Analysis Overview
SHA256
bffe0d0033affa8b9fefb8cddfff8c584f623ac69597e557fef47330bafb7e21
Threat Level: Known bad
The file 2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 21:11
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 21:11
Reported
2024-06-08 21:13
Platform
win7-20240508-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KoVieRR.exe | N/A |
| N/A | N/A | C:\Windows\System\NMBhHSX.exe | N/A |
| N/A | N/A | C:\Windows\System\XGpZfJa.exe | N/A |
| N/A | N/A | C:\Windows\System\nwTsWhd.exe | N/A |
| N/A | N/A | C:\Windows\System\zTaXyFq.exe | N/A |
| N/A | N/A | C:\Windows\System\HBldljh.exe | N/A |
| N/A | N/A | C:\Windows\System\iHoLgRe.exe | N/A |
| N/A | N/A | C:\Windows\System\KzTFBBp.exe | N/A |
| N/A | N/A | C:\Windows\System\qsBqJiE.exe | N/A |
| N/A | N/A | C:\Windows\System\GIrYDho.exe | N/A |
| N/A | N/A | C:\Windows\System\gIaNfOj.exe | N/A |
| N/A | N/A | C:\Windows\System\RzpaiWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\bLIGWjW.exe | N/A |
| N/A | N/A | C:\Windows\System\ccxSoQR.exe | N/A |
| N/A | N/A | C:\Windows\System\zXmEfPg.exe | N/A |
| N/A | N/A | C:\Windows\System\YjXmvdg.exe | N/A |
| N/A | N/A | C:\Windows\System\RfwcEFM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZafYWrv.exe | N/A |
| N/A | N/A | C:\Windows\System\YbbkImW.exe | N/A |
| N/A | N/A | C:\Windows\System\KywSLQB.exe | N/A |
| N/A | N/A | C:\Windows\System\gNHxpzh.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KoVieRR.exe
C:\Windows\System\NMBhHSX.exe
C:\Windows\System\XGpZfJa.exe
C:\Windows\System\nwTsWhd.exe
C:\Windows\System\zTaXyFq.exe
C:\Windows\System\HBldljh.exe
C:\Windows\System\iHoLgRe.exe
C:\Windows\System\KzTFBBp.exe
C:\Windows\System\qsBqJiE.exe
C:\Windows\System\GIrYDho.exe
C:\Windows\System\gIaNfOj.exe
C:\Windows\System\RzpaiWZ.exe
C:\Windows\System\bLIGWjW.exe
C:\Windows\System\ccxSoQR.exe
C:\Windows\System\zXmEfPg.exe
C:\Windows\System\YjXmvdg.exe
C:\Windows\System\RfwcEFM.exe
C:\Windows\System\ZafYWrv.exe
C:\Windows\System\YbbkImW.exe
C:\Windows\System\KywSLQB.exe
C:\Windows\System\gNHxpzh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2244-0-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/2244-1-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\KoVieRR.exe
| MD5 | d4f08cb5676f33946def8a3cb2c1f11e |
| SHA1 | fe0d63c6121be7e9293e42084dd42326aa9f481e |
| SHA256 | 7cabd834b53def0d7da99293c746a5b83a89d0a0545cfecf0079c265aba3c09d |
| SHA512 | 0db79afeedf58d67ba22ea02cbaa44b67c306cb9656018f277a9ac2c60ed0a95d1fba30292de98e0ab5c6c983070caae6ec044433bcf9d9c8d6e04c51c2a7788 |
memory/2032-9-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2244-8-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\XGpZfJa.exe
| MD5 | 0ebbed5fd07b5d7d7fabb4d2d2d38f32 |
| SHA1 | 596d84dc122768a983084d89bf472731834c1110 |
| SHA256 | 6a13ef42b10d278c1bc5dcd0ae82d278b5c7794b55cbaa491792e35e2509ed64 |
| SHA512 | 4ee7b5b9d46904fa3abc523998d36cb80f6d27857ba3dd6c7b88a31075b684afc9daf4ca2634b6d5fb5f43365ff8bc24c0aa250d40f1e122e7543f18b8ec2911 |
memory/2244-23-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2344-22-0x000000013F600000-0x000000013F954000-memory.dmp
\Windows\system\nwTsWhd.exe
| MD5 | 97889ed4405b3174b08caa283ae7a88e |
| SHA1 | b25c82293d7ab6d957accc74890133dc065e20c8 |
