Analysis Overview
| SHA256 | 4105b92740cadfe5fd32b5ec6a3e60657866dbdeb37e435b4e1131fe39e0ef77 |
Threat Level: Known bad
The file 2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-06-08 11:46 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-08 11:46 |
| Reported | 2024-06-08 11:49 |
| Platform | win7-20240508-en |
| Max time kernel | 145s |
| Max time network | 150s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nEmgDWy.exe | N/A |
| N/A | N/A | C:\Windows\System\YALPepz.exe | N/A |
| N/A | N/A | C:\Windows\System\HKpZmvG.exe | N/A |
| N/A | N/A | C:\Windows\System\ENKqZwX.exe | N/A |
| N/A | N/A | C:\Windows\System\xYPvAcd.exe | N/A |
| N/A | N/A | C:\Windows\System\fEJhSwf.exe | N/A |
| N/A | N/A | C:\Windows\System\pTlqmPv.exe | N/A |
| N/A | N/A | C:\Windows\System\kucIuBg.exe | N/A |
| N/A | N/A | C:\Windows\System\kmgJXkx.exe | N/A |
| N/A | N/A | C:\Windows\System\QpnDeVx.exe | N/A |
| N/A | N/A | C:\Windows\System\YDPMtEU.exe | N/A |
| N/A | N/A | C:\Windows\System\HllWRzS.exe | N/A |
| N/A | N/A | C:\Windows\System\QJYtFxs.exe | N/A |
| N/A | N/A | C:\Windows\System\EQkMxPM.exe | N/A |
| N/A | N/A | C:\Windows\System\qguPOBv.exe | N/A |
| N/A | N/A | C:\Windows\System\TEdRDLP.exe | N/A |
| N/A | N/A | C:\Windows\System\uTDnJmr.exe | N/A |
| N/A | N/A | C:\Windows\System\UyfBiBv.exe | N/A |
| N/A | N/A | C:\Windows\System\DdzpJxE.exe | N/A |
| N/A | N/A | C:\Windows\System\XhbnuLS.exe | N/A |
| N/A | N/A | C:\Windows\System\xlqrnOm.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\nEmgDWy.exe | C:\Windows\System\nEmgDWy.exe |
| C:\Windows\System\YALPepz.exe | C:\Windows\System\YALPepz.exe |
| C:\Windows\System\HKpZmvG.exe | C:\Windows\System\HKpZmvG.exe |
| C:\Windows\System\ENKqZwX.exe | C:\Windows\System\ENKqZwX.exe |
| C:\Windows\System\xYPvAcd.exe | C:\Windows\System\xYPvAcd.exe |
| C:\Windows\System\fEJhSwf.exe | C:\Windows\System\fEJhSwf.exe |
| C:\Windows\System\pTlqmPv.exe | C:\Windows\System\pTlqmPv.exe |
| C:\Windows\System\kucIuBg.exe | C:\Windows\System\kucIuBg.exe |
| C:\Windows\System\kmgJXkx.exe | C:\Windows\System\kmgJXkx.exe |
| C:\Windows\System\QpnDeVx.exe | C:\Windows\System\QpnDeVx.exe |
| C:\Windows\System\qguPOBv.exe | C:\Windows\System\qguPOBv.exe |
| C:\Windows\System\YDPMtEU.exe | C:\Windows\System\YDPMtEU.exe |
| C:\Windows\System\TEdRDLP.exe | C:\Windows\System\TEdRDLP.exe |
| C:\Windows\System\HllWRzS.exe | C:\Windows\System\HllWRzS.exe |
| C:\Windows\System\uTDnJmr.exe | C:\Windows\System\uTDnJmr.exe |
| C:\Windows\System\QJYtFxs.exe | C:\Windows\System\QJYtFxs.exe |
| C:\Windows\System\UyfBiBv.exe | C:\Windows\System\UyfBiBv.exe |
| C:\Windows\System\EQkMxPM.exe | C:\Windows\System\EQkMxPM.exe |
| C:\Windows\System\DdzpJxE.exe | C:\Windows\System\DdzpJxE.exe |
