Analysis Overview
SHA256
7b37ee6b0b65e1d4a1a6b358af460c9800ca7eb65dac2824bbe3f39d878dda0f
Threat Level: Known bad
The file 2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
xmrig
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:01
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:01
Reported
2024-05-22 21:04
Platform
win7-20240221-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IuaYwzH.exe | N/A |
| N/A | N/A | C:\Windows\System\mXztLIq.exe | N/A |
| N/A | N/A | C:\Windows\System\ydWQDkN.exe | N/A |
| N/A | N/A | C:\Windows\System\OMxLHof.exe | N/A |
| N/A | N/A | C:\Windows\System\YCxgIAz.exe | N/A |
| N/A | N/A | C:\Windows\System\nlbyoJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\cNwXNwh.exe | N/A |
| N/A | N/A | C:\Windows\System\nMegjhg.exe | N/A |
| N/A | N/A | C:\Windows\System\BNrvURr.exe | N/A |
| N/A | N/A | C:\Windows\System\fuddDum.exe | N/A |
| N/A | N/A | C:\Windows\System\IWGkwDl.exe | N/A |
| N/A | N/A | C:\Windows\System\KINKTRo.exe | N/A |
| N/A | N/A | C:\Windows\System\uVAGXLs.exe | N/A |
| N/A | N/A | C:\Windows\System\KgyGmHj.exe | N/A |
| N/A | N/A | C:\Windows\System\bOQiFPA.exe | N/A |
| N/A | N/A | C:\Windows\System\YGUjFWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YOMksYz.exe | N/A |
| N/A | N/A | C:\Windows\System\sWTVtQg.exe | N/A |
| N/A | N/A | C:\Windows\System\MVGyave.exe | N/A |
| N/A | N/A | C:\Windows\System\uGOmlgt.exe | N/A |
| N/A | N/A | C:\Windows\System\cHUeMsO.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\mXztLIq.exe
C:\Windows\System\mXztLIq.exe
C:\Windows\System\IuaYwzH.exe
C:\Windows\System\IuaYwzH.exe
C:\Windows\System\ydWQDkN.exe
C:\Windows\System\ydWQDkN.exe
C:\Windows\System\OMxLHof.exe
C:\Windows\System\OMxLHof.exe
C:\Windows\System\YCxgIAz.exe
C:\Windows\System\YCxgIAz.exe
C:\Windows\System\cNwXNwh.exe
C:\Windows\System\cNwXNwh.exe
C:\Windows\System\nlbyoJJ.exe
C:\Windows\System\nlbyoJJ.exe
C:\Windows\System\bOQiFPA.exe
C:\Windows\System\bOQiFPA.exe
C:\Windows\System\nMegjhg.exe
C:\Windows\System\nMegjhg.exe
C:\Windows\System\YGUjFWZ.exe
C:\Windows\System\YGUjFWZ.exe
C:\Windows\System\BNrvURr.exe
C:\Windows\System\BNrvURr.exe
C:\Windows\System\YOMksYz.exe
C:\Windows\System\YOMksYz.exe
C:\Windows\System\fuddDum.exe
C:\Windows\System\fuddDum.exe
C:\Windows\System\sWTVtQg.exe
C:\Windows\System\sWTVtQg.exe
C:\Windows\System\IWGkwDl.exe
C:\Windows\System\IWGkwDl.exe
C:\Windows\System\MVGyave.exe
C:\Windows\System\MVGyave.exe
C:\Windows\System\KINKTRo.exe
C:\Windows\System\KINKTRo.exe
C:\Windows\System\uGOmlgt.exe
C:\Windows\System\uGOmlgt.exe
C:\Windows\System\uVAGXLs.exe
C:\Windows\System\uVAGXLs.exe
C:\Windows\System\cHUeMsO.exe
C:\Windows\System\cHUeMsO.exe
C:\Windows\System\KgyGmHj.exe
C:\Windows\System\KgyGmHj.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\uVAGXLs.exe
| MD5 | a9b015b04bc9b285fae94b4eb758e620 |
| SHA1 | 9df1030dfc0606b473627a75badbe8500683bda7 |
| SHA256 | a470adfa20d9009352312c0765e2f3764594e97133d44ce738358b3cbcbff621 |
| SHA512 | b9703192051ea16ca3579e3a0aadfa1610e5f66f51c17a6deacae73f775bdf25a392c1f3db3a0602f3c7e2fee40bd87a2bde53873acdc634c79082a03ba9a019 |
\Windows\system\cHUeMsO.exe
| MD5 | 6d498d1afa853a35ab29df505cbb322a |
| SHA1 | 4841c189c87d777df83a14455295493f0b4734e8 |
| SHA256 | 5cf4dfa73c148ade5bc7d4af89ba8dc57b3eb4ebd1f50ed52c69dfc014ddb61d |
| SHA512 | 9807a66be8ce3b4dfb0cde820a4c7588a05fd647ea810b025d00d7b822b2b37127faecb1593558332a15c6f9e890732b893297e79871369711a4bc9968ff0492 |
memory/2912-98-0x000000013F220000-0x000000013F571000-memory.dmp
C:\Windows\system\KINKTRo.exe
| MD5 | b8886a8d34f622468bf2edbfecd9ea1f |
| SHA1 | bc562a8310b289cfbc3d52d9639db3794919fb2f |
| SHA256 | 097b6b66f21ad936b729e16e9d1d450e68dcbe33cecdae9244240eadb54fafb9 |
| SHA512 | b073bf22cede13dcf817a99c768c4831e5e4d8d84fa77724880f741bb5373512dd96b3d77ddcc3ca796b593a864696c35116c9997c7c34df1c8246978a6231eb |
\Windows\system\uGOmlgt.exe
| MD5 | 126b9c13674b3ed161e82bf8c1dcc984 |
| SHA1 | 644f92e589c134ad5ed6baa19252b3f87aa436b5 |
| SHA256 | d127d7707277032863965c4a3dba68fc7a2bc86c8ab5595faea7ae1469d4a06c |
| SHA512 | e82d4741e5f35438a2fac94f7cc105e232ebb30994b75651de0da62dffd57d32c0d35611e5b31420f612e438def4f7548520244ad1a587b114f5ad776ba8838d |
\Windows\system\MVGyave.exe
| MD5 | ad4721ec0af71226f5a3ec6cec8059fd |
| SHA1 | bb303490307a4def1e1f5dc0656861c636137ea7 |
| SHA256 | 3f92aed943214bef1588012019d19b9fda73512ae06831c2cfb87de8490fdce7 |
| SHA512 | 31405992952851bacf6ddaeaf49ee0343734432cc4a4f7e0de6d1dce01d1269d5a75369fc9360a22cee2d73bff6eeb57ac31734f22a02f7d33543dc80921f9f3 |
\Windows\system\sWTVtQg.exe
| MD5 | a0a654f5f68f346a8a3936ca6bd20784 |
| SHA1 | 7d7feb819d789ba933d344df06ddbedfec4f7ede |
| SHA256 | 275367199ca6048df16c1eca02c92321fd4df0c7d5b28073bbdc5ca0e5301e92 |
| SHA512 | 902e3c00771edad38d7967b1deea03a6b8bb81c6d9c138539e98d4b72cfb8a602d99e63db383d71819a702c27feaee7a1f86ebbdcd8e2374cbf8133b6a3a13d7 |
memory/2912-71-0x00000000023D0000-0x0000000002721000-memory.dmp
\Windows\system\YOMksYz.exe
| MD5 | 1fe614006f1e31233efb72e5da69e4c4 |
| SHA1 | ea5cc5cbb806021c3bcfa3dd640d08d0242b6262 |
| SHA256 | 6e4082bd654d9b5bdb5129f40c16e45b019bff5c8d202d26b94c6ab661b207aa |
| SHA512 | a9a9d0d0aa8cb151e5877d69f7959294be196797aabcbf321413882ffa5bfe5708a5066866f0f36609d41ef6c79fa8abf64ff5af5bed3c273a9ccf63122b64f9 |
C:\Windows\system\nMegjhg.exe
| MD5 | c290687c6e61a4ad2ba615c30d18288e |
| SHA1 | 55ecacd0abcff676e17185421aa320abe1be7ac3 |
| SHA256 | 92b370d4173f6c70fc860e149239eaa601dfc2c8094a562512a0094ea0a1134c |
| SHA512 | 309006eb750a297aff21910bb339b4e797cec578152df73ed4f0fc1b744a451299c9bb6f87e6aa34d22e6dff769e0b683d40e40b7c17971e59cbaff3b3b674b4 |
\Windows\system\YGUjFWZ.exe
| MD5 | 31a4547f15987b51a4c503ddea1ea600 |
| SHA1 | f77a71c42b5542b5ca1bd8bc468a60565d184c7e |
| SHA256 | 3eb26138066928f843e76c98b5468757bf5559e68a5554b2c676e25e4bc66f5b |
| SHA512 | 85954c4e3e821ab6cde5e53981ab41313f5e59f8f8f41e75c20552a6ac8991a32fa7ba46aa9f1da6abfa1078eb2386d82f674e421c558b2711d13b23fcef4cd5 |
memory/2856-53-0x000000013FCC0000-0x0000000140011000-memory.dmp
\Windows\system\bOQiFPA.exe
| MD5 | 63c48b5ebbba5f957e38e0765469aa64 |
| SHA1 | f80a01d1715e77ffb843a86d173087e4b2a0f06f |
| SHA256 | e6310c5a76da06cd6fd9717422bb8b63c200b9b65f0bddb043892125f960e543 |
| SHA512 | e19272af00f06860c1db6a3f50f6657ef14765e0d0baaa7595f8f7f4d57a5983a2e94af1f8ea6cb1d7bb119390ba7d2f932fd2a59bce2367954b67e7e22fe0eb |
memory/2612-116-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/2756-115-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2912-114-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/868-33-0x000000013F5D0000-0x000000013F921000-memory.dmp
\Windows\system\cNwXNwh.exe
| MD5 | cc11b81f2122ab455e10ec5426cdfbc4 |
| SHA1 | bd1969d5cbb3d35ccd509d5a5197da3039096641 |
| SHA256 | b83459bfc016fc276b5483f84cd9817b415d086cb7faa7a6cd8d5ec9411ff4d5 |
| SHA512 | edb76b4e6f62cfabb961847f94f5641f97866209940cdce81da87efe3b058b5284ada4edd0142b9221039840e715c711bec9ba151b52c4131d17fc5ad494bd74 |
memory/2912-113-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2912-112-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/2912-111-0x00000000023D0000-0x0000000002721000-memory.dmp
C:\Windows\system\KgyGmHj.exe
| MD5 | 43034e31bb8d08fa4afb6575b04bd17c |
| SHA1 | 89e962da798d9f587096605e601ae7501d7279b0 |
| SHA256 | 11519b9bce61d70e06b08d8a96d3b00ef711837772a4f5c961531d3875d512e3 |
| SHA512 | 2f83e7d6334601b293b3d30f192edcf5131eda512705c30e87c0de5ed43a7b69535b2f6cc1cb6cc010111aac843d0d928a853fd38b0f3981ab84ea0adfbc9ffc |
memory/2912-102-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2652-91-0x000000013F970000-0x000000013FCC1000-memory.dmp
C:\Windows\system\IWGkwDl.exe
| MD5 | 11389b8a3b5f084fd0b0dcf2fbd88de4 |
| SHA1 | c96dda13a7c3fc22059964cde02bceaaad4a7399 |
| SHA256 | 214f9c63516adef6699f9eaf7327bce66e67a3b8a243079d6d5da805793f3e75 |
| SHA512 | 05c474ae6642ed895004a3423797772cb35fa869d948a8635cdfd6b70641f4bbbc57d41ef6f66c9752007d275383775317de3698711506c9b8c9812c6253da4f |
memory/2912-83-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2912-124-0x000000013FAB0000-0x000000013FE01000-memory.dmp
C:\Windows\system\fuddDum.exe
| MD5 | 784728bb45155ac69b035043db0d1f0b |
| SHA1 | 991d67db10a9b33892f3ac9c4bd06440987af12f |
| SHA256 | 1fb66f8b1f860b3c921c29fd274870d313a88123cb6a15592614ed12c72f60c8 |
| SHA512 | 8a70c315f4a3311c5c9656080efa34cad42c7b0b9ce6dd049692824538481a0648efedb5e3af719edde2a470f52f0829e4f4b4fa5887b5452033276a3ac7f20e |
memory/2900-67-0x000000013F440000-0x000000013F791000-memory.dmp
C:\Windows\system\BNrvURr.exe
| MD5 | ba67e053681252c692524681efdcffd4 |
| SHA1 | 79e33944d8d5b3f8ff2fedefc96a3155442b374b |
| SHA256 | 3f54f985d00763bfddcf817d7f560a13d6fbd5f6018b203c1080b1ed64574b94 |
| SHA512 | 8d0b97191741c79671bf9707d4d8694b63d1499f309ee84468a7180e42fb8e4907d02987bdf5f1b33db652e5152e9f21b12b3f33f9c2d023b02929e8c376c898 |
memory/2912-65-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/2912-48-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/2912-47-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/2912-46-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/2912-45-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2912-44-0x00000000023D0000-0x0000000002721000-memory.dmp
memory/3012-43-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/1108-42-0x000000013FC60000-0x000000013FFB1000-memory.dmp
C:\Windows\system\YCxgIAz.exe
| MD5 | d088059347ac43201a3ea7bd67018ab0 |
| SHA1 | 911c4535ecba3a9ce76ca3cc31c96864b10c01cb |
| SHA256 | a2afc512b58096a9ed3d7181890f425a89572ed6b09874000f4fa860b6f3e510 |
| SHA512 | ba364642981ffd4a43bfbd6c44fa4f26ae6a3e16df391c73e8648ab2a7497fbb7e2bdd8cd36e75c720afa5f5167fa13b2b5c4150b20bfb951924bf583c720506 |
memory/284-38-0x000000013F410000-0x000000013F761000-memory.dmp
C:\Windows\system\nlbyoJJ.exe
| MD5 | 80aab291fe99bad6aa96e08034c30ba8 |
| SHA1 | 02602ec8f230dcc527d03f1b828a490fa3dcb32c |
| SHA256 | 8ba9a30a9f0d1699caaca36e3cc50c0f5bd9b5757da3b1c0c4dae39cee78ab64 |
| SHA512 | 0d384f6826235d1be3a8d6c3dfaa2176a39abe91381671f8af5e5146c89cb5794d9b859eec01fadc06d65df86d5e9baa358c6bc06384208ec3123e421f5d6d1b |
memory/1108-129-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2752-145-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2652-141-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/2432-152-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2964-154-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/2488-153-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2476-151-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2848-150-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2436-149-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2556-140-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2600-138-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/2572-142-0x000000013F220000-0x000000013F571000-memory.dmp
memory/284-128-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2912-29-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/780-28-0x000000013FB50000-0x000000013FEA1000-memory.dmp
C:\Windows\system\OMxLHof.exe
| MD5 | 8787b3f4d5f5dfdbbd7e2b0b12582a5a |
| SHA1 | cbcf6bd8ab2544c47983ec1ecb4e2f9c3680fb51 |
| SHA256 | b32d6d04c08f89fd0b344a33c428ee18265f0cf55053373785447d66b0413643 |
| SHA512 | e792a0f185be693540b7e09f2f7f8ac98c7bc29376f6650071b8de43490679d24836a3245434229ce6d7800e93622e2652e561aaed67a4e4ed018dc1e97dc024 |
memory/2504-21-0x000000013FB10000-0x000000013FE61000-memory.dmp
C:\Windows\system\ydWQDkN.exe
| MD5 | c2b86a8ae861353964d3d80fe065b18b |
| SHA1 | c9857876178317733d2d1830d5e0cf4a0ccb4634 |
| SHA256 | 68188a394ec97f7d8949cae932918beb7cb656c68e696514c462b499584c8ed5 |
| SHA512 | decb5b2b51ba7dd0ba7fc1bc0b9bef38a3d5d96a0aa8b51f576ba8f6a02c72faa5b58c0ca48caf181d99e20edfb31bc18588854a4dd45b73065e7a1c981dccf5 |
memory/2912-16-0x00000000023D0000-0x0000000002721000-memory.dmp
C:\Windows\system\mXztLIq.exe
| MD5 | 51e111bdd1fabca2b8a881d6ff07a5d2 |
| SHA1 | 690ac57e55b473792024fe284dec1d4010a0ea9e |
| SHA256 | 6d813358b2bebdeae7066ea9ae8cc30e9fc680e95919352b5c3d1f2076095e2f |
| SHA512 | 3d5f8d5da63223df8ddc8159547ca47ffeec88de5e3272f51fb93702619e3ba3b06239b8da829831d788fbabe43c666a1cd935fcaecaa99d69513fe83e5d06ab |
C:\Windows\system\IuaYwzH.exe
| MD5 | 72cf88be5697fc374fe42d4b6ec30dbf |
| SHA1 | 341b463226d644ce48fd32ae191b8eb1898342bd |
| SHA256 | e4d8e30009f48f498fe7a863ea71b8a5d69105b81488a4579f1dec8f3d39e5c1 |
| SHA512 | 7fcb42e64fe766d5e3323b357952c32d2b0227de8199ab203b09d1d2f465ca3fb96396b3834498ce5d98cfd45cdbf9e32fe87bf5a6c22b3fc116fb1572ca304d |
memory/2912-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2912-0-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2912-155-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2912-156-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2856-162-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/2504-202-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/780-204-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/868-206-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/284-209-0x000000013F410000-0x000000013F761000-memory.dmp
memory/3012-210-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/1108-212-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2900-214-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2756-230-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2612-233-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/2652-248-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/2856-257-0x000000013FCC0000-0x0000000140011000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:01
Reported
2024-05-22 21:03
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZqHQwNc.exe | N/A |
| N/A | N/A | C:\Windows\System\uCAQoWz.exe | N/A |
| N/A | N/A | C:\Windows\System\WKJwumA.exe | N/A |
| N/A | N/A | C:\Windows\System\yEaMbZd.exe | N/A |
| N/A | N/A | C:\Windows\System\DiRJilN.exe | N/A |
| N/A | N/A | C:\Windows\System\KLeTBak.exe | N/A |
| N/A | N/A | C:\Windows\System\IJuRcGg.exe | N/A |
| N/A | N/A | C:\Windows\System\FWPqJqK.exe | N/A |
| N/A | N/A | C:\Windows\System\mmEPKxh.exe | N/A |
| N/A | N/A | C:\Windows\System\MvLscGN.exe | N/A |
| N/A | N/A | C:\Windows\System\HBTIMBL.exe | N/A |
| N/A | N/A | C:\Windows\System\gOeeMzA.exe | N/A |
| N/A | N/A | C:\Windows\System\NUJiKYa.exe | N/A |
| N/A | N/A | C:\Windows\System\rsxCNDT.exe | N/A |
| N/A | N/A | C:\Windows\System\VNXBzFN.exe | N/A |
| N/A | N/A | C:\Windows\System\cOJhpSb.exe | N/A |
| N/A | N/A | C:\Windows\System\wxiKUcL.exe | N/A |
| N/A | N/A | C:\Windows\System\xVDfFtO.exe | N/A |
| N/A | N/A | C:\Windows\System\uHzHtoT.exe | N/A |
| N/A | N/A | C:\Windows\System\bJoPiHC.exe | N/A |
| N/A | N/A | C:\Windows\System\RGTiXXM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b501b57859a4045fe155e120900df2ab_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZqHQwNc.exe
C:\Windows\System\ZqHQwNc.exe
C:\Windows\System\uCAQoWz.exe
C:\Windows\System\uCAQoWz.exe
C:\Windows\System\WKJwumA.exe
C:\Windows\System\WKJwumA.exe
C:\Windows\System\yEaMbZd.exe
C:\Windows\System\yEaMbZd.exe
C:\Windows\System\DiRJilN.exe
C:\Windows\System\DiRJilN.exe
C:\Windows\System\KLeTBak.exe
C:\Windows\System\KLeTBak.exe
C:\Windows\System\IJuRcGg.exe
C:\Windows\System\IJuRcGg.exe
C:\Windows\System\FWPqJqK.exe
C:\Windows\System\FWPqJqK.exe
C:\Windows\System\mmEPKxh.exe
C:\Windows\System\mmEPKxh.exe
C:\Windows\System\MvLscGN.exe
C:\Windows\System\MvLscGN.exe
C:\Windows\System\HBTIMBL.exe
C:\Windows\System\HBTIMBL.exe
C:\Windows\System\gOeeMzA.exe
C:\Windows\System\gOeeMzA.exe
C:\Windows\System\NUJiKYa.exe
C:\Windows\System\NUJiKYa.exe
C:\Windows\System\rsxCNDT.exe
C:\Windows\System\rsxCNDT.exe
C:\Windows\System\VNXBzFN.exe
C:\Windows\System\VNXBzFN.exe
C:\Windows\System\cOJhpSb.exe
C:\Windows\System\cOJhpSb.exe
C:\Windows\System\wxiKUcL.exe
C:\Windows\System\wxiKUcL.exe
C:\Windows\System\xVDfFtO.exe
C:\Windows\System\xVDfFtO.exe
C:\Windows\System\uHzHtoT.exe
C:\Windows\System\uHzHtoT.exe
C:\Windows\System\bJoPiHC.exe
C:\Windows\System\bJoPiHC.exe
C:\Windows\System\RGTiXXM.exe
C:\Windows\System\RGTiXXM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
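The Network table above mixes three kinds of traffic: DNS queries to 8.8.8.8 (many of them reverse, `in-addr.arpa` lookups of the addresses the sample talked to), HTTPS sessions to Bing hosts, and repeated TCP sessions to 3.120.209.58:8080 for which no name was ever resolved. The following triage script is an added example, not part of the sandbox report; it parses rows in the table's layout, tolerates the rows whose Proto cell drifted into the Domain column, turns PTR names back into the IP they describe, and counts direct-to-IP TCP sessions. Two assumptions are built in: the `bing.com`/`bing.net` traffic is treated as Windows background noise of the sandbox image (no signature in the report references it), and a repeated, name-less TCP destination is reported as the candidate beacon endpoint rather than confirmed as C2. The sample rows are constructed in the shape of the table.

```python
from collections import Counter

# Constructed sample rows in the report's "| Country | Destination | Domain | Proto |"
# layout. Two rows reproduce the table's extraction defect (Proto shifted left into the
# Domain column, or a missing cell) so the parser has to cope with 3- and 4-cell rows.
SAMPLE_ROWS = [
    "| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |",
    "| DE | 3.120.209.58:8080 | tcp | |",
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 204.79.197.237:443 | g.bing.com | tcp |",
    "| NL | 23.62.61.88:443 | www.bing.com | tcp |",
    "| DE | 3.120.209.58:8080 | | tcp |",
    "| DE | 3.120.209.58:8080 | tcp |",
]

# Assumption for this example: Bing traffic is the sandbox's own Windows background
# noise and is bucketed separately instead of being counted as a C2 candidate.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
PTR_SUFFIX = ".in-addr.arpa"


def parse_row(line):
    """Return (country, dest, domain, proto) from one table row, tolerating rows where
    the proto cell has drifted left into the Domain column or a cell is missing."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3:
        raise ValueError(f"not a network row: {line!r}")
    country, dest, rest = cells[0], cells[1], cells[2:]
    proto = next((c for c in rest if c in ("tcp", "udp")), "")
    domain = next((c for c in rest if c and c not in ("tcp", "udp")), "")
    return country, dest, domain, proto


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217' (IPv4 reverse-lookup name)."""
    name = name.lower()
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name!r}")
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    return ".".join(reversed(labels))


def triage(rows):
    """Split the table into DNS queries, reverse lookups (PTR name -> IP), background
    noise, and direct-to-IP TCP sessions; the last bucket is where a beacon shows up."""
    result = {"dns": [], "ptr": {}, "background": Counter(), "direct_tcp": Counter()}
    for line in rows:
        _country, dest, domain, proto = parse_row(line)
        if dest.endswith(":53") and proto == "udp":
            result["dns"].append(domain)
            if domain.endswith(PTR_SUFFIX):
                result["ptr"][domain] = ptr_to_ip(domain)
            continue
        if domain.endswith(BACKGROUND_SUFFIXES):
            result["background"][dest] += 1
            continue
        if proto == "tcp" and not domain:
            result["direct_tcp"][dest] += 1
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_ROWS)
    for dest, n in t["direct_tcp"].most_common():
        print(f"direct TCP, never resolved by name: {dest} x{n}  <- candidate beacon")
    for name, ip in t["ptr"].items():
        print(f"reverse lookup {name} -> {ip}")
```

Run over the full table, the only destination that lands in the `direct_tcp` bucket is 3.120.209.58:8080, which is the endpoint to block and hunt for; the PTR names decode to the Bing/Microsoft addresses the sandbox itself contacted, which is why they carry no weight on their own.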
Files
memory/2068-0-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp
memory/2068-1-0x0000020640B30000-0x0000020640B40000-memory.dmp
C:\Windows\System\ZqHQwNc.exe
| MD5 | b938584f200f8a4f4a567b2a5689ce59 |
| SHA1 | 3edad355c3174a8194ebc9943f38491f9c19c1ce |
| SHA256 | 40ac2059719d16430430c339dfec526e15c0925d45ebe5eb2f797560987d1755 |
| SHA512 | 3b5fc600a419ad278f6ac47baea77b24ac9757f67e3e0e554eed8a95a80c0f15985dbcf9c654b4ea64a11e4d97212780a9608ab0a8375917288747af42ff7783 |
C:\Windows\System\uCAQoWz.exe
| MD5 | 7523adb3a708ca60393e9d8cf9db2724 |
| SHA1 | 545d563e5ea65ce7e2167bf43656cd887f5bdeaf |
| SHA256 | d40eb4f49af132d968fb8bab8259134a535c8ba31d513d7f6e4a340643bb25e8 |
| SHA512 | 9e5cce80498abb26fdc374bd495379a2fdb4fb275159fae0b347f986497bb19239bbb26f89feeea9bb36bdf2a386794459034cc993690671a9f1837f8d5cf28f |
C:\Windows\System\yEaMbZd.exe
| MD5 | 124e4007332c69e3ea7651083eb0d70a |
| SHA1 | 98694c9ad3d2fdb15a17c0b5f904d8a1ac30756c |
| SHA256 | 9499cdc8df208418aead6851c63967ca5d08c836bf6bd2f40f9f0b42b3d869a5 |
| SHA512 | 8121cb1f322108ec24816834761109fff14b95b260640a77774cd65e68b6f588023830f0d42a39b7e7617a48024da17a6a76af18fcc4279c7e55529dd3ed11df |
C:\Windows\System\WKJwumA.exe
| MD5 | 58f9de17e2a5090fb5f2063fc0008611 |
| SHA1 | de73670116f0649b165c673e04ba0afa01d5d075 |
| SHA256 | 7d3ca5313e28662f4548031897226df14f9fbb5a605f49da53fec4a99fc25d97 |
| SHA512 | 1eec883f97fbf192d6c21a1be334dc02404dd47d841da7fc87a4f0f7ccfcde97361d8f6be36f32c78b1626d4d5ca59c91d8a7a6db7b3368c1bb36f39519e7686 |
C:\Windows\System\DiRJilN.exe
| MD5 | 38798a6290118a5be2f4701c57556e41 |
| SHA1 | 9d07f734da5ea199e515a13a8e3392d64a76a5f6 |
| SHA256 | 0b23630ba3d1c383f57336a495fcab9ede6131c35b4be98c5d4bfeef845fd776 |
| SHA512 | 33632490a18d18601bf62a2769f20ca09c553f6bc598f97b3db69baa5183c166825339f76f572931d29b941c2bfff4a50d05195418cdd1829c7ba0f112c8945e |
C:\Windows\System\IJuRcGg.exe
| MD5 | 7feb6ded00ee23c9b53d76e53061e144 |
| SHA1 | 0d1b74d13315365916069c9772334669479eb879 |
| SHA256 | a1742ccf008e06462d6b5c29d36af13982c751932b264da04f58474f17ff737f |
| SHA512 | 574620150f6ad3c111364cd9d07b75edf9325943bc8c9d358f3033f082fb57434dc057678869cac32245129b3025d009f6b18df4ef35b95401eef96b4efdde69 |
memory/2908-50-0x00007FF6C73C0000-0x00007FF6C7711000-memory.dmp
C:\Windows\System\mmEPKxh.exe
| MD5 | cb5fc19ad5778e212210b6d31d638855 |
| SHA1 | 043aafb5cab245e2f60c70939c34462bf773c245 |
| SHA256 | 64940d46225046a2ab456f2b3624295f6389707bf50604e6c986e0704b578e00 |
| SHA512 | 13fc92d1fe26bb94292d24a6827248bf41db9aa249b3f8446ec2266fa1e1c8a89177be1edb6274a64baaeddcfecce482d59517d16bafbe233f20418b28fccebc |
C:\Windows\System\HBTIMBL.exe
| MD5 | 227a9f8268f7b048fabb2f54ca070a83 |
| SHA1 | c0d88ad5724f82d78856782457bf8e2a29d83ea7 |
| SHA256 | fdf958ef1c3e9ec9d78f2f4e29c27ca48850855670e8d2b3474eb877dcb68ca5 |
| SHA512 | 02629095b88a3f44572692724421a5a6e188d03fc896d6dbab09cd7496aa74f6cf8ae48ad5c23d55f8c564380a780e1b686aa65746bf73068d11ea98042646a4 |
memory/3600-62-0x00007FF7783E0000-0x00007FF778731000-memory.dmp
C:\Windows\System\FWPqJqK.exe
| MD5 | 0d806c08ef12fc9c2bcbf3da0d2d4e5f |
| SHA1 | 3b929878b531f18c042f740553e52d23a50673a6 |
| SHA256 | 7c11684db86d30a9f813688e7dbd14c860e7e04e39c412066c8bf71e69ff84f2 |
| SHA512 | f5e3eddb83d776930e5c7031971890e8438cd4f1530849d78e0e812c95b83d17163e786abdac80e41cec5f11aac73568e2f4cf34dbc8157ad8e67fb4884b63ac |
memory/4936-58-0x00007FF60B390000-0x00007FF60B6E1000-memory.dmp
C:\Windows\System\MvLscGN.exe
| MD5 | 7f81c1384552c0992499865c1bf5227c |
| SHA1 | 22e067edea35e8bf8ed1c616bc6d62c6c609a04b |
| SHA256 | 3f72cb8531d9962df5175e428d7362ae2e9c75402282b55e4578120de292f40f |
| SHA512 | 1064844ffe30189f3bfd92abdf35b7972f43af245f97add491e49538cb0355cbf5c8f4be0bffef7ddb5f0b143e1961ee0d5fd8c0b76e4e75d20d87828450d50d |
memory/3452-75-0x00007FF7DCF40000-0x00007FF7DD291000-memory.dmp
C:\Windows\System\wxiKUcL.exe
| MD5 | 3d624c5e1950bb6f274588616197fe6c |
| SHA1 | 3b2977ffcfd13af12bf033d5434d479ce37c8c77 |
| SHA256 | a2282adc29393f7cd883f0933ca5ecbb114ebc8b743a88ef509713c24bb6ae89 |
| SHA512 | ed888f6ffd9e7947fcdd5e288d54992f88a5f56ff2c674b8c0ff621aa15f31eee5c0454676b0bb5cb440c304f1d0194ab86c64a423676cbc39f22d8556a83e52 |
memory/372-108-0x00007FF74E9D0000-0x00007FF74ED21000-memory.dmp
memory/1916-118-0x00007FF628B40000-0x00007FF628E91000-memory.dmp
C:\Windows\System\bJoPiHC.exe
| MD5 | 0ddedbbc8053cbdb62b189a8f952df5f |
| SHA1 | b9c0acdda4c3c4138fd522a53af1585243e19b4e |
| SHA256 | 390f18a2a7fa70476e15f17602172948def3c0b4043c16b321f1ec085aaf7ba8 |
| SHA512 | 6d1597f64ac0cbd29dd04f6dcbc4f1c8e39f5dfc4178b68b3bd4176082043e5485b39311d566f15bb70c2ac6958c9a7a48f84afee13174155fa9643cf34314bc |
C:\Windows\System\uHzHtoT.exe
| MD5 | 5f7739fb50f6d3a5458fc8b3f19155a6 |
| SHA1 | f0a8a693b17a95209636d9636630a331dd6014a8 |
| SHA256 | 60ea7f3a75d7114fe5b741e133cb68e311cf46a876d09c19d83f0c08d759eb83 |
| SHA512 | 6485c262de336fc93f8573166e14bc17e3135c23964ea3f062f17781d6402290cf4b5e7f292ef42a2cb91a769aa8e0fb4b17ab24df621a7a4f62cffc3442e620 |
memory/8-117-0x00007FF60AEB0000-0x00007FF60B201000-memory.dmp
C:\Windows\System\xVDfFtO.exe
| MD5 | ea4022c6ec4dd060864555f9d3978602 |
| SHA1 | 547006436c58ba001c36fac1ea9b8821f17a3955 |
| SHA256 | 5f6192eee5f7592f7b270f7a51e726d27717e8539e76b1a18e54bdcb229bc5bb |
| SHA512 | 7711629e540dd8616ab22a90ffa8056831bf209e87caafb89a395c4eccc70fc9ed17b41e396f04d6ac711b21cc4586a71837378e0317a58add9e2df48bd800ac |
memory/3660-107-0x00007FF7A5860000-0x00007FF7A5BB1000-memory.dmp
memory/2068-103-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp
memory/1336-102-0x00007FF67A000000-0x00007FF67A351000-memory.dmp
C:\Windows\System\cOJhpSb.exe
| MD5 | 3b8018493e2fda57389b1993f1be6284 |
| SHA1 | 2892aea9adbd84cce34f832f99e375b96bdfbfdb |
| SHA256 | a647b253a57ea164cd944af2e44dd74c47d70085053f983be523afaad9eb25fb |
| SHA512 | ebb25bbf9dfd66bd57dbd6018fa366cff55a8dfb76d29c8e4f6b858aedc5943548fc47af05fac5cab858bb19193625d1fcbf05e02f01c079334d4f8525cd567b |
memory/3076-96-0x00007FF659D40000-0x00007FF65A091000-memory.dmp
C:\Windows\System\rsxCNDT.exe
| MD5 | b75dd4361249965b60d0ba9481ca8ddb |
| SHA1 | f9257cb8faaebc9e40912189489700acbb44771d |
| SHA256 | 4b4aee91f7bba4e194a943cbff0016a64354a99c1befcf604c0a4c7a0185f878 |
| SHA512 | b2287e304c8946edf66d36b3ba83ffcd61fb5db310bea14b5bffc24cdad35145750eda8602865192d26dc0f3d7daa43572b4e909bd11dcc37a9aecde1a12b4e7 |
C:\Windows\System\VNXBzFN.exe
| MD5 | 97e56e1f738c312b3acdc0e0178720ab |
| SHA1 | 157184a1c7418e54b8edfa2e43433336dd11c4d8 |
| SHA256 | 5558bea662639f3963c2cc69b827920fcd728faacfe9dc3d77e388a5f6d42541 |
| SHA512 | fa2b229ca697419595d2b0f5cd2edcf52401b143ab2b5e8d643c32700f2f6a6049a06ae6b0e2e8146ccd683d7291c09f520908b10506076dbd7bd65f135c23bd |
memory/2272-90-0x00007FF75DCF0000-0x00007FF75E041000-memory.dmp
memory/4264-88-0x00007FF7E6D90000-0x00007FF7E70E1000-memory.dmp
memory/5008-79-0x00007FF7B8E60000-0x00007FF7B91B1000-memory.dmp
C:\Windows\System\gOeeMzA.exe
| MD5 | 4d7d9287612d2d9190d0f2a08593872c |
| SHA1 | 415552ae4cb8f1a5aaf7fe2eea5e29b0765662e9 |
| SHA256 | 1b8d86af3ee087341cc01a7bb8aa53c0817ef38909197c1f73413bd74e196d66 |
| SHA512 | 3c65fe4dc8e36251e963322cac3e4111283821198785a1aefd14cc30cc5a7e15f78c436bda4fa1f2a6fe5ca5184552f403016fd940df4f2bcefcf3d774efaa98 |
memory/1360-76-0x00007FF6B03B0000-0x00007FF6B0701000-memory.dmp
C:\Windows\System\NUJiKYa.exe
| MD5 | 1317754879d80151c5f5e2f993778a35 |
| SHA1 | 510caaddd35144222c8aa53479db292ef7ccbef4 |
| SHA256 | 01553361a3d5b250b50a7018304cd7f1ad655bf99206545f4be5793924521c64 |
| SHA512 | 0dd4d32023e97684672818fbcaa3faedf8d848cbed287b05780ffc23f4c2b3285ecd366a007258e7cab39493ec23d77e7450664a554c4cf755f5959263200580 |
memory/3624-42-0x00007FF6A5E90000-0x00007FF6A61E1000-memory.dmp
C:\Windows\System\KLeTBak.exe
| MD5 | d70353bbacc56b240ca4195517262154 |
| SHA1 | a7e0ce11e959ec1f83fcd28eb269d4e669dd178e |
| SHA256 | c707e67ca6c6e7f806d41c2e1400cfc8f8fbda19163c21eca02ba23c00e50ae8 |
| SHA512 | 37d5f5cc0f6efcb2586dda5661b598bc954d59f0ce61c565edb810daeb993267c67fbbb102308666728a5779fbf6130052e2ed65689b55a50daf425d4bc869df |
memory/2504-34-0x00007FF603C30000-0x00007FF603F81000-memory.dmp
memory/2540-27-0x00007FF7FA610000-0x00007FF7FA961000-memory.dmp
memory/888-18-0x00007FF691F60000-0x00007FF6922B1000-memory.dmp
memory/4952-17-0x00007FF67E650000-0x00007FF67E9A1000-memory.dmp
memory/8-10-0x00007FF60AEB0000-0x00007FF60B201000-memory.dmp
C:\Windows\System\RGTiXXM.exe
| MD5 | 6dfe5f12bb488a3a1172c37c713776c2 |
| SHA1 | a69ec947ad27912746686c896b5c162342c6cd6c |
| SHA256 | 44cca416e12b759b451c6030e27cad93d8ba675ffd0162cfe65ef8609d16833b |
| SHA512 | 6a739f86b9de85d21998ce4744138193ebde3d9ef128e82cbafc05341cc115d80d60437436b3bc6a738cadcaefb1539fef311ae8226e129556a94818a86c81ff |
memory/3372-126-0x00007FF63EA70000-0x00007FF63EDC1000-memory.dmp
memory/888-129-0x00007FF691F60000-0x00007FF6922B1000-memory.dmp
memory/4496-130-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp
memory/2540-131-0x00007FF7FA610000-0x00007FF7FA961000-memory.dmp
memory/3452-142-0x00007FF7DCF40000-0x00007FF7DD291000-memory.dmp
memory/3076-148-0x00007FF659D40000-0x00007FF65A091000-memory.dmp
memory/1916-151-0x00007FF628B40000-0x00007FF628E91000-memory.dmp
memory/372-150-0x00007FF74E9D0000-0x00007FF74ED21000-memory.dmp
memory/2272-146-0x00007FF75DCF0000-0x00007FF75E041000-memory.dmp
memory/1360-145-0x00007FF6B03B0000-0x00007FF6B0701000-memory.dmp
memory/1336-149-0x00007FF67A000000-0x00007FF67A351000-memory.dmp
memory/4936-141-0x00007FF60B390000-0x00007FF60B6E1000-memory.dmp
memory/4264-144-0x00007FF7E6D90000-0x00007FF7E70E1000-memory.dmp
memory/3600-140-0x00007FF7783E0000-0x00007FF778731000-memory.dmp
memory/2908-139-0x00007FF6C73C0000-0x00007FF6C7711000-memory.dmp
memory/3624-138-0x00007FF6A5E90000-0x00007FF6A61E1000-memory.dmp
memory/2068-132-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp
memory/2068-154-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp
memory/8-205-0x00007FF60AEB0000-0x00007FF60B201000-memory.dmp
memory/4952-207-0x00007FF67E650000-0x00007FF67E9A1000-memory.dmp
memory/888-209-0x00007FF691F60000-0x00007FF6922B1000-memory.dmp
memory/2540-211-0x00007FF7FA610000-0x00007FF7FA961000-memory.dmp
memory/2504-213-0x00007FF603C30000-0x00007FF603F81000-memory.dmp
memory/3624-215-0x00007FF6A5E90000-0x00007FF6A61E1000-memory.dmp
memory/2908-217-0x00007FF6C73C0000-0x00007FF6C7711000-memory.dmp
memory/4936-219-0x00007FF60B390000-0x00007FF60B6E1000-memory.dmp
memory/3600-221-0x00007FF7783E0000-0x00007FF778731000-memory.dmp
memory/3452-223-0x00007FF7DCF40000-0x00007FF7DD291000-memory.dmp
memory/5008-225-0x00007FF7B8E60000-0x00007FF7B91B1000-memory.dmp
memory/1360-228-0x00007FF6B03B0000-0x00007FF6B0701000-memory.dmp
memory/4264-229-0x00007FF7E6D90000-0x00007FF7E70E1000-memory.dmp
memory/2272-233-0x00007FF75DCF0000-0x00007FF75E041000-memory.dmp
memory/3660-231-0x00007FF7A5860000-0x00007FF7A5BB1000-memory.dmp
memory/3076-235-0x00007FF659D40000-0x00007FF65A091000-memory.dmp
memory/1336-237-0x00007FF67A000000-0x00007FF67A351000-memory.dmp
memory/372-239-0x00007FF74E9D0000-0x00007FF74ED21000-memory.dmp
memory/1916-241-0x00007FF628B40000-0x00007FF628E91000-memory.dmp
memory/3372-245-0x00007FF63EA70000-0x00007FF63EDC1000-memory.dmp
memory/4496-247-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp
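The Files section above interleaves two things a responder wants in machine-readable form: the dropped `C:\Windows\System\*.exe` copies with their digests, and the dumped memory regions named `memory/<pid>-<seq>-<start>-<end>-memory.dmp`. The script below is an added example, not tooling from the sandbox, that parses both into an IOC set, validates digest lengths, and computes each region's size from its address range. The point of the size calculation is something the listing does not show directly: every image-sized region dumped here spans 0x351000 bytes at a different ASLR base, while the small 0x10000 region in PID 2068 is a heap-like allocation. A uniform image size across PIDs whose files all hash differently is consistent with the same payload re-packed per copy; that is an inference for the analyst to confirm by diffing the dumps, not a fact the report states. The sample input is a short excerpt copied from the section above.

```python
import re
from collections import defaultdict

# Excerpt in the layout of the Files section above (a few lines copied from it; the whole
# section is fed in the same way).
SAMPLE_FILES = """\
memory/2068-0-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp
memory/2068-1-0x0000020640B30000-0x0000020640B40000-memory.dmp
C:\\Windows\\System\\ZqHQwNc.exe
| MD5 | b938584f200f8a4f4a567b2a5689ce59 |
| SHA1 | 3edad355c3174a8194ebc9943f38491f9c19c1ce |
| SHA256 | 40ac2059719d16430430c339dfec526e15c0925d45ebe5eb2f797560987d1755 |
C:\\Windows\\System\\IJuRcGg.exe
| MD5 | 7feb6ded00ee23c9b53d76e53061e144 |
| SHA256 | a1742ccf008e06462d6b5c29d36af13982c751932b264da04f58474f17ff737f |
memory/2908-50-0x00007FF6C73C0000-0x00007FF6C7711000-memory.dmp
memory/2068-103-0x00007FF623F90000-0x00007FF6242E1000-memory.dmp
""".splitlines()

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(lines):
    """Return (dropped, regions). dropped maps file path -> {algo: hex digest};
    regions is a list of (pid, seq, start, end, size) taken from the dump names."""
    dropped, regions, current = {}, [], None
    for line in lines:
        line = line.strip()
        m = DUMP_RE.match(line)
        if m:
            pid, seq = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append((pid, seq, start, end, end - start))
            continue
        if PATH_RE.match(line):
            current = line
            dropped.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2].lower()
            if len(digest) != DIGEST_LEN[algo]:  # catch a truncated/garbled digest early
                raise ValueError(f"{algo} for {current} has {len(digest)} hex digits")
            dropped[current][algo] = digest
    return dropped, regions


def image_regions_by_pid(regions, min_size=0x100000):
    """Group image-sized regions per PID. Small regions (heaps, PEB) are skipped, and the
    re-dumps of one range at later sequence numbers collapse to a single entry."""
    by_pid = defaultdict(set)
    for pid, _seq, start, end, size in regions:
        if size >= min_size:
            by_pid[pid].add((start, end))
    return dict(by_pid)


def distinct_image_sizes(regions, min_size=0x100000):
    """Sorted set of sizes among the image-sized regions; one value means every
    process mapped an image of identical size."""
    return sorted({r[4] for r in regions if r[4] >= min_size})


def sha256_iocs(dropped):
    """(path, sha256) pairs ready for a hunt query or blocklist."""
    return sorted((path, h["SHA256"]) for path, h in dropped.items() if "SHA256" in h)


if __name__ == "__main__":
    dropped, regions = parse_files_section(SAMPLE_FILES)
    for path, digest in sha256_iocs(dropped):
        print(f"{digest}  {path}")
    for pid, ranges in image_regions_by_pid(regions).items():
        for start, end in ranges:
            print(f"pid {pid}: image 0x{start:X}-0x{end:X} size 0x{end - start:X}")
    print("distinct image sizes:", [hex(s) for s in distinct_image_sizes(regions)])
```

Feeding the whole section in yields one SHA256 per dropped copy for blocking, and a per-PID list of image ranges that can be handed straight to a memory-forensics tool to pull the unpacked payload from the dump that the "UPX dump on OEP" signature refers to.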