| SHA256 | bc62d38734f83dbed9d2aa1ce46548f9fc2a93221487cd7e8c8da5c1831edc59 |
| SHA512 | 261c97785d044f7aa724d6ce9487784253d76b33090460c6050d7892800912ecd0113c4d5d3f76e9a06ad7ab9fdc141931a0bd876a71cd0482cbaface5259f32 |
memory/2944-20-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2740-29-0x000000013FAF0000-0x000000013FE44000-memory.dmp
\Windows\system\HBldljh.exe
| MD5 | a1d3c4b06c72b2422f143951d131c70c |
| SHA1 | 465847a66bbc7fb1fae277e9b2c628e5090252af |
| SHA256 | dc733fcc8f5d59baf7445266d2a13af5f46770e309a843445ee62b674c31cb0d |
| SHA512 | 2487db08a3ad52507af86782bc8217ca598b08673fee61b77445dc23812944f000bf49c73dc2cbd91e4f7662063a3c28b1d354c781e33182467b3e8dfb100bdd |
memory/2244-40-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2828-41-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2636-36-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2812-49-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2540-56-0x000000013FD40000-0x0000000140094000-memory.dmp
\Windows\system\qsBqJiE.exe
| MD5 | d88b0dec704f9b8e9ac13e1baff7bdad |
| SHA1 | 3a32cc11fdfa653ba902f25f48d6a9ebbcc2579b |
| SHA256 | adf4b08d0e188edd0d9db8e93e51e1281034c490604af70f2b9c7cdd112023b4 |
| SHA512 | f53e2c445d7519e74a72f88af1413efa63f6ac345fda0e75fb988697ed4d27c5fc97574ff1889c0651cfa6ad05fadc920a631e2525dafd2d72a6bc79b5eb6253 |
memory/2244-55-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\iHoLgRe.exe
| MD5 | ba497662ea53caaa170a0f7abae93680 |
| SHA1 | d3b87d24ea929a4d2f578852d7efd2c826489994 |
| SHA256 | dce9439019ee9e0557c4ebb065dbb75f8dbd9b9d5b2430cad4cda8768563bea5 |
| SHA512 | c4cfdb7699011972da8e9a2b44aa373e99e3c229bca77e9d71d7ec19da96b65300005df1d31e5c004a336e07db5cd0fd44e104730e1f0e8a10304985e59cccb2 |
C:\Windows\system\KzTFBBp.exe
| MD5 | 6b1a6d104d6884aa66fc2339207d9faf |
| SHA1 | be6fd92d38d1c5ea27525da0448a2891f499b6d4 |
| SHA256 | 888e52847aade3abd6488ecbad52f83a86532a5c9807fe7de483ec52b305d79d |
| SHA512 | 7c4c6251c1312fd76a6bd6574f6f27d7d354744627b022eb829f20c75117b2ea8ae356b212d33014ba53e7800ad9f56ae05de3c2b3067d765091e2ddb1d521f3 |
memory/2244-35-0x00000000021C0000-0x0000000002514000-memory.dmp
C:\Windows\system\zTaXyFq.exe
| MD5 | 5c06a655cadd3fea21c895ae52da19d8 |
| SHA1 | 68f78f8cd9f2be1b7fcf5a1e5a1a8a8eed46defa |
| SHA256 | b6b09749dec0d0d9c1ecc4042a560d044b85bfb355394943b47e3de6e41ba312 |
| SHA512 | 34c1b0c83b87976d93842a73cbb945549d0f3bc26f1b287d3dc5373bb947b570849fda1163b6c7a29416ef9720f81387bc1c96d0a1c0d57d8ce71c168a5a9b8c |
memory/2244-27-0x00000000021C0000-0x0000000002514000-memory.dmp
memory/2244-15-0x00000000021C0000-0x0000000002514000-memory.dmp
C:\Windows\system\NMBhHSX.exe
| MD5 | e1ecf135664855090085c5e826c372a5 |
| SHA1 | bcb92ba9cf5fc97a48d38a8730e00697d8b4bf57 |
| SHA256 | 642d2a150685694c9f1abae5b85172118eddba981f44489c1a89713d975bb5b9 |
| SHA512 | ccf72253b7f2f9760a0a82061eb7bd876193fd193b32f13b3488b8183c9f411986d2660419154342e4f888248e7117193278c7eb8e609f57a21169fd8a064535 |
\Windows\system\GIrYDho.exe
| MD5 | f0c7c309c7786de596e580f7b41df7e2 |
| SHA1 | b053b9c69bb76d406f178f88a2abb5a5fa54f4c9 |
| SHA256 | dcb37d858dc268c54e5ef4c344bb30e390750e3482757c5efa2368e197817fbd |
| SHA512 | 0d54f3565e540a915d6cd283639952284ef2f5ec3fe93ccb47182753b99f68793d2b37205b2906e8077dd3161ba171c5da37e079eb8d3d538db16288eff2f0c0 |