| C:\Windows\System\XhbnuLS.exe | C:\Windows\System\XhbnuLS.exe |
| C:\Windows\System\xlqrnOm.exe | C:\Windows\System\xlqrnOm.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-08 11:46 |
| Reported | 2024-06-08 11:49 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 137s |
| Max time network | 151s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uZizoXj.exe | N/A |
| N/A | N/A | C:\Windows\System\NSyPjId.exe | N/A |
| N/A | N/A | C:\Windows\System\ZmzjUQN.exe | N/A |
| N/A | N/A | C:\Windows\System\MNaTPAC.exe | N/A |
| N/A | N/A | C:\Windows\System\diJlrja.exe | N/A |
| N/A | N/A | C:\Windows\System\kfSJuDL.exe | N/A |
| N/A | N/A | C:\Windows\System\AhYCWmN.exe | N/A |
| N/A | N/A | C:\Windows\System\WRyIoOf.exe | N/A |
| N/A | N/A | C:\Windows\System\gHYwkcs.exe | N/A |
| N/A | N/A | C:\Windows\System\vrNcwdD.exe | N/A |
| N/A | N/A | C:\Windows\System\iMHEwjl.exe | N/A |
| N/A | N/A | C:\Windows\System\YvGlNNl.exe | N/A |
| N/A | N/A | C:\Windows\System\YUJxzWn.exe | N/A |
| N/A | N/A | C:\Windows\System\EwEfmJC.exe | N/A |
| N/A | N/A | C:\Windows\System\sXRaHPD.exe | N/A |
| N/A | N/A | C:\Windows\System\qNBJbIq.exe | N/A |
| N/A | N/A | C:\Windows\System\BIzbhrF.exe | N/A |
| N/A | N/A | C:\Windows\System\GQmUNEY.exe | N/A |
| N/A | N/A | C:\Windows\System\hkrPyqm.exe | N/A |
| N/A | N/A | C:\Windows\System\BCrvnEU.exe | N/A |
| N/A | N/A | C:\Windows\System\UYFdvcb.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_36ba5fe81c4fe4653201f9b80c9ff6a3_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\uZizoXj.exe | C:\Windows\System\uZizoXj.exe |
| C:\Windows\System\NSyPjId.exe | C:\Windows\System\NSyPjId.exe |
| C:\Windows\System\ZmzjUQN.exe | C:\Windows\System\ZmzjUQN.exe |
| C:\Windows\System\MNaTPAC.exe | C:\Windows\System\MNaTPAC.exe |
| C:\Windows\System\diJlrja.exe | C:\Windows\System\diJlrja.exe |
| C:\Windows\System\kfSJuDL.exe | C:\Windows\System\kfSJuDL.exe |
| C:\Windows\System\AhYCWmN.exe | C:\Windows\System\AhYCWmN.exe |
| C:\Windows\System\WRyIoOf.exe | C:\Windows\System\WRyIoOf.exe |
| C:\Windows\System\gHYwkcs.exe | C:\Windows\System\gHYwkcs.exe |
| C:\Windows\System\vrNcwdD.exe | C:\Windows\System\vrNcwdD.exe |
| C:\Windows\System\iMHEwjl.exe | C:\Windows\System\iMHEwjl.exe |
| C:\Windows\System\YvGlNNl.exe | C:\Windows\System\YvGlNNl.exe |
| C:\Windows\System\YUJxzWn.exe | C:\Windows\System\YUJxzWn.exe |
| C:\Windows\System\EwEfmJC.exe | C:\Windows\System\EwEfmJC.exe |
| C:\Windows\System\sXRaHPD.exe | C:\Windows\System\sXRaHPD.exe |
| C:\Windows\System\qNBJbIq.exe | C:\Windows\System\qNBJbIq.exe |
| C:\Windows\System\BIzbhrF.exe | C:\Windows\System\BIzbhrF.exe |
| C:\Windows\System\GQmUNEY.exe | C:\Windows\System\GQmUNEY.exe |
| C:\Windows\System\hkrPyqm.exe | C:\Windows\System\hkrPyqm.exe |
