Analysis Overview
SHA256
062b9eec7c32d9aca2037dd9abd2a49b3b9e2ea41db61dd8adc273e0bc09448a
Threat Level: Known bad
The file 2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:47
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:46
Reported
2024-06-08 04:50
Platform
win7-20240221-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TDziMeI.exe | N/A |
| N/A | N/A | C:\Windows\System\lYlCXpF.exe | N/A |
| N/A | N/A | C:\Windows\System\VNErhJa.exe | N/A |
| N/A | N/A | C:\Windows\System\iwHJiRa.exe | N/A |
| N/A | N/A | C:\Windows\System\qVtieOw.exe | N/A |
| N/A | N/A | C:\Windows\System\jXVQTMa.exe | N/A |
| N/A | N/A | C:\Windows\System\iikeXEw.exe | N/A |
| N/A | N/A | C:\Windows\System\PuOCeKc.exe | N/A |
| N/A | N/A | C:\Windows\System\nLLfjxs.exe | N/A |
| N/A | N/A | C:\Windows\System\mpoCtjc.exe | N/A |
| N/A | N/A | C:\Windows\System\WlJHCpo.exe | N/A |
| N/A | N/A | C:\Windows\System\vHATgcy.exe | N/A |
| N/A | N/A | C:\Windows\System\ypnfRcr.exe | N/A |
| N/A | N/A | C:\Windows\System\llCpOdS.exe | N/A |
| N/A | N/A | C:\Windows\System\hTIlVGh.exe | N/A |
| N/A | N/A | C:\Windows\System\nJeRmPO.exe | N/A |
| N/A | N/A | C:\Windows\System\eKyXmiF.exe | N/A |
| N/A | N/A | C:\Windows\System\ftGLAuu.exe | N/A |
| N/A | N/A | C:\Windows\System\nWjckhO.exe | N/A |
| N/A | N/A | C:\Windows\System\VvzfVse.exe | N/A |
| N/A | N/A | C:\Windows\System\GPwKUFs.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TDziMeI.exe
C:\Windows\System\TDziMeI.exe
C:\Windows\System\lYlCXpF.exe
C:\Windows\System\lYlCXpF.exe
C:\Windows\System\VNErhJa.exe
C:\Windows\System\VNErhJa.exe
C:\Windows\System\iwHJiRa.exe
C:\Windows\System\iwHJiRa.exe
C:\Windows\System\qVtieOw.exe
C:\Windows\System\qVtieOw.exe
C:\Windows\System\jXVQTMa.exe
C:\Windows\System\jXVQTMa.exe
C:\Windows\System\iikeXEw.exe
C:\Windows\System\iikeXEw.exe
C:\Windows\System\PuOCeKc.exe
C:\Windows\System\PuOCeKc.exe
C:\Windows\System\nLLfjxs.exe
C:\Windows\System\nLLfjxs.exe
C:\Windows\System\mpoCtjc.exe
C:\Windows\System\mpoCtjc.exe
C:\Windows\System\WlJHCpo.exe
C:\Windows\System\WlJHCpo.exe
C:\Windows\System\vHATgcy.exe
C:\Windows\System\vHATgcy.exe
C:\Windows\System\ypnfRcr.exe
C:\Windows\System\ypnfRcr.exe
C:\Windows\System\llCpOdS.exe
C:\Windows\System\llCpOdS.exe
C:\Windows\System\hTIlVGh.exe
C:\Windows\System\hTIlVGh.exe
C:\Windows\System\nJeRmPO.exe
C:\Windows\System\nJeRmPO.exe
C:\Windows\System\eKyXmiF.exe
C:\Windows\System\eKyXmiF.exe
C:\Windows\System\ftGLAuu.exe
C:\Windows\System\ftGLAuu.exe
C:\Windows\System\VvzfVse.exe
C:\Windows\System\VvzfVse.exe
C:\Windows\System\nWjckhO.exe
C:\Windows\System\nWjckhO.exe
C:\Windows\System\GPwKUFs.exe
C:\Windows\System\GPwKUFs.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1908-1-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1908-0-0x00000000002F0000-0x0000000000300000-memory.dmp
C:\Windows\system\TDziMeI.exe
| MD5 | 7a29d4b6d05e8b77fba2a27e622e1f39 |
| SHA1 | 3a022bf5936c140c4e2447c2c2fe0fb5d0f29819 |
| SHA256 | 53d8eb6960f4a90ec27ede041cc5dbc0c0cb7bbf5a03e5b82f778aa8b5036945 |
| SHA512 | b11c209ea6ffde31bd71fd115a659ad7ea5c52351667bcc541bbc1c0e42e9d68fb8a340d6ab28e2eb315807202fdaeafb1a39c26b70b2b1d940fa1727ef19a57 |
\Windows\system\lYlCXpF.exe
| MD5 | d630911ea221a1905b468280cd62ed0c |
| SHA1 | 1f08d285b55b49ba675ea1b2c43ba69afec3f5ed |
| SHA256 | 34a5d7327cc5d4a81befed140db03cdcc7bf0e9bf03243aed55b60df3ce71058 |
| SHA512 | 42d4f702ce21911877afb823bace6f7a825b5249216a9139ece98891573a06b7493a78ccedae51af32dc39dfc286ec65db34438ebb629ebe505167919fa816e3 |
C:\Windows\system\VNErhJa.exe
| MD5 | dc8f59b5bc42a3d9b48244c8486bbc15 |
| SHA1 | 7d3830fdb98175094d26c195a6391cfa6e59dc5b |
| SHA256 | 168f18a7f73ec962ae0b5ccf001abfc1525d883d908e982190d59eb0060463d7 |
| SHA512 | 111a31b9d9bba52f60e053406c9e2b83a79bcc192c898e3386dfba357cecb6bae7ca7090aaca583edfdd98b8182fa060e8cf44b2fad0f4b799e4cc573ccd6c85 |
C:\Windows\system\VNErhJa.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
C:\Windows\system\iwHJiRa.exe
| MD5 | 51eccd864d00b122bb18eb9b806de40b |
| SHA1 | b0ef9fa094656d9bdee8ac34ea81a442338601fb |
| SHA256 | d8d09b9fc5d2fd978b6cb32577b838c1fe5618439af5ce51f81469d84e9e32c8 |
| SHA512 | 19c3d71c1835c5c797f7d5d749cce0eabfcb00dea470af62d5fb7f9499c8176370f97229f1784a0723b6dda392b41e629d2bf1aa551b90d297ea5401fb2a599a |
memory/1856-18-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\jXVQTMa.exe
| MD5 | e7d77d2983e71657ab31358ee6d3b0a9 |
| SHA1 | 54aeddbcc480e166f76e1c45578c3fc026032221 |
| SHA256 | 2117e050d2a2705ca0752ddc7bc85de80ae14d27ad2da561e58692b9bc84599f |
| SHA512 | df0e052c426bb380abea93d7fa240cbfac493299ff931f61861dca63b38f151e1af799442bb4e886d22aa8af06fce3dbe3be6bf049f9e29ccd1ab0f50207712e |
C:\Windows\system\qVtieOw.exe
| MD5 | c7df83179461c6ab3b8382fd8c0b5612 |
| SHA1 | f9119cf287412461e319effabe883dff4144a473 |
| SHA256 | 52ee3e60f0c74ca30c976879408bc55a3ae87d7cf4add1eb9a9d0fb39bdcaf2a |
| SHA512 | f20ee8b0346eae76d9d8e7f5f0f9dea5038888aa81a5dbe053eaced9638ecf5f92252c8e3f7340442f6a98afde8fe03e7110adae01641755c40b89d95fe186e3 |
C:\Windows\system\iikeXEw.exe
| MD5 | 043488c0b2df2a3818b4e2f7b68af331 |
| SHA1 | 3bf1d2e9115d53e258f20e1dcf5130a73cb35de1 |
| SHA256 | 4cc5afff3906e7c6a1c3c6c9134d7e4f9fbf5207d351569709d8b0de36dc92f5 |
| SHA512 | 8aa42bb058a233ddf0c82aaf7426621254c566bf60f04b6ed8544dc574e8f3f945302483e2482b8efb292c65aebac7f2ae0bea1c72fa02f0ed0433e00af55bb6 |
C:\Windows\system\PuOCeKc.exe
| MD5 | 9309370fad700363a84007b54bb2036b |
| SHA1 | d135d09cfe894c6e767e3f25c948cffc6ed7e4d2 |
| SHA256 | 60e66eb9429eb69c4f1a9e94a272ec0f20322f5f4cb7ead2094d5f72efc79d54 |
| SHA512 | 3a40a811d15f02b4debaab9bc14401e98ed1a3e7778d5e21a426b28b2137a74a5b018e1cba082dc6767c9ef434138bb7edeae6cb812c4859dfc8f1112c2a56cf |
C:\Windows\system\nLLfjxs.exe
| MD5 | bc05e3fd66ca7363901b6c697be364e0 |
| SHA1 | b13192d1fa9c811ac4b29a6e2e28038b4f488d1a |
| SHA256 | bf95e0ae245ba2957eb61b9dbda7dbb5e9436bdc85e69bc7dd90d71f6b5d6011 |
| SHA512 | 5f554bf26b45be4e947ab2ea4824603ea41853c433e422e46c331bee065293887f08eaacd95a6af46b0791e4e92912e25309b21f8205288df5b09634f6767cb1 |
C:\Windows\system\WlJHCpo.exe
| MD5 | 2aa333f6013a3eb6cfd87644f2b2fb45 |
| SHA1 | 7da673346f6c1a40833181b7943327f511d3bd1c |
| SHA256 | 123f43e26a1c22d4ee8089a1413897432847742ad43ec232c1aa23bf2d604514 |
| SHA512 | 8593f31da16e4e9a404c717d2b71dfe55df710f170d123ef7c8c9d79da738bb8c01d7da6e97dbef969fd43f17dfc29b0e59205ac9bd92f828d16c0bdfd8ab6a6 |
C:\Windows\system\vHATgcy.exe
| MD5 | 64f312ef999d404f1bdd1b6666f62a48 |
| SHA1 | ba8cba11779f5b31cd38c06628deb4a481f10c98 |
| SHA256 | f716864b7a9e61f310d8a5460f8f49c1000b730859ad50a8835cb7e31396361d |
| SHA512 | fd9e38b7c63f1056bf46e5369a13bfb820d7f202891e85632d926888390b00c3af6e73f530f859c3c959ea3b00fe5af6ed59631813ee02ec4ef826f8d9d5f87c |
C:\Windows\system\hTIlVGh.exe
| MD5 | 0365284bae939706f450bbd043f43641 |
| SHA1 | 1a36e18f1e6ce14d36b654a0ae263c0a73443a41 |
| SHA256 | c5bd53b58584caed38df0f9958dd54c7030f329de79fb9e67c7172a47215e326 |
| SHA512 | 876c3f08b2bd03589bf3b3c700f0bcdc8fbefa2b862aaef4b57c983983ddd18af89dc49e6978312a2bb96aea1bdb2c575a86eb7fd8fbae96d8dcc1ace55b5ac3 |
C:\Windows\system\nJeRmPO.exe
| MD5 | aac01b621603d3c4574fd9cb99dbf01f |
| SHA1 | 0f6a6b5ff406d6769dff2338d4762915fd2e8966 |
| SHA256 | 485e77a6d18b274ff27ee290de7d8a3861ef6b86d2d051785372f30fd5bdb9b4 |
| SHA512 | 7d01cb28b20f78cfe76f35164cb122d30a263a7c89b3d1b1662907c406f5218edf3e1414d0f7e722caf008e368bf68c2b0336168d992acf505ae3ef6effce264 |
C:\Windows\system\ftGLAuu.exe
| MD5 | 17a95a45e0f11480b3b56dc1279ac781 |
| SHA1 | 1cab077912da09316342f93756ff961d4de5b7d2 |
| SHA256 | c980d3c417674bd8181953996001da11bd1355eb0b057470deb8bdfca6580800 |
| SHA512 | f00bb6a153a70a048110533f97f9e9fc5b0a8757b66f3b9d85f8403706d3a3a6c143e86dbb30494cb84de3d69b2178a81a58df1abce1d38c77ef4f7c1107dcb5 |
\Windows\system\nWjckhO.exe
| MD5 | abb7b392290f7c6e41c9cf45fee16719 |
| SHA1 | 102645241e2835d59acf1226d14b00116f377b78 |
| SHA256 | 3f80574fc65431d50f35e0276c87483e4b108d3c5cd60c32aaf6f4642d6a1bf0 |
| SHA512 | 923eba44517b2f389bf186a96d6aa400ece859bbd1711e3545c06b9809035550a3b88e6aa9a9eaba0f7b8912bac6d466679558e54e59639af7df70a9479661dc |
memory/1908-105-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2644-108-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1908-111-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/1908-115-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2004-121-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/1908-126-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1908-131-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2840-132-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2556-130-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1908-129-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2480-127-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2428-125-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\GPwKUFs.exe
| MD5 | 1d74ac33954447409a5455588a06e6e5 |
| SHA1 | 98458866e6d1afe294b39ece114e946222debe34 |
| SHA256 | 898f94bd465199db9b0cca099ef3aab1a58e505cf27d39cd1d72cb470b79f7a1 |
| SHA512 | 39886ebebcead150eedf164d74d45f0fe2eaaf022f80c447605ac3dd4b92d1a0bafbc4955802ae688f97455c7c1370656553af126e535092636b89fa07d1765d |
memory/1908-123-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2488-122-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1908-120-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2536-118-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2468-117-0x000000013F290000-0x000000013F5E4000-memory.dmp
C:\Windows\system\VvzfVse.exe
| MD5 | b58ab566573ce98bb99e225bd6eafeaf |
| SHA1 | ace0d5e77c0d32f963c3ef6c69cb8839fc340a4a |
| SHA256 | e301831b363c70311d009009a72d546729887524e2656a720eec68745462129d |
| SHA512 | bf78ef055b0ccca4e327dc429672a1d18c7ba59872409689ebaab61a3782659fcf875a49df34f36e66644b5082f70b9c48405a6bfa968ecb5b3a645857db430a |
memory/2764-114-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1908-113-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2560-112-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2628-110-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1908-109-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1908-107-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2564-106-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\eKyXmiF.exe
| MD5 | fc4198a13354a711bf554f09e8501953 |
| SHA1 | fbf3d0b760e0f8eb1aee3d66af38d3d05c582c33 |
| SHA256 | 33408f7519f2b390d3ac76c80ae5d2358cd284d03cfead130e61efaff29d7825 |
| SHA512 | daba66aee3be6094e47f2b1b3a84fe72ec16760b2ca59aaea9b20048008fe3a521e88a3fe8773d5ca5762eea381b727ac8df65f88d399f9c5a2facb7416163e7 |
C:\Windows\system\llCpOdS.exe
| MD5 | 0f59315f8a951a767258a4d6b4e14a6b |
| SHA1 | a36c26b02235e7ad87e0207fa163fdebd07c1955 |
| SHA256 | 5262a12f071a25560b66fe8286a751cf2880fb7880db938d9566b8ad07077cc1 |
| SHA512 | 5995967eb7436d6d17c92799edaabaf4c2087ef13538e96a9c0d4e515fd4649c040a6d9309fc1f93a7cb5a5395429756df918602434b81e605835902f92d0d97 |
C:\Windows\system\ypnfRcr.exe
| MD5 | de50b019cf2591e88efafaea3b18f822 |
| SHA1 | ee4818fc2cb417123a251c76ff0a5e142ce07c4a |
| SHA256 | b86d7d868b62091ccbf22fe3524fddd89484729681582d6165b83c37f6c16631 |
| SHA512 | 27697fd48787842737b216bdfb71db893a863c94fb25701bf2fb394c2a2a45b9e99bc853e8241879983cdc4dbdd3ab0ca990b253d461f294da727c5bf05654ff |
C:\Windows\system\mpoCtjc.exe
| MD5 | 3709f78ca1130bd178913a043c4220c6 |
| SHA1 | 82a2b502e9b727d8a00a03208c5dfec808523468 |
| SHA256 | 4529ec99725ad8ac98ae69de874bcb31d331cf8642f94f7ed08b7ff5077829d2 |
| SHA512 | c3367d518aec495a258de168284dd65f1e8a5ebb4cc453c728cd16a484fb801bad25c4053f391dd1ee251fd8a82cd806ad4cb29db376626ca64f55ba73512667 |
\Windows\system\nLLfjxs.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
memory/1908-11-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1908-133-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1908-134-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1908-135-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1908-136-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1856-137-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2840-138-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2628-144-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2488-148-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2428-150-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2556-149-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2560-147-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2468-146-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2004-145-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2480-143-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2764-142-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2536-141-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2644-140-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2564-139-0x000000013F1C0000-0x000000013F514000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:46
Reported
2024-06-08 04:50
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TDziMeI.exe | N/A |
| N/A | N/A | C:\Windows\System\lYlCXpF.exe | N/A |
| N/A | N/A | C:\Windows\System\VNErhJa.exe | N/A |
| N/A | N/A | C:\Windows\System\iwHJiRa.exe | N/A |
| N/A | N/A | C:\Windows\System\qVtieOw.exe | N/A |
| N/A | N/A | C:\Windows\System\jXVQTMa.exe | N/A |
| N/A | N/A | C:\Windows\System\iikeXEw.exe | N/A |
| N/A | N/A | C:\Windows\System\PuOCeKc.exe | N/A |
| N/A | N/A | C:\Windows\System\nLLfjxs.exe | N/A |
| N/A | N/A | C:\Windows\System\mpoCtjc.exe | N/A |
| N/A | N/A | C:\Windows\System\WlJHCpo.exe | N/A |
| N/A | N/A | C:\Windows\System\vHATgcy.exe | N/A |
| N/A | N/A | C:\Windows\System\ypnfRcr.exe | N/A |
| N/A | N/A | C:\Windows\System\llCpOdS.exe | N/A |
| N/A | N/A | C:\Windows\System\hTIlVGh.exe | N/A |
| N/A | N/A | C:\Windows\System\nJeRmPO.exe | N/A |
| N/A | N/A | C:\Windows\System\eKyXmiF.exe | N/A |
| N/A | N/A | C:\Windows\System\ftGLAuu.exe | N/A |
| N/A | N/A | C:\Windows\System\VvzfVse.exe | N/A |
| N/A | N/A | C:\Windows\System\nWjckhO.exe | N/A |
| N/A | N/A | C:\Windows\System\GPwKUFs.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7a58fba7c2231a655c7e93378386ee6e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TDziMeI.exe
C:\Windows\System\TDziMeI.exe
C:\Windows\System\lYlCXpF.exe
C:\Windows\System\lYlCXpF.exe
C:\Windows\System\VNErhJa.exe
C:\Windows\System\VNErhJa.exe
C:\Windows\System\iwHJiRa.exe
C:\Windows\System\iwHJiRa.exe
C:\Windows\System\qVtieOw.exe
C:\Windows\System\qVtieOw.exe
C:\Windows\System\jXVQTMa.exe
C:\Windows\System\jXVQTMa.exe
C:\Windows\System\iikeXEw.exe
C:\Windows\System\iikeXEw.exe
C:\Windows\System\PuOCeKc.exe
C:\Windows\System\PuOCeKc.exe
C:\Windows\System\nLLfjxs.exe
C:\Windows\System\nLLfjxs.exe
C:\Windows\System\mpoCtjc.exe
C:\Windows\System\mpoCtjc.exe
C:\Windows\System\WlJHCpo.exe
C:\Windows\System\WlJHCpo.exe
C:\Windows\System\vHATgcy.exe
C:\Windows\System\vHATgcy.exe
C:\Windows\System\ypnfRcr.exe
C:\Windows\System\ypnfRcr.exe
C:\Windows\System\llCpOdS.exe
C:\Windows\System\llCpOdS.exe
C:\Windows\System\hTIlVGh.exe
C:\Windows\System\hTIlVGh.exe
C:\Windows\System\nJeRmPO.exe
C:\Windows\System\nJeRmPO.exe
C:\Windows\System\eKyXmiF.exe
C:\Windows\System\eKyXmiF.exe
C:\Windows\System\ftGLAuu.exe
C:\Windows\System\ftGLAuu.exe
C:\Windows\System\VvzfVse.exe
C:\Windows\System\VvzfVse.exe
C:\Windows\System\nWjckhO.exe
C:\Windows\System\nWjckhO.exe
C:\Windows\System\GPwKUFs.exe
C:\Windows\System\GPwKUFs.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/560-0-0x00007FF681BF0000-0x00007FF681F44000-memory.dmp
memory/560-1-0x000001A88BD30000-0x000001A88BD40000-memory.dmp
C:\Windows\System\TDziMeI.exe
| MD5 | 7a29d4b6d05e8b77fba2a27e622e1f39 |
| SHA1 | 3a022bf5936c140c4e2447c2c2fe0fb5d0f29819 |
| SHA256 | 53d8eb6960f4a90ec27ede041cc5dbc0c0cb7bbf5a03e5b82f778aa8b5036945 |
| SHA512 | b11c209ea6ffde31bd71fd115a659ad7ea5c52351667bcc541bbc1c0e42e9d68fb8a340d6ab28e2eb315807202fdaeafb1a39c26b70b2b1d940fa1727ef19a57 |
C:\Windows\System\VNErhJa.exe
| MD5 | dc8f59b5bc42a3d9b48244c8486bbc15 |
| SHA1 | 7d3830fdb98175094d26c195a6391cfa6e59dc5b |
| SHA256 | 168f18a7f73ec962ae0b5ccf001abfc1525d883d908e982190d59eb0060463d7 |
| SHA512 | 111a31b9d9bba52f60e053406c9e2b83a79bcc192c898e3386dfba357cecb6bae7ca7090aaca583edfdd98b8182fa060e8cf44b2fad0f4b799e4cc573ccd6c85 |
C:\Windows\System\lYlCXpF.exe
| MD5 | d630911ea221a1905b468280cd62ed0c |
| SHA1 | 1f08d285b55b49ba675ea1b2c43ba69afec3f5ed |
| SHA256 | 34a5d7327cc5d4a81befed140db03cdcc7bf0e9bf03243aed55b60df3ce71058 |
| SHA512 | 42d4f702ce21911877afb823bace6f7a825b5249216a9139ece98891573a06b7493a78ccedae51af32dc39dfc286ec65db34438ebb629ebe505167919fa816e3 |
C:\Windows\System\iwHJiRa.exe
| MD5 | 51eccd864d00b122bb18eb9b806de40b |
| SHA1 | b0ef9fa094656d9bdee8ac34ea81a442338601fb |
| SHA256 | d8d09b9fc5d2fd978b6cb32577b838c1fe5618439af5ce51f81469d84e9e32c8 |
| SHA512 | 19c3d71c1835c5c797f7d5d749cce0eabfcb00dea470af62d5fb7f9499c8176370f97229f1784a0723b6dda392b41e629d2bf1aa551b90d297ea5401fb2a599a |
memory/4148-22-0x00007FF6CF960000-0x00007FF6CFCB4000-memory.dmp
memory/2564-14-0x00007FF6DE180000-0x00007FF6DE4D4000-memory.dmp
memory/4300-7-0x00007FF65AB30000-0x00007FF65AE84000-memory.dmp
memory/2520-26-0x00007FF691470000-0x00007FF6917C4000-memory.dmp
C:\Windows\System\qVtieOw.exe
| MD5 | c7df83179461c6ab3b8382fd8c0b5612 |
| SHA1 | f9119cf287412461e319effabe883dff4144a473 |
| SHA256 | 52ee3e60f0c74ca30c976879408bc55a3ae87d7cf4add1eb9a9d0fb39bdcaf2a |
| SHA512 | f20ee8b0346eae76d9d8e7f5f0f9dea5038888aa81a5dbe053eaced9638ecf5f92252c8e3f7340442f6a98afde8fe03e7110adae01641755c40b89d95fe186e3 |
memory/3100-32-0x00007FF7C0D90000-0x00007FF7C10E4000-memory.dmp
C:\Windows\System\jXVQTMa.exe
| MD5 | e7d77d2983e71657ab31358ee6d3b0a9 |
| SHA1 | 54aeddbcc480e166f76e1c45578c3fc026032221 |
| SHA256 | 2117e050d2a2705ca0752ddc7bc85de80ae14d27ad2da561e58692b9bc84599f |
| SHA512 | df0e052c426bb380abea93d7fa240cbfac493299ff931f61861dca63b38f151e1af799442bb4e886d22aa8af06fce3dbe3be6bf049f9e29ccd1ab0f50207712e |
C:\Windows\System\iikeXEw.exe
| MD5 | 043488c0b2df2a3818b4e2f7b68af331 |
| SHA1 | 3bf1d2e9115d53e258f20e1dcf5130a73cb35de1 |
| SHA256 | 4cc5afff3906e7c6a1c3c6c9134d7e4f9fbf5207d351569709d8b0de36dc92f5 |
| SHA512 | 8aa42bb058a233ddf0c82aaf7426621254c566bf60f04b6ed8544dc574e8f3f945302483e2482b8efb292c65aebac7f2ae0bea1c72fa02f0ed0433e00af55bb6 |
memory/2856-44-0x00007FF66E670000-0x00007FF66E9C4000-memory.dmp
memory/3748-38-0x00007FF6C5730000-0x00007FF6C5A84000-memory.dmp
C:\Windows\System\PuOCeKc.exe
| MD5 | 9309370fad700363a84007b54bb2036b |
| SHA1 | d135d09cfe894c6e767e3f25c948cffc6ed7e4d2 |
| SHA256 | 60e66eb9429eb69c4f1a9e94a272ec0f20322f5f4cb7ead2094d5f72efc79d54 |
| SHA512 | 3a40a811d15f02b4debaab9bc14401e98ed1a3e7778d5e21a426b28b2137a74a5b018e1cba082dc6767c9ef434138bb7edeae6cb812c4859dfc8f1112c2a56cf |
C:\Windows\System\nLLfjxs.exe
| MD5 | bc05e3fd66ca7363901b6c697be364e0 |
| SHA1 | b13192d1fa9c811ac4b29a6e2e28038b4f488d1a |
| SHA256 | bf95e0ae245ba2957eb61b9dbda7dbb5e9436bdc85e69bc7dd90d71f6b5d6011 |
| SHA512 | 5f554bf26b45be4e947ab2ea4824603ea41853c433e422e46c331bee065293887f08eaacd95a6af46b0791e4e92912e25309b21f8205288df5b09634f6767cb1 |
C:\Windows\System\mpoCtjc.exe
| MD5 | 3709f78ca1130bd178913a043c4220c6 |
| SHA1 | 82a2b502e9b727d8a00a03208c5dfec808523468 |
| SHA256 | 4529ec99725ad8ac98ae69de874bcb31d331cf8642f94f7ed08b7ff5077829d2 |
| SHA512 | c3367d518aec495a258de168284dd65f1e8a5ebb4cc453c728cd16a484fb801bad25c4053f391dd1ee251fd8a82cd806ad4cb29db376626ca64f55ba73512667 |
memory/5068-55-0x00007FF6CC4B0000-0x00007FF6CC804000-memory.dmp
memory/5092-51-0x00007FF6A9AE0000-0x00007FF6A9E34000-memory.dmp
memory/560-62-0x00007FF681BF0000-0x00007FF681F44000-memory.dmp
C:\Windows\System\WlJHCpo.exe
| MD5 | 2aa333f6013a3eb6cfd87644f2b2fb45 |
| SHA1 | 7da673346f6c1a40833181b7943327f511d3bd1c |
| SHA256 | 123f43e26a1c22d4ee8089a1413897432847742ad43ec232c1aa23bf2d604514 |
| SHA512 | 8593f31da16e4e9a404c717d2b71dfe55df710f170d123ef7c8c9d79da738bb8c01d7da6e97dbef969fd43f17dfc29b0e59205ac9bd92f828d16c0bdfd8ab6a6 |
memory/4300-72-0x00007FF65AB30000-0x00007FF65AE84000-memory.dmp
memory/4436-73-0x00007FF713720000-0x00007FF713A74000-memory.dmp
C:\Windows\System\vHATgcy.exe
| MD5 | 64f312ef999d404f1bdd1b6666f62a48 |
| SHA1 | ba8cba11779f5b31cd38c06628deb4a481f10c98 |
| SHA256 | f716864b7a9e61f310d8a5460f8f49c1000b730859ad50a8835cb7e31396361d |
| SHA512 | fd9e38b7c63f1056bf46e5369a13bfb820d7f202891e85632d926888390b00c3af6e73f530f859c3c959ea3b00fe5af6ed59631813ee02ec4ef826f8d9d5f87c |
memory/1196-74-0x00007FF60E8C0000-0x00007FF60EC14000-memory.dmp
memory/4544-63-0x00007FF77C390000-0x00007FF77C6E4000-memory.dmp
memory/2564-81-0x00007FF6DE180000-0x00007FF6DE4D4000-memory.dmp
memory/4148-85-0x00007FF6CF960000-0x00007FF6CFCB4000-memory.dmp
C:\Windows\System\hTIlVGh.exe
| MD5 | 0365284bae939706f450bbd043f43641 |
| SHA1 | 1a36e18f1e6ce14d36b654a0ae263c0a73443a41 |
| SHA256 | c5bd53b58584caed38df0f9958dd54c7030f329de79fb9e67c7172a47215e326 |
| SHA512 | 876c3f08b2bd03589bf3b3c700f0bcdc8fbefa2b862aaef4b57c983983ddd18af89dc49e6978312a2bb96aea1bdb2c575a86eb7fd8fbae96d8dcc1ace55b5ac3 |
memory/4668-98-0x00007FF620FC0000-0x00007FF621314000-memory.dmp
memory/1656-110-0x00007FF6997D0000-0x00007FF699B24000-memory.dmp
C:\Windows\System\ftGLAuu.exe
| MD5 | 17a95a45e0f11480b3b56dc1279ac781 |
| SHA1 | 1cab077912da09316342f93756ff961d4de5b7d2 |
| SHA256 | c980d3c417674bd8181953996001da11bd1355eb0b057470deb8bdfca6580800 |
| SHA512 | f00bb6a153a70a048110533f97f9e9fc5b0a8757b66f3b9d85f8403706d3a3a6c143e86dbb30494cb84de3d69b2178a81a58df1abce1d38c77ef4f7c1107dcb5 |
memory/5096-112-0x00007FF65F920000-0x00007FF65FC74000-memory.dmp
C:\Windows\System\nJeRmPO.exe
| MD5 | aac01b621603d3c4574fd9cb99dbf01f |
| SHA1 | 0f6a6b5ff406d6769dff2338d4762915fd2e8966 |
| SHA256 | 485e77a6d18b274ff27ee290de7d8a3861ef6b86d2d051785372f30fd5bdb9b4 |
| SHA512 | 7d01cb28b20f78cfe76f35164cb122d30a263a7c89b3d1b1662907c406f5218edf3e1414d0f7e722caf008e368bf68c2b0336168d992acf505ae3ef6effce264 |
memory/3656-103-0x00007FF6FDB20000-0x00007FF6FDE74000-memory.dmp
C:\Windows\System\eKyXmiF.exe
| MD5 | fc4198a13354a711bf554f09e8501953 |
| SHA1 | fbf3d0b760e0f8eb1aee3d66af38d3d05c582c33 |
| SHA256 | 33408f7519f2b390d3ac76c80ae5d2358cd284d03cfead130e61efaff29d7825 |
| SHA512 | daba66aee3be6094e47f2b1b3a84fe72ec16760b2ca59aaea9b20048008fe3a521e88a3fe8773d5ca5762eea381b727ac8df65f88d399f9c5a2facb7416163e7 |
C:\Windows\System\llCpOdS.exe
| MD5 | 0f59315f8a951a767258a4d6b4e14a6b |
| SHA1 | a36c26b02235e7ad87e0207fa163fdebd07c1955 |
| SHA256 | 5262a12f071a25560b66fe8286a751cf2880fb7880db938d9566b8ad07077cc1 |
| SHA512 | 5995967eb7436d6d17c92799edaabaf4c2087ef13538e96a9c0d4e515fd4649c040a6d9309fc1f93a7cb5a5395429756df918602434b81e605835902f92d0d97 |
memory/5084-89-0x00007FF644AD0000-0x00007FF644E24000-memory.dmp
memory/4900-84-0x00007FF795130000-0x00007FF795484000-memory.dmp
C:\Windows\System\ypnfRcr.exe
| MD5 | de50b019cf2591e88efafaea3b18f822 |
| SHA1 | ee4818fc2cb417123a251c76ff0a5e142ce07c4a |
| SHA256 | b86d7d868b62091ccbf22fe3524fddd89484729681582d6165b83c37f6c16631 |
| SHA512 | 27697fd48787842737b216bdfb71db893a863c94fb25701bf2fb394c2a2a45b9e99bc853e8241879983cdc4dbdd3ab0ca990b253d461f294da727c5bf05654ff |
C:\Windows\System\VvzfVse.exe
| MD5 | b58ab566573ce98bb99e225bd6eafeaf |
| SHA1 | ace0d5e77c0d32f963c3ef6c69cb8839fc340a4a |
| SHA256 | e301831b363c70311d009009a72d546729887524e2656a720eec68745462129d |
| SHA512 | bf78ef055b0ccca4e327dc429672a1d18c7ba59872409689ebaab61a3782659fcf875a49df34f36e66644b5082f70b9c48405a6bfa968ecb5b3a645857db430a |
memory/4888-120-0x00007FF67A980000-0x00007FF67ACD4000-memory.dmp
C:\Windows\System\nWjckhO.exe
| MD5 | abb7b392290f7c6e41c9cf45fee16719 |
| SHA1 | 102645241e2835d59acf1226d14b00116f377b78 |
| SHA256 | 3f80574fc65431d50f35e0276c87483e4b108d3c5cd60c32aaf6f4642d6a1bf0 |
| SHA512 | 923eba44517b2f389bf186a96d6aa400ece859bbd1711e3545c06b9809035550a3b88e6aa9a9eaba0f7b8912bac6d466679558e54e59639af7df70a9479661dc |
C:\Windows\System\GPwKUFs.exe
| MD5 | 1d74ac33954447409a5455588a06e6e5 |
| SHA1 | 98458866e6d1afe294b39ece114e946222debe34 |
| SHA256 | 898f94bd465199db9b0cca099ef3aab1a58e505cf27d39cd1d72cb470b79f7a1 |
| SHA512 | 39886ebebcead150eedf164d74d45f0fe2eaaf022f80c447605ac3dd4b92d1a0bafbc4955802ae688f97455c7c1370656553af126e535092636b89fa07d1765d |
memory/3092-130-0x00007FF7A9EB0000-0x00007FF7AA204000-memory.dmp
memory/5068-131-0x00007FF6CC4B0000-0x00007FF6CC804000-memory.dmp
memory/3352-132-0x00007FF7613C0000-0x00007FF761714000-memory.dmp
memory/1196-133-0x00007FF60E8C0000-0x00007FF60EC14000-memory.dmp
memory/4900-134-0x00007FF795130000-0x00007FF795484000-memory.dmp
memory/5084-135-0x00007FF644AD0000-0x00007FF644E24000-memory.dmp
memory/3656-136-0x00007FF6FDB20000-0x00007FF6FDE74000-memory.dmp
memory/4668-137-0x00007FF620FC0000-0x00007FF621314000-memory.dmp
memory/5096-138-0x00007FF65F920000-0x00007FF65FC74000-memory.dmp
memory/4300-139-0x00007FF65AB30000-0x00007FF65AE84000-memory.dmp
memory/2564-140-0x00007FF6DE180000-0x00007FF6DE4D4000-memory.dmp
memory/4148-141-0x00007FF6CF960000-0x00007FF6CFCB4000-memory.dmp
memory/2520-142-0x00007FF691470000-0x00007FF6917C4000-memory.dmp
memory/3100-143-0x00007FF7C0D90000-0x00007FF7C10E4000-memory.dmp
memory/3748-144-0x00007FF6C5730000-0x00007FF6C5A84000-memory.dmp
memory/2856-145-0x00007FF66E670000-0x00007FF66E9C4000-memory.dmp
memory/5092-146-0x00007FF6A9AE0000-0x00007FF6A9E34000-memory.dmp
memory/4544-148-0x00007FF77C390000-0x00007FF77C6E4000-memory.dmp
memory/5068-147-0x00007FF6CC4B0000-0x00007FF6CC804000-memory.dmp
memory/4436-149-0x00007FF713720000-0x00007FF713A74000-memory.dmp
memory/1196-150-0x00007FF60E8C0000-0x00007FF60EC14000-memory.dmp
memory/5084-152-0x00007FF644AD0000-0x00007FF644E24000-memory.dmp
memory/4900-151-0x00007FF795130000-0x00007FF795484000-memory.dmp
memory/4668-154-0x00007FF620FC0000-0x00007FF621314000-memory.dmp
memory/3656-155-0x00007FF6FDB20000-0x00007FF6FDE74000-memory.dmp
memory/5096-156-0x00007FF65F920000-0x00007FF65FC74000-memory.dmp
memory/1656-153-0x00007FF6997D0000-0x00007FF699B24000-memory.dmp
memory/4888-157-0x00007FF67A980000-0x00007FF67ACD4000-memory.dmp
memory/3092-158-0x00007FF7A9EB0000-0x00007FF7AA204000-memory.dmp
memory/3352-159-0x00007FF7613C0000-0x00007FF761714000-memory.dmp
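The Files and Network tables above are only useful once they are turned into something a hunt can run. The Python below is an added example, not part of the sandbox report: it parses a constructed excerpt of the report (hashes, memory regions and the 3.120.209.58:8080 endpoint copied from the tables above), discards the sandbox's own resolver traffic to 8.8.8.8, and applies three checks to constructed endpoint events: an exact SHA256 match on a dropped file, the TCP endpoint, and a path heuristic for seven-letter randomly named executables under C:\Windows\System. The path heuristic is my assumption, not a signature from the report. It also computes the size of each dumped memory region, which is the same (0x354000 bytes) for every process in the report.

```python
"""Turn the sandbox report's indicator tables into hunting checks.
Added example; not part of the sandbox report or any vendor tooling."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the report's Files and Network sections; the values
# are copied from the page, and a real run would feed in the whole report.
REPORT = r"""
C:\Windows\System\TDziMeI.exe
| MD5 | 7a29d4b6d05e8b77fba2a27e622e1f39 |
| SHA1 | 3a022bf5936c140c4e2447c2c2fe0fb5d0f29819 |
| SHA256 | 53d8eb6960f4a90ec27ede041cc5dbc0c0cb7bbf5a03e5b82f778aa8b5036945 |
C:\Windows\System\VNErhJa.exe
| MD5 | dc8f59b5bc42a3d9b48244c8486bbc15 |
| SHA256 | 168f18a7f73ec962ae0b5ccf001abfc1525d883d908e982190d59eb0060463d7 |
memory/560-0-0x00007FF681BF0000-0x00007FF681F44000-memory.dmp
memory/4148-22-0x00007FF6CF960000-0x00007FF6CFCB4000-memory.dmp
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
"""

# The sandbox's reverse-DNS lookups go to its resolver; they are not sample IOCs.
RESOLVER_NOISE = {("8.8.8.8", 53)}
# Assumption (mine, not from the report): the dropper writes seven-letter
# randomly named EXEs into C:\Windows\System, a legacy directory that normal
# software almost never writes executables into.
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

_PATH_RE = re.compile(r"^C:\\.*\.exe$")
_HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
_MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$")
_NET_RE = re.compile(r"^\|\s*\w{2}\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*)\|\s*(tcp|udp)\s*\|$")


@dataclass
class Iocs:
    files: dict = field(default_factory=dict)    # path -> {algo: hex digest}
    regions: list = field(default_factory=list)  # (pid, start, end)
    endpoints: set = field(default_factory=set)  # (ip, port, proto)


def parse_report(text: str) -> Iocs:
    """Walk the report line by line; hash rows belong to the last path seen."""
    iocs, current = Iocs(), None
    for line in text.splitlines():
        line = line.strip()
        if _PATH_RE.match(line):
            current = line
            iocs.files.setdefault(current, {})
        elif (m := _HASH_RE.match(line)) and current:
            iocs.files[current][m.group(1).lower()] = m.group(2)
        elif m := _MEM_RE.match(line):
            iocs.regions.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
        elif m := _NET_RE.match(line):
            ip, port, proto = m.group(1), int(m.group(2)), m.group(4)
            if (ip, port) not in RESOLVER_NOISE:
                iocs.endpoints.add((ip, port, proto))
    return iocs


def region_sizes(iocs: Iocs) -> set:
    """Distinct sizes of the dumped regions; a single value means every
    dropped process had a region of identical size dumped."""
    return {end - start for _, start, end in iocs.regions}


def match_event(iocs: Iocs, ev: dict) -> list:
    """Reasons an endpoint event matches the report, strongest first."""
    known = {h["sha256"] for h in iocs.files.values() if "sha256" in h}
    reasons = []
    if ev.get("sha256") in known:
        reasons.append("known-bad sha256")
    if (ev.get("dst_ip"), ev.get("dst_port"), ev.get("proto")) in iocs.endpoints:
        reasons.append("c2 endpoint")
    if DROP_PATH_RE.match(ev.get("image", "")):
        reasons.append("dropper path pattern")
    return reasons


# Constructed telemetry events: a dropped file from the report, a beacon to the
# report's endpoint, a renamed copy with an unknown hash, and a benign process.
EVENTS = [
    {"image": r"C:\Windows\System\TDziMeI.exe",
     "sha256": "53d8eb6960f4a90ec27ede041cc5dbc0c0cb7bbf5a03e5b82f778aa8b5036945"},
    {"image": r"C:\Windows\explorer.exe", "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"image": r"C:\Windows\System\ZzQwErt.exe", "sha256": "0" * 64},
    {"image": r"C:\Windows\System32\svchost.exe", "sha256": "1" * 64},
]

if __name__ == "__main__":
    iocs = parse_report(REPORT)
    print("endpoints:", iocs.endpoints, "region sizes:", [hex(s) for s in region_sizes(iocs)])
    for ev in EVENTS:
        print(ev["image"], "->", match_event(iocs, ev) or "clean")
```

Treat the IP as a short-lived indicator and the per-file hashes as weak ones: every one of the 21 dropped copies in the report already carries a distinct hash, so a hash list will miss the next build. The path heuristic and the reflective-loader and process-injection behaviours in the signature list are the detections that survive a rebuild.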