Analysis Overview
SHA256
b53e744188b53ef6158c9c543d739155cf618f05e276d9286c3f4af740d6e50c
Threat Level: Known bad
The file 2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:13
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:12
Reported
2024-06-08 04:16
Platform
win7-20240221-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits recorded; the report captured no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; the report captured no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
54 hits recorded; the report captured no description, indicator, process or target for any of them.
XMRig Miner payload
58 hits recorded; the report captured no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xrvuozV.exe | N/A |
| N/A | N/A | C:\Windows\System\pUASgdb.exe | N/A |
| N/A | N/A | C:\Windows\System\GvOksbN.exe | N/A |
| N/A | N/A | C:\Windows\System\OidjXlw.exe | N/A |
| N/A | N/A | C:\Windows\System\OQZkZzL.exe | N/A |
| N/A | N/A | C:\Windows\System\dVVjRNP.exe | N/A |
| N/A | N/A | C:\Windows\System\EjLmkis.exe | N/A |
| N/A | N/A | C:\Windows\System\Cpqzhww.exe | N/A |
| N/A | N/A | C:\Windows\System\SScRjrn.exe | N/A |
| N/A | N/A | C:\Windows\System\AlNhrog.exe | N/A |
| N/A | N/A | C:\Windows\System\pYfRthh.exe | N/A |
| N/A | N/A | C:\Windows\System\CLcPTVa.exe | N/A |
| N/A | N/A | C:\Windows\System\mTgDOEv.exe | N/A |
| N/A | N/A | C:\Windows\System\TAbAtWi.exe | N/A |
| N/A | N/A | C:\Windows\System\pQOaDiD.exe | N/A |
| N/A | N/A | C:\Windows\System\IppVTKm.exe | N/A |
| N/A | N/A | C:\Windows\System\EUdMUYG.exe | N/A |
| N/A | N/A | C:\Windows\System\pSnGpfS.exe | N/A |
| N/A | N/A | C:\Windows\System\HSDdDvI.exe | N/A |
| N/A | N/A | C:\Windows\System\rwDMPNJ.exe | N/A |
| N/A | N/A | C:\Windows\System\oeoIbsP.exe | N/A |
Loads dropped DLL
UPX packed file
57 hits recorded; the report captured no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xrvuozV.exe
C:\Windows\System\xrvuozV.exe
C:\Windows\System\pUASgdb.exe
C:\Windows\System\pUASgdb.exe
C:\Windows\System\GvOksbN.exe
C:\Windows\System\GvOksbN.exe
C:\Windows\System\OidjXlw.exe
C:\Windows\System\OidjXlw.exe
C:\Windows\System\OQZkZzL.exe
C:\Windows\System\OQZkZzL.exe
C:\Windows\System\dVVjRNP.exe
C:\Windows\System\dVVjRNP.exe
C:\Windows\System\AlNhrog.exe
C:\Windows\System\AlNhrog.exe
C:\Windows\System\EjLmkis.exe
C:\Windows\System\EjLmkis.exe
C:\Windows\System\CLcPTVa.exe
C:\Windows\System\CLcPTVa.exe
C:\Windows\System\Cpqzhww.exe
C:\Windows\System\Cpqzhww.exe
C:\Windows\System\TAbAtWi.exe
C:\Windows\System\TAbAtWi.exe
C:\Windows\System\SScRjrn.exe
C:\Windows\System\SScRjrn.exe
C:\Windows\System\pQOaDiD.exe
C:\Windows\System\pQOaDiD.exe
C:\Windows\System\pYfRthh.exe
C:\Windows\System\pYfRthh.exe
C:\Windows\System\EUdMUYG.exe
C:\Windows\System\EUdMUYG.exe
C:\Windows\System\mTgDOEv.exe
C:\Windows\System\mTgDOEv.exe
C:\Windows\System\pSnGpfS.exe
C:\Windows\System\pSnGpfS.exe
C:\Windows\System\IppVTKm.exe
C:\Windows\System\IppVTKm.exe
C:\Windows\System\rwDMPNJ.exe
C:\Windows\System\rwDMPNJ.exe
C:\Windows\System\HSDdDvI.exe
C:\Windows\System\HSDdDvI.exe
C:\Windows\System\oeoIbsP.exe
C:\Windows\System\oeoIbsP.exe
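The chain above (one Temp-resident parent, twenty-one seven-letter executables written to and launched from the legacy C:\Windows\System directory, SeLockMemoryPrivilege enabled twice by the parent) is what a detection should key on, not the random names themselves. The Python below is an added example, not part of this report and not the sandbox's own signature logic. It replays constructed process-start and privilege events built from the paths listed above (a simplified record layout, not real Sysmon or Security-log XML; PID 1284 is assumed to be the sample from the first memory dump name, the child PIDs are invented) and flags the parent. SeLockMemoryPrivilege is the user right XMRig enables so it can back its RandomX memory with large pages, which is why the AdjustPrivilegeToken hit sits next to the miner detection.

```python
"""Detection logic for the drop-and-execute chain recorded in behavioral1.

Added example: not part of the sandbox report and not the sandbox's own
signature code. Event records are simplified dataclasses in the spirit of
Sysmon Event ID 1 (process create) and Security event 4703 (user right
adjusted), not real log formats. PID 1284 is assumed to be the sample from
the first memory dump name; the child PIDs are invented.
"""
import re
from dataclasses import dataclass, field

# Seven ASCII letters followed by .exe, e.g. xrvuozV.exe (matched on the
# lower-cased file name).
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$")
# The legacy directory the sample drops into. Deliberately not System32,
# where seven-letter names such as conhost.exe are legitimate.
DROP_DIR = "c:\\windows\\system\\"
TEMP_MARK = "\\appdata\\local\\temp\\"
# The user right XMRig enables so it can back RandomX memory with large pages.
LARGE_PAGE_PRIV = "SeLockMemoryPrivilege"


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class PrivilegeEnabled:
    pid: int
    image: str
    privilege: str


@dataclass
class Verdict:
    parent_image: str
    dropped: list = field(default_factory=list)
    privilege_hits: int = 0

    @property
    def suspicious(self) -> bool:
        # Three random-named launches from the legacy directory is abnormal on
        # its own; one such launch plus the large-page right from a
        # Temp-resident binary is an independent second signal.
        return len(self.dropped) >= 3 or (bool(self.dropped) and self.privilege_hits > 0)


def is_random_system_drop(image: str) -> bool:
    """True for <DROP_DIR><seven letters>.exe placed directly in that directory."""
    low = image.lower()
    if not low.startswith(DROP_DIR):
        return False
    name = low[len(DROP_DIR):]
    return "\\" not in name and RANDOM_NAME.match(name) is not None


def analyse(starts, privs):
    """Return {parent_pid: Verdict} for parents judged suspicious."""
    verdicts = {}
    for ev in starts:
        if is_random_system_drop(ev.image):
            v = verdicts.setdefault(ev.parent_pid, Verdict(parent_image=ev.parent_image))
            v.dropped.append(ev.image)
    for ev in privs:
        if ev.privilege == LARGE_PAGE_PRIV and TEMP_MARK in ev.image.lower():
            v = verdicts.setdefault(ev.pid, Verdict(parent_image=ev.image))
            v.privilege_hits += 1
    return {pid: v for pid, v in verdicts.items() if v.suspicious}


# Constructed events built from the paths in the behavioral1 listing.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe")
DROPPED = ["xrvuozV", "pUASgdb", "GvOksbN", "OidjXlw", "OQZkZzL", "dVVjRNP", "EjLmkis",
           "Cpqzhww", "SScRjrn", "AlNhrog", "pYfRthh", "CLcPTVa", "mTgDOEv", "TAbAtWi",
           "pQOaDiD", "IppVTKm", "EUdMUYG", "pSnGpfS", "HSDdDvI", "rwDMPNJ", "oeoIbsP"]


def constructed_events():
    starts = [ProcessStart(1284, SAMPLE, 600, "C:\\Windows\\explorer.exe")]
    for i, name in enumerate(DROPPED):
        starts.append(ProcessStart(2000 + i, f"C:\\Windows\\System\\{name}.exe", 1284, SAMPLE))
    # Benign control: a legitimate seven-letter image under System32 must not fire.
    starts.append(ProcessStart(3000, "C:\\Windows\\System32\\conhost.exe", 2000,
                               "C:\\Windows\\System\\xrvuozV.exe"))
    # The report shows the privilege adjusted twice by the sample process.
    privs = [PrivilegeEnabled(1284, SAMPLE, LARGE_PAGE_PRIV)] * 2
    return starts, privs


if __name__ == "__main__":
    for pid, v in analyse(*constructed_events()).items():
        print(f"pid {pid} {v.parent_image}: {len(v.dropped)} random drops, "
              f"{v.privilege_hits}x {LARGE_PAGE_PRIV}")
```

The same logic applies unchanged to behavioral2, where the file names differ (rezbDyk.exe and so on) but the directory, the seven-letter length and the Temp-resident parent are identical; a real Sysmon feed needs only a mapping of Image, ParentImage, ProcessId and ParentProcessId into ProcessStart. The System32 control event is there because a path check on "Windows\System" without the trailing separator would also match System32 and produce false positives on conhost.exe.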
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1284-0-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/1284-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\xrvuozV.exe
| MD5 | 00d0c92e805809aa0cc96203fd656736 |
| SHA1 | e789b7d661eeae07bad84bef4f8d938bd5c2086f |
| SHA256 | a3152773f8f61acbe3bd49f8966d401adfbd00eb7473dccde59f481bbb09b1e7 |
| SHA512 | 148084e8f270a743e2550bd024e9e7d3d8b1ffc1ec60adc9bfb41ec060cb5c05ae6eb99edb2f455db4120628a96880f5cf7841b5f9f0d28e8c8ae00775780e27 |
\Windows\system\pUASgdb.exe
| MD5 | 7411c355dd7ba052d9267c9c73b7e453 |
| SHA1 | e69703558416bead1df649d541f8a4382364db70 |
| SHA256 | 5e84329449eb7106ee1535e663ac48c0951252627a0af4c6af841668dd5f81c4 |
| SHA512 | 5e486d669844fa2a07d99dce14ba7d04656a32f3c24e2419910dae7357618b0b484f40bbcbcd895f1cc085088c2a623f6b63284b1add360664640a21078179c2 |
memory/112-9-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2156-15-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\GvOksbN.exe
| MD5 | 2ac86b9a717833c6ea85485204ee9f6d |
| SHA1 | 1adf06cb577a6dbdf9a0348ed40af724e4ba947f |
| SHA256 | f21523f792233bc85c3d29bf2604c4474dff830df343eef3942f5e842b57ff12 |
| SHA512 | 5afa4aa96abea68fc71a1f4e00b51e1b57ca85455e255b3cb67fce1a5d7a5bfb7b103a6649606d628ee4f889b28e1caf92f046ad767f2d52a35da85dffe893b9 |
memory/1284-14-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1284-8-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2684-22-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/1284-20-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\OidjXlw.exe
| MD5 | 32b6bb397f556e14f1e7f3f19c4cc18b |
| SHA1 | 8b844e7e6cb5ef8dbc24787418fd7af908d26cf4 |
| SHA256 | bff17795f7a97412ee64f483f38963850c0c2b6ab326d403da990848280ad8b6 |
| SHA512 | 7837acfb30df7734545561be1b110cd6a406a19db4965b32e70ddcaddbd64f2b5c675056dedfb69ec25237104477a2fe40bb698d27d303a4d5e4d6bdeb450ec7 |
memory/2776-33-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2708-35-0x000000013F670000-0x000000013F9C4000-memory.dmp
C:\Windows\system\OQZkZzL.exe
| MD5 | c930f57c7cbddb2f6e654a7d0afce154 |
| SHA1 | d0aff8ce2b7f25449561a37e5d382de83959b85c |
| SHA256 | a153064eb16b72e6bec8c0598e11adcf2588d1b922ca60c3b3add46508904242 |
| SHA512 | 883763592925c2fa1f9528fa2a69de332895a798fee774f9a87f8f3db43b0e3a341506d3899d20e9c9a9f849bfe631513b30d2d331088404d6c3bfcfc0a3619c |
memory/1284-36-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\dVVjRNP.exe
| MD5 | ce0a542bf31a6578e926a5f54e2edb7c |
| SHA1 | 69bd578f492a63dc17c699ec555cdb8d262515ed |
| SHA256 | 1372d1de01c5b9329c066f46a664cdcede6491e82d3f9762d4c9d3fe5d17185b |
| SHA512 | 58d3cf15ea7867bbfb37e659eece62d9223cbc918cdcd3bc5cc98b227fa354afd06179502bfc5994a9d253793379fdcd141dd9632345d1e1ec716a13f10163b9 |
\Windows\system\EjLmkis.exe
| MD5 | c83b629797e9d27783285d3088040064 |
| SHA1 | 4bfc47cf52476d2a83df7e0ac1b1c3a7ba8024b0 |
| SHA256 | a637516c62f49fc3d7bdd440101132ba0d82f6b9a32bc07396d8f7a4f9d1a5e1 |
| SHA512 | 12aecbb81d86457f8bd48ee0652aecf1276a967ea8527c33fb102aab4da9a665730acae589b3aadf7f9c58ddb39e8f1a74c9bff8368faa8078bc3e3d932e20d6 |
\Windows\system\Cpqzhww.exe
| MD5 | 11b3ac72d4712705aae5c9a31af60c36 |
| SHA1 | 56e28f966588eb8cc9cbf51203ebe3693a60a1c3 |
| SHA256 | 9d8fe48e3934c40c5b1331295ea4f2018bcee5815ebad3dd6eec50ecf10436cd |
| SHA512 | 0d865c87678df3f9f2ce845252f14756b8c9928247b0554cf985772ca1f9a0c1640e577c9833e5a3d9d25dd033c66cffd22a72c422d84ef62196f8177c9d55fe |
memory/1284-58-0x000000013FE40000-0x0000000140194000-memory.dmp
C:\Windows\system\SScRjrn.exe
| MD5 | f4ae7050b53d8f2cd83d5e778989e036 |
| SHA1 | a738d8f695e42604ad23db37d792ba880e5257d3 |
| SHA256 | e1bc726e41c9c020724299fdb4f520f43bd5bae2b52367ba14002bdf01f4852a |
| SHA512 | 056ca7fe9e7822a03e6be2baade937d17a626bc415a88dc6e64cfe0d499ce13d6bceba582031e439152099c6de916530dce4c635a9e93fef3a4697fe2d3a02b3 |
memory/1284-72-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1284-70-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\AlNhrog.exe
| MD5 | e333276683ead5f19e71f1b786d3fab3 |
| SHA1 | e6eaa5e1af92eead8ea4cdfb559ded0567d4a6ac |
| SHA256 | 10e94d0c0c2ea7fc62ec8c493014af52bdb0b8f9457564bc3121e90176fd49c6 |
| SHA512 | dccd5b489342094016fc8d6e7af2d86c3cd4772c1d3713e1547a8f64126970a6780c54dcf91cc41999be90204a92d9406a3e086ad1b60ce52c3e5a1099b40cbb |
C:\Windows\system\pYfRthh.exe
| MD5 | a75064e8efbfce6ff0a33d7cd89a0cc9 |
| SHA1 | 50de5d0beda26d290f0ed4e8b49d571588c625f4 |
| SHA256 | d2c4283f85694e3f0190492f4aa19d76af271678c039b178b9485aa527576ba4 |
| SHA512 | 1c05422bee67e7181f83aeb48038904a83ad1cc0e987687d76c20ad0ab5ecc47b6bbbe7945b043970346e0e7df928d0931ca9969bd73c09efaa225edc7f8fd4c |
memory/1284-45-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2756-88-0x000000013FAB0000-0x000000013FE04000-memory.dmp
\Windows\system\CLcPTVa.exe
| MD5 | 3d0044c5441dd3e44712d25d7fa9a3cd |
| SHA1 | c2776ddbb6fcf1824f4fc654526e4ace2c76f789 |
| SHA256 | a37828b4655a1b77e5fa59eb067813661fd2917e7342a5aad3ae00f3cd69d882 |
| SHA512 | 3b93996d9b4566adad3e5578ba7ffbdb96129f0676b8a93dd3a2031f715d9ccfc627ff1a762c9e28c8054399f363e6f5baf9c1c7a32065359649e12042826ec4 |
memory/1284-99-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1732-102-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2716-54-0x000000013F150000-0x000000013F4A4000-memory.dmp
C:\Windows\system\pSnGpfS.exe
| MD5 | 6a695d0186d13eac346bb2db2b45b425 |
| SHA1 | a23ee9a67c8718ee03cb357b6926bded895797c6 |
| SHA256 | 9b40339d6125f8fa522f1c52587585e86758d97944f5c8478c8afa39943dbf9d |
| SHA512 | ad1989a84a4caa9097be04e43c96a71b55af56f977e923d23c7e2ceb1364be6588f5566e238bd45d7ea6aaa614e5c91db626afd2aa9aff3255b1e200439c3e2f |
\Windows\system\oeoIbsP.exe
| MD5 | cdbe912c18104e37c56e4dc61cfb256a |
| SHA1 | 48423c0b5e68f2e52f2ba71574de72b6626a4115 |
| SHA256 | 7f310618c7244bb4b5b450828ad268c8b52a237f4e1d4acf103ec759f0404fdb |
| SHA512 | 70552b096ac7bf631a2d4e0d66289694227ec99a3ecd23f1bb254018018e5e895da623a185dd41bbd8f8b2e1c787b6b84218d213dcf19a5acc5755f56a0cb3bb |
\Windows\system\rwDMPNJ.exe
| MD5 | 356fdbf0718bf879123053cbb15293c8 |
| SHA1 | 90162e96fc5ce66d23429d439cde741d4657f699 |
| SHA256 | 742b639dac4cf2f7cfb4715113e027092dd6737e39137fa5f9b4128645f09b03 |
| SHA512 | 17f665ba6d0926021f7a6739d51c58d75673e6109cec8471c1b886ef9e4ad21a8bfd59f892b161f24ec18af79b45f586eeeb1c5384882e19e81afef16f15f2bd |
C:\Windows\system\pQOaDiD.exe
| MD5 | 7b8011f75e5abd9a5d0a62b27afa1331 |
| SHA1 | f9e88c15d496ac88019b8416457d07cb2150e3e5 |
| SHA256 | 0125e4c043eecba52a8245b63fecea48c1d11044a19289ae37250f27f990d783 |
| SHA512 | 5d7bc817d72b163c3e56546a24344efe872f78c9e524c623c807a066401c9020b13b3fad831bbe22841e03889ad7e3b8402059c22ba3fab275b27d477b3f561b |
C:\Windows\system\TAbAtWi.exe
| MD5 | 75539c83b3bc8c30138e3c93c9f2e140 |
| SHA1 | 90acc173ccffcf69ad51ae43807b2487111b7b23 |
| SHA256 | 8261656d283afa98ce41ca223464ad30ab61026e76634691510073ea26e152a8 |
| SHA512 | 69617fb38811052163bb9890bb368ce2f7cc9810c53ddc9c8e83c94e3c6999a1165b8def918c4d0f85b6d3d2094b89c7382a49c6e0f02562cbd17156373b8ee0 |
\Windows\system\EUdMUYG.exe
| MD5 | 952af55d4847d0bc445c38172cb510b7 |
| SHA1 | 4a0669c59cf4e34dbc71c742694baf8866d75eac |
| SHA256 | 91becdcd2e30361394e4bbb189a4fd22de5f9151d000ce6d8cd08ab800f8e9ea |
| SHA512 | eab5c9b1d274c1d38ce8b71802773a0c46dde4bca450e34752b82c8f67dfa58975b5eb7814f2df1d270aba99adf576a260d877fd0917ed09cf52c78200520d41 |
C:\Windows\system\HSDdDvI.exe
| MD5 | c558800d0781d0c4599ea8378bc7becd |
| SHA1 | d65197ee1583ab4437d333c92f7204722a76e138 |
| SHA256 | 1cb0a3dcd1783adec922cb1e732cc8d17aa4f426e0f3f6ee27fe81cbbdc35698 |
| SHA512 | b9e482349cb8af58376ede7df5403572b2a299fee543ccefb055f5686c25d0856b9ecfa9bf49717774bb0d73867388d61196954ed7d30408f88870249902c560 |
memory/3040-80-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1284-79-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2456-78-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/1284-74-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1284-64-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2592-61-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\IppVTKm.exe
| MD5 | 40b5fc56d92fa25d6e0d1db0d029245e |
| SHA1 | f25cb81f0b7662426a4a962e2a28ec224d6d7cf8 |
| SHA256 | a1b59e5d4d010bcec8276b9961da0a00de1661e17baace8d11a409e9f708f2f9 |
| SHA512 | 688d5b37074674fe4065ed97386f3f01b788cd3ae8f0b4a81e535d6845a167809e1cd3dd54adc9934499c993f62bd4b8cf45adc1a4b1fe0d58f14a68ed9ae158 |
memory/2684-103-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/1284-101-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2536-100-0x000000013FE40000-0x0000000140194000-memory.dmp
C:\Windows\system\mTgDOEv.exe
| MD5 | 346c8494edeb259af1bce3f1acd5bcd4 |
| SHA1 | bb1f4a1b65a13d0923f2bb3868d0c2a84a027956 |
| SHA256 | 9deb8f12edc5c7b61013f3c967864116a203101fdf48771fc37af39781f05153 |
| SHA512 | 9ea1d84e158ba2e10acd62573505f9c80ad8b8fc0193fdd0737ad73e4aa37f0aaa3e2fa4a32f45907c25ced853a7a39b156752d0365da96c30c35a8135e0ac62 |
memory/2156-97-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1560-87-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/1284-85-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2708-136-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1284-137-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1560-138-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2756-139-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/1284-140-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2536-141-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1732-142-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/112-143-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2156-144-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2684-145-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2776-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2708-147-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2716-148-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2592-149-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2456-150-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/3040-151-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1560-152-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2756-153-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2536-154-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1732-155-0x000000013FE50000-0x00000001401A4000-memory.dmp
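Grouping the dump names above, as an added example that is not part of the report. It assumes the name layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, which is inferred from the listing, and runs on a subset of the names copied from the list above. Two things fall out that are hard to see by eye: every dumped region except the 0x10000 one in PID 1284 is exactly 0x354000 bytes, whichever process it was taken from, and several start/end ranges are listed under both PID 1284 and a child PID. The constant size is consistent with the same unpacked image being present in every child; the ranges shared with 1284 are consistent with the WriteProcessMemory signature above, although the report gives no per-hit detail to confirm either reading.

```python
"""Parse sandbox memory dump names and group regions by process.

Added example, not part of the sandbox report. The assumed name layout is
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, inferred from the Files
listing; the field meaning is an assumption. DUMPS is a subset copied from
the behavioral1 listing.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = [  # copied from the behavioral1 Files section (subset)
    "memory/1284-0-0x000000013F800000-0x000000013FB54000-memory.dmp",
    "memory/1284-1-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/112-9-0x000000013F750000-0x000000013FAA4000-memory.dmp",
    "memory/2156-15-0x000000013F100000-0x000000013F454000-memory.dmp",
    "memory/1284-14-0x000000013F100000-0x000000013F454000-memory.dmp",
    "memory/1284-8-0x0000000002400000-0x0000000002754000-memory.dmp",
    "memory/2684-22-0x000000013F920000-0x000000013FC74000-memory.dmp",
    "memory/2776-33-0x000000013F3A0000-0x000000013F6F4000-memory.dmp",
    "memory/1284-58-0x000000013FE40000-0x0000000140194000-memory.dmp",
    "memory/2536-100-0x000000013FE40000-0x0000000140194000-memory.dmp",
    "memory/1732-102-0x000000013FE50000-0x00000001401A4000-memory.dmp",
    "memory/1284-101-0x000000013FE50000-0x00000001401A4000-memory.dmp",
]


def parse_dump(name: str) -> dict:
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: sorted unique (start, size)} so repeated dumps of one region collapse."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[d["pid"]].add((d["start"], d["size"]))
    return {pid: sorted(s) for pid, s in out.items()}


def region_sizes(names):
    """Distinct region sizes across every process, ascending."""
    return sorted({parse_dump(n)["size"] for n in names})


def shared_regions(names):
    """Ranges dumped under more than one PID: {(start, end): sorted pids}."""
    owners = defaultdict(set)
    for d in map(parse_dump, names):
        owners[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(p) for rng, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    print("sizes:", [hex(s) for s in region_sizes(DUMPS)])
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        print(pid, [(hex(a), hex(n)) for a, n in regs])
    for (a, b), pids in shared_regions(DUMPS).items():
        print(f"{hex(a)}-{hex(b)} dumped under pids {pids}")
```

Running it on the full list from the Files section gives the same two sizes; the 0x2400000 region in PID 1284 sits far below the 0x13F800000 mapping recorded first for that process, which is the sort of address a second copy of an unpacked image lands at rather than the process's own image base.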
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:12
Reported
2024-06-08 04:16
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits recorded; the report captured no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; the report captured no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
64 hits recorded; the report captured no description, indicator, process or target for any of them.
XMRig Miner payload
64 hits recorded; the report captured no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rezbDyk.exe | N/A |
| N/A | N/A | C:\Windows\System\ICNKbLx.exe | N/A |
| N/A | N/A | C:\Windows\System\oMMaSGG.exe | N/A |
| N/A | N/A | C:\Windows\System\FaOOhZR.exe | N/A |
| N/A | N/A | C:\Windows\System\iGnuqsO.exe | N/A |
| N/A | N/A | C:\Windows\System\YuMHpyr.exe | N/A |
| N/A | N/A | C:\Windows\System\gXTVHQW.exe | N/A |
| N/A | N/A | C:\Windows\System\SNomiOt.exe | N/A |
| N/A | N/A | C:\Windows\System\FylkGdW.exe | N/A |
| N/A | N/A | C:\Windows\System\WoIaPnq.exe | N/A |
| N/A | N/A | C:\Windows\System\SUPKLoA.exe | N/A |
| N/A | N/A | C:\Windows\System\SSklPbO.exe | N/A |
| N/A | N/A | C:\Windows\System\czaDPPX.exe | N/A |
| N/A | N/A | C:\Windows\System\kNUIZXw.exe | N/A |
| N/A | N/A | C:\Windows\System\PQIRVDv.exe | N/A |
| N/A | N/A | C:\Windows\System\UPMvsly.exe | N/A |
| N/A | N/A | C:\Windows\System\IJUopgH.exe | N/A |
| N/A | N/A | C:\Windows\System\GwoNuVb.exe | N/A |
| N/A | N/A | C:\Windows\System\VpCmacb.exe | N/A |
| N/A | N/A | C:\Windows\System\dxgWSCz.exe | N/A |
| N/A | N/A | C:\Windows\System\RrhOMWi.exe | N/A |
UPX packed file
64 hits recorded; the report captured no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rezbDyk.exe
C:\Windows\System\rezbDyk.exe
C:\Windows\System\ICNKbLx.exe
C:\Windows\System\ICNKbLx.exe
C:\Windows\System\oMMaSGG.exe
C:\Windows\System\oMMaSGG.exe
C:\Windows\System\FaOOhZR.exe
C:\Windows\System\FaOOhZR.exe
C:\Windows\System\iGnuqsO.exe
C:\Windows\System\iGnuqsO.exe
C:\Windows\System\YuMHpyr.exe
C:\Windows\System\YuMHpyr.exe
C:\Windows\System\gXTVHQW.exe
C:\Windows\System\gXTVHQW.exe
C:\Windows\System\SNomiOt.exe
C:\Windows\System\SNomiOt.exe
C:\Windows\System\FylkGdW.exe
C:\Windows\System\FylkGdW.exe
C:\Windows\System\WoIaPnq.exe
C:\Windows\System\WoIaPnq.exe
C:\Windows\System\SUPKLoA.exe
C:\Windows\System\SUPKLoA.exe
C:\Windows\System\SSklPbO.exe
C:\Windows\System\SSklPbO.exe
C:\Windows\System\czaDPPX.exe
C:\Windows\System\czaDPPX.exe
C:\Windows\System\kNUIZXw.exe
C:\Windows\System\kNUIZXw.exe
C:\Windows\System\PQIRVDv.exe
C:\Windows\System\PQIRVDv.exe
C:\Windows\System\UPMvsly.exe
C:\Windows\System\UPMvsly.exe
C:\Windows\System\IJUopgH.exe
C:\Windows\System\IJUopgH.exe
C:\Windows\System\GwoNuVb.exe
C:\Windows\System\GwoNuVb.exe
C:\Windows\System\VpCmacb.exe
C:\Windows\System\VpCmacb.exe
C:\Windows\System\dxgWSCz.exe
C:\Windows\System\dxgWSCz.exe
C:\Windows\System\RrhOMWi.exe
C:\Windows\System\RrhOMWi.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2856,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2124-0-0x00007FF6C1570000-0x00007FF6C18C4000-memory.dmp
memory/2124-1-0x00000220F3550000-0x00000220F3560000-memory.dmp
C:\Windows\System\rezbDyk.exe
| MD5 | 5e7e9bda2c53928f36556e0361e2b192 |
| SHA1 | d08c5a46c985bab7f7fcc78a1092ffdac39e0d51 |
| SHA256 | 83606993f2a5c005a4cbdfeb5175a59ce573722665f29934c511f2942723085b |
| SHA512 | dddb376b4e6b0f6c3f875fb9cb62aaab8d7de5a07e7c653fe6039e24863146e96b9f94caabd5a6c469320dff5419069fc37208d9c3234981d41275c242602c04 |
memory/4020-8-0x00007FF64DB00000-0x00007FF64DE54000-memory.dmp
memory/3976-14-0x00007FF6797C0000-0x00007FF679B14000-memory.dmp
C:\Windows\System\oMMaSGG.exe
| MD5 | e04200b80a537efd39c58668175e0f93 |
| SHA1 | a4a6e0ac3fc5a4c935ff65f12a951d18ca5a6096 |
| SHA256 | 11efe6ef54669cb540ad07aba1706cb37a4288536dd2df03bb815bdda105e015 |
| SHA512 | bf6ec8fdd1b2de612b8adb6ca528b12f54b9bc2919e49f5e18b6a1ef78175d35203868b340d49b334052e171a7a77a08e6f30638bee1ff60c9eb2f7acd5264b8 |
memory/4052-19-0x00007FF6BDC10000-0x00007FF6BDF64000-memory.dmp
C:\Windows\System\FaOOhZR.exe
| MD5 | 1e8f4fd9bc2763341626c33a6bfae62b |
| SHA1 | 3c49f54a38be8f401bfe31e691730946efb07f6e |
| SHA256 | 5645ba9c683af2541d08ccaccda1c83de384ca3268642abf2a26c935d7113fd8 |
| SHA512 | 622bdc40634619c00afe91c5e58aa410e3d9a7a525b90c866c3b549575005db02dbeab4cef0069caec3967012933e5a4b9fa981b442331ec9373032e15e667a4 |
memory/3932-24-0x00007FF662DE0000-0x00007FF663134000-memory.dmp
C:\Windows\System\YuMHpyr.exe
| MD5 | a830c25b464fc28372a67cc0747605fd |
| SHA1 | 90c914dcd61c7d5116d22527df7a66da131e2804 |
| SHA256 | 07d67984091f5812cff04430d18bb37664c9be7ecb0e767f6793e3d73382ddac |
| SHA512 | 92d7aa77858d85511d117b2ec25bf2eff1b1f80c9c462d47c1496eedffa9a3538657661c378b0fd7b646259c1a982a4bef0e71a0526ccb45a673455b1fdfdb95 |
C:\Windows\System\gXTVHQW.exe
| MD5 | cd345ac3f378c924ca24f47c7a0cfbd5 |
| SHA1 | 55c9ae6f9f04e85a78b865cf75eec83a024bbacf |
| SHA256 | 3314db24bc471c7c2b896afbc40080a1ef181e50182ea4b4fb46eb00a5cb2e61 |
| SHA512 | a5e71d42c531c6b31337753626a62dc1efffcfeb420fb334e1e03c34a7c9d4d7c61cf43035c3e411d9d00db669c1e765c379ef256c6b5718d7098529ad9aad83 |
memory/844-41-0x00007FF71E6B0000-0x00007FF71EA04000-memory.dmp
memory/4808-42-0x00007FF677E30000-0x00007FF678184000-memory.dmp
memory/4716-39-0x00007FF702AA0000-0x00007FF702DF4000-memory.dmp
C:\Windows\System\iGnuqsO.exe
| MD5 | 29e6a9c84cb0622c51821b292d216b97 |
| SHA1 | 1c61a13081b4be8a7bfa9bc0f055c614363c96b5 |
| SHA256 | d68dbdf8470385cb845f7a4daa01e734b30babafb5d0ebe9d9fa3c2dbaaacddd |
| SHA512 | 628cdb47a053a8b8e50c99626df93fa2b63f9bb875a442d64a1a091f6b2210a33c56ebd406fdd1502869041938e26cc17a4ee8709d7b0bcc3aab9be521391c4f |
C:\Windows\System\ICNKbLx.exe
| MD5 | 4c550832f096464e035df25e40ab567f |
| SHA1 | db80231d39e531b279000661b48d1179c91ae89e |
| SHA256 | 1e5e5a975a5db274f187ce46a29b41b674f750aca78fcec902d7ac1728606728 |
| SHA512 | 51d66c9d1c972b3db080c27cd53b5ad5ed47f27f484cffd42eafe99032266b393ab6510bd6340c33c59735ea9c292bb3d7f1b03ca3f0a39da77c27002850b48e |
C:\Windows\System\SNomiOt.exe
| MD5 | aab21b7d65623cd35593db2e7b874869 |
| SHA1 | e6773e8429e6af4cde98b2a5a53d8aa15d8c9447 |
| SHA256 | ff11870aba6b62e9db16aa133b4427b0a9b23c7d2a10c03cac01bda0ab1f1659 |
| SHA512 | 72ee712f4d7a71b9e023a67c610ebf73c5da0ea27ddd16b913323fdf6afaa25ed6aae9ebe7270e5d5b46160e8d2ffc00060d477430dfdfd1e739b8d8ac6a5f7c |
memory/4956-50-0x00007FF7FABE0000-0x00007FF7FAF34000-memory.dmp
C:\Windows\System\FylkGdW.exe
| MD5 | 81a818e966a6e81ddf9305428f1a1a87 |
| SHA1 | b5447cf75b765318096bc7ec9fc4e87dea3ae1dc |
| SHA256 | cde3db972bcf4e46b3c8f87bbc11bdeb984624a3b5f07c073632bc18de1dd5fe |
| SHA512 | a758d4c03d9b57046031f5cb87b0fd97cafa2b25b651e4236bf2ffc70af9d0f14494f625cf0adb34b98309a2b686749e9a20678ee2203982231a73fd9a51ee65 |
memory/2600-56-0x00007FF60F990000-0x00007FF60FCE4000-memory.dmp
C:\Windows\System\WoIaPnq.exe
| MD5 | 048fc865d99a179ee43c40e472a0a004 |
| SHA1 | cbf597e58b0e959c7c9b468a77058b65438b983b |
| SHA256 | 98ad1858258aa29f7c46075ba1829e5e08ff1f80a095ea6b5e1c162069d0f798 |
| SHA512 | 4baea6ed0b88536021f8c72d1b6e6d9e4dcb3d20d37638ffe23449bcaaa5a5faa936a5966f44d23cf2f516bcf7d6ad601972973890c5f13a6073c94c11cca7a8 |
C:\Windows\System\SUPKLoA.exe
| MD5 | ff629ff2ee4958b40dc85ac1bb7e292d |
| SHA1 | b8d339d81d0f391e0b02fb6e079ea2f2ef8c6a1c |
| SHA256 | c0a81651d9bc2a23973f997aadbb63b53caa61ec65c95e7be0a88d947754ea9e |
| SHA512 | aadc07cf8c405a7534afa2da57aaeba11658700a8d1f43049e9064ceb8711b3f96def18d99b18ce1a74c234b10d3335c7e97a20a754af176a3efb65ad13d7d42 |
memory/2124-62-0x00007FF6C1570000-0x00007FF6C18C4000-memory.dmp
memory/4880-66-0x00007FF68C720000-0x00007FF68CA74000-memory.dmp
C:\Windows\System\SSklPbO.exe
| MD5 | 2537f8b26adcff3ebe9023385088831c |
| SHA1 | 6d38fa9914a0605a86bb249cb6b7c3b7c89a4cc0 |
| SHA256 | 087a7b0c5ddd7098c8d43fb77428c55013479598fbcb76fdad209ca3eca588fe |
| SHA512 | 667efdbc77fd2bfa6e3ca2f3570fb591920e6c36952498f54322856eb26765577ac15029e2b678081ef9109355116a0c4671b5debe7d19c101f41013ce08875d |
memory/1116-71-0x00007FF66D530000-0x00007FF66D884000-memory.dmp
memory/1100-75-0x00007FF6A96D0000-0x00007FF6A9A24000-memory.dmp
C:\Windows\System\czaDPPX.exe
| MD5 | 72bb6b5c8aaa98c3500e8b7ca20e8153 |
| SHA1 | 972726d66ef2eca5659536569bbd07fd2381e8ee |
| SHA256 | 30940356ff74d7ac3e7968cd11d9671444d3a0d2064d8e2abe0515b3ed1d258d |
| SHA512 | b5d22d862adca178ca553109cc13f4ece1a85182004d77a09989e826a79d47a00b520bf2191de29b461e09f5ba8de579841905b2445c35135342effff8b72817 |
memory/4052-80-0x00007FF6BDC10000-0x00007FF6BDF64000-memory.dmp
memory/400-81-0x00007FF660F00000-0x00007FF661254000-memory.dmp
memory/4716-89-0x00007FF702AA0000-0x00007FF702DF4000-memory.dmp
C:\Windows\System\UPMvsly.exe
| MD5 | d2136e2a0fb1e23b29df8799e959583d |
| SHA1 | 321b1a23610e535449c142f1d3a9e1e7f39120b6 |
| SHA256 | 56173f4e1457b7bcea78c1e4467fbafd9f8959d55e24759b4db4719f8accc933 |
| SHA512 | 2e2efed77d686d38d9f2a29a86a59b90d2db5f4fdbbeff34960d2149cf90e3e2b30448f5e9b77e2da59d957063d138deecd0a307c29517878f9ebb3de4097f01 |
C:\Windows\System\IJUopgH.exe
| MD5 | b87ba3a4fe621fdb57d912354e430e46 |
| SHA1 | bd9fe72b508e0595c0fd2a5f4d481d9d97e3ed9d |
| SHA256 | 4b539c004d825ddb9b71229fa9b2ff28c5bf4a04f5dc9a55299dec174dab0cf6 |
| SHA512 | 3eb62de2d11d8af1af2c373c2bef50c5233ca92ee06f46bdcd84829f3c7e96bceb49cacbf5b59f0951ffa96eda645056d6766493acebd4e96a98b09af131b5d6 |
memory/1224-106-0x00007FF6D3860000-0x00007FF6D3BB4000-memory.dmp
memory/3788-104-0x00007FF68CA70000-0x00007FF68CDC4000-memory.dmp
C:\Windows\System\kNUIZXw.exe
| MD5 | d00cec7d06298d2a7170f84f97dab3a0 |
| SHA1 | 6c4729ef7c59eb2e276970069cd71740b18eb278 |
| SHA256 | 9f8a268e3ae855d849665866041d0a0c99b0ae2a45d7df60b9ed07dd5c262fec |
| SHA512 | a262aceb4f620c15d3ecb5568209572937dc466ec923953bd0a161f1b74f1ad368b54deee80688912f9cc4d8414273854d963fd78a872f7160f354571445698c |
C:\Windows\System\PQIRVDv.exe
| MD5 | 24a8760281dca8e51bfbaaf59d53e022 |
| SHA1 | 0fbd8847f6ffeeb19b6b2814f5669decc7c2da53 |
| SHA256 | 6c78f42ffa52876e47cdbe48fae72e0f770c0e7582a9be81c392cf3308d948cb |
| SHA512 | 272efe14b06753b9b63fa3aac8c698b6563308c4e184f658acc13abc155d301948a28d59876a937b000a35fade5dd6c25d3074617db92588b9a62fd151f78e25 |
C:\Windows\System\VpCmacb.exe
| MD5 | 1256ae5ff2e440f86404a0118b08a315 |
| SHA1 | 083d7d117ed0371781704680fe0763a7111d0ed1 |
| SHA256 | afca597a6f7330d84d48011ce5f9971c3d9bbc1256d2385a3cf4423a835eaad6 |
| SHA512 | 38e16bd970879c612324d86165161c6d680623f97f1375aab933cdc58e32c7c04f4635a83ec454eda35c10b4c0960e8184bacf96b66de4bd886136e07c2805d3 |
C:\Windows\System\dxgWSCz.exe
| MD5 | 69684c269d4b117890dc6a30f5d8dbbe |
| SHA1 | 204bee195c72af86eb198ecae8f9344b0769da3a |
| SHA256 | 6a0d0224f1ac2e9a7d1ba8e791021e8ceff1e761f08a76c057b7b232417bb1e2 |
| SHA512 | 8f7c0675fa94aa1a35c3715ea8cae6f80c0e7b24c933116230ca04504d059196f6c56acd479c3590ab309fb3b0e8397cfd5e96466fa56c51c76b968be79a41c7 |
memory/4440-121-0x00007FF7EC0F0000-0x00007FF7EC444000-memory.dmp
C:\Windows\System\GwoNuVb.exe
| MD5 | a8095c514c1bec1de02357135d548b60 |
| SHA1 | c8fdca17f4e4d6d715548fc4807da69e8f1f50b0 |
| SHA256 | eb282dded4dab25bea8c10becec49f43c260617c5752dac1277f5012475b5b62 |
| SHA512 | cad516fceb0849c3c0c153fde8496f2e5ce1f259c9336b1df9a56f8a151141ff551db800e10a92ba635220a4a9f1be7d2262d7c621710114b0228d0bc48aa897 |
C:\Windows\System\RrhOMWi.exe
| MD5 | 85b3c3af41eb064eeae851ebce4ba093 |
| SHA1 | 050a6690b98a74f5f969a2772716330813abf35f |
| SHA256 | 39d1ecef2738be8c26eca38dda6e9fa7d7c175f7055e3f512205474dd55b010b |
| SHA512 | a4f6bd8b066918a88a8562ba3dc58b885362740d0e28dc663f92d18d712bb03335315cef017f466857af6356c6528650421021be6348fb4b68839d916048864a |