| C:\Windows\System\BCrvnEU.exe | C:\Windows\System\BCrvnEU.exe |
| C:\Windows\System\UYFdvcb.exe | C:\Windows\System\UYFdvcb.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3388-0-0x00007FF7819C0000-0x00007FF781D14000-memory.dmp
memory/3388-1-0x000002756FC30000-0x000002756FC40000-memory.dmp
C:\Windows\System\uZizoXj.exe
| MD5 | 9d1b1cc261b7601f29ef59a92cfef3af |
| SHA1 | d81b4b29a8ad7ba137e76af52098da25bf997e42 |
| SHA256 | c23a7277be36c6dd2f09109fee4af1c2532065471b9b2afbf33c9d1d82a638a3 |
| SHA512 | d72d53c27ef503491055322ee3301537aae95835f21c3b9d4fe829281a7ebe37e3c46593d1b0dd95021483c0bb127cb9f6ad1fd3321978ff5bc21f1f31d6f468 |
C:\Windows\System\NSyPjId.exe
| MD5 | a37c2967a7d2ce3bd1ac8e08f56bbe0b |
| SHA1 | 8e9737443f55fa4ca778b748058c15d4ceb2f903 |
| SHA256 | c5e301901fef459a3e38e9d11926aa3820ff0373c6a2eeb6b1db58891f4913da |
| SHA512 | 1da0d21b95e89e19f2f951a1d9fa0101f7e40753441feab20c544966301425e8257ec10ecf1ac5ceed59c5bdb6fa6c2383197d9cdb8d2c5dcc6ed400331dc7c8 |
C:\Windows\System\ZmzjUQN.exe
| MD5 | 0fbabe34efec1dee9567e5add3ca394b |
| SHA1 | e128b339bf3dc1307130234f88f04d4923505b41 |
| SHA256 | 1babbde42790bee296b5cca26223e33777ccaf33f5a4ce8adba903e79180807a |
| SHA512 | 1c65ccd047e9c334f88615e2c3ebe3d8e2f5c3212f4789d357b6b9197e9fac61a4d5def27b3abf0939587a003359da55ecfc0104b52371f8d3947635704e2892 |
memory/4932-13-0x00007FF6EEAB0000-0x00007FF6EEE04000-memory.dmp
memory/4892-20-0x00007FF6A4900000-0x00007FF6A4C54000-memory.dmp
memory/1496-7-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp
C:\Windows\System\MNaTPAC.exe
| MD5 | af0f8cb1db8f64a1476a5667117f3853 |
| SHA1 | 73009e133dc891d38ebbd6ed843d3b8097c302f7 |
| SHA256 | 388863ed3dcc6e44691f1fa4d42d8986f3b44ea80e36cc2a1ef9d6a053acc489 |
| SHA512 | 14c415a48b693fef47ff5067f7e3e9353517ffe08d73fe4eaab3277345eaa6ae131051a7e6667d976c57a1587702eb6dbaeb568a71a2a6773c09bbebc645f04c |
memory/4028-26-0x00007FF70A260000-0x00007FF70A5B4000-memory.dmp
C:\Windows\System\diJlrja.exe
| MD5 | 93509993b22e50b4caab0729a043be35 |
| SHA1 | cd017009ebd86e30711e9eed452c3463f5efde13 |
| SHA256 | 513c27e93d5e500710789935f3c491373730467df22e27385eeeca0fb2e3a03e |
| SHA512 | 0fffd5e128ab78adc62c8eed224e0f5a27308dcaec132c9f1b5098fb476a30170d9f8d336933932c9fec40325f3b6f7d389adb8d82daff3cc2bf782f8e3dbd15 |
memory/3704-32-0x00007FF6B7180000-0x00007FF6B74D4000-memory.dmp
C:\Windows\System\kfSJuDL.exe
| MD5 | 460039d22a6d9c490abd1f309743385a |
| SHA1 | 57d6ecaee8eeed4f2bc026bcd167053130c882cb |
| SHA256 | 29822257afbd85dddec4c90aaad056350b71fea490d15c342b0cbb4528cffd31 |
| SHA512 | d28609c1510db8d20f430d2e8f9d914ad46b454d43350a12a3c105678d1c9ce5351c4c55145799b7241448ba968d49cdc34ef771ee7d14f9fc4612a7188d7ccb |
C:\Windows\System\AhYCWmN.exe