memory/2560-63-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2124-71-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2344-62-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2244-69-0x000000013F560000-0x000000013F8B4000-memory.dmp
\Windows\system\RzpaiWZ.exe
| MD5 | a7480fed1b4dfb8dcd37376ccdef5958 |
| SHA1 | 484e87050fc9638601ed614219f9f31f2aab6c77 |
| SHA256 | 167ff2a293a14ece725f910e43c3783ba813642b290199232a0d674f7b168600 |
| SHA512 | 8ad814d7473ae3822dc6bad3600de77300f61855244bf911c8ae27b1eb4fa432b2ac08042425a6736496057900f6d50a62385711601bcf7502999f490b4fefaf |
memory/3052-85-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2244-84-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2740-83-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2884-82-0x000000013F130000-0x000000013F484000-memory.dmp
\Windows\system\gIaNfOj.exe
| MD5 | d9c104222f1cc6b51e7b17cc1cd0d4cf |
| SHA1 | 4c1e5dfcb0449151a62f70bc0adf6e3fe6e5b93d |
| SHA256 | 11a118757edc28eae58d7902976c541ca71f82403f9d8db91e26e15ebde63d0a |
| SHA512 | a4fad3d54be86e65615205f3be780c4c9c0fa60b7e71be95fc54269ef58d153c8380a19fa00a8d44f6dd8bcd29b0d83c5f5d31504cac046544d193d6f85c20a2 |
\Windows\system\bLIGWjW.exe
| MD5 | e51bee921aae0c6834f63c8b7e777ce3 |
| SHA1 | 0dab489238b10be481466ad3faea42575705de9b |
| SHA256 | 0e606ec40887a46ac131d24961e9f5bcbeedabd95dc0d21873832f8874e78679 |
| SHA512 | 7690278588512c4587e532020e3ef2afa799ba6c366434de3ca4d75424f9bee69f947722d69587ab39bfe3a1a9de6b1b2c76790830b636320606853d885613cc |
memory/2828-92-0x000000013F320000-0x000000013F674000-memory.dmp
memory/468-94-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2244-93-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2636-91-0x000000013FEE0000-0x0000000140234000-memory.dmp
C:\Windows\system\ccxSoQR.exe
| MD5 | d4249d4134fe175403fd4c9cb2fe3157 |
| SHA1 | 8aa7aa2e662d0f68cc33bd20cbd4038fe3c724e7 |
| SHA256 | 3455729ce60cf6f3a19b851d3481eea86312d832582d1de27830f4c581fac163 |
| SHA512 | 1063aaec5589be71f05aa92c67c22dc604abbceeb00509886a2d8389273d1988e05461a34c0d7028ef83efc842694800c144a3f6eef1fe23857693db0b29a570 |
memory/2876-100-0x000000013F870000-0x000000013FBC4000-memory.dmp
\Windows\system\zXmEfPg.exe
| MD5 | ebf457a7eafd1af1f6f33d18ba5cdb81 |
| SHA1 | f443e1517bcedede6e531ff228d365589a4408ff |
| SHA256 | 737f722b324770c8e6a794da7852542adc0d4f04352265361cb3c8193fb4c8b8 |
| SHA512 | 4cf1317f3fbd2a06b6f3f3f4a23c399c31acac4825a71141f62c8189521d86a1f58e3259b7f63368dd505a757f27615e2c6ed35fb0ddd65e9a85683575ea6f20 |
memory/2244-106-0x000000013FA10000-0x000000013FD64000-memory.dmp
\Windows\system\YjXmvdg.exe
| MD5 | 3f6ee24927197ec1badf76701d1c8dfa |
| SHA1 | d6285a47b001c0ed5070734054c84c07fa56b95e |
| SHA256 | 7b4135d764f40fa75dc60862c98ece6e8d7ad4760712bfb76ae2df85f321e8b5 |
| SHA512 | 9ed3808ee164052ca0ecf698a7d0157bab0a42863462d350a68e7778aa26302720dab21d1495134909faa4fda26d8499ec656d19d2f79dd3a4f16e3b62295e4d |
C:\Windows\system\ZafYWrv.exe
| MD5 | d2cef7c3461c0b97729a64921dfff5c4 |
| SHA1 | 5759b29a12c19d2ec86a6015300784241b46cc94 |
| SHA256 | 90cc766b65c63e117423505a2c7693653411fd204ec4ce424853fbaeb14db4c1 |
| SHA512 | 5922ab57af39fb5933883cdc3737696c66999429377bbd6b00a4dfafff5ef02f305393d0f1b3dcfea5a7edf653765a2e564c94c285963fe512f9f68f3450039b |
