Analysis Overview
SHA256
2f4f6dd3562c3dc6b5e75ae49e619be7bf558b1fe64e6258ab4810319a0fd68b
Threat Level: Known bad
The file 2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Xmrig family
Cobalt Strike reflective loader
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 17:19
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 17:19
Reported
2024-06-08 17:22
Platform
win7-20240221-en
Max time kernel
124s
Max time network
139s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JxxkXhC.exe | N/A |
| N/A | N/A | C:\Windows\System\GCPddTT.exe | N/A |
| N/A | N/A | C:\Windows\System\steCAUd.exe | N/A |
| N/A | N/A | C:\Windows\System\HKZxiyt.exe | N/A |
| N/A | N/A | C:\Windows\System\TwjJDMe.exe | N/A |
| N/A | N/A | C:\Windows\System\IatcuOi.exe | N/A |
| N/A | N/A | C:\Windows\System\kVKSbCw.exe | N/A |
| N/A | N/A | C:\Windows\System\vjSIfsf.exe | N/A |
| N/A | N/A | C:\Windows\System\hjLNfvk.exe | N/A |
| N/A | N/A | C:\Windows\System\SwwqPay.exe | N/A |
| N/A | N/A | C:\Windows\System\zfJyEmn.exe | N/A |
| N/A | N/A | C:\Windows\System\SdUOaNj.exe | N/A |
| N/A | N/A | C:\Windows\System\ThejKho.exe | N/A |
| N/A | N/A | C:\Windows\System\APQNKBB.exe | N/A |
| N/A | N/A | C:\Windows\System\dcvkBjN.exe | N/A |
| N/A | N/A | C:\Windows\System\VAhTfdB.exe | N/A |
| N/A | N/A | C:\Windows\System\GUsjEKl.exe | N/A |
| N/A | N/A | C:\Windows\System\lWRYWQj.exe | N/A |
| N/A | N/A | C:\Windows\System\smFJGuR.exe | N/A |
| N/A | N/A | C:\Windows\System\oDGIUFH.exe | N/A |
| N/A | N/A | C:\Windows\System\gMAsYZQ.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\JxxkXhC.exe
C:\Windows\System\JxxkXhC.exe
C:\Windows\System\GCPddTT.exe
C:\Windows\System\GCPddTT.exe
C:\Windows\System\steCAUd.exe
C:\Windows\System\steCAUd.exe
C:\Windows\System\TwjJDMe.exe
C:\Windows\System\TwjJDMe.exe
C:\Windows\System\HKZxiyt.exe
C:\Windows\System\HKZxiyt.exe
C:\Windows\System\vjSIfsf.exe
C:\Windows\System\vjSIfsf.exe
C:\Windows\System\IatcuOi.exe
C:\Windows\System\IatcuOi.exe
C:\Windows\System\dcvkBjN.exe
C:\Windows\System\dcvkBjN.exe
C:\Windows\System\kVKSbCw.exe
C:\Windows\System\kVKSbCw.exe
C:\Windows\System\VAhTfdB.exe
C:\Windows\System\VAhTfdB.exe
C:\Windows\System\hjLNfvk.exe
C:\Windows\System\hjLNfvk.exe
C:\Windows\System\GUsjEKl.exe
C:\Windows\System\GUsjEKl.exe
C:\Windows\System\SwwqPay.exe
C:\Windows\System\SwwqPay.exe
C:\Windows\System\lWRYWQj.exe
C:\Windows\System\lWRYWQj.exe
C:\Windows\System\zfJyEmn.exe
C:\Windows\System\zfJyEmn.exe
C:\Windows\System\smFJGuR.exe
C:\Windows\System\smFJGuR.exe
C:\Windows\System\SdUOaNj.exe
C:\Windows\System\SdUOaNj.exe
C:\Windows\System\oDGIUFH.exe
C:\Windows\System\oDGIUFH.exe
C:\Windows\System\ThejKho.exe
C:\Windows\System\ThejKho.exe
