Analysis Overview
SHA256
7010336db647bb2fce57b79a02cccab506ef8579067b694d141bbe36727c7114
Threat Level: Known bad
The file 2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Families: Cobaltstrike, Xmrig
Signatures:
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-11 20:42
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 20:42
Reported
2024-06-11 20:45
Platform
win7-20240215-en
Max time kernel
142s
Max time network
146s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RlMgCXu.exe | N/A |
| N/A | N/A | C:\Windows\System\CImliPC.exe | N/A |
| N/A | N/A | C:\Windows\System\OXIvQYk.exe | N/A |
| N/A | N/A | C:\Windows\System\gkTZQRA.exe | N/A |
| N/A | N/A | C:\Windows\System\EMGqwBw.exe | N/A |
| N/A | N/A | C:\Windows\System\gnfQELk.exe | N/A |
| N/A | N/A | C:\Windows\System\HEkyFMG.exe | N/A |
| N/A | N/A | C:\Windows\System\gaoUvlv.exe | N/A |
| N/A | N/A | C:\Windows\System\mVUDjZw.exe | N/A |
| N/A | N/A | C:\Windows\System\uNesDdg.exe | N/A |
| N/A | N/A | C:\Windows\System\FSNvKyx.exe | N/A |
| N/A | N/A | C:\Windows\System\vSDiYLW.exe | N/A |
| N/A | N/A | C:\Windows\System\HMQRvEF.exe | N/A |
| N/A | N/A | C:\Windows\System\OziTErY.exe | N/A |
| N/A | N/A | C:\Windows\System\KMJiNxj.exe | N/A |
| N/A | N/A | C:\Windows\System\kbxARdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xEgVeSY.exe | N/A |
| N/A | N/A | C:\Windows\System\uFcjUQm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzIJdDP.exe | N/A |
| N/A | N/A | C:\Windows\System\lcpKSPO.exe | N/A |
| N/A | N/A | C:\Windows\System\vMjvesf.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\RlMgCXu.exe | C:\Windows\System\RlMgCXu.exe |
| C:\Windows\System\CImliPC.exe | C:\Windows\System\CImliPC.exe |
| C:\Windows\System\OXIvQYk.exe | C:\Windows\System\OXIvQYk.exe |
| C:\Windows\System\gkTZQRA.exe | C:\Windows\System\gkTZQRA.exe |
| C:\Windows\System\gnfQELk.exe | C:\Windows\System\gnfQELk.exe |
| C:\Windows\System\EMGqwBw.exe | C:\Windows\System\EMGqwBw.exe |
| C:\Windows\System\HEkyFMG.exe | C:\Windows\System\HEkyFMG.exe |
| C:\Windows\System\gaoUvlv.exe | C:\Windows\System\gaoUvlv.exe |
| C:\Windows\System\mVUDjZw.exe | C:\Windows\System\mVUDjZw.exe |
| C:\Windows\System\uNesDdg.exe | C:\Windows\System\uNesDdg.exe |
| C:\Windows\System\FSNvKyx.exe | C:\Windows\System\FSNvKyx.exe |
| C:\Windows\System\vSDiYLW.exe | C:\Windows\System\vSDiYLW.exe |
| C:\Windows\System\HMQRvEF.exe | C:\Windows\System\HMQRvEF.exe |
| C:\Windows\System\OziTErY.exe | C:\Windows\System\OziTErY.exe |
| C:\Windows\System\KMJiNxj.exe | C:\Windows\System\KMJiNxj.exe |
| C:\Windows\System\kbxARdQ.exe | C:\Windows\System\kbxARdQ.exe |
| C:\Windows\System\xEgVeSY.exe | C:\Windows\System\xEgVeSY.exe |
| C:\Windows\System\uFcjUQm.exe | C:\Windows\System\uFcjUQm.exe |
| C:\Windows\System\ZzIJdDP.exe | C:\Windows\System\ZzIJdDP.exe |
| C:\Windows\System\lcpKSPO.exe | C:\Windows\System\lcpKSPO.exe |
| C:\Windows\System\vMjvesf.exe | C:\Windows\System\vMjvesf.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
The same TCP connection was recorded six times during this run.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 20:42
Reported
2024-06-11 20:45
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RlMgCXu.exe | N/A |
| N/A | N/A | C:\Windows\System\CImliPC.exe | N/A |
| N/A | N/A | C:\Windows\System\OXIvQYk.exe | N/A |
| N/A | N/A | C:\Windows\System\gkTZQRA.exe | N/A |
| N/A | N/A | C:\Windows\System\gnfQELk.exe | N/A |
| N/A | N/A | C:\Windows\System\EMGqwBw.exe | N/A |
| N/A | N/A | C:\Windows\System\HEkyFMG.exe | N/A |
| N/A | N/A | C:\Windows\System\gaoUvlv.exe | N/A |
| N/A | N/A | C:\Windows\System\mVUDjZw.exe | N/A |
| N/A | N/A | C:\Windows\System\uNesDdg.exe | N/A |
| N/A | N/A | C:\Windows\System\FSNvKyx.exe | N/A |
| N/A | N/A | C:\Windows\System\vSDiYLW.exe | N/A |
| N/A | N/A | C:\Windows\System\HMQRvEF.exe | N/A |
| N/A | N/A | C:\Windows\System\OziTErY.exe | N/A |
| N/A | N/A | C:\Windows\System\KMJiNxj.exe | N/A |
| N/A | N/A | C:\Windows\System\kbxARdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xEgVeSY.exe | N/A |
| N/A | N/A | C:\Windows\System\uFcjUQm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzIJdDP.exe | N/A |
| N/A | N/A | C:\Windows\System\lcpKSPO.exe | N/A |
| N/A | N/A | C:\Windows\System\vMjvesf.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\RlMgCXu.exe | C:\Windows\System\RlMgCXu.exe |
| C:\Windows\System\CImliPC.exe | C:\Windows\System\CImliPC.exe |
| C:\Windows\System\OXIvQYk.exe | C:\Windows\System\OXIvQYk.exe |
| C:\Windows\System\gkTZQRA.exe | C:\Windows\System\gkTZQRA.exe |
| C:\Windows\System\gnfQELk.exe | C:\Windows\System\gnfQELk.exe |
| C:\Windows\System\EMGqwBw.exe | C:\Windows\System\EMGqwBw.exe |
| C:\Windows\System\HEkyFMG.exe | C:\Windows\System\HEkyFMG.exe |
| C:\Windows\System\gaoUvlv.exe | C:\Windows\System\gaoUvlv.exe |
| C:\Windows\System\mVUDjZw.exe | C:\Windows\System\mVUDjZw.exe |
| C:\Windows\System\uNesDdg.exe | C:\Windows\System\uNesDdg.exe |
| C:\Windows\System\FSNvKyx.exe | C:\Windows\System\FSNvKyx.exe |
| C:\Windows\System\vSDiYLW.exe | C:\Windows\System\vSDiYLW.exe |
| C:\Windows\System\HMQRvEF.exe | C:\Windows\System\HMQRvEF.exe |
| C:\Windows\System\OziTErY.exe | C:\Windows\System\OziTErY.exe |
| C:\Windows\System\KMJiNxj.exe | C:\Windows\System\KMJiNxj.exe |
| C:\Windows\System\kbxARdQ.exe | C:\Windows\System\kbxARdQ.exe |
| C:\Windows\System\xEgVeSY.exe | C:\Windows\System\xEgVeSY.exe |
| C:\Windows\System\uFcjUQm.exe | C:\Windows\System\uFcjUQm.exe |
| C:\Windows\System\ZzIJdDP.exe | C:\Windows\System\ZzIJdDP.exe |
| C:\Windows\System\lcpKSPO.exe | C:\Windows\System\lcpKSPO.exe |
| C:\Windows\System\vMjvesf.exe | C:\Windows\System\vMjvesf.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4164-0-0x00007FF648260000-0x00007FF6485B4000-memory.dmp
memory/4164-1-0x0000018489340000-0x0000018489350000-memory.dmp
C:\Windows\System\RlMgCXu.exe
| MD5 | 7fbe0804d09f033ced6da44582edf00f |
| SHA1 | bd1966faefee12cfe8f3990f42e366ba961a16ea |
| SHA256 | 7cd68a2d67db2c1d9c744dd7d9b113554003ac59009ddcd97dcb464271ee6685 |
| SHA512 | 8b1983107fdb8e81eb453d8b790deaf00d53b934601ac47db03db06a8b48669a7d4d78fda6646244529295f9b934f082308e0174a41a4a391bd0864a904a87d1 |
C:\Windows\System\CImliPC.exe
| MD5 | 0cf38df7605baa990dfbffa4a8d421a1 |
| SHA1 | bea57a9d5cc0e4911fbceac979fd71e77c42f7b2 |
| SHA256 | 216d42b005e01fdcf8f1dfbaa4cee9f6fbf263ef4679eb1295c0aa12c155d699 |
| SHA512 | 10da4201ff719a5763db553af55a3465c80e7c85895c5845086e7a889dfe933b1f346840cbd0a8c69a99d5e2b467dbfb995a614363e4c28bb917ad1a6b8d08e1 |
memory/1448-6-0x00007FF709F30000-0x00007FF70A284000-memory.dmp
C:\Windows\System\OXIvQYk.exe
| MD5 | c794ab98697e47cb19e1f1f704a7fd49 |
| SHA1 | e1151066d8dfdcd48fe4c9af2c75b99537ee59cf |
| SHA256 | 8576ff3c1ad9dc329153ae3e98137217bcfb4298d0f505dd6ac6ec55b9c6ebf0 |
| SHA512 | 2aff510983c6e16c03079577a9835fb0ca2cb0f725098093fb5145c5f6d1946bcda8a69087d49f5f25c4fa25534026cc17c315ca03059e4ac3552eb647263c68 |
C:\Windows\System\gkTZQRA.exe
| MD5 | ccb140972dec12d475e6a92f790fa033 |
| SHA1 | 7b2d4bd19b7248e2a3d70432088bcd8a87ff6254 |
| SHA256 | 350662b6da395edd8e244997a5f7bcb936a2f49d194ec10978f124bd54683f80 |
| SHA512 | 74fb83f676adf8bfb53231132fe05f9f892bbf7aba1b02770e09f51552d35af9e1ff5385d83227edb3fe1c921fa12469de14c7794d02cbf4b59c71b7889c7815 |
memory/3412-20-0x00007FF7D1DC0000-0x00007FF7D2114000-memory.dmp
memory/4900-14-0x00007FF7F23A0000-0x00007FF7F26F4000-memory.dmp
memory/4756-26-0x00007FF6E4E20000-0x00007FF6E5174000-memory.dmp
C:\Windows\System\gnfQELk.exe
| MD5 | 962ec5c95ee0fb5860e21855f5159859 |
| SHA1 | 3302d6e9a791de587ddca833f58e3decd48d82b3 |
| SHA256 | 00a65ed612592c8a2d5052afd4e976194829c81b83576eb8e1af63a70c90d842 |
| SHA512 | 04f18f836580354a1f3d9fc3b197a1cefb343a732708a1f4f568771d865d059996202058823823a91c3b69f6c28ddc042835f3494939d0e176e0cb4ada58ea78 |
C:\Windows\System\EMGqwBw.exe
| MD5 | 4af22d8674fff0551c830094d2132ab7 |
| SHA1 | e6c78cb60d2c38695edbdfaff1487e0289977e3b |
| SHA256 | 1362917126edb577fcd63aeac5707865f053418c0701dfca4617971c99085f6c |
| SHA512 | 0935f95d535b38d0ded0ad773f4e7f099437ce92270b28be3573a71001a1df1a1dfa7f4d3e2db67e6ca766be4d5d84e4875181495390788296793b5d671c2cea |
C:\Windows\System\HEkyFMG.exe
| MD5 | 350d96400b2615d10c71a207d8392974 |
| SHA1 | 24879a0ad62e7244f1d0dca8ec26de4e9259c4e3 |
| SHA256 | ce8e038aa77779619bf4215ea6e2a1465942736d57b3b2fbf51b62001dd367d7 |
| SHA512 | e63242b441fa8629b0783975c408998a86dea78f46a15e5b5776f316ca4708070fc9b1c36c86ecf47f07235420bbdb80a1facb9c483871cfd9e8b5b7fd856f72 |
C:\Windows\System\gaoUvlv.exe
| MD5 | 08d0df0d9c5e60a48bb9a0504f80a888 |
| SHA1 | 509a54064282201b1d6884a00461108863ba742d |
| SHA256 | 13be32e9ebcf7df9bdbfa7f6dd62abaad799db94baca17d383e42f6c583bde6a |
| SHA512 | 5af509b39021d49920673448f2a0e8945fcf7cedcf8d249a8b7c207ca9d89e04f64997da8b8390fd6d38f41df65982e410bdbb0d5a2f077b0754f98ca9554cd2 |
memory/1616-44-0x00007FF7FDA80000-0x00007FF7FDDD4000-memory.dmp
memory/2364-38-0x00007FF660400000-0x00007FF660754000-memory.dmp
memory/2448-37-0x00007FF66B6D0000-0x00007FF66BA24000-memory.dmp
memory/1728-50-0x00007FF708590000-0x00007FF7088E4000-memory.dmp
C:\Windows\System\mVUDjZw.exe
| MD5 | 4efb488ffe3ea8e411c093fb78b696b7 |
| SHA1 | d9cd1bde2ad6b589e3d42db2bff4b63fe6f65a20 |
| SHA256 | cbc2bdb62a59c737c6dd5cdb4df516eb3ccd4f062e04ff20fe65690825e3419d |
| SHA512 | fb63159ab2c39b12489fd25f8b6e9c74a0f2c6658fc587ab59b93a5b0fa0d792cab6120a23df36a67f71eac89fcbba62dacdb35a6c49b7a72d80e33cded22277 |
C:\Windows\System\uNesDdg.exe
| MD5 | 489692773535d250247768141d49a264 |
| SHA1 | 60832f59622069fec703156e9e21cf0310a90da9 |
| SHA256 | 003d72299edec70f683c03929927b529654dcf1488d3f653893e63eb1d7da044 |
| SHA512 | 541aaa1fd68d4fae1e1cff550a2efc889904005e2dc0c5535443ce47f6a001d337306773bdb6021e45d4e65208763729f7b71f6d4e6f90c377d70facaad364ee |
memory/1988-56-0x00007FF70C4A0000-0x00007FF70C7F4000-memory.dmp
memory/4108-65-0x00007FF79D010000-0x00007FF79D364000-memory.dmp
C:\Windows\System\OziTErY.exe
| MD5 | f015bd8659b045895812b57ee189623c |
| SHA1 | 6c389a82db256567ee3e305562dd56c826706897 |
| SHA256 | 793f3e419fcad3104d28e70f8ac3943f19b3876f594e9cacd769dca1f0dd2a0a |
| SHA512 | eb3cc5c778980cfc822b45118b2cfce96aa5607714e056f6bef27b93502e739c50131c1ea4a8e0d9ea48eb0c3771b86141c1c418a871281acd974e72bace637d |
C:\Windows\System\HMQRvEF.exe
| MD5 | 13fddd3115008a5b0f1617e13e7dd570 |
| SHA1 | 3a793ac270b71aeeaf2c05bf6d1bfac4ad7f4de3 |
| SHA256 | a5d5f9a359cfdd3597ff29846200f6968381512be35b3896a9499f6276261b81 |
| SHA512 | fb4dfaca4143e4b43ca7bce4c146653961650f39496ac4dacf46b041e48cbe76e37b1ae71751b16df777ce720083fb17a92331c2994d48aae87715b7bcfbc545 |
memory/1996-86-0x00007FF7B0480000-0x00007FF7B07D4000-memory.dmp
memory/4728-83-0x00007FF717E70000-0x00007FF7181C4000-memory.dmp
memory/4656-78-0x00007FF712750000-0x00007FF712AA4000-memory.dmp
memory/4896-77-0x00007FF729280000-0x00007FF7295D4000-memory.dmp
C:\Windows\System\vSDiYLW.exe
| MD5 | 38ec489be1cc24dc819d50bc4802d944 |
| SHA1 | 961eb4e1f877647770eeade91d0bd1b61ad1037b |
| SHA256 | 92b1dbf3f18154e3782ca8bb6e693757ce352e82dac697b0e42375681df8bb02 |
| SHA512 | c25c4443b59dc2d760dd551fffd13504dc2e5bd86caca44cecb5a21117dfb2ba0ae17c474a5955871a809bea7388dd744bc63c15aa24ea7c31ba6fd0c0e388f7 |
memory/1448-69-0x00007FF709F30000-0x00007FF70A284000-memory.dmp
C:\Windows\System\FSNvKyx.exe
| MD5 | 5167798c62929565bc32ed06028a5628 |
| SHA1 | 76146dd36ad0e5faafd82eae923200ed1df9c97f |
| SHA256 | 7c88899acf30e5a0083208f995074bf8da51805e999232eea4b563f277198ee3 |
| SHA512 | daf9e79e65d40b6c32770aed79578377a1b787ce944ee451414c97ed20134f5bfb4764a78860e41cb43c8d35498fe279485a1a472692fe56d3366ac848740e55 |
memory/4164-62-0x00007FF648260000-0x00007FF6485B4000-memory.dmp
C:\Windows\System\KMJiNxj.exe
| MD5 | 2ec6357e0b2971fe1bfd3ac9298f10de |
| SHA1 | 0f8d80fcf745babc2ba6419a8d1a30051c8e21a1 |
| SHA256 | 0dcd61e69ad9dc4fb382270da3d82d6866cba1691cae186ca1ceb4d3b2fa6069 |
| SHA512 | b3e3f1c08187a0c7ee1fb6545c0aeda57b79496f0bde820cbe50e8d193cd361e33eed81745c29721325954202a4f86bbb9068380019f9c925d34cea5d6d643e5 |
memory/1196-96-0x00007FF7D9690000-0x00007FF7D99E4000-memory.dmp
C:\Windows\System\kbxARdQ.exe
| MD5 | 98a68b26156ae000e46fa3ba473c832e |
| SHA1 | 59a14046995cdc4c40afd11c499da67fd2a5a234 |
| SHA256 | e3f5cf7beb02c43a89cd5688c37faf3f9283d1c9fcdb37b6fb688ae295e2a0ec |
| SHA512 | 59f20af0c7a686975b5dcdcbb034b3e34787d54deffdd0480c36b68911f6e669d834d0892f5939da0e340e65f7b14296950ca7068676f96796445dce0341f93f |
C:\Windows\System\xEgVeSY.exe
| MD5 | 51b02ba8459db5a37d2da42a2bbe0d4f |
| SHA1 | bbc84b730269df777b9a10ff563d36b29e5902eb |
| SHA256 | 9d4d587704f219039c20ba420c92b480859c8cae859d5cc0e495f6304c876b28 |
| SHA512 | 5229400752190bbcb7bd8a606c82569c9f50f2714f8b098348592834ddf7b46d79569e71fdf92a0413e0973de6621983ec5710fa7498931a69a20af591aaa462 |
C:\Windows\System\uFcjUQm.exe
| MD5 | 78102cbbbcba64bec21e6c4187778997 |
| SHA1 | f7487272c37220c8152891aa49f062a883bd961f |
| SHA256 | 0de0af83b1b560821bcd2cc3ba5e16cd3574a12b12f701cf5cfd9a870cd813a5 |
| SHA512 | 1b754c190443c26c656613169cb0933bffddd0cd6d914482a98c4c473123c9555d0f01f6f44833217326fc67a1f47076d27f6f98bc0d11d1ec6abc20cb6d41c8 |
C:\Windows\System\lcpKSPO.exe
| MD5 | 0397b61eab10711c625e3e75a9ab5df1 |
| SHA1 | d865207bf9ca585abc79026d714ac9348f1b6c78 |
| SHA256 | e705cd7e6e2994186d24dce81ac64dbb4ae6a7ce105d40afb74a305c84bcf1e0 |
| SHA512 | d9e39144dd361f3078b797b1d9a42053ead3a8e6e5e060f7179fdbba9225462afb13ead111875a0205d25e8dcdecb65a8e8cfd87a932f199264d08cb9d9d763b |
memory/1068-116-0x00007FF657F10000-0x00007FF658264000-memory.dmp
memory/2116-120-0x00007FF7458A0000-0x00007FF745BF4000-memory.dmp
memory/1596-125-0x00007FF7B4470000-0x00007FF7B47C4000-memory.dmp
C:\Windows\System\ZzIJdDP.exe
| MD5 | 376497affb2ba99b8f94fdfae4d40936 |
| SHA1 | da06ca4472c568db662c8e17d132f3f022ef04a4 |
| SHA256 | 3adb9e03d276a13bfd7026e38d3ee6a135f7d359cda7b2960daf4f2cde894ee5 |
| SHA512 | 7d38174f9bb3d96c17e135a2a41b07fd07aee30f08117ff4df4908d79d3f5907d7d159b3582dd939e97a67bc14edd8822d0be2ed27f3d60baa2a1eb71122b42e |
memory/1616-112-0x00007FF7FDA80000-0x00007FF7FDDD4000-memory.dmp
memory/3300-109-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp
memory/3708-97-0x00007FF7CA1E0000-0x00007FF7CA534000-memory.dmp
C:\Windows\System\vMjvesf.exe
| MD5 | 0064dd16f456190f8858e5624f76d11c |
| SHA1 | c52deab81090351dcedc90a08b368d1525cbda3b |
| SHA256 | f3134f6f004af7d29478349880f06644dd20d1361b1885a6cb400c40f887a671 |
| SHA512 | ca3dee7fd5df62dcfd08530b14208d455fda1fb2c21fc47eb56416767794b1341db2bca2cd8bcaef1e5f023fb176b79eccd4037570c5ca948a769ccc77102861 |
memory/4896-130-0x00007FF729280000-0x00007FF7295D4000-memory.dmp
memory/752-131-0x00007FF7E17D0000-0x00007FF7E1B24000-memory.dmp
memory/4728-132-0x00007FF717E70000-0x00007FF7181C4000-memory.dmp
memory/1196-133-0x00007FF7D9690000-0x00007FF7D99E4000-memory.dmp
memory/3708-134-0x00007FF7CA1E0000-0x00007FF7CA534000-memory.dmp
memory/1068-135-0x00007FF657F10000-0x00007FF658264000-memory.dmp
memory/2116-136-0x00007FF7458A0000-0x00007FF745BF4000-memory.dmp
memory/1596-137-0x00007FF7B4470000-0x00007FF7B47C4000-memory.dmp
memory/4900-139-0x00007FF7F23A0000-0x00007FF7F26F4000-memory.dmp
memory/1448-138-0x00007FF709F30000-0x00007FF70A284000-memory.dmp
memory/3412-140-0x00007FF7D1DC0000-0x00007FF7D2114000-memory.dmp
memory/4756-141-0x00007FF6E4E20000-0x00007FF6E5174000-memory.dmp
memory/2448-142-0x00007FF66B6D0000-0x00007FF66BA24000-memory.dmp
memory/2364-143-0x00007FF660400000-0x00007FF660754000-memory.dmp
memory/1616-144-0x00007FF7FDA80000-0x00007FF7FDDD4000-memory.dmp
memory/1728-145-0x00007FF708590000-0x00007FF7088E4000-memory.dmp
memory/1988-146-0x00007FF70C4A0000-0x00007FF70C7F4000-memory.dmp
memory/4108-147-0x00007FF79D010000-0x00007FF79D364000-memory.dmp
memory/4896-148-0x00007FF729280000-0x00007FF7295D4000-memory.dmp
memory/4656-149-0x00007FF712750000-0x00007FF712AA4000-memory.dmp
memory/1996-150-0x00007FF7B0480000-0x00007FF7B07D4000-memory.dmp
memory/4728-151-0x00007FF717E70000-0x00007FF7181C4000-memory.dmp
memory/1196-152-0x00007FF7D9690000-0x00007FF7D99E4000-memory.dmp
memory/3300-154-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp
memory/3708-153-0x00007FF7CA1E0000-0x00007FF7CA534000-memory.dmp
memory/1068-155-0x00007FF657F10000-0x00007FF658264000-memory.dmp
memory/1596-156-0x00007FF7B4470000-0x00007FF7B47C4000-memory.dmp
memory/2116-157-0x00007FF7458A0000-0x00007FF745BF4000-memory.dmp
memory/752-158-0x00007FF7E17D0000-0x00007FF7E1B24000-memory.dmp
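The Processes list, the Network table and the Files section above are the material a responder turns into hunting indicators: the dropped-file naming pattern, the C2 endpoint and how often it was contacted, the per-file digests, and the size of every dumped memory region. The script below is an added example, not part of the sandbox report or of any vendor tooling. Its REPORT string is a constructed excerpt copied from those three sections (with one Network row kept in the raw report's misaligned form and one in corrected form, to show the parser tolerates both); the section names, the seven-letter drop-name regex and all function names are the example's own assumptions.

```python
"""Turn the Processes, Network and Files sections of this report into hunting
indicators. Added example, not part of the sandbox report or any vendor tool:
REPORT is a constructed excerpt copied from the sections above; the section
names, the 7-letter drop-name pattern and the function names are assumptions."""
import re
from collections import Counter

REPORT = r"""
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_33e192cf04d97d9578558215350eafe7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RlMgCXu.exe
C:\Windows\System\RlMgCXu.exe
C:\Windows\System\CImliPC.exe
C:\Windows\System\CImliPC.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4164-0-0x00007FF648260000-0x00007FF6485B4000-memory.dmp
memory/4164-1-0x0000018489340000-0x0000018489350000-memory.dmp
C:\Windows\System\RlMgCXu.exe
| MD5 | 7fbe0804d09f033ced6da44582edf00f |
| SHA256 | 7cd68a2d67db2c1d9c744dd7d9b113554003ac59009ddcd97dcb464271ee6685 |
C:\Windows\System\CImliPC.exe
| MD5 | 0cf38df7605baa990dfbffa4a8d421a1 |
| SHA256 | 216d42b005e01fdcf8f1dfbaa4cee9f6fbf263ef4679eb1295c0aa12c155d699 |
memory/1448-6-0x00007FF709F30000-0x00007FF70A284000-memory.dmp
memory/4164-62-0x00007FF648260000-0x00007FF6485B4000-memory.dmp
"""

SECTIONS = ("Processes", "Network", "Files")
# Drops in this report: exactly seven letters under C:\Windows\System\ (assumed pattern)
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
DEST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def sections(report):
    """Split the report into {section name: [non-empty stripped lines]}."""
    out, cur = {}, None
    for line in report.splitlines():
        s = line.strip()
        if s in SECTIONS:
            cur = s
            out[cur] = []
        elif cur and s:
            out[cur].append(s)
    return out

def dropped_paths(rows):
    """Unique image paths matching DROP_RE; the command-line echo of each path collapses onto it."""
    seen = []
    for row in rows:
        path = row.strip('"')
        if DROP_RE.match(path) and path not in seen:
            seen.append(path)
    return seen

def c2_endpoints(rows):
    """Connection attempts per (destination, proto). Cells are picked by shape, not by
    column, so the raw report's misaligned rows (proto under Domain) parse like fixed ones."""
    counts = Counter()
    for row in rows:
        cells = [c.strip() for c in row.strip("|").split("|")]
        dest = next((c for c in cells if DEST_RE.match(c)), None)
        proto = next((c for c in cells if c in ("tcp", "udp")), None)
        if dest and proto:
            counts[(dest, proto)] += 1
    return counts

def file_hashes(rows):
    """{dropped path: {algorithm: digest}} from the per-file hash tables."""
    hashes, current = {}, None
    for row in rows:
        m = HASH_RE.match(row)
        if m and current:
            hashes.setdefault(current, {})[m.group(1)] = m.group(2)
        elif not row.startswith("|") and not DUMP_RE.match(row):
            current = row  # a bare path line names the file the next rows hash
    return hashes

def dump_regions(rows):
    """Sorted (pid, start, size) per dumped region; the same range dumped twice counts once."""
    regions = set()
    for row in rows:
        m = DUMP_RE.match(row)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.add((int(m.group(1)), start, end - start))
    return sorted(regions)

def region_size_histogram(regions):
    """Distinct regions per size; one size recurring across many pids is the cue to compare dumps."""
    return Counter(size for _, _, size in regions)

if __name__ == "__main__":
    s = sections(REPORT)
    print("dropped:", dropped_paths(s["Processes"]))
    print("c2:", dict(c2_endpoints(s["Network"])))
    print("sha256:", [h.get("SHA256") for h in file_hashes(s["Files"]).values()])
    print("sizes:", {hex(k): v for k, v in region_size_histogram(dump_regions(s["Files"])).items()})
```

Run stand-alone it prints the drop paths, the C2 endpoint with its attempt count, the SHA256 IOCs and a size histogram of the dumped regions. The histogram is the part worth keeping: every main-image dump in this report spans 0x354000 bytes even though the 21 drops carry 21 different digests, which is a lead that the drops are one image written out under changing hashes rather than distinct payloads. Treat it as something to confirm by diffing the dumps, not as a conclusion.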