| MD5 | 862e900c1b25636012ad2f78bdd3f4b2 |
| SHA1 | 15e1b8fd3eeec0cdb4fca8b845302c7b75c2ea0b |
| SHA256 | b90ac0b33cb787199292aa4a9d32dee3e58ce7fb533811ed2531311abc4939c7 |
| SHA512 | 844c640e8118f33c64aa16a0acecedb53861542aa35fbcc1ae2eaab0656b947e4e187d55442913d0867875ccdeafc4ee092223d61f6936e31358d84e9c742210 |
C:\Windows\System\WRyIoOf.exe
| MD5 | afca3b8f3ac6b70a3848bae1d30fe686 |
| SHA1 | 3ef1156a5b4e4538c921e5d49cbfa1375831dc8d |
| SHA256 | deb173df6f9b3d9349f960d8aa12b382753fd83e7366e1a638fb796947cdf2b9 |
| SHA512 | 483bb08378548f42d3951567a49ef3170b1706713db60b660276eefdeae7de5c95c906f58c99ade10f62b1e9b98d92ce0608bd3edee65216743b59ea9b4d42a9 |
memory/3448-48-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp
memory/2612-44-0x00007FF640020000-0x00007FF640374000-memory.dmp
memory/4124-38-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp
C:\Windows\System\gHYwkcs.exe
| MD5 | 3240607bf7051aa5a8fcd8496f9c0edc |
| SHA1 | 7ddae819ee5952518dac95819ccbb5fedb94da1b |
| SHA256 | 37ab1e475277750d1eff958c0fa745cb674a605e12d9fd2c7c19c514a42080e8 |
| SHA512 | 36ce0af50fca08012fb6210ea9e6fb6f3072dd75a9d0d81d1b082192d8f636fbddca88daaab084e12b01aa8eb9cf273e7c0ae8e23c6699826e75d6da1666d5ed |
memory/4876-56-0x00007FF7D47C0000-0x00007FF7D4B14000-memory.dmp
C:\Windows\System\vrNcwdD.exe
| MD5 | f84823b82906de4ca097edf2bd56411a |
| SHA1 | 4d4784d62973c34de96b0c1ff998821006efea3f |
| SHA256 | 44bccf162fa5ec2f4eac833d5a46d6bc2dd6821f85e15762f92e5235952e6579 |
| SHA512 | 9a9505d1ce5fac35eb357be36ade91d64d92ec16d00c9f6c4c4e7b7a1d979872054d382c29fbe767957ae66706b86c630f589f2b8740d13130526cd77842f397 |
C:\Windows\System\YvGlNNl.exe
| MD5 | 0d11dcc71760da48c47bca361144d845 |
| SHA1 | b15a9bb5d1bba9cc578c2fe7e2aba06af3b17423 |
| SHA256 | 52cef66977bf2a272350698c94837999a27788731f802a3b1f298812110eecff |
| SHA512 | 9a7d59adbf4cd8364e7d5759b840c2fb01de0fa9d769c4ebc1068dd02a76fa5d7283e0459812d2ff6d05432a3be4bb2ee7da8dc9b7013bce23f89363c79f259a |
C:\Windows\System\iMHEwjl.exe
| MD5 | cfec44d5ee31cf5c97cefbe85689ae6a |
| SHA1 | ee71c812ec515d8fda43215d1188fc89c94ac891 |
| SHA256 | 78160966092484ba9f79b29989b5fa34a0a8e447f569293a08ec499da802bd28 |
| SHA512 | bc56437be1639ee9c4eb1d4cd941f5dce08a8392a84f3d002391d0eedf5bc00bcf3ccb073d3c529cb25bec6e6b72cea9e6f1a461c7dea209cc2369644fc87cc6 |
memory/3992-68-0x00007FF6697A0000-0x00007FF669AF4000-memory.dmp
memory/1496-67-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp
memory/3388-62-0x00007FF7819C0000-0x00007FF781D14000-memory.dmp
memory/5040-77-0x00007FF64F4B0000-0x00007FF64F804000-memory.dmp
C:\Windows\System\YUJxzWn.exe
| MD5 | 332e01084ef898d0ccb067f8ac432b03 |
| SHA1 | 542e0f649f215fbc8765411fd095f0d8d0ed6988 |
| SHA256 | 6418f46b400c850322f62fb8224a07a175944ee4e301a022a79e8dbf3040b363 |
