aec886680110a3b2fc2e |
| SHA1 | b74f5e9a76baea9adde7e8c3e6da79e9b9f9b2be |
| SHA256 | 62a6d4f4e53724e3e89df2890becd9644071121f0a834e044512e97ad9a2e639 |
| SHA512 | 78d03fd0cbdba91992f463dfabe3e8632e26f00c245fcdae9052b7f8e56f7168c95b0b4798d43f832a44293ad46861d6dc628a704c18bcb42ef7091244c3e460 |
memory/1704-81-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2944-73-0x000000013F630000-0x000000013F984000-memory.dmp
C:\Windows\system\iwZnwka.exe
| MD5 | e6794ed851b267afd1712fdf7e729e0c |
| SHA1 | 325a996eb2050d8a5b44d4763d3116ebfd0db88d |
| SHA256 | cab36c48b61951f1128b29c4561913846c125b5b6c69ced9ca6005f1bbb82e0a |
| SHA512 | 0a5eff8171e37ce988e2a3b426154b811537cdead261eb72b9e718c0526b34c074299e01f9b5be14a749fc7cea7728ad3e46b8249a0f2d64911389188cd7a530 |
memory/2464-59-0x000000013F060000-0x000000013F3B4000-memory.dmp
C:\Windows\system\JpqaDVj.exe
| MD5 | 8567dbbd5676d3964a006e165efa825f |
| SHA1 | 959fc9ed48db4aa275e4c3ed1843134314d3e5ac |
| SHA256 | 14f07777deb44a3ce3ed2466e148dcf3f4ba1fb3a9a9d52257bce8adf930833e |
| SHA512 | 811574d76bc1e32f06dc4fa7fa009d177c8724639806739ee6df54100f1541dbe7194824b20294e3a6cd07e6916ffaae23bc70bbc64ec57c847c4f156470e38d |
memory/1704-34-0x000000013F300000-0x000000013F654000-memory.dmp
memory/1704-29-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2032-28-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1704-134-0x000000013FC10000-0x000000013FF64000-memory.dmp
C:\Windows\system\ZzEhdAk.exe
| MD5 | faf0263a2de49d475683c100c8cbf0e4 |
| SHA1 | 3878642ff67c6317c1758e6927e9b7454794cdee |
| SHA256 | 750651b12c51ea5812f226ac10f8758ee9859f0847934056d87e5e7c1f6d49aa |
| SHA512 | 848db99798bc0536217ac8e392ac46a9ffb1eebdf4df979ab5197f76a74a7817dde05560eab7e691d784f2bb94cc2401a2903114e9c50f795c1a87d2452bf97f |
memory/2584-135-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2464-136-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2420-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2032-138-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2264-139-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2652-140-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2528-141-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2584-142-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2944-145-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2420-144-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2464-143-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2448-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/532-147-0x000000013F240000-0x000000013F594000-memory.dmp
memory/1956-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2468-149-0x000000013F730000-0x000000013FA84000-memory.dmp