Analysis Overview
SHA256
12c0ac6bdb93eeb72f99fb6422728326bf1aaef955c141e88018dd50fd7f70c6
Threat Level: Known bad
The file 2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-11 12:45
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 12:45
Reported
2024-06-11 12:48
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; description, indicator, process and target are N/A for every row.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; description, indicator, process and target are N/A for every row.
UPX dump on OEP (original entry point)
64 matches recorded; description, indicator, process and target are N/A for every row.
XMRig Miner payload
64 matches recorded; description, indicator, process and target are N/A for every row.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vcIFFpV.exe | N/A |
| N/A | N/A | C:\Windows\System\pEcfLds.exe | N/A |
| N/A | N/A | C:\Windows\System\aSmYrgL.exe | N/A |
| N/A | N/A | C:\Windows\System\ImUDTsY.exe | N/A |
| N/A | N/A | C:\Windows\System\yWvnMRB.exe | N/A |
| N/A | N/A | C:\Windows\System\zXHHIsO.exe | N/A |
| N/A | N/A | C:\Windows\System\aFfhoGU.exe | N/A |
| N/A | N/A | C:\Windows\System\nqyezdf.exe | N/A |
| N/A | N/A | C:\Windows\System\KDKrVIm.exe | N/A |
| N/A | N/A | C:\Windows\System\olNSvxY.exe | N/A |
| N/A | N/A | C:\Windows\System\fNeDOvN.exe | N/A |
| N/A | N/A | C:\Windows\System\SJFofyn.exe | N/A |
| N/A | N/A | C:\Windows\System\qXAYasL.exe | N/A |
| N/A | N/A | C:\Windows\System\gDPLRmx.exe | N/A |
| N/A | N/A | C:\Windows\System\CSgOMRN.exe | N/A |
| N/A | N/A | C:\Windows\System\mpkfSBW.exe | N/A |
| N/A | N/A | C:\Windows\System\mnyUEaI.exe | N/A |
| N/A | N/A | C:\Windows\System\XvXMOVE.exe | N/A |
| N/A | N/A | C:\Windows\System\NXKvCeB.exe | N/A |
| N/A | N/A | C:\Windows\System\iRUaRyn.exe | N/A |
| N/A | N/A | C:\Windows\System\PZQAoQJ.exe | N/A |
UPX packed file
64 matches recorded; description, indicator, process and target are N/A for every row.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the right to lock pages in physical memory, which Windows requires before a process can allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it to back its RandomX dataset with huge pages for a higher hash rate, so an unsigned binary running from the user's Temp directory enabling this token fits the XMRig payload detected above. Legitimate requesters on a given host are few and predictable (database engines and hypervisors configured for large pages), which makes this event a good hunting pivot.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vcIFFpV.exe
C:\Windows\System\vcIFFpV.exe
C:\Windows\System\pEcfLds.exe
C:\Windows\System\pEcfLds.exe
C:\Windows\System\aSmYrgL.exe
C:\Windows\System\aSmYrgL.exe
C:\Windows\System\ImUDTsY.exe
C:\Windows\System\ImUDTsY.exe
C:\Windows\System\yWvnMRB.exe
C:\Windows\System\yWvnMRB.exe
C:\Windows\System\zXHHIsO.exe
C:\Windows\System\zXHHIsO.exe
C:\Windows\System\aFfhoGU.exe
C:\Windows\System\aFfhoGU.exe
C:\Windows\System\nqyezdf.exe
C:\Windows\System\nqyezdf.exe
C:\Windows\System\KDKrVIm.exe
C:\Windows\System\KDKrVIm.exe
C:\Windows\System\olNSvxY.exe
C:\Windows\System\olNSvxY.exe
C:\Windows\System\fNeDOvN.exe
C:\Windows\System\fNeDOvN.exe
C:\Windows\System\SJFofyn.exe
C:\Windows\System\SJFofyn.exe
C:\Windows\System\qXAYasL.exe
C:\Windows\System\qXAYasL.exe
C:\Windows\System\gDPLRmx.exe
C:\Windows\System\gDPLRmx.exe
C:\Windows\System\CSgOMRN.exe
C:\Windows\System\CSgOMRN.exe
C:\Windows\System\mpkfSBW.exe
C:\Windows\System\mpkfSBW.exe
C:\Windows\System\mnyUEaI.exe
C:\Windows\System\mnyUEaI.exe
C:\Windows\System\XvXMOVE.exe
C:\Windows\System\XvXMOVE.exe
C:\Windows\System\NXKvCeB.exe
C:\Windows\System\NXKvCeB.exe
C:\Windows\System\iRUaRyn.exe
C:\Windows\System\iRUaRyn.exe
C:\Windows\System\PZQAoQJ.exe
C:\Windows\System\PZQAoQJ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to this single endpoint were recorded; no domain is associated with it.
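The process list and network table above describe a short chain: the sample, running from the user's Temp directory, drops twenty-one seven-letter mixed-case executables into the legacy C:\Windows\System directory (not System32), starts each one, and the run reaches 3.120.209.58:8080 over TCP. The Python below is an added detection example written for this page, not the sandbox vendor's code: it evaluates that chain over a handful of constructed, Sysmon-like process-creation and network events. The event dictionary schema, the PIDs, the benign svchost.exe control event and the fan-out threshold are assumptions made for the example; the image paths and the endpoint are those recorded above.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-like events (eid 1 = process create, eid 3 = network connect).
# The dict schema and the PIDs are assumptions made for this example; the image
# paths and the endpoint are the ones recorded in the behavioral2 run above.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe")

SAMPLE_EVENTS = [
    {"eid": 1, "pid": 1001, "image": PARENT, "parent_image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 1002, "image": r"C:\Windows\System\vcIFFpV.exe", "parent_image": PARENT},
    {"eid": 1, "pid": 1003, "image": r"C:\Windows\System\pEcfLds.exe", "parent_image": PARENT},
    {"eid": 1, "pid": 1004, "image": r"C:\Windows\System\aSmYrgL.exe", "parent_image": PARENT},
    # Benign control: a System32 service host started by services.exe, outbound on 443.
    {"eid": 1, "pid": 1005, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"eid": 3, "pid": 1002, "image": r"C:\Windows\System\vcIFFpV.exe",
     "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"eid": 3, "pid": 1005, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "20.50.0.1", "dst_port": 443},
]

# A 7-letter mixed-case .exe directly under <drive>:\Windows\System (the legacy
# directory; the backslash after "System" keeps System32 and SystemApps from matching).
LEGACY_SYSTEM_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
KNOWN_C2 = ("3.120.209.58", 8080)   # endpoint from the Network table above
FANOUT_THRESHOLD = 3                 # distinct dropped children per Temp-resident parent (assumed)


def detect(events):
    """Return (rule, pid, detail) findings for the drop, execute, connect chain."""
    findings = []
    children_by_parent = defaultdict(set)
    dropped_images = set()

    for ev in events:
        if ev["eid"] == 1 and LEGACY_SYSTEM_EXE.match(ev["image"]):
            findings.append(("legacy_system_dir_exe", ev["pid"], ev["image"]))
            dropped_images.add(ev["image"].lower())
            if TEMP_DIR.search(ev["parent_image"]):
                children_by_parent[ev["parent_image"]].add(ev["image"].lower())

    for parent, kids in children_by_parent.items():
        if len(kids) >= FANOUT_THRESHOLD:
            findings.append(("temp_parent_fanout", None,
                             f"{parent} started {len(kids)} distinct dropped EXEs"))

    for ev in events:
        if ev["eid"] != 3:
            continue
        endpoint = f'{ev["dst_ip"]}:{ev["dst_port"]}'
        if (ev["dst_ip"], ev["dst_port"]) == KNOWN_C2:
            findings.append(("known_c2_endpoint", ev["pid"], endpoint))
        elif ev["image"].lower() in dropped_images:
            # Any outbound connection from a freshly dropped image is worth a look.
            findings.append(("dropped_exe_outbound", ev["pid"], endpoint))

    return findings


def rule_counts(events):
    """Number of findings per rule, convenient for asserting on a detonation."""
    counts = defaultdict(int)
    for rule, _, _ in detect(events):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The fan-out rule is the one that survives renaming: the seven-letter pattern and the IP are specific to this sample, whereas a Temp-resident parent starting several freshly created executables out of a Windows directory is the behaviour the "Drops file in Windows directory" and "Executes dropped EXE" signatures summarise.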
Files
memory/3664-0-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp
memory/3664-1-0x0000023B727B0000-0x0000023B727C0000-memory.dmp
C:\Windows\System\vcIFFpV.exe
| MD5 | 02cb1d80691f528c9f2a8fc9b9395575 |
| SHA1 | 586ccb37f97a757dba2f38014adae50904f15528 |
| SHA256 | 59a244156863bd687c83b3238e4c243cdecaa83757d7be957558bf311d6ddc88 |
| SHA512 | 9e15a5486d9fbc920304b9d34f4788b51509f87bd60dbfccce01514aac40b34179e3737d9609826755785f4306399c1647d4bcdc0d119c325fb9da3378f8131b |
C:\Windows\System\pEcfLds.exe
| MD5 | 50d69650b5688989ac9fd2457d3a0bca |
| SHA1 | d4d18c8d93392caa423c9bca633a6fb13b631169 |
| SHA256 | ae0c5655978d36af69651695f1b306432a32b796a781dd4b48d577192659c2bf |
| SHA512 | c45a1238bfd22088c5e027860d8a4114e2b01130770247e0f9d975137a25577ad8543a8f957c09a28468fd4ccecbfb4e26305a93e511ade3955e53f44bcddcff |
C:\Windows\System\ImUDTsY.exe
| MD5 | 8da72d7ce1959bec520771766a3fc681 |
| SHA1 | 4aeb88019d6aaecf02cb5c39a35623e80d49143a |
| SHA256 | 90838bd58ab6a1e9e5ed70580574c06e3531c69fd489a81187a8af99dfbe8e67 |
| SHA512 | 69f519c5debe2bb72c74aff3ddbc1a0c4f667864dc7387e6427ac5df682e3bb01ea43bc8369117ec5a15405d8f4b1af4d9fcb7d32d070d8bbc6b376051b6d78f |
memory/1012-26-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp
C:\Windows\System\yWvnMRB.exe
| MD5 | 52813bcfeacfef3ad71f3ff8d8422758 |
| SHA1 | 7cc05b8b4c75a9801c5ae334e64cc5e28baf15a7 |
| SHA256 | d0352dd5c6f707c926f259a5a958305f6274f5e9699bf5bdd675ed188a2de58b |
| SHA512 | d5dcadfe71dde49413cadc5881afdc33399854c15f56733320e399c0591c2d25b713b1ccf6884835b9a9f1b1ca2db5ef4204ef893145ed9db21c75fd07716d2d |
C:\Windows\System\zXHHIsO.exe
| MD5 | 762c2f62c078b646869b5a9250792e48 |
| SHA1 | a85cd28d0d5b7bf408b01fbd19b94b5e316d8c41 |
| SHA256 | d4abd9ec373779f52485518ea6869067a515d3c671567733026f6713fdcf3989 |
| SHA512 | ffb99fe7e1491fb69b49880df9c70f70d8e43ccddcebbe81b6bb8e50f84bb226f70549de3873ff8d54544233e92a54ed724089b9d4d4b6f21590fa314dcd6358 |
C:\Windows\System\KDKrVIm.exe
| MD5 | 43e05b9e6df3016c65fb67f98a07b4b4 |
| SHA1 | 87cd7381121d81ca3ae64bc1221c16c4675e5e21 |
| SHA256 | 4e5971169f2f52bb7d07c75ff30fc9c2636bebb5f478d7aa042cfd03a6b81bc9 |
| SHA512 | ae174aae41e46936b50081a95c5bc7b04df0e8a6a08f23435b16d9d636897f30bfc5d062d3df863737d888914495261183ae685be025cea58eebcf3c95b795dc |
C:\Windows\System\aFfhoGU.exe
| MD5 | bb20639688c5e62bded9d941fd05ff90 |
| SHA1 | 237715522bb71b0f02a60b83a82025c7bdacf127 |
| SHA256 | 8b1d4ab87806ec95447b6a5645a47b4aebab27647a27575803f61268ff8352b8 |
| SHA512 | f038f66361a1552110c29155e6b86a630e4cf860d2bf53caeb7f13aca76694b63b9730bd12a82788c7e4a6e0afb225267697df8b537e527e62b275d3af879808 |
memory/436-58-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp
memory/2724-64-0x00007FF770350000-0x00007FF7706A4000-memory.dmp
C:\Windows\System\fNeDOvN.exe
| MD5 | 432840a64e8b6895a88a34b2e4864b4b |
| SHA1 | 5e4ac773cfdb3bc12c5b2583f900d8a873c73bdf |
| SHA256 | 61e3b13aa58a2b2ba5c732408508aa210b58c33235aacfae13c19946c7342d4e |
| SHA512 | f3a736a9cb6a923cbdda3c301a791a148ee0fe7b6f527682147450c491f39c151cea510a5d040c4c3910260a2a7c31de108183b5999d6eb1254ce800060464b0 |
memory/3668-65-0x00007FF765140000-0x00007FF765494000-memory.dmp
C:\Windows\System\olNSvxY.exe
| MD5 | 29b9dce3ede3d3238aad5e2975c89b20 |
| SHA1 | cf00b4f18073a118172a9075598c7b51044c0781 |
| SHA256 | 097dd6056232e9bd03076a68db164af390d5e72dfbcf82fe2a72bd817cc61b80 |
| SHA512 | bbe394c3d2da35ab55e14033a2b5eb03e4deb039cea06b904762d35b9bfd736b61ad6e86dfb541403146c2163b22dedfa18bca0acc176cf2dd747c9374e20ee7 |
memory/3016-54-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp
C:\Windows\System\nqyezdf.exe
| MD5 | 3881e5062beb8caa0b24f6d382d18f34 |
| SHA1 | ba263c6041f517fbc7e597aecd19f8e5aec081d6 |
| SHA256 | 8798d87739983e3e24b7eb4965f819c01b7262c2a6288048f29dda78c76b43fe |
| SHA512 | 46283020c8aca9951a4ee3e10cc73f1e50df903265401165dc1b0e57d0bcc91107dfc3572c6a2307a6dbe33f83c6a51dc346194a879d49c0887d29df50da2ecb |
memory/3228-42-0x00007FF700500000-0x00007FF700854000-memory.dmp
memory/3524-39-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp
memory/744-32-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp
memory/1124-30-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp
C:\Windows\System\aSmYrgL.exe
| MD5 | 9cb54538a9c33e5c587d79830182e724 |
| SHA1 | 69da5dbff0e773c935422c8588386f20bc523c48 |
| SHA256 | 734ee854e5cd7c6a9185c62b4f57784b84303b7492f9022783d277193069969b |
| SHA512 | 02934b16e6d442450c927c225423fdd08fd7e2976aebcfd2356c2e846f51e18b4d5cf05c8565e1df8fcd2e5c0fc647083bf55865bc67a0ce415a5ac8b5d9a207 |
memory/1420-20-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp
memory/3648-13-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp
C:\Windows\System\SJFofyn.exe
| MD5 | c1aba502875b21583f3ed901aa490c64 |
| SHA1 | 7af0140bb4a2b671a2a9f899ffdc9a1456a164a8 |
| SHA256 | 6b66bcb735071a7c6558e6d2e88a0f5087a94ffb3e36d3ab3d4ae8105a037c76 |
| SHA512 | 574baabf91e2c1004a566cc93f513e2ddfbaa451d7930210a872f1b2d9566aeef9a6b7b445fb647723ba31a0f7d0ad06da55aa4e1841ec6f39de8ad5b8ecaf8d |
memory/3664-72-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp
C:\Windows\System\qXAYasL.exe
| MD5 | 753b8900edaf15a9e0952de1b76d6261 |
| SHA1 | 8097f9bc6557181e31f0f4eb1a1be7f25461c4d1 |
| SHA256 | ee5e40131b53f5196ba1ac7b92b045fef8e08c517b912741d3377e3abf1da399 |
| SHA512 | 929a1b5f58df781f4ae52d026977f8d9d027c905c8d52b330f0e5054ff73aa4b8ca5d60557307509e6e7d3af1fb857f2152ba27eca932910bfd0698040854a49 |
memory/4584-76-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp
C:\Windows\System\gDPLRmx.exe
| MD5 | ba72b20c65ac48e8066868935e0523c6 |
| SHA1 | 781111dd4a1f28bcdea43ed4b804ee221d5b8714 |
| SHA256 | 45675789f19a00865304c244b30436b8573a34f11a11af3721f2ec216c4073c2 |
| SHA512 | 86c737add84dc200003dfc85ce1be8fd4d727842430289d8d999e731900aa0d7db14c6ef290d49762e110789c6fb15d3654efdfa24da14fc3562afa4e7e11f1b |
C:\Windows\System\CSgOMRN.exe
| MD5 | 090e71160130a24963516da1e8cceb65 |
| SHA1 | 32ff7be73b58c0dec1d00bcb4fa9396180845f89 |
| SHA256 | c577c83ca599d10020fcc8ab0e57c735f438d7dcf3052c834aabe45681c0526d |
| SHA512 | 83cfc9a6e02d2032dca05df20695582468f7770950fe61b5b6e16d22a5d4c2ccceec8b939b6581e30f4f32771d8a788fde1492283ced1572b12deb5982784583 |
memory/3764-93-0x00007FF67BFB0000-0x00007FF67C304000-memory.dmp
memory/1012-90-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp
memory/2940-99-0x00007FF6385A0000-0x00007FF6388F4000-memory.dmp
memory/3524-105-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp
C:\Windows\System\mnyUEaI.exe
| MD5 | a18090e220ff5cd34ed274ede9f49548 |
| SHA1 | 9c6667b4523be2092a7941ff5aa2608bcde39d99 |
| SHA256 | be63d9a6e7e04c2ceef384983550f6ef605e7e4796449ac66f2b807262793b3f |
| SHA512 | 79f5613194b704f56803ffdace78420cb32dcafc8b002b51d319f3a48c3c8d08c69c975fb41e899fdd273d1bcf976dffa6879774b3c6868797115ee6cceb9bd3 |
memory/2052-106-0x00007FF619640000-0x00007FF619994000-memory.dmp
memory/2432-104-0x00007FF7FBED0000-0x00007FF7FC224000-memory.dmp
C:\Windows\System\mpkfSBW.exe
| MD5 | 3a4218d8d196658788cc577d9c04c497 |
| SHA1 | d7d114e8c07da28e46f2e2202ab8c7b09eb51f8d |
| SHA256 | 0e12b0861b43e3007f44d5be867758dbb5deea0617d3df43ce3cb96dabfef10f |
| SHA512 | a59785ca9ed9cb78df1353863474b79bd649c56022217342b125d81657820daa0aa6c292c728f4d72ececf4812af985f213ceb8ffb19457477306bb7aea708e9 |
memory/744-100-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp
memory/1964-81-0x00007FF7FCDA0000-0x00007FF7FD0F4000-memory.dmp
C:\Windows\System\XvXMOVE.exe
| MD5 | f13952d53a5265f4eadc52422240f31b |
| SHA1 | 6e340532d28787ad336b68db3844b673ce733c36 |
| SHA256 | 3f9aeed6e8ee52f954cee72990a7130b12aa8314da92877ff9c612e9491197d1 |
| SHA512 | 47d174d716a083f2b5532bdf3fa38e40653718a241ec171fb8aff7d82bbb619e4f6135933867efec60f66fa2694d3ff1c52651a4bad20d439197d944d6a4aa1f |
memory/3228-114-0x00007FF700500000-0x00007FF700854000-memory.dmp
C:\Windows\System\NXKvCeB.exe
| MD5 | f00ec59fd42859124739e0a99b02019e |
| SHA1 | fe8abd1c103d15de7232b7fa762fa079b4ecf064 |
| SHA256 | 6707fae2f5a188509cc0c4bb46b752da8eb0be15f3b73f9539b0d7b1d2d75ba3 |
| SHA512 | dc1dbcaeb5dc2821390b40c8e93d975fe7e3c7b84ad1e77a3810cfb90a51398ae218565bdf7defd8133f2129033abf1790329de1184669bd884915d41472229e |
C:\Windows\System\PZQAoQJ.exe
| MD5 | 608c7868c9d946be6a4fa3ad12aa94f5 |
| SHA1 | 929c9cd520e87adc774bcd3ee9ee551ee44f3ad1 |
| SHA256 | f42a7985c4ff852912fe78ef5cea5d2a99072f72912606802b58ac115300d8a5 |
| SHA512 | da2a80b2c01442535bcd705a69397cdafa8797ae9607a72cf94b20f5cdc0e531903d4c6eb2e50018ba4f676a9ad1a7bcb570d0d882d6a5df3071e4eadc091505 |
C:\Windows\System\iRUaRyn.exe
| MD5 | 070f3c0bc4b719d188b739ca3fd5e9ff |
| SHA1 | 6d6890cc0412beeff2121666c0bb7919373c013f |
| SHA256 | c449a6e604d6351b392c87be765ed75d6d39b41747db294384517c27b8cd3f9d |
| SHA512 | c26af03c51d7ef896aef9ccacbe1a0c012f70780da512250fba5fc99bfba5c586fd00348a14854d6ac4628c598edb677aeae8af0c55dd8f0620dfe9c2aaeb7b7 |
memory/4620-121-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp
memory/436-118-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp
memory/4132-119-0x00007FF633220000-0x00007FF633574000-memory.dmp
memory/3636-133-0x00007FF76D710000-0x00007FF76DA64000-memory.dmp
memory/3180-134-0x00007FF692FB0000-0x00007FF693304000-memory.dmp
memory/2724-132-0x00007FF770350000-0x00007FF7706A4000-memory.dmp
memory/3668-135-0x00007FF765140000-0x00007FF765494000-memory.dmp
memory/4584-136-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp
memory/2052-137-0x00007FF619640000-0x00007FF619994000-memory.dmp
memory/4620-138-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp
memory/3648-139-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp
memory/1420-140-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp
memory/1124-141-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp
memory/1012-142-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp
memory/744-143-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp
memory/3016-144-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp
memory/3228-145-0x00007FF700500000-0x00007FF700854000-memory.dmp
memory/3524-146-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp
memory/436-147-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp
memory/2724-148-0x00007FF770350000-0x00007FF7706A4000-memory.dmp
memory/3668-149-0x00007FF765140000-0x00007FF765494000-memory.dmp
memory/4584-150-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp
memory/1964-151-0x00007FF7FCDA0000-0x00007FF7FD0F4000-memory.dmp
memory/3764-152-0x00007FF67BFB0000-0x00007FF67C304000-memory.dmp
memory/2940-153-0x00007FF6385A0000-0x00007FF6388F4000-memory.dmp
memory/2432-154-0x00007FF7FBED0000-0x00007FF7FC224000-memory.dmp
memory/2052-155-0x00007FF619640000-0x00007FF619994000-memory.dmp
memory/4132-156-0x00007FF633220000-0x00007FF633574000-memory.dmp
memory/4620-157-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp
memory/3180-158-0x00007FF692FB0000-0x00007FF693304000-memory.dmp
memory/3636-159-0x00007FF76D710000-0x00007FF76DA64000-memory.dmp
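The Files listings above (this one and the win7 listing further down) interleave dropped-file hash tables with memory dump names of the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp. The Python below is an added example, not part of the report: it parses an excerpt of those listings (lines copied from both runs, including the drive-less path form the win7 run records for one file) into an IOC set, rejects digests of the wrong length, and computes each dump's region size. Every large region comes out at 0x354000 bytes regardless of process or platform, which is consistent with the same unpacked image being mapped in each dropped process; the 1 MiB floor used to separate image-sized regions from the small 0x10000 ones is an assumption chosen for this example.

```python
import re
from collections import Counter

# Excerpt copied from the Files listings of the behavioral2 (win10) and behavioral1
# (win7) runs above; the drive-less "\Windows\system\..." form is how the win7 run
# records one dropped file. Sample input for the parser, nothing more.
REPORT_EXCERPT = r"""
memory/3664-0-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp
memory/3664-1-0x0000023B727B0000-0x0000023B727C0000-memory.dmp
C:\Windows\System\vcIFFpV.exe
| MD5 | 02cb1d80691f528c9f2a8fc9b9395575 |
| SHA1 | 586ccb37f97a757dba2f38014adae50904f15528 |
| SHA256 | 59a244156863bd687c83b3238e4c243cdecaa83757d7be957558bf311d6ddc88 |
| SHA512 | 9e15a5486d9fbc920304b9d34f4788b51509f87bd60dbfccce01514aac40b34179e3737d9609826755785f4306399c1647d4bcdc0d119c325fb9da3378f8131b |
memory/1012-26-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp
\Windows\system\VVjfJtD.exe
| MD5 | 223d1eb5060ae1ec8d6b0cb01a254a58 |
| SHA1 | d7e6a5b0a1557e8749d9ea94556e3ef38b62439f |
| SHA256 | abbf5169a4e7b2f807e6f3550fe3f7553f1da9320a2a27363cbe17ad1a820d22 |
| SHA512 | b64a3c5b05d21b1b12323b90cbd5b28d1cb5ba032bc86ff9b3611974a29aeecd1524593077fbf707cf00bbdafe59fa8c2f16c981691318d98add71c9c7d6f287 |
memory/1964-1-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/3664-72-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.(?:exe|dll)$", re.IGNORECASE)
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, dumps).

    files maps each dropped path to {algo: lowercase digest}; dumps is a list of
    {"pid", "index", "start", "size"} decoded from the memory/... names.
    """
    files, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "index": int(m[2]), "start": start, "size": end - start})
            current = None
        elif PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            algo, digest = m[1], m[2].lower()
            # A digest of the wrong length is a copy/paste truncation, not an IOC.
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex chars, want {DIGEST_LEN[algo]}")
            files[current][algo] = digest
    return files, dumps


def sha256_set(files):
    """The hash set you would push to an EDR blocklist."""
    return {h["SHA256"] for h in files.values() if "SHA256" in h}


def image_region_sizes(dumps, min_size=0x100000):
    """Histogram of dump sizes at or above min_size (1 MiB, an assumed floor for a
    mapped payload image); smaller regions are left out."""
    return dict(Counter(d["size"] for d in dumps if d["size"] >= min_size))


def pids_with_region_size(dumps, size):
    return sorted({d["pid"] for d in dumps if d["size"] == size})


if __name__ == "__main__":
    files, dumps = parse_report(REPORT_EXCERPT)
    print(sorted(sha256_set(files)))
    for size, n in image_region_sizes(dumps).items():
        print(f"0x{size:X} bytes: {n} dumps from PIDs {pids_with_region_size(dumps, size)}")
```

Run against the full listing rather than the excerpt, the region-size histogram is the quickest way to see which dumps are worth opening: one size class shared by every dropped process is the unpacked payload, and a single dump of it is enough for static triage of the miner and the loader.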
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 12:45
Reported
2024-06-11 12:48
Platform
win7-20240221-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; description, indicator, process and target are N/A for every row.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; description, indicator, process and target are N/A for every row.
UPX dump on OEP (original entry point)
58 matches recorded; description, indicator, process and target are N/A for every row.
XMRig Miner payload
60 matches recorded; description, indicator, process and target are N/A for every row.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\srganOc.exe | N/A |
| N/A | N/A | C:\Windows\System\VVjfJtD.exe | N/A |
| N/A | N/A | C:\Windows\System\rbDtaVI.exe | N/A |
| N/A | N/A | C:\Windows\System\afqtyQf.exe | N/A |
| N/A | N/A | C:\Windows\System\ivysrkH.exe | N/A |
| N/A | N/A | C:\Windows\System\wNcTuKC.exe | N/A |
| N/A | N/A | C:\Windows\System\QUhxwYT.exe | N/A |
| N/A | N/A | C:\Windows\System\UjMaCbB.exe | N/A |
| N/A | N/A | C:\Windows\System\ITScoqs.exe | N/A |
| N/A | N/A | C:\Windows\System\cKEKutv.exe | N/A |
| N/A | N/A | C:\Windows\System\JtyebIS.exe | N/A |
| N/A | N/A | C:\Windows\System\SjJxzQE.exe | N/A |
| N/A | N/A | C:\Windows\System\jPkMGmZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EqKhLHi.exe | N/A |
| N/A | N/A | C:\Windows\System\DuvQRCl.exe | N/A |
| N/A | N/A | C:\Windows\System\dJEbCZT.exe | N/A |
| N/A | N/A | C:\Windows\System\VnlciFd.exe | N/A |
| N/A | N/A | C:\Windows\System\aytMGwr.exe | N/A |
| N/A | N/A | C:\Windows\System\cqSiMLk.exe | N/A |
| N/A | N/A | C:\Windows\System\TgmwUBi.exe | N/A |
| N/A | N/A | C:\Windows\System\EgJlgFs.exe | N/A |
Loads dropped DLL
UPX packed file
58 matches recorded; description, indicator, process and target are N/A for every row.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\srganOc.exe
C:\Windows\System\srganOc.exe
C:\Windows\System\VVjfJtD.exe
C:\Windows\System\VVjfJtD.exe
C:\Windows\System\rbDtaVI.exe
C:\Windows\System\rbDtaVI.exe
C:\Windows\System\afqtyQf.exe
C:\Windows\System\afqtyQf.exe
C:\Windows\System\ivysrkH.exe
C:\Windows\System\ivysrkH.exe
C:\Windows\System\wNcTuKC.exe
C:\Windows\System\wNcTuKC.exe
C:\Windows\System\QUhxwYT.exe
C:\Windows\System\QUhxwYT.exe
C:\Windows\System\UjMaCbB.exe
C:\Windows\System\UjMaCbB.exe
C:\Windows\System\ITScoqs.exe
C:\Windows\System\ITScoqs.exe
C:\Windows\System\cKEKutv.exe
C:\Windows\System\cKEKutv.exe
C:\Windows\System\JtyebIS.exe
C:\Windows\System\JtyebIS.exe
C:\Windows\System\SjJxzQE.exe
C:\Windows\System\SjJxzQE.exe
C:\Windows\System\jPkMGmZ.exe
C:\Windows\System\jPkMGmZ.exe
C:\Windows\System\EqKhLHi.exe
C:\Windows\System\EqKhLHi.exe
C:\Windows\System\DuvQRCl.exe
C:\Windows\System\DuvQRCl.exe
C:\Windows\System\dJEbCZT.exe
C:\Windows\System\dJEbCZT.exe
C:\Windows\System\VnlciFd.exe
C:\Windows\System\VnlciFd.exe
C:\Windows\System\aytMGwr.exe
C:\Windows\System\aytMGwr.exe
C:\Windows\System\cqSiMLk.exe
C:\Windows\System\cqSiMLk.exe
C:\Windows\System\TgmwUBi.exe
C:\Windows\System\TgmwUBi.exe
C:\Windows\System\EgJlgFs.exe
C:\Windows\System\EgJlgFs.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to this single endpoint were recorded; no domain is associated with it.
Files
memory/1964-1-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/1964-0-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\srganOc.exe
| MD5 | 8a7d5c8953c8ddbe106dab1a5061173f |
| SHA1 | 164ac1e588213ea8489ffe60ddc07adfb03dc9a2 |
| SHA256 | 0565fb40214117d6fbe5157fb2bf95d182c00d0f2fa7798d32da6e1f02bff9e7 |
| SHA512 | bc7017e0ae8897dad754832bb8eda07a9eaf3c819350c52cd66ab7c6ade483bf2c58eae7a563f16bff58cd8212a65584442d2ab160a16f906c827671921cebc4 |
memory/1208-9-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1964-8-0x000000013F1C0000-0x000000013F514000-memory.dmp
\Windows\system\VVjfJtD.exe
| MD5 | 223d1eb5060ae1ec8d6b0cb01a254a58 |
| SHA1 | d7e6a5b0a1557e8749d9ea94556e3ef38b62439f |
| SHA256 | abbf5169a4e7b2f807e6f3550fe3f7553f1da9320a2a27363cbe17ad1a820d22 |
| SHA512 | b64a3c5b05d21b1b12323b90cbd5b28d1cb5ba032bc86ff9b3611974a29aeecd1524593077fbf707cf00bbdafe59fa8c2f16c981691318d98add71c9c7d6f287 |
memory/2692-17-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\rbDtaVI.exe
| MD5 | beb91594675200147799ddd2bf6b6f19 |
| SHA1 | cff8e6c41895eb20b8b40a5830dc364505b0ad9a |
| SHA256 | bdf7e05b335b823d3eea185153a673a6bd9be152a85c727ac7b94554738b863b |
| SHA512 | 50aa852f1644c51a6445cc78a1ea534e8e0d09866bde7486a082f09c3a82de792773aa13844d3993ddfe25639f1d9e2c94323c08bd9a0b2e651258711ff336f7 |
memory/2540-28-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2620-27-0x000000013FDA0000-0x00000001400F4000-memory.dmp
C:\Windows\system\afqtyQf.exe
| MD5 | 8aa0489eaf2b2801e635f5d990faee5a |
| SHA1 | 04c7933b14d7bce775963f54fee2dbeff05edb6c |
| SHA256 | 250bf55e42f40dd4d2292e24bed143d3afbe32e96d3111a9cae8ad7b1af85784 |
| SHA512 | 88498ee668d322d725176b2b4ac3a9bd730a52e337d7025545a6473f7c58de9d25180e758888245fc791b375d8abc1e7b53f8b8137b39927a6b6f72129f8d466 |
memory/1964-14-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\ivysrkH.exe
| MD5 | 9789e929e5683ef7df7cba0810df1f43 |
| SHA1 | 124e9e6d267104d227b341c8ac9a9d54e64ebb3e |
| SHA256 | 211242102fa25d3f0ecabc68d67aaa7c60b07c787e04f25b2ebe635c4cbf57d4 |
| SHA512 | 21e4f3d2fa507c21d632b29c991752eb4d629249fe66dc7c9e97b24788bc0e1420c6e441e675e9b206c593760da401b3d911154465a4fe0977290ebf5b7f611e |
memory/2568-34-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\wNcTuKC.exe
| MD5 | 10d2a8724aa2717effbc51e5c53aed23 |
| SHA1 | ad0a1ae3a9a365d126097457d602940aaf8533fb |
| SHA256 | b524f3363b5c3e994eb9602ab7c18ff3245fee91bcb4775246ca07bd7c69fdb6 |
| SHA512 | 5bbe48566468e1ee1f085a8aa91ea0da7622f464c0e2b926e68036e0e73aa356aa7a3ee7068855683e430a5e8f8702db1dd88734829f5ac8abd2a0a19e187713 |
memory/2444-41-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1964-40-0x000000013FA20000-0x000000013FD74000-memory.dmp
\Windows\system\QUhxwYT.exe
| MD5 | 60303537569407be2b95f1a10a17c55d |
| SHA1 | dd0023195ec7a1a471486020b6c49a7bbb650282 |
| SHA256 | 1aff7422ca868bea773869cdd63d9934a339b684df3b1caca3dccaaf2051d3b4 |
| SHA512 | 1d6d9ef26dbd2c4606ea480847abc91bce4b48966bdf0f9cb205cdd29e550bc5b2a08229240bd0355f3c95a4b8714f4b8ba3627c10eafc1f3926fc9b9159c073 |
memory/2860-48-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2660-53-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1964-47-0x000000013FE50000-0x00000001401A4000-memory.dmp
\Windows\system\ITScoqs.exe
| MD5 | 1c288fdb000b8f79a481d3ec6e81e8fc |
| SHA1 | 6261ae4b3c5d7956d5470dac698957e2c1649eb2 |
| SHA256 | 372a7baf6437d87a98198e1231d72470c7aeac860cdeea2b6d6c31108081220d |
| SHA512 | f5bb192ccc34461727d23e36502064e5ae756379f04720580d49b7182f0fbb9201b0d2677383750a77f81d68ab628b5cc5d4b4086685e4e98a033084fadbb7d1 |
C:\Windows\system\cKEKutv.exe
| MD5 | a8f2ad0392b8b5059d5c2811fc465785 |
| SHA1 | ef9589ab5a60ee19d0452965ee07383331175dac |
| SHA256 | e37d8c7a88926f94a3bc779406f0807eb5f16d009e3f700aa187c239b7724af1 |
| SHA512 | 16188700261254a91575a46c783a2576fa7f357358fb09e0ae62c3d395d1148c4e05549cbd969df98b2746a3025c6e6d3e0ce9fa034c6c05bcf7c5c9909065a8 |
memory/1656-69-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2424-61-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/1964-60-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2692-59-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1964-68-0x0000000002230000-0x0000000002584000-memory.dmp
C:\Windows\system\SjJxzQE.exe
| MD5 | c73be2511eef0d59d52432251cc34632 |
| SHA1 | a712e48535049f1aefe199161e7640c598d4ea2d |
| SHA256 | 4f60ba1136d203a97cbfb9e999448e64a113b49a2165db8c51f81723e3491b68 |
| SHA512 | c9d721bf90ca43bcf41ed371e4e5d122763259dccf3b1cc328e946021fa9d966ee590ea908d51895de7e4fcbd2f0753ae5f24dac652484b6f7b0df262420e534 |
memory/1964-80-0x0000000002230000-0x0000000002584000-memory.dmp
\Windows\system\EqKhLHi.exe
| MD5 | f99f66dcb5fb3f98e7cdbe6908a9d38c |
| SHA1 | 6674aee8955142f8ce4a409dc4866505c1230087 |
| SHA256 | 51ee64e80b16e18d599398089f48e73872e258c6d277eb72ad442a8f9e5d9269 |
| SHA512 | 3f360848dee998cd8f7241ea9dd82c78c68206465b17ecf0b92988d4f19236e366000c0e4abec85b5e6de2144d34a8dca9546ef62438528dc9073eb45e911fe1 |
memory/1964-90-0x000000013F5B0000-0x000000013F904000-memory.dmp
\Windows\system\jPkMGmZ.exe
| MD5 | c476d7a7d9dbd2fa3e65777e9fe64aaf |
| SHA1 | 38bb358c44e206c55f7da418ddf45fc181798577 |
| SHA256 | 3b3b2948125abbfa00b0116afda520a49e4c2062d2b9f1fe92db302c0670aba1 |
| SHA512 | e4020bdac54fb642a753028d8075dd90c39b0343dca4825350a553792b307db46dd0e18908656b868a095b5e17e89eb9d4518f0ab3484d46c953656b0694c1f7 |
memory/1464-98-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2568-96-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\EgJlgFs.exe
| MD5 | 12e0e079e79baf0316598766177380c9 |
| SHA1 | e69bd328be9fc7697710fe0dce396173f3ffb441 |
| SHA256 | 0e2d0a38b3ba1e1bb4c891dd3342dbbc6982b3d1adf170220a23e1ea5c7102ce |
| SHA512 | e5a04569aebd71c456b5e3a36c15e0a1b066944ca1083620d1ea6421e91891c2f775c940d5026cba560fa80525d05fdd82ed848d0effe275346e58e44919752e |
C:\Windows\system\TgmwUBi.exe
| MD5 | 5648baa143995dbf30f3f1db37a5ead4 |
| SHA1 | 793bd1c0a240b74cc1bfc028f588781586368a0a |
| SHA256 | 470ca6be5f8f8aa9cd072bfeb4de3508ad2d63cef1f827f49841bd68c70ea981 |
| SHA512 | 1e97df5a510170fd59f91e0286c41d9ae502dd293708bb68a914032368d1f1e22c0c8b61387fc31d095d7cfcfde987d813b7f5691910027b9beb18f74f2348dc |
C:\Windows\system\cqSiMLk.exe
| MD5 | 190913fa2f8da4038d088b0d98e106aa |
| SHA1 | 5433534535efd68c5e7b44ab9e24307b0ffbd07b |
| SHA256 | 1bda427b3a540cf711efd4137df55d93d4f48d2ac07cfeb9e2c7b82a830e3be9 |
| SHA512 | be0cc9c3bc16f33cdf5c641fb617c27e677628390dfd2c4e849e8ab3d98ff9f964a22271844636180218640611c07585617126ef7221386fae52bade35740a3e |
C:\Windows\system\aytMGwr.exe
| MD5 | 87da63e98df8286963c895e5565fbcf7 |
| SHA1 | 590fa9f7349dae81baaa0fe7cffc0f8f232bea6f |
| SHA256 | 3d3e7f8a9a0ccea904d923c4d9d17df51e2d9990997a8c783caf39ddc35ab093 |
| SHA512 | 01c9b94b114dddc49031cc950220f0b50b8b02b19b30a7a361dc187ecad5370f7f4d6fa4ea4dfbadec3a309cc0c5d399be0e837243fda51e6339eb6763a7aa7d |
C:\Windows\system\VnlciFd.exe
| MD5 | e8402c12857b11c4696e43685d0bbfb8 |
| SHA1 | 1d8e688ac58f04c2d6a8b8fb99ea543582f057c6 |
| SHA256 | 702556fdc57db5f306c687c96bbcdb5dee8066409025759361b6e51b37500f19 |
| SHA512 | f6d7de3368dbf2fee87f56c03c59ec8535100fe0794d3adde5f38eeb83beaa31ce6bbc750068f5e60a48f5cc5e2975620bb10d15f271b47e707adb2e2b6c0204 |
C:\Windows\system\dJEbCZT.exe
| MD5 | 01ca9b7bf57400b9102adb8f2bb5541d |
| SHA1 | 822e07470d8d51a6b4ef1957b355a8db223544c1 |
| SHA256 | 9e1eff739b0e2c486b314c268f7b16fff1d5d128b8dade4e6508db95201a44f3 |
| SHA512 | 48143c2bfbfe26d65e5cd3a6c8cf9d2efc0779d71366ce8b069b8f0c22b709696ed892443568574c434225819b01d8382cf49cda1da81d4e994c26bf6c54113d |
C:\Windows\system\DuvQRCl.exe
| MD5 | c7819c9bc12f73983aa1c3bc225e705e |
| SHA1 | 5b1c820ce57615b8c4ea2dc196337ecd620025a1 |
| SHA256 | 2c7f43bc0f2412747a9ad90e760a17e317023d1c9d732401c8ecbedfa6044a97 |
| SHA512 | e32454f3d5e87b50d5ed6c817f3e4feaba4d66b63bcbfc2141d7d2bb8e0d54ebff216fd88ef8a2f56e6b87afe74fb50a8baf185cc035f716e6be71701707d7f9 |
memory/1964-85-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1488-89-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2272-75-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1964-74-0x0000000002230000-0x0000000002584000-memory.dmp
memory/1576-81-0x000000013F8D0000-0x000000013FC24000-memory.dmp
C:\Windows\system\JtyebIS.exe
| MD5 | 731c977c8ed9574bd7421eb65f20f556 |
| SHA1 | eec0d5ce1e9dc1b898e80cff7d62c9052cdc40a9 |
| SHA256 | 250c13590dafcdebe625be6241b8840760167aaf96e26489d343dbd299e3ba23 |
| SHA512 | 64b70ae481259e18316baf57197e1372581ac6ab01fb2ca7c19ac43bcad0df78fd05c64ae8d0f0d9ffdf7d326bf743b38b6d44aaccc533ffecb9c911ba8e0863 |
C:\Windows\system\UjMaCbB.exe
| MD5 | 157b486c85e3a97b23355e192ae8a431 |
| SHA1 | 267355182adcdbe8e6e368261642703b1372140b |
| SHA256 | 9f23b995c13224d6fe6ba73095049db634780f201dd4ac9acc495f47baf4d5f3 |
| SHA512 | 7aad7ac5695b9885e52671f03853cfbee817e6cb6092bfbaed2a2c69098536653865c15b6faacb6007a438fb703ff260323cfd8b75762f0696e904073f12d351 |
memory/2660-133-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1964-134-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2424-135-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/1964-136-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2272-137-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1576-138-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1964-139-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1488-140-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1208-141-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2692-142-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2620-143-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2540-144-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2568-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2444-146-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2860-147-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2660-148-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2424-149-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/1656-150-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/1576-151-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1464-153-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2272-152-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1488-154-0x000000013F590000-0x000000013F8E4000-memory.dmp
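The Files section above is a ready-made IOC set: 21 unsigned executables dropped into C:\Windows\System, each named with seven mixed-case letters, with MD5/SHA1/SHA256/SHA512 for every one. The Python below is an added example, not part of the sandbox report or any vendor tooling. It parses entries in this report's layout (a path line followed by two-column hash rows, with memory-dump lines interleaved) into a hash table and then hunts a directory for files that match a listed SHA256 or the seven-letter naming pattern. The embedded excerpt is a constructed sample copied from two of the entries above; `parse_dropped_files`, `hunt` and the mixed-case name heuristic are my own assumptions, not something the report states.

```python
"""Turn this report's Files section into an IOC set and hunt a directory with it.

Added example; not part of the sandbox report. The parser targets the
two-column hash rows the report uses, and the name heuristic is an
assumption drawn from the 21 dropped files listed in the report.
"""
import hashlib
import re
import sys
from pathlib import Path

# Constructed excerpt: two entries copied from the report's Files section,
# including interleaved memory-dump lines that carry no hashes.
SAMPLE_REPORT = r"""
memory/1964-1-0x000000013FA20000-0x000000013FD74000-memory.dmp
C:\Windows\system\srganOc.exe
| MD5 | 8a7d5c8953c8ddbe106dab1a5061173f |
| SHA1 | 164ac1e588213ea8489ffe60ddc07adfb03dc9a2 |
| SHA256 | 0565fb40214117d6fbe5157fb2bf95d182c00d0f2fa7798d32da6e1f02bff9e7 |
| SHA512 | bc7017e0ae8897dad754832bb8eda07a9eaf3c819350c52cd66ab7c6ade483bf2c58eae7a563f16bff58cd8212a65584442d2ab160a16f906c827671921cebc4 |
memory/1208-9-0x000000013F1C0000-0x000000013F514000-memory.dmp
\Windows\system\VVjfJtD.exe
| MD5 | 223d1eb5060ae1ec8d6b0cb01a254a58 |
| SHA1 | d7e6a5b0a1557e8749d9ea94556e3ef38b62439f |
| SHA256 | abbf5169a4e7b2f807e6f3550fe3f7553f1da9320a2a27363cbe17ad1a820d22 |
| SHA512 | b64a3c5b05d21b1b12323b90cbd5b28d1cb5ba032bc86ff9b3611974a29aeecd1524593077fbf707cf00bbdafe59fa8c2f16c981691318d98add71c9c7d6f287 |
"""

# One hash row of the report: "| SHA256 | <hex> |".
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Dropped-file lines start with an optional drive letter and a backslash;
# "memory/..." dump lines and table rows do not.
DROP_PATH = re.compile(r"^(?:[A-Za-z]:)?\\")
# Heuristic (assumption): every drop in this report is <7 letters>.exe with
# mixed case. Requiring both cases keeps lowercase system binaries such as
# notepad.exe (also seven letters) out of the pattern hits.
DROP_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")


def parse_dropped_files(report_text):
    """Return {reported_path: {"md5": ..., "sha1": ..., "sha256": ..., "sha512": ...}}."""
    iocs = {}
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DROP_PATH.match(line):
            current = line
            iocs[current] = {}
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            iocs[current][m.group(1).lower()] = m.group(2).lower()
        else:
            current = None  # a memory-dump line or header ends the entry
    return iocs


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, iocs):
    """Walk root; return [(path, reason, reported_path)] for hash or name hits.

    A SHA256 match is a confirmed hit; a name-pattern hit is a triage lead.
    """
    by_sha256 = {v["sha256"]: k for k, v in iocs.items() if "sha256" in v}
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in by_sha256:
            hits.append((p, "sha256 match", by_sha256[digest]))
        elif DROP_NAME.match(p.name):
            hits.append((p, "name pattern", ""))
    return hits


if __name__ == "__main__":
    table = parse_dropped_files(SAMPLE_REPORT)
    for reported, hashes in table.items():
        print(f"{reported}  sha256={hashes.get('sha256')}")
    # Optional: hunt a directory given on the command line. On a Windows host
    # the natural target is C:\Windows\System, where this sample's drops land.
    if len(sys.argv) > 1:
        for hit, reason, src in hunt(sys.argv[1], table):
            print(f"[{reason}] {hit}  {src}")
```

Feed the whole Files section of the report to `parse_dropped_files` to get all 21 entries; the hunt then runs on any host you suspect, typically against C:\Windows\System. Treat SHA256 matches as confirmed and name-pattern hits as leads only: the seven-letter mixed-case rule is derived from this one sample and will not hold for other builds of the same dropper.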