| SHA512 | 981d7e55192fc4e59d803a86d7571c092bdc1c7aba1a1b06aaffaf2d9f0755f6a46d71622dcf040d1c8032c3effe07c7fdad247f176ecddd0ae1c68ed1f1e5ec |
memory/4932-76-0x00007FF6EEAB0000-0x00007FF6EEE04000-memory.dmp
memory/2864-63-0x00007FF632AB0000-0x00007FF632E04000-memory.dmp
memory/4388-82-0x00007FF6F4B50000-0x00007FF6F4EA4000-memory.dmp
C:\Windows\System\qNBJbIq.exe
| MD5 | b170053a4e16cfef96cc526361357739 |
| SHA1 | 2e7cc3ffb9c0634a4e6532cc00cfaf8a29b5f07a |
| SHA256 | c77b791f653352022be8a578ca31ea37bfe54f4d483d8cd1df8b92ddd9b345f9 |
| SHA512 | 79ed8431eb5955ebf2bb593c8c8527a4f03972f3eb00d91de7b15abbe77f38ce742dd295406a072a30549a3488a9bf1eab6f9cced04d905832aa42237aeb1c5d |
C:\Windows\System\BIzbhrF.exe
| MD5 | d79bd3df55034f117054e5a1579e6bba |
| SHA1 | 7069e44868fe664f10fb971e0f7f3aa6046d66ec |
| SHA256 | f61a3bd365a723c05605ffd422a82efdf9a35a7715b4b43d1cb60e908cf22db8 |
| SHA512 | 99c113cdec8d63503853b29d438ceedc361ff5c7b781aa86985d89ef19bdab59443e5400c2d5779f47cd76ce8a776572e9f68f68d0e6caf3046adda2504b110e |
memory/3828-104-0x00007FF712F20000-0x00007FF713274000-memory.dmp
memory/4136-100-0x00007FF6730E0000-0x00007FF673434000-memory.dmp
C:\Windows\System\sXRaHPD.exe
| MD5 | b529c52c19e12f4e35cc12a4d5d456b9 |
| SHA1 | b4e1242dfa6833ce68ba9c5950476db329db85bf |
| SHA256 | 1206d382af42db2b287ac5ffd040c538dd4ee01abcc39e84c3953447da852594 |
| SHA512 | befd024869a3cde24e6b99759686614e3b3469a8432cf1e81300493438f2408b41d4fbe28c2982528211d56d340ddd350e53d9a874e4a5577ea70517f5d4bf3f |
C:\Windows\System\hkrPyqm.exe
| MD5 | 520b0cfc122abf5f624572205764b011 |
| SHA1 | f60fd9ce2084c23801d962ffc70732b1870367ae |
| SHA256 | 28649351f0a114b1d999ccb7b7d5924e0a0c7780349f7b09682c5a8c34c0dcb4 |
| SHA512 | f293e44361e23f77b256e90ecdfe2f53459f5efe1e51e86c4dc990a76ab3c0a9c57dae23038e8bfcdd821738253f00bb1713d688019936bebf5790920acae96a |
C:\Windows\System\BCrvnEU.exe
| MD5 | 253023b8ee22aee07c6a1da63033f034 |
| SHA1 | 6471d6d1cba8f498fb76e9f4f5ebd926c77c68c0 |
| SHA256 | 0f7bcb05651d652e21144d28225396b7cda8146ccac7f43910bc5b363f10c2e6 |
| SHA512 | 2e67b6687a26458f25494cb0e2318040cdb7932b65c22fe7ba4683360b226b4bb235caa7fc5d177893bb0ad95aa2dc7e065ccdd57f793dffec818561fe9b0267 |
memory/4060-121-0x00007FF679840000-0x00007FF679B94000-memory.dmp
C:\Windows\System\UYFdvcb.exe
| MD5 | b602318434e96a3ab281cb4492d18afd |
| SHA1 | a025ebef5696e7c4e7cbd5f9d58b22ed08cb3ad8 |
| SHA256 | 6f8df4e28cffd02b38f83100dec72d26cce27765b297f9f83e04cc8ce266ddee |
| SHA512 | 4ac7390c12bea8c9050165917cddebd7376dcfc8836d9ea1a56dd7e25fab5b60a7a0c1f708bfb011767317a40c229a76ea3ccd3ad71a90955aad0b4761b7f05a |
memory/3448-131-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp
memory/2128-128-0x00007FF7B82A0000-0x00007FF7B85F4000-memory.dmp
memory/1404-127-0x00007FF66F590000-0x00007FF66F8E4000-memory.dmp
