Analysis Overview
SHA256
05d842f4c9d7b00ce8c1fc17eb6f92ea6f8ef732d8d918dff1f1e6672457d48a
Threat Level: Known bad
The file 2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike family
Xmrig family
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 01:39
Signatures
Cobalt Strike reflective loader
1 hit; no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 hit; no description, indicator, process or target recorded.
XMRig Miner payload
1 hit; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 hit; no description, indicator, process or target recorded.
Unsigned PE
1 hit; no description, indicator, process or target recorded.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 01:38
Reported
2024-06-10 01:41
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
64 hits; no description, indicator, process or target recorded.
XMRig Miner payload
64 hits; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ugLpLxS.exe | N/A |
| N/A | N/A | C:\Windows\System\SvBdyZX.exe | N/A |
| N/A | N/A | C:\Windows\System\tbVkEyw.exe | N/A |
| N/A | N/A | C:\Windows\System\kNlZLir.exe | N/A |
| N/A | N/A | C:\Windows\System\nBoAcBG.exe | N/A |
| N/A | N/A | C:\Windows\System\rxoPrfM.exe | N/A |
| N/A | N/A | C:\Windows\System\nGdQVYO.exe | N/A |
| N/A | N/A | C:\Windows\System\uRGNDDe.exe | N/A |
| N/A | N/A | C:\Windows\System\LoErQCg.exe | N/A |
| N/A | N/A | C:\Windows\System\qJZdNby.exe | N/A |
| N/A | N/A | C:\Windows\System\LFUHVVN.exe | N/A |
| N/A | N/A | C:\Windows\System\jZZVnes.exe | N/A |
| N/A | N/A | C:\Windows\System\UYzKvUK.exe | N/A |
| N/A | N/A | C:\Windows\System\hmlwyKM.exe | N/A |
| N/A | N/A | C:\Windows\System\hYnZHEU.exe | N/A |
| N/A | N/A | C:\Windows\System\JutyFTL.exe | N/A |
| N/A | N/A | C:\Windows\System\pZAFoLC.exe | N/A |
| N/A | N/A | C:\Windows\System\gpkvmJA.exe | N/A |
| N/A | N/A | C:\Windows\System\CiPAHPK.exe | N/A |
| N/A | N/A | C:\Windows\System\JpBEIdc.exe | N/A |
| N/A | N/A | C:\Windows\System\CJSQZmp.exe | N/A |
UPX packed file
64 hits; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ugLpLxS.exe | C:\Windows\System\ugLpLxS.exe |
| C:\Windows\System\SvBdyZX.exe | C:\Windows\System\SvBdyZX.exe |
| C:\Windows\System\tbVkEyw.exe | C:\Windows\System\tbVkEyw.exe |
| C:\Windows\System\kNlZLir.exe | C:\Windows\System\kNlZLir.exe |
| C:\Windows\System\nBoAcBG.exe | C:\Windows\System\nBoAcBG.exe |
| C:\Windows\System\rxoPrfM.exe | C:\Windows\System\rxoPrfM.exe |
| C:\Windows\System\nGdQVYO.exe | C:\Windows\System\nGdQVYO.exe |
| C:\Windows\System\uRGNDDe.exe | C:\Windows\System\uRGNDDe.exe |
| C:\Windows\System\LoErQCg.exe | C:\Windows\System\LoErQCg.exe |
| C:\Windows\System\qJZdNby.exe | C:\Windows\System\qJZdNby.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8 |
| C:\Windows\System\LFUHVVN.exe | C:\Windows\System\LFUHVVN.exe |
| C:\Windows\System\jZZVnes.exe | C:\Windows\System\jZZVnes.exe |
| C:\Windows\System\UYzKvUK.exe | C:\Windows\System\UYzKvUK.exe |
| C:\Windows\System\hmlwyKM.exe | C:\Windows\System\hmlwyKM.exe |
| C:\Windows\System\hYnZHEU.exe | C:\Windows\System\hYnZHEU.exe |
| C:\Windows\System\JutyFTL.exe | C:\Windows\System\JutyFTL.exe |
| C:\Windows\System\pZAFoLC.exe | C:\Windows\System\pZAFoLC.exe |
| C:\Windows\System\gpkvmJA.exe | C:\Windows\System\gpkvmJA.exe |
| C:\Windows\System\CiPAHPK.exe | C:\Windows\System\CiPAHPK.exe |
| C:\Windows\System\JpBEIdc.exe | C:\Windows\System\JpBEIdc.exe |
| C:\Windows\System\CJSQZmp.exe | C:\Windows\System\CJSQZmp.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
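The signature tables in this report record hits without any indicator, so the observables an analyst can actually check are the ones in the Processes, Network and AdjustPrivilegeToken sections: executables dropped and run from C:\Windows\System\ with seven-letter names, repeated TCP connections to 3.120.209.58:8080, and SeLockMemoryPrivilege being enabled (the privilege XMRig requests so it can back its RandomX dataset with large pages). The following is an added example, not part of the report, that turns those three observables into detection rules and runs them over constructed Sysmon-style events. The event format, the rule names and the parent-child relationship between drops are assumptions: the report lists processes but not their parents.

```python
"""Detection rules for the observables this report records, run over
constructed Sysmon-style events. Added example, not part of the report."""
import re
from collections import Counter
from dataclasses import dataclass

# Observables taken from the report: the endpoint contacted repeatedly over
# TCP, the drop location C:\Windows\System\<seven letters>.exe, and the
# privilege enabled by the sample (XMRig requests SeLockMemoryPrivilege so it
# can back its RandomX dataset with large pages).
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROP_PATH_RE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
SUSPICIOUS_PRIVILEGES = {"SeLockMemoryPrivilege"}
# Assumption: lower-cased image paths allowed to hold SeLockMemoryPrivilege in
# your estate (database servers are the usual legitimate holders); empty here.
PRIVILEGE_ALLOWLIST = set()

KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line):
    """Turn a line of Key="value" pairs into a dict (assumed log format)."""
    return dict(KV_RE.findall(line))


def evaluate(events):
    """Apply the three rules to parsed events and return findings in order."""
    findings = []
    for ev in events:
        kind = ev.get("EventType")
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if kind == "ProcessCreate":
            if DROP_PATH_RE.match(image):
                findings.append(Finding("dropped_exe_in_windows_system", image, parent))
                # The report lists processes without parents; treating a drop
                # that spawns another drop as a chain is an assumption.
                if DROP_PATH_RE.match(parent):
                    findings.append(Finding("drop_chain", image, parent))
        elif kind == "NetworkConnect":
            dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", "0")))
            if dst in C2_ENDPOINTS:
                findings.append(Finding("known_c2_endpoint", image, f"{dst[0]}:{dst[1]}"))
        elif kind == "TokenRightAdjusted":  # Security event 4703, in this format
            priv = ev.get("Privilege", "")
            if priv in SUSPICIOUS_PRIVILEGES and image.lower() not in PRIVILEGE_ALLOWLIST:
                findings.append(Finding("lock_memory_privilege", image, priv))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f.rule for f in findings)


# Constructed events modelled on the behavioral2 process list, network table
# and AdjustPrivilegeToken rows; 'sample.exe' stands in for the long file name.
SAMPLE_EVENTS = [
    r'EventType="ProcessCreate" Image="C:\Users\Admin\AppData\Local\Temp\sample.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventType="TokenRightAdjusted" Image="C:\Users\Admin\AppData\Local\Temp\sample.exe" Privilege="SeLockMemoryPrivilege"',
    r'EventType="ProcessCreate" Image="C:\Windows\System\ugLpLxS.exe" ParentImage="C:\Users\Admin\AppData\Local\Temp\sample.exe"',
    r'EventType="ProcessCreate" Image="C:\Windows\System\SvBdyZX.exe" ParentImage="C:\Windows\System\ugLpLxS.exe"',
    r'EventType="NetworkConnect" Image="C:\Windows\System\ugLpLxS.exe" DestinationIp="3.120.209.58" DestinationPort="8080"',
    r'EventType="ProcessCreate" Image="C:\Windows\System32\svchost.exe" ParentImage="C:\Windows\System32\services.exe"',
    r'EventType="NetworkConnect" Image="C:\Windows\System32\svchost.exe" DestinationIp="8.8.8.8" DestinationPort="53"',
]


def run_sample():
    """Evaluate the constructed events; returns the findings list."""
    return evaluate(parse_event(line) for line in SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.rule:32} {finding.image}  {finding.detail}")
    print(dict(summarize(run_sample())))
```

The drop rule keys on location and name shape rather than on file hashes, because each of the 21 dropped executables in this report has a different hash. The token rule needs an allowlist before deployment: SeLockMemoryPrivilege is rare but legitimately used by software that wants large pages, and the sandbox's own sample.exe is the only holder in the constructed events.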
Files
memory/4764-0-0x00007FF728B90000-0x00007FF728EE4000-memory.dmp
memory/4764-1-0x000002381D9E0000-0x000002381D9F0000-memory.dmp
C:\Windows\System\ugLpLxS.exe
| MD5 | a4e78cdd162fe5cfa369b4e80416eb9d |
| SHA1 | b6f880421542c1c66903bfdb29e235208a105646 |
| SHA256 | 80eee1cdfe044d33a97841db2eb13134b3f2f8e5d6ad0bb7ffd55e8bcac1a20a |
| SHA512 | 08ddcab13fc2b6aabb19383bfab78c6083b59f4edf7f9ca26550354b88b6b25767abc2935547b8bd2c4d7a998e6ade1d5d7021920dd2477f67438c81ab0ece13 |
memory/4996-8-0x00007FF726670000-0x00007FF7269C4000-memory.dmp
C:\Windows\System\tbVkEyw.exe
| MD5 | bc420ae3ce972dd078a101adf40f8aa2 |
| SHA1 | b87fb43f5fba2ad04d23ad54b9102d760e5c190a |
| SHA256 | b1ae3de994fb71382c91296c2c75bda221d6343483d110e74df804d67a557840 |
| SHA512 | 1b7bbba91690036bc66cb4d6580a836a4ed545f16a9d7a8c6875850275774240af8b45889da6418a64aed6254a108bc68531ec54afb2d6e02ba965122697bd3f |
C:\Windows\System\SvBdyZX.exe
| MD5 | 69a7a53b9624898afea42f7f25e5a801 |
| SHA1 | 01904a2b788be6f2559e3e1bc6672274263b5f13 |
| SHA256 | d53117ba84ed16306d747169a6a0963c266515798744fcbc54f8205fbc66c168 |
| SHA512 | ffe052c07d612cf185080fb741d350c55b422b00a79cd436d82ede5e77a37195dab57bf19026627e08cab09dc5cd56fc14ef9ff1be69ddef299ca6b3e5a15f77 |
memory/4768-14-0x00007FF6A8570000-0x00007FF6A88C4000-memory.dmp
memory/2832-21-0x00007FF6D67A0000-0x00007FF6D6AF4000-memory.dmp
memory/1932-23-0x00007FF7E54C0000-0x00007FF7E5814000-memory.dmp
C:\Windows\System\nBoAcBG.exe
| MD5 | 3ab0520253a3e6344a13361d92ca442b |
| SHA1 | 29c72f87474cb9e58e21ce582bba277ba6cd25cf |
| SHA256 | a627e529b564d31f82b623950d65ea53bdcaa9980c7615a9b46f6db71bc2476d |
| SHA512 | ca36eafe31c431c1779833c4fbf515647efa80591eecbfb58cc12f8e23b0db9629b76904d58dba877dc4c074c5a3c9867b2eef5a7daf37cf061b01bcd7b88d34 |
C:\Windows\System\kNlZLir.exe
| MD5 | aa14b2a38e5492ebefac4658c3b8288e |
| SHA1 | 2b571264d20e42cfce6620f1e2d29c0ad5022a73 |
| SHA256 | 01c325aea2ea342df63a183a3b038dd1a4918ae745c29dbbb6f07de7e0f23a4a |
| SHA512 | a0a81ae276fce96669c8c4ff6be80fcfbf5eda614066b1e4c5611f003e570d521fa107adee5b8dd18e9e0f9deff884dcfd72b9ae750b2f1ad49735f38b487db6 |
memory/3344-32-0x00007FF6DC570000-0x00007FF6DC8C4000-memory.dmp
C:\Windows\System\rxoPrfM.exe
| MD5 | 83d189ccf7877bc215a7edef5dfaddf8 |
| SHA1 | 90e9b40f66236cf1fa7863e43507f531368681cf |
| SHA256 | 5463af9dded1221331300996148c25676ecbccf8c9f3bf2855da1b8fa5562fe9 |
| SHA512 | 1f6a564113b594217dd61fad7ef80b96354d608d5dc87290b10c7be889261785f7f0e8b46442b0d8b5d8e84b2061bef37e751b6fb0a70a9ce20aa33ac8edb4c4 |
memory/3688-38-0x00007FF7766D0000-0x00007FF776A24000-memory.dmp
C:\Windows\System\nGdQVYO.exe
| MD5 | 62bf12c0e4c2897a7bcd4961e5169f33 |
| SHA1 | 0b5530a1fd97600443d97b13c13d48786b677983 |
| SHA256 | 95ce733c769c87c91ddaea32047e56e0a4bd67003e0d83e513094580d31fc4c3 |
| SHA512 | cfab9827e87bf90d022d9c822a70730cee96b3a487123364514f6882fa3b46dd43f982ebbd3f428b1fe9e4d695e066377c3579fec8f3db4c2219e76a37ddd52b |
C:\Windows\System\uRGNDDe.exe
| MD5 | bdcc37fc6277d449522cc8968351f0d8 |
| SHA1 | 0be7923ac564168b15eb5dabde1a3621c053f80a |
| SHA256 | ed2d19715ea544fd9e0ec4a82bf00a601d9b355e8c0c8559c98872b3f8649eeb |
| SHA512 | a350f4c77383775466b9ae10a7588bbdd55fcaff682f253beba35f7562b16129bfac68f0808003f71f22648f996003ddaae07c0133907c8c6297dbc25a476a01 |
memory/968-48-0x00007FF797960000-0x00007FF797CB4000-memory.dmp
C:\Windows\System\LoErQCg.exe
| MD5 | 93038be59a956187ac8629138c4e55aa |
| SHA1 | f02538b5d8a2427d5617642d5c556b4fd19878cc |
| SHA256 | 8a44b23036415658c9d04ddf51f3d5e390035c384a442c96429e7a8403dbf35e |
| SHA512 | 3f1e902b1d4e393d870593fa83d1b02fe0f423a45543495ab2ef59a156cb600df6eee9c87ee30f0d5a32221d370806ed19954875a501fb4bd3c9214968045be8 |
memory/4312-45-0x00007FF617C40000-0x00007FF617F94000-memory.dmp
memory/4572-56-0x00007FF7B00A0000-0x00007FF7B03F4000-memory.dmp
C:\Windows\System\qJZdNby.exe
| MD5 | 5511501316d4ba406846a522d6ce8803 |
| SHA1 | fefc41fde5a0732dd355e209403c84fcf1bb8048 |
| SHA256 | 1198bf0e899d7bc4059bdb8f136fafbb2984a779019fee24e1a51f871afb3e6f |
| SHA512 | 369c9279bcdbb779057ec16b8e865dad32120c8c3853d037dae90e1785402b3223016fabf41f820817fc1e2e666fe83dfc7fffce11ff365bd7fa531b909034a3 |
memory/1108-70-0x00007FF673160000-0x00007FF6734B4000-memory.dmp
C:\Windows\System\jZZVnes.exe
| MD5 | 02e3ca95778bb1a6acfbf84c69b62d97 |
| SHA1 | 230d9e4f44c37b8eeaa8c95237859eaa5b2291ae |
| SHA256 | cda3dcae630f81df6c9fcde2af9267d99cb71a1804a1ffda480173c2a99a9edf |
| SHA512 | e61d4eb0abe878de732b5976d289f633fe1be527a0e605b7d0aeffef1e58477f96d7ce4532916e69a2a6fc35dd5540ac9bb423462e3febe3f2d315f877c82951 |
C:\Windows\System\UYzKvUK.exe
| MD5 | 996204e5890c9ffc67471e47d207b85c |
| SHA1 | d647be7feb6701c1c86e79212c142c15ac0837f0 |
| SHA256 | e46804689167eb8676016452a9f24312b6b3eb6c5e133c252c6f8314567e99e6 |
| SHA512 | d349221b135bb3b64746152e80f1f78ef0107b1e976cf4af925bd4b70b5a78d026510da8eb87bfa25519d1fefa5b62cd27755a11df9b9171253b2732e2766d26 |
C:\Windows\System\hmlwyKM.exe
| MD5 | bbfb472c8c8b26332c065ab842c68661 |
| SHA1 | 04440089cbe264c8a55945c722eb8d5333b1965b |
| SHA256 | b76f584f42045ee403eea15e5de72b72a9ca766cf4c28dfdd2c4e04fcb53c3c0 |
| SHA512 | 3451eb0c679c478d15ba721290218d6d726b417dedabf3569595fb0632012eec2d1cec5ac5781c9b9abef71d27415dc6662f2030d6fed29b964e7f747e77e8cd |
memory/4660-82-0x00007FF7EA130000-0x00007FF7EA484000-memory.dmp
memory/4580-86-0x00007FF7E6910000-0x00007FF7E6C64000-memory.dmp
memory/4768-83-0x00007FF6A8570000-0x00007FF6A88C4000-memory.dmp
memory/1284-81-0x00007FF733470000-0x00007FF7337C4000-memory.dmp
C:\Windows\System\LFUHVVN.exe
| MD5 | e7041aee17ef514918d8984ea0a0f68c |
| SHA1 | f43fe038475cbb240263b611da76faffa98fe163 |
| SHA256 | cd73abb338cb07df993cdba6e469ddda5afd30d270e1a34caee447f4e0baed9b |
| SHA512 | 66d5359de6b0dfbb04d99f6fbd468a12ce0eb9af8662697945f892dd07fbc8e8adfa84a5ad0b74f76b990cd34949e3411d2b097ada565e5b1d9d1ae836601206 |
memory/4764-68-0x00007FF728B90000-0x00007FF728EE4000-memory.dmp
memory/4376-60-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp
C:\Windows\System\hYnZHEU.exe
| MD5 | ab85d786f8647e25f7d6a5b5e83ba5fa |
| SHA1 | c17495067edcba9978e519dcf6caed5a3fdb98cb |
| SHA256 | b682c75d023dc49ce95d9220f91eaac4a403818c008e8fed664358c8c7ce98a0 |
| SHA512 | 9b6b2d644e23f4a5cfd98a7874a58a260b6b294b34e347806a5660470617633f8cd86d10760de826e896f65fca5a5152d56975b03b5aaf9fc1eaa83ab17cb3e5 |
memory/2832-93-0x00007FF6D67A0000-0x00007FF6D6AF4000-memory.dmp
C:\Windows\System\JutyFTL.exe
| MD5 | f995a8fbe74a280b323fb0fca76d50b0 |
| SHA1 | 1d73fbf2abee66496963faccd48b05ff473544e1 |
| SHA256 | b7492ec4d25c2a9e8505b1f686490dffaab324e65adbe72bc3704e75b614b003 |
| SHA512 | f125185d6f2cd5a48b0305283cf472478838c9005e901cac8204149ec7e30f68d847c03c86511385548b0ef4f1550490f8f8df76ef9933ea40211f1b5ec7c844 |
C:\Windows\System\pZAFoLC.exe
| MD5 | 63798d64e7824655ed8053dd3ddd30f5 |
| SHA1 | b62d16656f1a0147c2f6bbdf938b0dfd720fb8e8 |
| SHA256 | 07b31418a337335095a1c6a44409b6c120610810c1c04bf5bf4d9fbdd60ba0f2 |
| SHA512 | 55ab9f24e9c768415da6b34c6cf0f0bbb591f2851483c07b1712230485a2bc1e68368f80f6883bd98c67bac3c4c42ed52cc57f7bccdbd1e474f3d3ed5cafa583 |
memory/3688-111-0x00007FF7766D0000-0x00007FF776A24000-memory.dmp
C:\Windows\System\CiPAHPK.exe
| MD5 | cae9279ffaf7f0a33f3833d6bea101b9 |
| SHA1 | ec1f6f4e00eccb370676b2f0dc293e25165c7bcd |
| SHA256 | c0b516f3cc7a653bf8c74b9a368c61e3f96c3bd22d0b5b799943a7479aea42b0 |
| SHA512 | da0bfa48aa86ce6665fc2164cd89eefd8de360af6667c8eb99904c6a12ace3f336ed792ac20d6020f9fbcd805a529b31274bde09fc9a1b6ddbbe72fe62196ae5 |
C:\Windows\System\gpkvmJA.exe
| MD5 | 172f547dfae036cf7cbee18a44eed717 |
| SHA1 | 267889c8c399449c12f13fe1787cf67b212803fc |
| SHA256 | 7736fc1a168aefc46eca7fe57a722ce57561d5ca5a13d58a4a974f4649ba86c9 |
| SHA512 | 48acc7650c8a0190234cbbf15d0feb5e926b723e7dbc8cb51cdff527217465756a35d60f3ad9944ad7605cec2d96213c68094bf16dae94f6570a6e371d97cfe8 |
memory/4308-105-0x00007FF6B86E0000-0x00007FF6B8A34000-memory.dmp
memory/4392-101-0x00007FF7656B0000-0x00007FF765A04000-memory.dmp
memory/1932-96-0x00007FF7E54C0000-0x00007FF7E5814000-memory.dmp
memory/1080-119-0x00007FF77CC50000-0x00007FF77CFA4000-memory.dmp
memory/4844-124-0x00007FF70F9D0000-0x00007FF70FD24000-memory.dmp
memory/1984-129-0x00007FF675810000-0x00007FF675B64000-memory.dmp
C:\Windows\System\JpBEIdc.exe
| MD5 | 258d3fd84bee986440e9739775e579df |
| SHA1 | ab6c6903f06c69d4349206ad21d0c005cec5babd |
| SHA256 | d2b8722d496ae48ab69b8c468041ccfad4f6350ffe4b4fb3bf0b14c3bbcea7fb |
| SHA512 | 07f637b50be6c8c683858b55e7c9e9f89295e35050fcf443ec2ce7da2907836f19ea4ce040d400119c861a50aab61e6f15092c24729b8674053d5e8a40803aee |
C:\Windows\System\CJSQZmp.exe
| MD5 | 6532831afc59b8b8fa9188bcf37e1e57 |
| SHA1 | 501d9b07dca60e9f3b671696e30e54630637be49 |
| SHA256 | 0bd4e88b51938d85c763c02dd00ee4dc6130ea6bc7dedfb092d6e3d423038589 |
| SHA512 | 0f8de1af61063c48043e2a77fa8f6dc70343cfa4b0b52554d01a79995055e1f933bde98404ef521d0c23cb2b120293e636e8b18644cba884bffc7fc986baa332 |
memory/968-125-0x00007FF797960000-0x00007FF797CB4000-memory.dmp
memory/4760-121-0x00007FF60BD50000-0x00007FF60C0A4000-memory.dmp
memory/4788-133-0x00007FF7CE1B0000-0x00007FF7CE504000-memory.dmp
memory/4376-134-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp
memory/1108-135-0x00007FF673160000-0x00007FF6734B4000-memory.dmp
memory/4660-136-0x00007FF7EA130000-0x00007FF7EA484000-memory.dmp
memory/4580-137-0x00007FF7E6910000-0x00007FF7E6C64000-memory.dmp
memory/1984-138-0x00007FF675810000-0x00007FF675B64000-memory.dmp
memory/4996-139-0x00007FF726670000-0x00007FF7269C4000-memory.dmp
memory/4768-140-0x00007FF6A8570000-0x00007FF6A88C4000-memory.dmp
memory/2832-141-0x00007FF6D67A0000-0x00007FF6D6AF4000-memory.dmp
memory/3344-143-0x00007FF6DC570000-0x00007FF6DC8C4000-memory.dmp
memory/1932-142-0x00007FF7E54C0000-0x00007FF7E5814000-memory.dmp
memory/3688-144-0x00007FF7766D0000-0x00007FF776A24000-memory.dmp
memory/4312-145-0x00007FF617C40000-0x00007FF617F94000-memory.dmp
memory/4572-147-0x00007FF7B00A0000-0x00007FF7B03F4000-memory.dmp
memory/968-146-0x00007FF797960000-0x00007FF797CB4000-memory.dmp
memory/4376-148-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp
memory/1284-150-0x00007FF733470000-0x00007FF7337C4000-memory.dmp
memory/1108-149-0x00007FF673160000-0x00007FF6734B4000-memory.dmp
memory/4580-151-0x00007FF7E6910000-0x00007FF7E6C64000-memory.dmp
memory/4660-152-0x00007FF7EA130000-0x00007FF7EA484000-memory.dmp
memory/4392-154-0x00007FF7656B0000-0x00007FF765A04000-memory.dmp
memory/4308-153-0x00007FF6B86E0000-0x00007FF6B8A34000-memory.dmp
memory/1080-155-0x00007FF77CC50000-0x00007FF77CFA4000-memory.dmp
memory/4844-157-0x00007FF70F9D0000-0x00007FF70FD24000-memory.dmp
memory/4760-156-0x00007FF60BD50000-0x00007FF60C0A4000-memory.dmp
memory/4788-158-0x00007FF7CE1B0000-0x00007FF7CE504000-memory.dmp
memory/1984-159-0x00007FF675810000-0x00007FF675B64000-memory.dmp
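Two things in the Files list are worth checking mechanically rather than by eye: every image-sized dump range above spans 0x354000 bytes regardless of PID, and none of the 21 dropped executables shares a hash with another. The parser below is an added example, not part of the report; REPORT_EXCERPT is a constructed subset of the Files entries above (SHA512 rows omitted), and the record layout and function names are this example's own.

```python
"""Parser for the Files section of this report, plus two checks on what it
parses. Added example, not part of the report."""
import hashlib
import re
from collections import Counter

# Constructed subset of the behavioral2 Files entries above; SHA512 rows omitted.
REPORT_EXCERPT = r"""
memory/4764-0-0x00007FF728B90000-0x00007FF728EE4000-memory.dmp
memory/4764-1-0x000002381D9E0000-0x000002381D9F0000-memory.dmp
C:\Windows\System\ugLpLxS.exe
| MD5 | a4e78cdd162fe5cfa369b4e80416eb9d |
| SHA1 | b6f880421542c1c66903bfdb29e235208a105646 |
| SHA256 | 80eee1cdfe044d33a97841db2eb13134b3f2f8e5d6ad0bb7ffd55e8bcac1a20a |
memory/4996-8-0x00007FF726670000-0x00007FF7269C4000-memory.dmp
C:\Windows\System\tbVkEyw.exe
| MD5 | bc420ae3ce972dd078a101adf40f8aa2 |
| SHA1 | b87fb43f5fba2ad04d23ad54b9102d760e5c190a |
| SHA256 | b1ae3de994fb71382c91296c2c75bda221d6343483d110e74df804d67a557840 |
C:\Windows\System\SvBdyZX.exe
| MD5 | 69a7a53b9624898afea42f7f25e5a801 |
| SHA1 | 01904a2b788be6f2559e3e1bc6672274263b5f13 |
| SHA256 | d53117ba84ed16306d747169a6a0963c266515798744fcbc54f8205fbc66c168 |
memory/4768-14-0x00007FF6A8570000-0x00007FF6A88C4000-memory.dmp
"""

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# | MD5 | <hex> |   (one row per algorithm, following the file path line)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files_section(text):
    """Return (files, dumps): hash records per dropped file and dump ranges."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": start, "end": end, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            alg, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HEX_LEN[alg]:
                raise ValueError(f"bad {alg} length for {current['path']}")
            current[alg] = digest
            continue
        current = {"path": line}  # any other non-empty line starts a file record
        files.append(current)
    return files, dumps


def image_dump_sizes(dumps):
    """Histogram of dump sizes: one size recurring across PIDs means the same
    mapped image was dumped from each dropped process."""
    return Counter(d["size"] for d in dumps)


def distinct_digests(files, alg="sha256"):
    """Set of distinct digests for one algorithm across all file records."""
    return {f[alg] for f in files if alg in f}


def check_file(record, data):
    """Compare file bytes against every digest the report recorded for it."""
    return {alg: hashlib.new(alg, data).hexdigest() == record[alg]
            for alg in ("md5", "sha1", "sha256", "sha512") if alg in record}


if __name__ == "__main__":
    files, dumps = parse_files_section(REPORT_EXCERPT)
    print(f"{len(files)} files, {len(distinct_digests(files))} distinct SHA256")
    for size, n in image_dump_sizes(dumps).items():
        print(f"dump size {size:#x}: {n} ranges")
```

Run against the full Files section, the size histogram shows every executable-image dump at 0x354000 bytes and the digest set has one entry per dropped file, which is why the report's individual hashes are weak blocking material and the drop path, mapped image size and behaviour are the durable indicators. check_file is the piece to reuse on a live host: feed it the bytes of anything found under C:\Windows\System\ and compare against the parsed records.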
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 01:38
Reported
2024-06-10 01:41
Platform
win7-20240221-en
Max time kernel
137s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
37 hits; no description, indicator, process or target recorded.
XMRig Miner payload
53 hits; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HGESRAf.exe | N/A |
| N/A | N/A | C:\Windows\System\onblGCn.exe | N/A |
| N/A | N/A | C:\Windows\System\VuqEMwQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BVIXqxB.exe | N/A |
| N/A | N/A | C:\Windows\System\zNUYKPt.exe | N/A |
| N/A | N/A | C:\Windows\System\JzGTDKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\biRxhbj.exe | N/A |
| N/A | N/A | C:\Windows\System\LNfIxmf.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBzFzcU.exe | N/A |
| N/A | N/A | C:\Windows\System\FQtmdlt.exe | N/A |
| N/A | N/A | C:\Windows\System\BUiTyAK.exe | N/A |
| N/A | N/A | C:\Windows\System\myTFoyO.exe | N/A |
| N/A | N/A | C:\Windows\System\UhXHwCz.exe | N/A |
| N/A | N/A | C:\Windows\System\DjfFgAX.exe | N/A |
| N/A | N/A | C:\Windows\System\CEIrmuj.exe | N/A |
| N/A | N/A | C:\Windows\System\bRIbTDi.exe | N/A |
| N/A | N/A | C:\Windows\System\iPPPfeh.exe | N/A |
| N/A | N/A | C:\Windows\System\wjxooWM.exe | N/A |
| N/A | N/A | C:\Windows\System\BBjXywO.exe | N/A |
| N/A | N/A | C:\Windows\System\djvCTwf.exe | N/A |
| N/A | N/A | C:\Windows\System\JmgTmOn.exe | N/A |
Loads dropped DLL
UPX packed file
52 hits; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_134e5e0ecfc381991eea55fe017ccfdd_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\HGESRAf.exe | C:\Windows\System\HGESRAf.exe |
| C:\Windows\System\onblGCn.exe | C:\Windows\System\onblGCn.exe |
| C:\Windows\System\VuqEMwQ.exe | C:\Windows\System\VuqEMwQ.exe |
| C:\Windows\System\BVIXqxB.exe | C:\Windows\System\BVIXqxB.exe |
| C:\Windows\System\zNUYKPt.exe | C:\Windows\System\zNUYKPt.exe |
| C:\Windows\System\JzGTDKJ.exe | C:\Windows\System\JzGTDKJ.exe |
| C:\Windows\System\biRxhbj.exe | C:\Windows\System\biRxhbj.exe |
| C:\Windows\System\ZBzFzcU.exe | C:\Windows\System\ZBzFzcU.exe |
| C:\Windows\System\LNfIxmf.exe | C:\Windows\System\LNfIxmf.exe |
| C:\Windows\System\BUiTyAK.exe | C:\Windows\System\BUiTyAK.exe |
| C:\Windows\System\FQtmdlt.exe | C:\Windows\System\FQtmdlt.exe |
| C:\Windows\System\bRIbTDi.exe | C:\Windows\System\bRIbTDi.exe |
| C:\Windows\System\myTFoyO.exe | C:\Windows\System\myTFoyO.exe |
| C:\Windows\System\iPPPfeh.exe | C:\Windows\System\iPPPfeh.exe |
| C:\Windows\System\UhXHwCz.exe | C:\Windows\System\UhXHwCz.exe |
| C:\Windows\System\BBjXywO.exe | C:\Windows\System\BBjXywO.exe |
| C:\Windows\System\DjfFgAX.exe | C:\Windows\System\DjfFgAX.exe |
| C:\Windows\System\djvCTwf.exe | C:\Windows\System\djvCTwf.exe |
| C:\Windows\System\CEIrmuj.exe | C:\Windows\System\CEIrmuj.exe |
| C:\Windows\System\JmgTmOn.exe | C:\Windows\System\JmgTmOn.exe |
| C:\Windows\System\wjxooWM.exe | C:\Windows\System\wjxooWM.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\HGESRAf.exe
| MD5 | 58f2cd684f152333a60b0d34bcdaa4fd |
| SHA1 | 773a78e11e0b1830514f363f74def1474c14fed6 |
| SHA256 | b1eff3967f2ebd97ead74bb29d8b81c5c912dd458f130541d4281db00b841828 |
| SHA512 | d61fbaf8b1ada272a39e84ad9ce1b65f2eba158f5e0ce5cefc71fff244dfa4db1eb1e8d8d69f289fcca5b02f25f9f0fead892c90e882d8c1c9e309d5058cd82e |
\Windows\system\onblGCn.exe
| MD5 | d99d174b84b1bd8a4effe2536623325f |
| SHA1 | b5d9afc557a1832a5fa097adac8a2ed0d0678980 |
| SHA256 | f1b183d9fd83a9baeb5c41803d03640a80493abf835f30d084774e1ffe0cc32e |
| SHA512 | 8f7f87c7760cf41cfedf8afc715c8da1a674f9a654d4ef52aef570b7c5973a85ef581bd6860d49219ba92e4b9a6b789564a77a0dc30046283069a691351d2541 |
C:\Windows\system\BVIXqxB.exe
| MD5 | f9bcdfd233d4aedd7f75fb26c432e09f |
| SHA1 | b23a19323f92ce1c8b26d9d908d4501adbce2edf |
| SHA256 | 81329595d59f692828ec79f1e9fff7da24418a0afb77c3e7083e949b89abad2f |
| SHA512 | 5b80f8809e5bceb8e2848ba9bf152dc0f34ccf2398d1981f5b416148345cbb3c6003c21ded246c8dda4253cb5d3f7d60e22d697771df858b8ec27aea08dceca4 |
\Windows\system\zNUYKPt.exe
| MD5 | 25624ca23221c712770d77d9aecfc94d |
| SHA1 | 2f1ba1bb3ec7a853e3089c7e3b40e8716cfdafa4 |
| SHA256 | 93478d6b4a7045328552dedcc300cb146a601268adad7f5bc258bf37b5a62ca8 |
| SHA512 | 9e6214f6435c9ed69c677dd914349da5d7e4eb4372cc78afaf841cf7cf270e0721aadbc2b77d9d0e5d174b63a8964ff76600bc78776f67d273028e5a91b53055 |
C:\Windows\system\VuqEMwQ.exe
| MD5 | f83b915e1e24894e4d3d6badf76c47d1 |
| SHA1 | 639c212cca7d57e38589f7176dd1b1684b027f34 |
| SHA256 | 003d6c46a45b2c2a3f02d6ff375f0ce7adb960b06af52108c8f583c24842c483 |
| SHA512 | 559cc7ccdc244dbc405cafd3e3c24d81d83c51446b9bbdc682e31af712e6a9f90a4771acb8e4ac7ebf04ef45e8f76092aa7748bcdd5a364c465609b860a1c4be |
C:\Windows\system\ZBzFzcU.exe
| MD5 | b61663c6e5c95c90005a10818ad04dde |
| SHA1 | f9bbccb29c439cfcffe8e91170b4fc45b4024dfa |
| SHA256 | 558cdadc51ed56d63b32eac80d12b48792b36ea84f445131529f591571f30e7d |
| SHA512 | 7c9df3915f5bc3a7985ff999c3c57c600bd68734f0e0d0a2fe3d230654050463ac18a3d8ef000f1c7df1ff4bc503f3c2f8bdc0030cb37cf95005510d76948641 |
C:\Windows\system\LNfIxmf.exe
| MD5 | 9f42f719982f19bde99dcc643d34c2a4 |
| SHA1 | c7d53d9dcec6101d1dd0eac20abdc6079d466d51 |
| SHA256 | 60aa864e65ac78c9139aea380343dd93aec0a097a3c91f81a49e799f3fe35293 |
| SHA512 | c65f40122ec75ca9aee0ddc5cba6a68a62600c0fc2ee0661d5b67858ba2fdf1a8bec9eb657a03870ffe6395e76348ed5f3101e3065b87cb59d5b1a0172396085 |
C:\Windows\system\myTFoyO.exe
| MD5 | 480ebb265c8c8b31e34aaf4b48405911 |
| SHA1 | 2f1ba29f911a292f1a8b91cc21420981a7c49368 |
| SHA256 | 0ba6d0a6a3d9e9f2d1152cbf7372b55b9e3f06772462f81ff283dbcd6fa8f092 |
| SHA512 | 4e5462056291bda68a2d1cc99b20cd136f6788347593491da2d48e7030b9a272263f157a3c5b14ee7637153a4b0b3ad8d0d699451a628e6d7e540753c7d7879f |
\Windows\system\JmgTmOn.exe
| MD5 | 0a57b43f3f20ac327599a2b9c2503c28 |
| SHA1 | 8ab2add71368c26c891e200e8dc58579b9aa3e43 |
| SHA256 | e19c89c8f0d04527d0bf5437900875516a6d2070821c5d0fa12cec0a9a589173 |
| SHA512 | afcc391efe83ba7d9345d2027193033f31fb3be646e5f48d0e269480d2fd3b40a8b418e75cca4b3b351c8a4632e09e10f7393d1b54fabbff00fa57188401544f |
C:\Windows\system\DjfFgAX.exe
| MD5 | e86b8b7355c66f281211091a937ed308 |
| SHA1 | 395f57e0cffd55c60806fd90d9a52ea09879d8ff |
| SHA256 | 0aeec469527cf0b56136684d576f8c5f7cd9c06f4eccc32f8a2144e22fa662d0 |
| SHA512 | 0ea7b1f4ad8c5b07e7f1f59a20d3d788e9bda9e716c569bc73ea7db4d3de273b95c45b5c16b3800233f9086a0b1faaef8d54d3403142d4a62b3776ee5e269275 |
\Windows\system\djvCTwf.exe
| MD5 | 075020d56bc0f832b761d608596458bc |
| SHA1 | ba73dc48417bfc62ff94951855fe8d385bfb6d3c |
| SHA256 | 4e88384bdb900ac11a4c06f83765519317db35e3feba5113583e230559938865 |
| SHA512 | 27026925d349c44c314672d97e29fc0cc1b6a2d82223c0be4a9fbf2e39d8dc7a68a10ad817b3f5460b13e0365d932dc5cf5a5287c65dbc013634cc453891ca47 |
\Windows\system\BBjXywO.exe
| MD5 | cf56e59a5f56b2fc8b96de897c5bdeff |
| SHA1 | cd370916373c5ea321aece4ccef7401056274eef |
| SHA256 | f58eff14a79fe847a1c8ded7b03eb4797721735757c22f102cf5440d60f262c2 |
| SHA512 | a9d4628dbc39ac29a42b07c306444752684a3c33713e8386c4ecdce595480dfe663829232daa8b0b8adf93bd75086abfc466781b38fa784bce142b78d1562b1d |
C:\Windows\system\wjxooWM.exe
| MD5 | c3c16666b8f8e771bc5500a2d8a0795b |
| SHA1 | 54f350edb236d9163a8c8a5eda4ebad7c7a1b25d |
| SHA256 | 7687e4886a5071cb8cbe7e68ff474ea9cce46ad33dcc5b8eadabe162878a1422 |
| SHA512 | 54b4e4fe23404d8590b3ae0b5634b0bb72afd6ad6d320981fd040852b210897e36652bc473fb3ea7ec893e216bbce791ac297221c8f6d5d3066fbade850a5d46 |
C:\Windows\system\iPPPfeh.exe
| MD5 | 32e348e02d7e1f5471d82301b4184938 |
| SHA1 | e9fb09eea2b57372899629b528ee6c4742c0611a |
| SHA256 | 4c30baee276bba20ea2a95dc065a6d72fb0ec1eea23b696a09867fc9675f09c9 |
| SHA512 | 9589fd82d6743432b10f276bca0e66902c3d5e4cf1e18eae946b406daba55448439928374332677a71c06fa66a7819b3893c129e43222b5ecce5162991190348 |
C:\Windows\system\bRIbTDi.exe
| MD5 | bf752aec4f56bce0e395f498286a7b4f |
| SHA1 | 9d490f85f292aca86419cc780ebab8520ae5c96c |
| SHA256 | 9ba40dfe7c716b1f984e8a7dd2559e09ea5d9f283c902bb37c2b51507e7a09d2 |
| SHA512 | 594796219057a7fac050b358e28e3eaa69b7e2e00d22ddf117ac38cf25a1fac7b8ad4ace0cd294015af7c2e35214a99fb2adf75725629ace38189219587de436 |
C:\Windows\system\BUiTyAK.exe
| MD5 | 06f88b4045f17aecfa49dc4a45394b9a |
| SHA1 | 187c39207534481017933fba62f096038fc8184f |
| SHA256 | a846d3eb311a2a6f96d96af73b267e856e8dc7a1731c5c4ac1901dbddda5da57 |
| SHA512 | 828418cb322fb328e9d8759dac2d5a0d99ecdae0f369aba4ed23c840c01768abb1d6eddba1200dfb8b7d03137483a6aee44179b4448d17371f37fcb9023f207b |
C:\Windows\system\CEIrmuj.exe
| MD5 | e8e4860a21df1e8298371708c3eea0fb |
| SHA1 | 675696560bab9c3e53c4359db9ee86f486445364 |
| SHA256 | 229b4e9159d75d2fda6910156ab33dc3991218ec91361df42a8f8e772b81af92 |
| SHA512 | 781c4d310b62655725e3e06b9e20c21d91e161ba778426abbd054e1377ff3198934b3b9df4f7c0160e97954fcb3c48078c287a10d33b1058a7505f94571260a4 |
C:\Windows\system\UhXHwCz.exe
| MD5 | 7b505a7d9ce4a65639e1965adbc5ccd6 |
| SHA1 | b2e65982da875e1fa2216218d672d76c0e5700cf |
| SHA256 | 65d2191d2004bcebabdf4908ae64385f280eab4a9d2bae44eafc891a800a8abb |
| SHA512 | 96940180aa105e2a1d5f74527bfe84b51087ce1475bc90d718d087b049b967b4395862c6c079d89758aa0e840f2c2fcc3d73e4e284a09179507d590712f1e6c5 |
C:\Windows\system\FQtmdlt.exe
| MD5 | 71308f16bf2b568db09e60ae402425f8 |
| SHA1 | ee80b99258375cc84108dc998496e27997657978 |
| SHA256 | 59fbc0482758c07fb84fd989289a80b550fa3a2d67ef5968768a173e60bd405f |
| SHA512 | 9ad8ce1188d84327081c181c99ccbf277eada12671d3621b9c5942f4feac178d91a05e68cfbfd8aa800bed33d0fc0e4048a404d66511fb761e517b6f98c29455 |
C:\Windows\system\biRxhbj.exe
| MD5 | 02040d8978e84f9d3d2de1f3786cf4e8 |
| SHA1 | a29ef10ea67042718f313fa5e5745f788a66b515 |
| SHA256 | 356258f570bf70d6745c0fcf4ca36c0d5cfc4224109aa8efcbd05700072f6c57 |
| SHA512 | 338e6e76b0cf543f076c87f860381ed3d89a64c04b3666b7d68a7389e0eebbd1f2f766eda563afc0004e9a0bd645d175626d602d2b0142c034cb311a61ea1f23 |
C:\Windows\system\JzGTDKJ.exe
| MD5 | 5ccfc0abd734e4b5d863c560fa80f704 |
| SHA1 | a49b44e48cdaa76c8d04b139fe06206f3fc3828e |
| SHA256 | e2485aa6c745f3b644adf324c3b35e38914103588bd2d6bda95d60306b734a4a |
| SHA512 | 7da9aeb73320d5c91b277aef2e0b7fb91eb22f602541b994647b6e722efa37384b6c2d07f3799a68abadbeed772c558690b93379d4c5874d4f7293982793cedc |