Analysis Overview
SHA256
be73d38918e9895dcffb6eb3b0029b556573695871bf59854ad5659d81a7120d
Threat Level: Known bad
The file 2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 22:26
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 22:26
Reported
2024-06-09 22:29
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the per-match indicators were not preserved in this extract.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; the per-match indicators were not preserved in this extract.
UPX dump on OEP (original entry point)
57 matches recorded; the per-match indicators were not preserved in this extract.
XMRig Miner payload
58 matches recorded; the per-match indicators were not preserved in this extract.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZaRAumN.exe | N/A |
| N/A | N/A | C:\Windows\System\SqiGhJL.exe | N/A |
| N/A | N/A | C:\Windows\System\gbVZdcx.exe | N/A |
| N/A | N/A | C:\Windows\System\LyesjEd.exe | N/A |
| N/A | N/A | C:\Windows\System\LSpdlOp.exe | N/A |
| N/A | N/A | C:\Windows\System\SqMKUAx.exe | N/A |
| N/A | N/A | C:\Windows\System\kllPTPh.exe | N/A |
| N/A | N/A | C:\Windows\System\ovtDHUV.exe | N/A |
| N/A | N/A | C:\Windows\System\KKVvQcQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nHjywUy.exe | N/A |
| N/A | N/A | C:\Windows\System\YDqFIOf.exe | N/A |
| N/A | N/A | C:\Windows\System\pndEHaX.exe | N/A |
| N/A | N/A | C:\Windows\System\rdMsPCe.exe | N/A |
| N/A | N/A | C:\Windows\System\MwUsMae.exe | N/A |
| N/A | N/A | C:\Windows\System\ciWwZFg.exe | N/A |
| N/A | N/A | C:\Windows\System\eEEIoFE.exe | N/A |
| N/A | N/A | C:\Windows\System\kERTOFH.exe | N/A |
| N/A | N/A | C:\Windows\System\HaFmuGI.exe | N/A |
| N/A | N/A | C:\Windows\System\AIAwYVK.exe | N/A |
| N/A | N/A | C:\Windows\System\OmWaZwW.exe | N/A |
| N/A | N/A | C:\Windows\System\vRuDKfB.exe | N/A |
Loads dropped DLL
UPX packed file
57 matches recorded; the per-match indicators were not preserved in this extract.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ZaRAumN.exe | C:\Windows\System\ZaRAumN.exe |
| C:\Windows\System\SqiGhJL.exe | C:\Windows\System\SqiGhJL.exe |
| C:\Windows\System\gbVZdcx.exe | C:\Windows\System\gbVZdcx.exe |
| C:\Windows\System\LyesjEd.exe | C:\Windows\System\LyesjEd.exe |
| C:\Windows\System\LSpdlOp.exe | C:\Windows\System\LSpdlOp.exe |
| C:\Windows\System\kllPTPh.exe | C:\Windows\System\kllPTPh.exe |
| C:\Windows\System\SqMKUAx.exe | C:\Windows\System\SqMKUAx.exe |
| C:\Windows\System\ovtDHUV.exe | C:\Windows\System\ovtDHUV.exe |
| C:\Windows\System\KKVvQcQ.exe | C:\Windows\System\KKVvQcQ.exe |
| C:\Windows\System\nHjywUy.exe | C:\Windows\System\nHjywUy.exe |
| C:\Windows\System\YDqFIOf.exe | C:\Windows\System\YDqFIOf.exe |
| C:\Windows\System\kERTOFH.exe | C:\Windows\System\kERTOFH.exe |
| C:\Windows\System\pndEHaX.exe | C:\Windows\System\pndEHaX.exe |
| C:\Windows\System\HaFmuGI.exe | C:\Windows\System\HaFmuGI.exe |
| C:\Windows\System\rdMsPCe.exe | C:\Windows\System\rdMsPCe.exe |
| C:\Windows\System\AIAwYVK.exe | C:\Windows\System\AIAwYVK.exe |
| C:\Windows\System\MwUsMae.exe | C:\Windows\System\MwUsMae.exe |
| C:\Windows\System\OmWaZwW.exe | C:\Windows\System\OmWaZwW.exe |
| C:\Windows\System\ciWwZFg.exe | C:\Windows\System\ciWwZFg.exe |
| C:\Windows\System\vRuDKfB.exe | C:\Windows\System\vRuDKfB.exe |
| C:\Windows\System\eEEIoFE.exe | C:\Windows\System\eEEIoFE.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
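Three behaviours in this run belong together: a burst of seven-letter executables written to and started from C:\Windows\System (a directory legitimate installers almost never write to), the sample enabling SeLockMemoryPrivilege (the privilege XMRig asks for to back its scratchpad with large pages), and the only non-DNS destination seen in both detonations, 3.120.209.58:8080. The Python below is an added example written for this page, not sandbox output or code from the sample. It runs over constructed events shaped like Sysmon process/network records and Security event 4703 (the event dicts, the sqlservr.exe allowlist entry and the burst threshold of three are assumptions) and reports which rules fired; SQL Server with "Lock pages in memory" is the usual benign holder of SeLockMemoryPrivilege, so that allowlist is the part to tune for an estate.

```python
import re
from collections import defaultdict

# Naming pattern of every dropped executable in both detonations:
# C:\Windows\System\<seven ASCII letters>.exe (e.g. ZaRAumN.exe, dLlgNNF.exe).
DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Only non-DNS destination in both detonations.
KNOWN_C2 = {("3.120.209.58", 8080)}

# Assumed allowlist: processes that legitimately enable SeLockMemoryPrivilege.
LOCKMEM_ALLOWLIST = {"sqlservr.exe"}

# Assumed threshold: distinct dropped children from one parent before it is a burst.
BURST_THRESHOLD = 3


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Evaluate the three rules over a list of event dicts and return findings + verdict.

    Event shapes (constructed for this example):
      {"type": "process_create", "image": ..., "parent_image": ...}
      {"type": "token_adjust",   "process": ..., "enabled": [privilege names]}  # Security 4703
      {"type": "net_connect",    "image": ..., "dst_ip": ..., "dst_port": int}
    """
    findings = defaultdict(list)
    dropped_by_parent = defaultdict(set)

    for ev in events:
        kind = ev.get("type")
        if kind == "process_create" and DROPPED_EXE_RE.match(ev.get("image", "")):
            dropped_by_parent[ev.get("parent_image", "")].add(ev["image"])
            findings["dropped_exe"].append(ev["image"])
        elif kind == "token_adjust" and "SeLockMemoryPrivilege" in ev.get("enabled", []):
            if basename(ev.get("process", "")) not in LOCKMEM_ALLOWLIST:
                findings["lock_memory"].append(ev["process"])
        elif kind == "net_connect" and (ev.get("dst_ip"), ev.get("dst_port")) in KNOWN_C2:
            findings["c2"].append(ev["image"])

    # One parent starting several distinct <7 letters>.exe children is the
    # replication pattern seen in the report (21 per detonation).
    for parent, children in dropped_by_parent.items():
        if len(children) >= BURST_THRESHOLD:
            findings["replication_burst"].append(parent)

    # A single rule is only suspicious; two independent rule families together
    # reproduce the chain the sandbox saw.
    verdict = "suspicious" if findings else "clean"
    if len(findings) >= 2:
        verdict = "likely xmrig/cobaltstrike chain"
    return {"findings": dict(findings), "verdict": verdict}


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe")

# Constructed events modelled on the behavioral1 run, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "token_adjust", "process": SAMPLE, "enabled": ["SeLockMemoryPrivilege"]},
    {"type": "process_create", "image": "C:\\Windows\\System\\ZaRAumN.exe", "parent_image": SAMPLE},
    {"type": "process_create", "image": "C:\\Windows\\System\\SqiGhJL.exe", "parent_image": SAMPLE},
    {"type": "process_create", "image": "C:\\Windows\\System\\gbVZdcx.exe", "parent_image": SAMPLE},
    {"type": "net_connect", "image": SAMPLE, "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "token_adjust", "process": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "enabled": ["SeLockMemoryPrivilege"]},
    {"type": "net_connect", "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

The regex deliberately requires `C:\Windows\System\` followed by exactly seven letters, so System32 and SysWOW64 paths never match; the 4703 rule keys on the privilege name rather than the process, which is what catches the next sample with different file names.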
Files
memory/1684-2-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/1684-0-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\ZaRAumN.exe
| MD5 | 02cf513699583893fd20026f396c76ca |
| SHA1 | baf622cdcac5280f3ec3f7fcfa0656fe9b640ac6 |
| SHA256 | 77629e399a62026897d1766acf633047337d51d964136a3f0a97c97e1942d86b |
| SHA512 | 3db670d0f52995e8aba47eeeb146fe9be20daf974a1ea8c748cf27420be6722780402b2a980e2e1f459fd912b1dd491a29d5f326733960506d47f1f6fefb4c77 |
memory/1684-11-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\SqiGhJL.exe
| MD5 | e0e67234ade9219dd06d8e0f96bebc18 |
| SHA1 | 1cf2e6e5fb19c0d1c77d60f19abc7c0a95f60c9a |
| SHA256 | f85082e7f7bc3b720f7b206cc90c085583c38726fe3d5db3e66b9d8ba165bf5e |
| SHA512 | e3be8f9ac3f23e1e092a82b5094f50cdd8a3f330ce66374432e09debc11b8bb05b56c24ffc96a4771574f48f4fddf55af67e86a2875fcace48f974d2e8b5ebba |
memory/1684-16-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2140-15-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\gbVZdcx.exe
| MD5 | 461417bb928ba113ea6a368d31cc80ff |
| SHA1 | c46ce77bb37a26a9d9e0b7adb1e2c82ca44e3aea |
| SHA256 | c289c03a2fc401cbde1c1a6cad8916fabf48aeb87b65b80cd2a8dd0659a48f9b |
| SHA512 | cbafb3de61393f7229457ad80dce93bbc9ae6a9d2fe0e3b791838ac3f29020761536e55dcf3cdb627390ad058da6622faddf3604b74fa501d5b6b4587f8d8a95 |
memory/2712-23-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/1684-21-0x0000000002330000-0x0000000002684000-memory.dmp
C:\Windows\system\LyesjEd.exe
| MD5 | 7784b1c00b0a4b4a28cc30b476e59231 |
| SHA1 | 79527fe0961a1f8f72bad548ed2c5188c56fda01 |
| SHA256 | fb8a56eeb42445999eb6ef10e346acce027d85c4be5fc6a4eeb73bc5bddc08a4 |
| SHA512 | bf2382f04631f091a9862d450e8eaeaff6f62c9349b1a91063834aea0ec177a393433b97c161b3ed2a427ca45f276ca1c834c44563537ba80c409094c1afd591 |
memory/1620-41-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1684-39-0x0000000002330000-0x0000000002684000-memory.dmp
C:\Windows\system\ovtDHUV.exe
| MD5 | 2d2d611c65d9358f7b5c5cd8ed2691ed |
| SHA1 | 292b70549a023bed0a6e49d4a01888e383ed4d2d |
| SHA256 | f583e30fe9e8685bd2546bafd3c4abb029c1b543c8756ca120d4e3629a7ada90 |
| SHA512 | 3eb5507e042eb99c4198371c8abf6c77f97d8fc1a58e1c31e6c2657060ba0411ac137fdb49daa039914a26077d9395f85cbb24da38c6f1e634e195fee897b1f7 |
memory/2512-60-0x000000013FD10000-0x0000000140064000-memory.dmp
C:\Windows\system\nHjywUy.exe
| MD5 | 7721f3c510bf1bda8cc30e486c27d829 |
| SHA1 | 28e61a4a6b2247e2b1f627e469383a0427a9a447 |
| SHA256 | 3adcf7b8a05617a5a290416f6850ba8d61e289ef876f1c713b637310e3904d27 |
| SHA512 | 4ff0fc0c7d3c6a6a84bfd56f4751ffe2303c4330da77d6ca77f044c05aa5ef1ac948479a199e153dd770a8063c40eee52ffe08c4cc9d468f2a49848fca8b06a2 |
memory/1684-66-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\kERTOFH.exe
| MD5 | 9df09a6695fcdace1c8e332b6bccbbf9 |
| SHA1 | 2c98c6fe44057938b0dc66dd9d85500af93ec14e |
| SHA256 | 381e6a2354ef22392867dbd997655bf0e42f6dc5151513cb888a5a6596df54d2 |
| SHA512 | 37b94b526b78ff5fffa6665a0660f86967b4d1e2f754bb75ee4f1d380e842a54e8ddaee098418028b1cf89e52bcde1c2d2bd3b250deee26cb6efa7dbc0fcff71 |
\Windows\system\vRuDKfB.exe
| MD5 | 16b66f5f690e6719382ffbeff2f84e5e |
| SHA1 | b2f830043f5e6fc02d501a7938e1eafda8ee2a28 |
| SHA256 | c104a79e9323df436add9d1959db06dea4b1ad066e05cff1a25022af4c33d24e |
| SHA512 | a5cdd2c65de6ea2035533821b8d1ef379aa4c7fe769f2ca69ee350d28f53214603a77186657f8a9a017fa668bb04cc5d3bbf6539bd35e154cfa576a57a371865 |
memory/2660-102-0x000000013FEF0000-0x0000000140244000-memory.dmp
\Windows\system\OmWaZwW.exe
| MD5 | c857f9a51cc50fa3100d8bfcf1ceaac8 |
| SHA1 | 58ede2bc4c915455b109e89a6abb0e47ae5f4e75 |
| SHA256 | 56725645849fbefb0ebf826cec4f3db7b36b96b6dbf239ce72aa1453d011c9ba |
| SHA512 | 739f954d895d0de772ae9b27abd7cb169cdac5c599e6d1f5da4a2c9d1f7e00202cd68258c9c6b0416badec4969cf20d62df457da84ce4f411e7fa2fc2ffaadde |
memory/1684-94-0x0000000002330000-0x0000000002684000-memory.dmp
\Windows\system\AIAwYVK.exe
| MD5 | d4748c086462f04a91acc6a2397ee10c |
| SHA1 | ac9763687e10f15f83f8ee607e8458edbdcd57b0 |
| SHA256 | ca46bdf4e620a16a58ce20360e4848dd0933581f6355dc0e8bf4b841394a75c0 |
| SHA512 | cc7627739b3b8bbe4b11c2e654a93047918905726117612d7bc6832cbc7a5e11fccbd41388b2654e3aac5dd47e51ed9ac523faedb761ea5c4231746b9aa6d510 |
memory/2712-87-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/1684-86-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1968-85-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1684-83-0x000000013F220000-0x000000013F574000-memory.dmp
C:\Windows\system\pndEHaX.exe
| MD5 | 7e17e50bd900922dab03b2a621218e76 |
| SHA1 | 50b697b40ae5372ade0c225477bcf5ba26ca6f56 |
| SHA256 | a987b1528b0fdf21890e9f7fa38167bcca414085bc377d50f4abcebd59b265c7 |
| SHA512 | 14e0c6ea79b89219b273d8c130fbe0aea587f6a4fe6cbb4bdb96eda9d7135806217c3dab92f3c9031b8dff5cb3516ad5250be3a5d15a337889bdafbd819412e5 |
\Windows\system\HaFmuGI.exe
| MD5 | 57be43e93a128e2e2325a63cc5f99312 |
| SHA1 | 2dd308a13036a9b7b7ae54a17fb0b70efac186d2 |
| SHA256 | b4e8ca6ad90a9f9fb1770b6a12a98083e7e465383fc688f704579c315ec79d17 |
| SHA512 | 892a057f0386930b1b842f5b40d7049823e14958425f7b07f0223824830077d5dd088bfc3a03ca13437b3319bebe3c45984b18454b605326f4ae5cd3e71e90f9 |
memory/2560-76-0x000000013F7E0000-0x000000013FB34000-memory.dmp
C:\Windows\system\eEEIoFE.exe
| MD5 | 9360cdab4408441c83afb1b939114d09 |
| SHA1 | a270d822a49cf05a58de541c52a169ed2797aa70 |
| SHA256 | bb2a79089982fa7acdf087986b3b19ac6b446ac1d991d66785abd73314fe2cae |
| SHA512 | b16eec7ad76eb8216b786409698e1c982486e2a44d7bdda9cf97b838dc31157d769cda410195926e232a6a77babc2b75d36670a62c80359d1829f2daa08c4350 |
memory/2580-67-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1684-65-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/1684-110-0x0000000002330000-0x0000000002684000-memory.dmp
memory/1684-109-0x0000000002330000-0x0000000002684000-memory.dmp
memory/1684-108-0x0000000002330000-0x0000000002684000-memory.dmp
C:\Windows\system\ciWwZFg.exe
| MD5 | a3ce65484acdf93a16b1eb10c4c89c36 |
| SHA1 | 3edf1a357736f24b1e52b6d72b0ea0edf66873f9 |
| SHA256 | 07ea14cf1abec5282a80b33013ad860ecbdf99e5692a7c75eebf15cca8935735 |
| SHA512 | b7f5bed628607b670536e37715959eedcf0fdf3fb404799604b7057e51d12d933b7773b4788749118675e639dc48b938257dcf5ff7ad6ef309b007366a66369f |
C:\Windows\system\MwUsMae.exe
| MD5 | 3de254f0ac421c4b6af8f10f9e568c06 |
| SHA1 | a62cd02903ffe6883966d0e27f2b4844fc53338c |
| SHA256 | 4843d79379691a2cc49cbdc048a8e3d1642bf705245e86e7b37c28f596245501 |
| SHA512 | ab90298dfa1a7d443290f114a075ba4c040d796310042f99ec91e53348510419112882dba6ffd0f1c81f4b0a7e5bc7f57e7f323662cd3b275013ebe11b0acf43 |
C:\Windows\system\rdMsPCe.exe
| MD5 | 9cc5ab81ecd2909dd54720f57f514afe |
| SHA1 | 8f58d8edfe17defd8938697265e93f19b3a6fc8a |
| SHA256 | c75fbc7ff5af3dc2afed341b58e428ee225e59bc2b8dc37d49f3245f51766c93 |
| SHA512 | c1e519b47fb691d63f6b7f7d44d45f395980b4f45c30720d97f333929086c5cb239a510a97d946d9cade0245dc6ab6adfc463371bc1b8c4b96e5a3bd67870e1e |
memory/2140-72-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\YDqFIOf.exe
| MD5 | 5b8ba86d187b726c09f1162edc46f648 |
| SHA1 | eab43843724c50d3e39aa7b6e7f412b44c2a3bcb |
| SHA256 | e463e67bf31baf20bfede14aea29ec2aaae4889498942805a89600101db20cb9 |
| SHA512 | 2057ce2a9a330d86f2eb1f8879aabbbca83b5861e908fa29ba2566f97f733c2edff43f40584e89aecdef41b1917019c1390d9075c82330e3844e73703b0c7c3f |
memory/1684-59-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2556-54-0x000000013FFC0000-0x0000000140314000-memory.dmp
C:\Windows\system\KKVvQcQ.exe
| MD5 | ab6530356ceb8e525e71493fc3069bb8 |
| SHA1 | 0b3b07fca4f32dc6845a540387455c974a187b2e |
| SHA256 | d3e7468ec0bfb7890e7d09540db9f62fc663292a6d2f99bd843ed3f1d1d42521 |
| SHA512 | 235b67312897a6fe5c67ee169a7128aad43252b274665bad1096790910fd80186f0639876cb0fcd77026a9d89ec51e6ef39481ab4fc3846b720b316282338dd9 |
memory/2696-49-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2976-48-0x000000013F420000-0x000000013F774000-memory.dmp
\Windows\system\kllPTPh.exe
| MD5 | 7350a33f0f43343f26960c97176e9843 |
| SHA1 | 6b3c44c0c4a11c02686a16b4b3e178a9817effc6 |
| SHA256 | d6b0dad5deaceedc28717d2dbcd05034e01e54c07c9aa9119a9204d49f3329d1 |
| SHA512 | 4d6337f4cdb1a5898a9c811e43fbd61a0b36bf5fdc4e2616f66b13a3c3776e9f8574ef9838a2d8247926021d342377c7821757213514d4ffb9dcf5508c901856 |
C:\Windows\system\SqMKUAx.exe
| MD5 | a66403867ad29559f8c1911600ca37c1 |
| SHA1 | 4cedc8501ed9fc6f4ab860a565c1d25570fcf928 |
| SHA256 | 94e9fa926cbf4b60819e4694c2f69f76fc127dba72f4a696b9b505e8d10dae6a |
| SHA512 | 4d2bf735d8dd789ba9e7341bbdb22274f6a62a0f6a499b83d9dd2a1ac77cfa6ca0e7a6ba8af5ae6b108bed43de93a741cff6cbf31209b8ad018c51d3fa90baee |
memory/1684-45-0x000000013F420000-0x000000013F774000-memory.dmp
memory/1684-42-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\LSpdlOp.exe
| MD5 | 203599577a96c579487c42ecf0abdb9b |
| SHA1 | dff425450e4e309fa75ba8960bd42ef91c7c6308 |
| SHA256 | 40ab3ae54ac8651dd3a58263a702b770a2b07b5cd00483ee406ca75ff7b16e30 |
| SHA512 | e66a236ec37c524632ffde727050c2d5c9455210e404756c97403e0f3f3971c2b4abc5930cd3ba27a80695c7a15a576c2df798566cabeb81b925f05ac2a0852d |
memory/2660-29-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1684-28-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2980-13-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2696-139-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2976-138-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2556-140-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2512-141-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2580-142-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2560-143-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/1684-144-0x0000000002330000-0x0000000002684000-memory.dmp
memory/1968-145-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2980-146-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2140-147-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2712-148-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/1620-149-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2660-150-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2976-153-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2696-155-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2580-157-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2556-156-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/1968-154-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2512-152-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2560-151-0x000000013F7E0000-0x000000013FB34000-memory.dmp
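The Files list above is a flat run of paths, hash rows and memory-dump names, and two things in it matter more than any single hash: no two dropped copies share a digest, so a hash blocklist built from this run will not catch the next one, and every dumped region spans the same 0x354000 bytes, i.e. the same unpacked image is present in each process. The Python below is an added example written for this page rather than the sandbox's own tooling; it parses an excerpt copied verbatim from the list (SHA512 rows left out) and checks both facts. Treating "C:\Windows\system\" and "\Windows\system\" as the same directory is an assumption about the extract, not something the report states.

```python
import re

# Excerpt copied from this report's behavioral1 "Files" section: the first three
# dropped files with their MD5/SHA1/SHA256 rows (SHA512 rows omitted) and the
# memory-dump lines that sit between them. Any longer slice parses the same way.
REPORT_EXCERPT = r"""
memory/1684-2-0x000000013F7E0000-0x000000013FB34000-memory.dmp
C:\Windows\system\ZaRAumN.exe
| MD5 | 02cf513699583893fd20026f396c76ca |
| SHA1 | baf622cdcac5280f3ec3f7fcfa0656fe9b640ac6 |
| SHA256 | 77629e399a62026897d1766acf633047337d51d964136a3f0a97c97e1942d86b |
memory/1684-11-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\SqiGhJL.exe
| MD5 | e0e67234ade9219dd06d8e0f96bebc18 |
| SHA1 | 1cf2e6e5fb19c0d1c77d60f19abc7c0a95f60c9a |
| SHA256 | f85082e7f7bc3b720f7b206cc90c085583c38726fe3d5db3e66b9d8ba165bf5e |
C:\Windows\system\gbVZdcx.exe
| MD5 | 461417bb928ba113ea6a368d31cc80ff |
| SHA1 | c46ce77bb37a26a9d9e0b7adb1e2c82ca44e3aea |
| SHA256 | c289c03a2fc401cbde1c1a6cad8916fabf48aeb87b65b80cd2a8dd0659a48f9b |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def normalise_path(path):
    """Assumption: '\\Windows\\system\\X.exe' is the same file as 'C:\\Windows\\system\\X.exe'."""
    return "C:" + path if path.startswith("\\") else path


def parse_files_section(text):
    """Return (files, dumps).

    files: one dict per dropped file with 'path' plus lower-cased 'md5'/'sha1'/... keys.
    dumps: one dict per memory-dump line with 'pid', 'start' and 'size' (end - start).
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            dumps.append({"pid": int(m.group(1)), "start": start, "size": end - start})
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        if "\\" in line and line.lower().endswith(".exe"):
            current = {"path": normalise_path(line)}
            files.append(current)
    return files, dumps


def hash_reuse(files, alg="sha256"):
    """True if any two dropped files share a digest; in this report every copy differs."""
    digests = [f[alg] for f in files if alg in f]
    return len(digests) != len(set(digests))


def dump_sizes(dumps):
    """Distinct sizes of the dumped regions; a single value means one image in every process."""
    return {d["size"] for d in dumps}


def blocklist(files, alg="sha256"):
    """Sorted unique digests, usable as a blocklist for this run only (see hash_reuse)."""
    return sorted({f[alg] for f in files if alg in f})


if __name__ == "__main__":
    files, dumps = parse_files_section(REPORT_EXCERPT)
    print(f"{len(files)} dropped files, hash reuse across copies: {hash_reuse(files)}")
    print("dump sizes:", [hex(s) for s in sorted(dump_sizes(dumps))])
    print("\n".join(blocklist(files)))
```

Feed it the whole Files section and the same two checks hold for all 21 drops and every dump line; the practical consequence is that the file-name pattern and the behaviours, not the hashes, are what to block on.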
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 22:26
Reported
2024-06-09 22:29
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the per-match indicators were not preserved in this extract.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; the per-match indicators were not preserved in this extract.
UPX dump on OEP (original entry point)
64 matches recorded; the per-match indicators were not preserved in this extract.
XMRig Miner payload
64 matches recorded; the per-match indicators were not preserved in this extract.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dLlgNNF.exe | N/A |
| N/A | N/A | C:\Windows\System\mZbGjsA.exe | N/A |
| N/A | N/A | C:\Windows\System\HSEEmnA.exe | N/A |
| N/A | N/A | C:\Windows\System\lyIDEfO.exe | N/A |
| N/A | N/A | C:\Windows\System\btmYHwk.exe | N/A |
| N/A | N/A | C:\Windows\System\mCPDhwt.exe | N/A |
| N/A | N/A | C:\Windows\System\cbBuEpy.exe | N/A |
| N/A | N/A | C:\Windows\System\GKmHEez.exe | N/A |
| N/A | N/A | C:\Windows\System\MuNLEuK.exe | N/A |
| N/A | N/A | C:\Windows\System\zqAHFZa.exe | N/A |
| N/A | N/A | C:\Windows\System\uPWevJa.exe | N/A |
| N/A | N/A | C:\Windows\System\keMBunp.exe | N/A |
| N/A | N/A | C:\Windows\System\vvtXbfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jfLQAmX.exe | N/A |
| N/A | N/A | C:\Windows\System\qJwqSJO.exe | N/A |
| N/A | N/A | C:\Windows\System\JooAfFM.exe | N/A |
| N/A | N/A | C:\Windows\System\dwabhDK.exe | N/A |
| N/A | N/A | C:\Windows\System\LjBahVc.exe | N/A |
| N/A | N/A | C:\Windows\System\NIXJYYx.exe | N/A |
| N/A | N/A | C:\Windows\System\KBbhHcG.exe | N/A |
| N/A | N/A | C:\Windows\System\qxMfvQV.exe | N/A |
UPX packed file
64 matches recorded; the per-match indicators were not preserved in this extract.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dLlgNNF.exe | C:\Windows\System\dLlgNNF.exe |
| C:\Windows\System\mZbGjsA.exe | C:\Windows\System\mZbGjsA.exe |
| C:\Windows\System\HSEEmnA.exe | C:\Windows\System\HSEEmnA.exe |
| C:\Windows\System\lyIDEfO.exe | C:\Windows\System\lyIDEfO.exe |
| C:\Windows\System\btmYHwk.exe | C:\Windows\System\btmYHwk.exe |
| C:\Windows\System\mCPDhwt.exe | C:\Windows\System\mCPDhwt.exe |
| C:\Windows\System\cbBuEpy.exe | C:\Windows\System\cbBuEpy.exe |
| C:\Windows\System\GKmHEez.exe | C:\Windows\System\GKmHEez.exe |
| C:\Windows\System\MuNLEuK.exe | C:\Windows\System\MuNLEuK.exe |
| C:\Windows\System\zqAHFZa.exe | C:\Windows\System\zqAHFZa.exe |
| C:\Windows\System\uPWevJa.exe | C:\Windows\System\uPWevJa.exe |
| C:\Windows\System\keMBunp.exe | C:\Windows\System\keMBunp.exe |
| C:\Windows\System\vvtXbfJ.exe | C:\Windows\System\vvtXbfJ.exe |
| C:\Windows\System\jfLQAmX.exe | C:\Windows\System\jfLQAmX.exe |
| C:\Windows\System\qJwqSJO.exe | C:\Windows\System\qJwqSJO.exe |
| C:\Windows\System\JooAfFM.exe | C:\Windows\System\JooAfFM.exe |
| C:\Windows\System\dwabhDK.exe | C:\Windows\System\dwabhDK.exe |
| C:\Windows\System\LjBahVc.exe | C:\Windows\System\LjBahVc.exe |
| C:\Windows\System\NIXJYYx.exe | C:\Windows\System\NIXJYYx.exe |
| C:\Windows\System\KBbhHcG.exe | C:\Windows\System\KBbhHcG.exe |
| C:\Windows\System\qxMfvQV.exe | C:\Windows\System\qxMfvQV.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\dLlgNNF.exe
C:\Windows\System\mZbGjsA.exe
C:\Windows\System\HSEEmnA.exe
C:\Windows\System\lyIDEfO.exe
C:\Windows\System\btmYHwk.exe
C:\Windows\System\cbBuEpy.exe
C:\Windows\System\GKmHEez.exe
C:\Windows\System\MuNLEuK.exe
C:\Windows\System\zqAHFZa.exe
C:\Windows\System\uPWevJa.exe
C:\Windows\System\keMBunp.exe
C:\Windows\System\JooAfFM.exe
C:\Windows\System\NIXJYYx.exe
C:\Windows\System\qxMfvQV.exe
C:\Windows\System\KBbhHcG.exe
C:\Windows\System\LjBahVc.exe
C:\Windows\System\dwabhDK.exe
C:\Windows\System\qJwqSJO.exe
C:\Windows\System\jfLQAmX.exe
C:\Windows\System\vvtXbfJ.exe
C:\Windows\System\mCPDhwt.exe