memory/2612-126-0x00007FF640020000-0x00007FF640374000-memory.dmp
memory/4052-124-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp
memory/3804-123-0x00007FF71B5D0000-0x00007FF71B924000-memory.dmp
memory/4124-119-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp
C:\Windows\System\GQmUNEY.exe
| MD5 | 1910449748cc316d3ab047730477b85c |
| SHA1 | 99fedeee40a0c0cf7b4caaa5c25c7999dedefa0c |
| SHA256 | c32d37f4eee64afa4c9cb33f8272d838024fb799485cc01aed47b1804f93b860 |
| SHA512 | 09be8a0597633a9d30ac35899ed01072c8e42695ecf614cea8c9e410b086f621d537cc2eb8c9593871ca5af21a2fc046d8c9368a8eeea73e30e0931cfcb03c3e |
memory/2212-88-0x00007FF613A00000-0x00007FF613D54000-memory.dmp
C:\Windows\System\EwEfmJC.exe
| MD5 | 1e60a0fab43313e8121fb8925585a6c7 |
| SHA1 | 5880c4da16333a1508a4fc7d8a7958869ace5b27 |
| SHA256 | 17e9fe3b03e045d46045d8bc451d91915628eda24326ec2e68165544eaaf17e2 |
| SHA512 | 97c443c409a381339624a978d29854d5ad96cc1fdd5364365929aee0f376fddbf74446df62061322870e4b407ecf39efcdd75b861485e5456ff908616aaf402b |
memory/4876-134-0x00007FF7D47C0000-0x00007FF7D4B14000-memory.dmp
memory/3992-135-0x00007FF6697A0000-0x00007FF669AF4000-memory.dmp
memory/2212-136-0x00007FF613A00000-0x00007FF613D54000-memory.dmp
memory/1404-137-0x00007FF66F590000-0x00007FF66F8E4000-memory.dmp
memory/2128-138-0x00007FF7B82A0000-0x00007FF7B85F4000-memory.dmp
memory/1496-139-0x00007FF6F5240000-0x00007FF6F5594000-memory.dmp
memory/4932-140-0x00007FF6EEAB0000-0x00007FF6EEE04000-memory.dmp
memory/4892-141-0x00007FF6A4900000-0x00007FF6A4C54000-memory.dmp
memory/4028-142-0x00007FF70A260000-0x00007FF70A5B4000-memory.dmp
memory/3704-143-0x00007FF6B7180000-0x00007FF6B74D4000-memory.dmp
memory/4124-144-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp
memory/2612-145-0x00007FF640020000-0x00007FF640374000-memory.dmp
memory/3448-146-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp
memory/4876-147-0x00007FF7D47C0000-0x00007FF7D4B14000-memory.dmp
memory/2864-148-0x00007FF632AB0000-0x00007FF632E04000-memory.dmp
memory/5040-149-0x00007FF64F4B0000-0x00007FF64F804000-memory.dmp
memory/3992-150-0x00007FF6697A0000-0x00007FF669AF4000-memory.dmp
memory/4388-151-0x00007FF6F4B50000-0x00007FF6F4EA4000-memory.dmp
memory/2212-152-0x00007FF613A00000-0x00007FF613D54000-memory.dmp
memory/4136-153-0x00007FF6730E0000-0x00007FF673434000-memory.dmp
memory/3828-154-0x00007FF712F20000-0x00007FF713274000-memory.dmp
memory/3804-155-0x00007FF71B5D0000-0x00007FF71B924000-memory.dmp
memory/4052-156-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp
memory/4060-157-0x00007FF679840000-0x00007FF679B94000-memory.dmp
memory/1404-158-0x00007FF66F590000-0x00007FF66F8E4000-memory.dmp
memory/2128-159-0x00007FF7B82A0000-0x00007FF7B85F4000-memory.dmp