Analysis Overview
SHA256
48f9c7c7328b5b7f4db55a4559c819c6c30209b8ec673c11eb798dc08616d00d
Threat Level: Known bad
The file 2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 13:34
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 13:34
Reported
2024-06-06 13:36
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SECIIuI.exe | N/A |
| N/A | N/A | C:\Windows\System\tjmTybD.exe | N/A |
| N/A | N/A | C:\Windows\System\ZYDQgEA.exe | N/A |
| N/A | N/A | C:\Windows\System\zVajnIx.exe | N/A |
| N/A | N/A | C:\Windows\System\UtNmLaV.exe | N/A |
| N/A | N/A | C:\Windows\System\IFJMhcB.exe | N/A |
| N/A | N/A | C:\Windows\System\fgrDkuW.exe | N/A |
| N/A | N/A | C:\Windows\System\lbXECBC.exe | N/A |
| N/A | N/A | C:\Windows\System\OpHyXUG.exe | N/A |
| N/A | N/A | C:\Windows\System\GjAtZjT.exe | N/A |
| N/A | N/A | C:\Windows\System\rccOsgR.exe | N/A |
| N/A | N/A | C:\Windows\System\yosOpjR.exe | N/A |
| N/A | N/A | C:\Windows\System\NmoLYog.exe | N/A |
| N/A | N/A | C:\Windows\System\oilxSba.exe | N/A |
| N/A | N/A | C:\Windows\System\DzhmvGS.exe | N/A |
| N/A | N/A | C:\Windows\System\iKgASBj.exe | N/A |
| N/A | N/A | C:\Windows\System\ATkSCgM.exe | N/A |
| N/A | N/A | C:\Windows\System\BHNlZMl.exe | N/A |
| N/A | N/A | C:\Windows\System\cUENkXI.exe | N/A |
| N/A | N/A | C:\Windows\System\AVbmrFo.exe | N/A |
| N/A | N/A | C:\Windows\System\UKpGQrO.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SECIIuI.exe
C:\Windows\System\tjmTybD.exe
C:\Windows\System\ZYDQgEA.exe
C:\Windows\System\zVajnIx.exe
C:\Windows\System\UtNmLaV.exe
C:\Windows\System\lbXECBC.exe
C:\Windows\System\IFJMhcB.exe
C:\Windows\System\rccOsgR.exe
C:\Windows\System\fgrDkuW.exe
C:\Windows\System\yosOpjR.exe
C:\Windows\System\OpHyXUG.exe
C:\Windows\System\NmoLYog.exe
C:\Windows\System\GjAtZjT.exe
C:\Windows\System\oilxSba.exe
C:\Windows\System\DzhmvGS.exe
C:\Windows\System\iKgASBj.exe
C:\Windows\System\ATkSCgM.exe
C:\Windows\System\cUENkXI.exe
C:\Windows\System\BHNlZMl.exe
C:\Windows\System\UKpGQrO.exe
C:\Windows\System\AVbmrFo.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 13:34
Reported
2024-06-06 13:36
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SECIIuI.exe | N/A |
| N/A | N/A | C:\Windows\System\tjmTybD.exe | N/A |
| N/A | N/A | C:\Windows\System\ZYDQgEA.exe | N/A |
| N/A | N/A | C:\Windows\System\zVajnIx.exe | N/A |
| N/A | N/A | C:\Windows\System\UtNmLaV.exe | N/A |
| N/A | N/A | C:\Windows\System\lbXECBC.exe | N/A |
| N/A | N/A | C:\Windows\System\IFJMhcB.exe | N/A |
| N/A | N/A | C:\Windows\System\rccOsgR.exe | N/A |
| N/A | N/A | C:\Windows\System\fgrDkuW.exe | N/A |
| N/A | N/A | C:\Windows\System\yosOpjR.exe | N/A |
| N/A | N/A | C:\Windows\System\OpHyXUG.exe | N/A |
| N/A | N/A | C:\Windows\System\NmoLYog.exe | N/A |
| N/A | N/A | C:\Windows\System\GjAtZjT.exe | N/A |
| N/A | N/A | C:\Windows\System\oilxSba.exe | N/A |
| N/A | N/A | C:\Windows\System\DzhmvGS.exe | N/A |
| N/A | N/A | C:\Windows\System\iKgASBj.exe | N/A |
| N/A | N/A | C:\Windows\System\ATkSCgM.exe | N/A |
| N/A | N/A | C:\Windows\System\cUENkXI.exe | N/A |
| N/A | N/A | C:\Windows\System\BHNlZMl.exe | N/A |
| N/A | N/A | C:\Windows\System\UKpGQrO.exe | N/A |
| N/A | N/A | C:\Windows\System\AVbmrFo.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\SECIIuI.exe
C:\Windows\System\tjmTybD.exe
C:\Windows\System\ZYDQgEA.exe
C:\Windows\System\zVajnIx.exe
C:\Windows\System\UtNmLaV.exe
C:\Windows\System\lbXECBC.exe
C:\Windows\System\IFJMhcB.exe
C:\Windows\System\rccOsgR.exe
C:\Windows\System\fgrDkuW.exe
C:\Windows\System\yosOpjR.exe
C:\Windows\System\OpHyXUG.exe
C:\Windows\System\NmoLYog.exe
C:\Windows\System\GjAtZjT.exe
C:\Windows\System\oilxSba.exe
C:\Windows\System\DzhmvGS.exe
C:\Windows\System\iKgASBj.exe
C:\Windows\System\ATkSCgM.exe
C:\Windows\System\cUENkXI.exe
C:\Windows\System\BHNlZMl.exe
C:\Windows\System\UKpGQrO.exe
C:\Windows\System\AVbmrFo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BE | 88.221.83.243:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 243.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files