\Windows\system\gNHxpzh.exe
| MD5 | 71c97ef2cf07622e705142e8a0dd6e72 |
| SHA1 | 0722d9e07f4a65422cda06650d07624081ba1ef3 |
| SHA256 | 77db6d123d07dff414a9772aa8e9e560a9eb13557bebf0aa53083f9864327f52 |
| SHA512 | d3c538d6bc122ecadaf492baabbb790b503a9649c89fe888208ccc78aba852b56820055e1c2fa7e8232b8d898e8fde89b1034ba4a66000b71fc88141bbe8f13b |
C:\Windows\system\KywSLQB.exe
| MD5 | 4e6a6329377f516ba6ed58049a0ef691 |
| SHA1 | 29040546cfb6e8290625cf685463c74d92989277 |
| SHA256 | f819121978728f2d76bb573cb7dae2d7faf6fc213ea169cbbc2450afc18aa0ab |
| SHA512 | 4c12769ad36b2aba3160f12f6ec1cf13521e21affc20b2c8b15aa312d122b5f13ab14e550a704d10a46937937a4ca73c3d02a8d6be67df460d27ed44d6c11a42 |
C:\Windows\system\YbbkImW.exe
| MD5 | 504d39256ff464a28de4fa97dd9bf472 |
| SHA1 | 6d1537d69b7ba7bf30cc1903003d63bc17d7f3fe |
| SHA256 | af1bb418fadc69dc2d805e3316cc11f155804cd03e164ccffa1490ba1e797849 |
| SHA512 | 00db7a8bee97077f751a46a1cef0a2c918126575941caf37d489f40a0221c4a8cbd9802e999a99ccb832f9228b4109acf237d2d32b305977b6743a968cd6609a |
C:\Windows\system\RfwcEFM.exe
| MD5 | 8535d030b5c1751b797a699be93655e2 |
| SHA1 | d3559f2bdd13a337116dcff123c414706c2315aa |
| SHA256 | 14e5bb83d5fb462c692e1c448aa003bfccdc2de2a9ce3720bb073730ca25141b |
| SHA512 | 777502b044d3c723f41242fd2ecbf639b1a9dbca9eead438ee2eb933f82162bd42b1537fa872169e98c7dafc4912078c3e3a4328dd3be4989d2044797fed74ab |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 21:11
Reported
2024-06-08 21:13
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KoVieRR.exe | N/A |
| N/A | N/A | C:\Windows\System\NMBhHSX.exe | N/A |
| N/A | N/A | C:\Windows\System\XGpZfJa.exe | N/A |
| N/A | N/A | C:\Windows\System\nwTsWhd.exe | N/A |
| N/A | N/A | C:\Windows\System\zTaXyFq.exe | N/A |
| N/A | N/A | C:\Windows\System\HBldljh.exe | N/A |
| N/A | N/A | C:\Windows\System\iHoLgRe.exe | N/A |
| N/A | N/A | C:\Windows\System\KzTFBBp.exe | N/A |
| N/A | N/A | C:\Windows\System\qsBqJiE.exe | N/A |
| N/A | N/A | C:\Windows\System\GIrYDho.exe | N/A |
| N/A | N/A | C:\Windows\System\gIaNfOj.exe | N/A |
| N/A | N/A | C:\Windows\System\RzpaiWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\bLIGWjW.exe | N/A |
| N/A | N/A | C:\Windows\System\ccxSoQR.exe | N/A |
| N/A | N/A | C:\Windows\System\zXmEfPg.exe | N/A |
| N/A | N/A | C:\Windows\System\YjXmvdg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZafYWrv.exe | N/A |
| N/A | N/A | C:\Windows\System\RfwcEFM.exe | N/A |
| N/A | N/A | C:\Windows\System\YbbkImW.exe | N/A |
| N/A | N/A | C:\Windows\System\KywSLQB.exe | N/A |
| N/A | N/A | C:\Windows\System\gNHxpzh.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KoVieRR.exe
C:\Windows\System\NMBhHSX.exe
C:\Windows\System\XGpZfJa.exe
C:\Windows\System\nwTsWhd.exe
C:\Windows\System\zTaXyFq.exe
C:\Windows\System\HBldljh.exe
C:\Windows\System\iHoLgRe.exe
C:\Windows\System\KzTFBBp.exe
C:\Windows\System\qsBqJiE.exe
C:\Windows\System\GIrYDho.exe
C:\Windows\System\gIaNfOj.exe
C:\Windows\System\RzpaiWZ.exe
C:\Windows\System\bLIGWjW.exe
C:\Windows\System\ccxSoQR.exe
C:\Windows\System\zXmEfPg.exe
C:\Windows\System\YjXmvdg.exe
C:\Windows\System\RfwcEFM.exe
C:\Windows\System\ZafYWrv.exe
C:\Windows\System\YbbkImW.exe
C:\Windows\System\KywSLQB.exe
C:\Windows\System\gNHxpzh.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files