C:\Windows\System\gMAsYZQ.exe
C:\Windows\System\gMAsYZQ.exe
C:\Windows\System\APQNKBB.exe
C:\Windows\System\APQNKBB.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 17:19
Reported
2024-06-08 17:22
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zAYmbFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\FCiVWZA.exe | N/A |
| N/A | N/A | C:\Windows\System\zalNJoM.exe | N/A |
| N/A | N/A | C:\Windows\System\kpqVthO.exe | N/A |
| N/A | N/A | C:\Windows\System\CZiMWRB.exe | N/A |
| N/A | N/A | C:\Windows\System\oqethvv.exe | N/A |
| N/A | N/A | C:\Windows\System\nbJgaBO.exe | N/A |
| N/A | N/A | C:\Windows\System\ZznoJNt.exe | N/A |
| N/A | N/A | C:\Windows\System\eYbYaky.exe | N/A |
| N/A | N/A | C:\Windows\System\dQpmMQS.exe | N/A |
| N/A | N/A | C:\Windows\System\SrTGSSz.exe | N/A |
| N/A | N/A | C:\Windows\System\HBNUwTd.exe | N/A |
| N/A | N/A | C:\Windows\System\zWsyzKg.exe | N/A |
| N/A | N/A | C:\Windows\System\FyBkEbj.exe | N/A |
| N/A | N/A | C:\Windows\System\KDLNLCs.exe | N/A |
| N/A | N/A | C:\Windows\System\RLwocsQ.exe | N/A |
| N/A | N/A | C:\Windows\System\UTmFEtt.exe | N/A |
| N/A | N/A | C:\Windows\System\oGZBnri.exe | N/A |
| N/A | N/A | C:\Windows\System\LsmxWVh.exe | N/A |
| N/A | N/A | C:\Windows\System\uzCGrjJ.exe | N/A |
| N/A | N/A | C:\Windows\System\RatEvcv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\zAYmbFZ.exe
C:\Windows\System\zAYmbFZ.exe
C:\Windows\System\FCiVWZA.exe
C:\Windows\System\FCiVWZA.exe
C:\Windows\System\zalNJoM.exe
C:\Windows\System\zalNJoM.exe
C:\Windows\System\kpqVthO.exe
C:\Windows\System\kpqVthO.exe
C:\Windows\System\CZiMWRB.exe
C:\Windows\System\CZiMWRB.exe
C:\Windows\System\oqethvv.exe
C:\Windows\System\oqethvv.exe
C:\Windows\System\nbJgaBO.exe
C:\Windows\System\nbJgaBO.exe
C:\Windows\System\ZznoJNt.exe
C:\Windows\System\ZznoJNt.exe
C:\Windows\System\eYbYaky.exe
C:\Windows\System\eYbYaky.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
C:\Windows\System\dQpmMQS.exe
C:\Windows\System\dQpmMQS.exe
C:\Windows\System\SrTGSSz.exe
C:\Windows\System\SrTGSSz.exe
C:\Windows\System\HBNUwTd.exe
C:\Windows\System\HBNUwTd.exe
C:\Windows\System\zWsyzKg.exe
C:\Windows\System\zWsyzKg.exe
C:\Windows\System\FyBkEbj.exe
C:\Windows\System\FyBkEbj.exe
C:\Windows\System\KDLNLCs.exe
C:\Windows\System\KDLNLCs.exe
C:\Windows\System\RLwocsQ.exe
C:\Windows\System\RLwocsQ.exe
C:\Windows\System\UTmFEtt.exe
C:\Windows\System\UTmFEtt.exe
C:\Windows\System\oGZBnri.exe
C:\Windows\System\oGZBnri.exe
C:\Windows\System\LsmxWVh.exe
C:\Windows\System\LsmxWVh.exe
C:\Windows\System\uzCGrjJ.exe
C:\Windows\System\uzCGrjJ.exe
C:\Windows\System\RatEvcv.exe
C:\Windows\System\RatEvcv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files