Analysis Overview
SHA256
90afe90f27b1149d6b310fdb4d6576f0adae4db71bf7a4db09fd8857402cc9d4
Threat Level: Known bad
The file 2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX packed file
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-27 17:50
Signatures
Cobalt Strike reflective loader
1 match (all fields N/A)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match (all fields N/A)
UPX dump on OEP (original entry point)
1 match (all fields N/A)
XMRig Miner payload
1 match (all fields N/A)
Xmrig family
UPX packed file
1 match (all fields N/A)
Unsigned PE
1 match (all fields N/A)
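Two of the static findings above, "UPX packed file" and "Unsigned PE", are checkable from the PE headers alone, without a sandbox. The Python below is an added example written for this page; it is not part of the report or of the tooling that produced it. It parses the COFF/optional headers and the section table, flags the UPX0/UPX1/UPX2 section names the stock UPX packer writes, and checks whether the security data directory (the Authenticode entry) is populated. The `build_synthetic_pe()` helper is a constructed header-only image used only for the self-test. Two caveats: UPX section names are trivially renamed, so a negative result does not mean the file is unpacked (the sandbox's "UPX dump on OEP" hit comes from watching the unpacker reach its original entry point at run time, which this static check cannot do); and a populated security directory only says a signature blob is attached, not that it verifies, so follow up with `signtool verify` or `Get-AuthenticodeSignature` before trusting it.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode signature blob (file offset, not an RVA)


def inspect_pe(data):
    """Read the PE headers of `data` and report section names, UPX section hints
    and whether a security (Authenticode) directory entry is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:          # PE32+: data directories start at optional header offset 112
        dir_off = opt_off + 112
    elif magic == 0x10B:        # PE32: data directories start at offset 96
        dir_off = opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]   # NumberOfRvaAndSizes
    sec_va = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_va, sec_size = struct.unpack_from(
            "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_hdr_off = opt_off + opt_size
    names = [struct.unpack_from("<8s", data, sec_hdr_off + 40 * i)[0].rstrip(b"\0")
             for i in range(nsections)]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "sections": [n.decode("ascii", "replace") for n in names],
        "upx_section_names": any(n in UPX_SECTION_NAMES for n in names),
        "has_authenticode_entry": sec_va != 0 and sec_size != 0,
    }


def build_synthetic_pe(section_names, signed=False):
    """Constructed test input: a header-only PE32+ image (no real code), enough for inspect_pe()."""
    opt_size = 112 + 16 * 8                  # PE32+ fixed fields plus 16 data directories
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x2000)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, inspect_pe(f.read()))
```

Run it as `python inspect_pe.py sample.exe` on a file you hold; the report's own samples are not embedded here. The memory ranges listed under Files (0x00007FF6... bases, 0x354000-byte regions) show these are 64-bit images, so the PE32+ branch is the one that matters for this family.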
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 17:50
Reported
2024-05-27 17:53
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (all fields N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (all fields N/A)
UPX dump on OEP (original entry point)
64 matches (all fields N/A)
XMRig Miner payload
64 matches (all fields N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LvvWgSw.exe | N/A |
| N/A | N/A | C:\Windows\System\ymsifIU.exe | N/A |
| N/A | N/A | C:\Windows\System\IWkVJXe.exe | N/A |
| N/A | N/A | C:\Windows\System\uixCkSD.exe | N/A |
| N/A | N/A | C:\Windows\System\emYCNOO.exe | N/A |
| N/A | N/A | C:\Windows\System\xEhawcY.exe | N/A |
| N/A | N/A | C:\Windows\System\nYbmntG.exe | N/A |
| N/A | N/A | C:\Windows\System\odgCNpa.exe | N/A |
| N/A | N/A | C:\Windows\System\TiXHcgC.exe | N/A |
| N/A | N/A | C:\Windows\System\vLiaSrd.exe | N/A |
| N/A | N/A | C:\Windows\System\WanRapI.exe | N/A |
| N/A | N/A | C:\Windows\System\epdWgUs.exe | N/A |
| N/A | N/A | C:\Windows\System\knVZYNm.exe | N/A |
| N/A | N/A | C:\Windows\System\KpmoaJP.exe | N/A |
| N/A | N/A | C:\Windows\System\cVxagOT.exe | N/A |
| N/A | N/A | C:\Windows\System\AVliJju.exe | N/A |
| N/A | N/A | C:\Windows\System\vpXhHbE.exe | N/A |
| N/A | N/A | C:\Windows\System\RALOkaH.exe | N/A |
| N/A | N/A | C:\Windows\System\qmiRLaA.exe | N/A |
| N/A | N/A | C:\Windows\System\raOvBev.exe | N/A |
| N/A | N/A | C:\Windows\System\mXxiaQk.exe | N/A |
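The 21 dropped executables above share one shape: a 7-letter mixed-case name written directly under C:\Windows\System (a location that needs administrative rights, which the sandbox user has) and launched by the sample running from the user's Temp directory. The Windows 7 run further down dropped 21 differently named files, and the hashes listed under Files differ between the two runs, so per-file hashes from one detonation are weak indicators on their own. The Python below is an added example for this page, not code from the report or its vendor: it combines the hash watchlist with the more durable path pattern and the Temp-parent relationship, and runs over constructed process-creation records whose field names (`image`, `parent_image`, `sha256`) are this example's own rather than any vendor schema.

```python
import re

# SHA256 values copied from this report: the submitted sample and three of the
# behavioral2 drops. A real watchlist would carry all of them.
REPORT_SHA256 = {
    "90afe90f27b1149d6b310fdb4d6576f0adae4db71bf7a4db09fd8857402cc9d4",  # submitted sample
    "2da3096c7226df5be3871d49371fb157cf6e105c642654407d5c8788404d0eab",  # LvvWgSw.exe
    "4f9c367cce32a77c77040c1d38e02982735c6a8aaf13792bfa34e51d3e7a3e51",  # ymsifIU.exe
    "8ad30c7f93857d0559d6466c81392d2316fd7c0624879380ec2d48a294a21b72",  # IWkVJXe.exe
}

# Every drop in both runs: a 7-letter mixed-case name directly under C:\Windows\System.
DROP_PATH_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def classify_event(ev):
    """Return the reasons a process-creation record matches this report's behaviour."""
    reasons = []
    if ev.get("sha256", "").lower() in REPORT_SHA256:
        reasons.append("known-hash")
    if DROP_PATH_RE.match(ev.get("image", "")):
        reasons.append("drop-path-pattern")
        if TEMP_RE.search(ev.get("parent_image", "")):
            reasons.append("spawned-from-temp")
    return reasons


def scan(events):
    """All flagged events as (image, reasons), preserving input order."""
    return [(ev["image"], r) for ev in events if (r := classify_event(ev))]


# Constructed telemetry records (field names are this example's own, not a vendor schema).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System\LvvWgSw.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe",
     "sha256": "2da3096c7226df5be3871d49371fb157cf6e105c642654407d5c8788404d0eab"},
    {"image": r"C:\Windows\System\QvhapXa.exe",       # a Windows 7-run name; hash deliberately unknown
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"image": r"C:\Windows\System32\svchost.exe",     # benign control record
     "parent_image": r"C:\Windows\System32\services.exe",
     "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, reasons)
```

The second constructed record shows the point: a file from the other detonation misses the hash list but is still caught by the path pattern and its Temp-resident parent. Treat "drop-path-pattern" alone as a hunting lead rather than a verdict; confirm with the parent relationship or with the hash of the file actually on disk.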
UPX packed file
64 matches (all fields N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so it can allocate large pages for its hashing; the submitted sample requesting it is consistent with the XMRig Miner payload signature above. On Windows 10 and later, Security event 4703 records such privilege adjustments and is the place to hunt for this outside a sandbox.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\LvvWgSw.exe | C:\Windows\System\LvvWgSw.exe |
| C:\Windows\System\ymsifIU.exe | C:\Windows\System\ymsifIU.exe |
| C:\Windows\System\IWkVJXe.exe | C:\Windows\System\IWkVJXe.exe |
| C:\Windows\System\uixCkSD.exe | C:\Windows\System\uixCkSD.exe |
| C:\Windows\System\emYCNOO.exe | C:\Windows\System\emYCNOO.exe |
| C:\Windows\System\xEhawcY.exe | C:\Windows\System\xEhawcY.exe |
| C:\Windows\System\nYbmntG.exe | C:\Windows\System\nYbmntG.exe |
| C:\Windows\System\odgCNpa.exe | C:\Windows\System\odgCNpa.exe |
| C:\Windows\System\TiXHcgC.exe | C:\Windows\System\TiXHcgC.exe |
| C:\Windows\System\vLiaSrd.exe | C:\Windows\System\vLiaSrd.exe |
| C:\Windows\System\WanRapI.exe | C:\Windows\System\WanRapI.exe |
| C:\Windows\System\epdWgUs.exe | C:\Windows\System\epdWgUs.exe |
| C:\Windows\System\knVZYNm.exe | C:\Windows\System\knVZYNm.exe |
| C:\Windows\System\KpmoaJP.exe | C:\Windows\System\KpmoaJP.exe |
| C:\Windows\System\cVxagOT.exe | C:\Windows\System\cVxagOT.exe |
| C:\Windows\System\AVliJju.exe | C:\Windows\System\AVliJju.exe |
| C:\Windows\System\vpXhHbE.exe | C:\Windows\System\vpXhHbE.exe |
| C:\Windows\System\RALOkaH.exe | C:\Windows\System\RALOkaH.exe |
| C:\Windows\System\qmiRLaA.exe | C:\Windows\System\qmiRLaA.exe |
| C:\Windows\System\mXxiaQk.exe | C:\Windows\System\mXxiaQk.exe |
| C:\Windows\System\raOvBev.exe | C:\Windows\System\raOvBev.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
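The table mixes two kinds of traffic: reverse-DNS (PTR) queries sent to 8.8.8.8, and six repeated TCP connections to 3.120.209.58:8080 with no name resolution at all (the Domain column is empty, so the address is contacted directly). The PTR names are written octet-reversed, so "13.86.106.20.in-addr.arpa" is a lookup of 20.106.86.13; such lookups are usually background activity of the guest OS rather than something the sample did, and the addresses they name are not necessarily ever contacted. The only connection this table attributes to the sample is the hard-coded 3.120.209.58:8080 endpoint, which is also the sole network activity in the Windows 7 run further down. The Python below is an added example for this page, not code from the report: it inverts the PTR names and separates direct connections from lookups, over rows re-typed from the table above.

```python
import ipaddress
import re

# Rows copied from the behavioral2 Network table (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "203.107.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "138.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "0.204.248.87.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name):
    """Invert an IPv4 reverse-DNS name: '13.86.106.20.in-addr.arpa' -> '20.106.86.13'.
    Returns None for anything that is not a well-formed in-addr.arpa name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups()[::-1])))  # rejects octets > 255
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Split rows into direct connections (keyed by destination and protocol, with a
    count) and the distinct addresses the guest asked about via PTR queries."""
    direct = {}
    looked_up = set()
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain) if domain else None
        if ip:
            looked_up.add(ip)
        else:
            direct[(dest, proto)] = direct.get((dest, proto), 0) + 1
    return {"direct": direct,
            "ptr_targets": sorted(looked_up, key=ipaddress.IPv4Address)}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for (dest, proto), n in s["direct"].items():
        print("direct %s/%s x%d" % (dest, proto, n))
    print("reverse lookups for:", ", ".join(s["ptr_targets"]))
```

A destination contacted repeatedly by bare IP on a non-standard port, with no DNS resolution, is the row worth blocking and pivoting on; the reverse-lookup targets are context for the analyst, not indicators to deploy.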
Files
memory/3400-0-0x00007FF63F740000-0x00007FF63FA94000-memory.dmp
memory/3400-1-0x00000271716E0000-0x00000271716F0000-memory.dmp
C:\Windows\System\LvvWgSw.exe
| MD5 | be807dded96e51e6ed0edbff2998ddd9 |
| SHA1 | beb79010f287926f3fdb212fad43114f2d189ff5 |
| SHA256 | 2da3096c7226df5be3871d49371fb157cf6e105c642654407d5c8788404d0eab |
| SHA512 | 1a7ba3d942f34f97985f25333446b26b88c9de0c19f75930ede676abb342e5b154dc2326533f900cc9a4458a4c0c7a1482e9ff5814beadeab48e0a6707c4446d |
memory/4340-8-0x00007FF620DD0000-0x00007FF621124000-memory.dmp
C:\Windows\System\ymsifIU.exe
| MD5 | 1e65ccb144e7271b997854400d4820a0 |
| SHA1 | 04bfa33e0d213357a110e6af5110955f9c9d4105 |
| SHA256 | 4f9c367cce32a77c77040c1d38e02982735c6a8aaf13792bfa34e51d3e7a3e51 |
| SHA512 | ca818752d41eebc2e6fbe1fbf4f38f2090acd133029bcf48a4b540a0ed7e6aeb6509e890e05f5b1e73f6119a06a0fae5e6921745236a5e0d3ff6438f09d6cdd0 |
C:\Windows\System\IWkVJXe.exe
| MD5 | f9d476eb7b27b5523b15aebd3b8184bf |
| SHA1 | 799db6a001941670257aa662dad784f647aa4a83 |
| SHA256 | 8ad30c7f93857d0559d6466c81392d2316fd7c0624879380ec2d48a294a21b72 |
| SHA512 | 3c1a07e5f9078c2c571742bf440982cda9a82e5b3705d940bfdf36d611bd20098b43c56cf7857b76f7671fe4c30085918db8ebe00c8e0129ec424967f4cc8b5d |
memory/4432-13-0x00007FF6961F0000-0x00007FF696544000-memory.dmp
memory/4620-20-0x00007FF66A4F0000-0x00007FF66A844000-memory.dmp
C:\Windows\System\uixCkSD.exe
| MD5 | be75fa4185f6031657bc82901b61f507 |
| SHA1 | b9e00a4bab0bfe2c492fa261d64dba44a024b103 |
| SHA256 | add5b33ca3fc4999f44603535c5293b0b91e07fe51257baa6a1fb59f8c6667cc |
| SHA512 | 45e66d08047179ef88095d9563a2ba7722cf6d1a955c3d76fdd1dd0db5d1154e1391648877104200016b6dbffac80d153b940743050445036c68a39d40414718 |
C:\Windows\System\emYCNOO.exe
| MD5 | dca3e670206884fb9b72792f75ac2d76 |
| SHA1 | 463d4398e4892ba50e8e9a38f474e77095e2ed41 |
| SHA256 | 41fb031f555f17abef48a69903a2c426336b02e9c8ecb712cbd60027f4701684 |
| SHA512 | c9fad8077185556367bb6f82f348680ba9f13c20282dc3d1193bc5b300b8e2a524b2afac20fa1e7c2caf969bc69df36f99ff0c55afa7544a8c58ec21596cc96e |
memory/1276-26-0x00007FF71AB10000-0x00007FF71AE64000-memory.dmp
memory/3580-30-0x00007FF75B4F0000-0x00007FF75B844000-memory.dmp
C:\Windows\System\xEhawcY.exe
| MD5 | 61e51ace7cb67ac6dc789fac5ce5ad67 |
| SHA1 | 33a60c32d9608fed8d071b45b9409f885a1ccacd |
| SHA256 | a10a366a6ed8812e9aa7355e189a43b0ae394d3942994de153887da7f3352079 |
| SHA512 | e50996a98736e5eb6a6bce3f8b5a8c634bb323cebe2c8c63b15275c6b60b4b45cf7af94910631f7c66db85395c75cc6ab803bbccb0c0356c71591c6a987dac02 |
C:\Windows\System\nYbmntG.exe
| MD5 | 8c29e199660b8b233d5f7abd303f4276 |
| SHA1 | ec9e50c4da20735fce6be9b7814350f7044b9fd3 |
| SHA256 | bb754751495360904166521f045661caa95b6d101a259c62296f5614e77f0337 |
| SHA512 | 8499bf6efa023bd8a59113c3c0b76479baf4d421994c4ffda4587b55c31b78c360bce585279d7d079363ba0db4e85a67ca56fc8190bf029f70adcc5b78cb1aaa |
C:\Windows\System\odgCNpa.exe
| MD5 | d8bff8ae4a68d928c555bd2ae4c2eee9 |
| SHA1 | 31792e4c0f96c032f06c753c9a9db149fcb06e3c |
| SHA256 | a5e99aefd0f2b96b398eaf400d039ea4d4fc6ae424c96675c71fb5e88bf3d48a |
| SHA512 | 7bccc84cf3a1ab7e8d4d56d007f42d7c57b3ecee2f13abfa00cbef3fd08e3c534066875bdbe590a9fdb04f7320df7e574797732ffa1162bb79377833c7eb2690 |
C:\Windows\System\TiXHcgC.exe
| MD5 | bd976d4fb489b8d82b17f86ad7b190f9 |
| SHA1 | a0ab927ab3ef061d3af7d8c6c8c24dcd65450461 |
| SHA256 | a98a84a94fe9cbb095fff25fc91f61de8b1b788fbd477de915ef5ff8d8c8f6df |
| SHA512 | 1ed0986ceb19d9d1dd1776abd4c0f072f2bfcaa54868c22a661d8b4a0e27b9d2aa7e8672406b3074e6971d9e176652120512af1769f110a80b704348059a86cc |
memory/4984-54-0x00007FF71DC50000-0x00007FF71DFA4000-memory.dmp
memory/4756-50-0x00007FF6DEAE0000-0x00007FF6DEE34000-memory.dmp
memory/4744-40-0x00007FF64A560000-0x00007FF64A8B4000-memory.dmp
memory/3920-36-0x00007FF7B5DF0000-0x00007FF7B6144000-memory.dmp
memory/3400-62-0x00007FF63F740000-0x00007FF63FA94000-memory.dmp
C:\Windows\System\vLiaSrd.exe
| MD5 | 6a06c365bf9c3031bf516e14a621f450 |
| SHA1 | 34dcb0680cedd525709e15d15b83b43b07b683ab |
| SHA256 | a8d2c0bd80a39a0a4ec5fd84e947342c7f88d091cd7d97e7cf98f76ec42e1243 |
| SHA512 | 61f8487a1a4effad275809b5504336d66f164ada234f8e52616dacd10cf0e14893cbb28a99750f7024f5f670de123b045d85a9d79d98251af11268273087eeee |
C:\Windows\System\WanRapI.exe
| MD5 | 11884af191417abf54140bcee2e7d141 |
| SHA1 | e145935419985d0aa0f42d65531745f18df5052f |
| SHA256 | a353c20d9593856038b933caffc92281b39c746958d8e6c888d480dda270cc6f |
| SHA512 | 7596129fb5285df0b8976b15dc31259bee9d6ec3c6e4c0fdafe4b27b77c276dc6613e2d18ed0fe35fc0516b0c96dae36a29c69cb3fe8b440d8666838c2d80d41 |
C:\Windows\System\epdWgUs.exe
| MD5 | 5eb7ae3aafdabb4b6c90f78c309dfd66 |
| SHA1 | 9dddab5cd7b8ad83f664504411157358dd29805d |
| SHA256 | a9215201b4a3e078e5aa81d02048748c65ceef0b798cb0efa6bf9c1ad2db2725 |
| SHA512 | a96f68e64b99b86d923e2a5e2d8db6eeb343aae68cffb8948d9bc83f89a42c48b1c565319ff148f5bb5c614de3e5c2e9715ca9eeae306cdd9d95adc0ee67337b |
memory/2788-63-0x00007FF69DFF0000-0x00007FF69E344000-memory.dmp
memory/4340-74-0x00007FF620DD0000-0x00007FF621124000-memory.dmp
memory/3108-76-0x00007FF7B0370000-0x00007FF7B06C4000-memory.dmp
C:\Windows\System\knVZYNm.exe
| MD5 | 0cabec53c426e594a1e039df976d7388 |
| SHA1 | 492ecdfff2c6487eb8db125d1b23487dad7b8ab9 |
| SHA256 | 0fb6f133bfb48491c77688db1c42d6037879c27fba54688a5e9968b71d97fa88 |
| SHA512 | 993babed94339bfa5dfaf4c27accdefb24d7d73f714c7fef759de235f43768745b10e165a678f794225bb032b7eb91cf715f9cacef6b98a9c57f3b72aa543570 |
memory/4432-80-0x00007FF6961F0000-0x00007FF696544000-memory.dmp
C:\Windows\System\KpmoaJP.exe
| MD5 | 7b46ef080abf0e334ead43e5464bfa46 |
| SHA1 | 2b203dcbc174ef4440191b3e4954f2f501ee6c85 |
| SHA256 | dc5992370a7cf205aab25797394ee11ca8088505bcb57b693515f574690d7466 |
| SHA512 | eae0736637a7b3807c97b6ec0ee93e40ca4ee3fdbdf6487c2862609b7b2c5d58065bdd625491808e541fadd97121ee198e60db00e295a646b655a993f6d17739 |
memory/4004-83-0x00007FF7A80A0000-0x00007FF7A83F4000-memory.dmp
memory/5100-75-0x00007FF7577E0000-0x00007FF757B34000-memory.dmp
C:\Windows\System\cVxagOT.exe
| MD5 | b6d7b69556e21212e0f6fd5eab597e47 |
| SHA1 | 77a14f045869a01e2a3fdac5af5900c359dd6128 |
| SHA256 | 3afdb723846d06384e043075f1e440178e815b5a5faa8dc0d9c7f9e4ba515bdf |
| SHA512 | 01dec0015c1036697e34e8af98fe2b49b3da519bd676b1baa9b61b0f47bbb3838d2284a142b053ed24cb05e32c86ebb6a932fbbedfbdfdedaf3feb79cbcb8f2f |
memory/4888-89-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp
C:\Windows\System\AVliJju.exe
| MD5 | cb6b2a994f807c9c1a2a717da852b87a |
| SHA1 | c56bfd1fe3fa0046f79416f4a1de4f8508d6af9d |
| SHA256 | 358056f6eb6c60fc558e22713f240d9ebc7fd643122158c802a01673900f7246 |
| SHA512 | 0f717812d93bd1e8f7d5a28dafa9be2a76e13b24d4d7e388e286a8b2607f4344b2a66e2d6d5450eb343fbf6a4f7eb723e6b9f138b7cdd9c922c5b53c36264663 |
C:\Windows\System\vpXhHbE.exe
| MD5 | c678cefa72154028cbfeb955bce4ea0b |
| SHA1 | 50a98f2739a4f6e37b27fc9ba4206c5280c9e917 |
| SHA256 | da039db718904083eaa76d365063ba07964d2f928208c9a95a7cccd9b6aa58b3 |
| SHA512 | 1168cae5f4da04b88e21751375ce73e879328ce4be3b174573e2210392c314096ad4f2a63152ad2f06ef58e86b1d391766ce50b4bb370daaf6a2eb9766e80d29 |
memory/3580-101-0x00007FF75B4F0000-0x00007FF75B844000-memory.dmp
memory/1528-95-0x00007FF7CDB30000-0x00007FF7CDE84000-memory.dmp
memory/548-107-0x00007FF653940000-0x00007FF653C94000-memory.dmp
memory/3920-108-0x00007FF7B5DF0000-0x00007FF7B6144000-memory.dmp
C:\Windows\System\RALOkaH.exe
| MD5 | e9e0a4bdbb2fe637fbcae7f321901aa2 |
| SHA1 | 755f9b065c52cf2c1ffc8b2f484581a0529cc158 |
| SHA256 | b9845a931d156458f88392776b16bb37d6c742eb04daebabd9a8036732f7d71c |
| SHA512 | ff954d6ad53af4b256258b57f6329775dd5cbfb55d979c56f9a7450ed1b110604c8eafdde13b036ca2fddc27c09dd284904425f19274af6e99a3a24817960818 |
memory/5116-116-0x00007FF6EE300000-0x00007FF6EE654000-memory.dmp
memory/4744-115-0x00007FF64A560000-0x00007FF64A8B4000-memory.dmp
memory/2868-110-0x00007FF68CBA0000-0x00007FF68CEF4000-memory.dmp
C:\Windows\System\qmiRLaA.exe
| MD5 | 4ebfa2f2fd0eb2c8a90f9505ec015d49 |
| SHA1 | 86776edcd6d7ea0efd89f7fb37d8a301b2975d6b |
| SHA256 | c49644b350e28feeaa952abb5fa655abd16c86ad9aca9c3c8adc64bc6fe194c9 |
| SHA512 | 584f63890d13d158c99b30afca54e812e2772aac7ca7dc8ddfb342a40cbe16e14a028012859c3179adb329cd96ecab6ecde80600d02566343f533c13a8645d5c |
C:\Windows\System\raOvBev.exe
| MD5 | 38eaea56e1c0a9dbd8cefc3508b72090 |
| SHA1 | 7c2a5f740ef4f58ac7d5fba9913691d875a7b454 |
| SHA256 | 4564e578b458d13afa9ff5a70c7b33372fbe60530971eb09c976c7c543f2ab2c |
| SHA512 | e1d7714d32c7a2dac0f069fe7be2a0c69ff34f4d46b7367f36213288abd5bf184f67aee9641e47587e19cf21f575a91c5a69cb2d5394f20f7657e358725d3c43 |
C:\Windows\System\mXxiaQk.exe
| MD5 | 9e9b6387007a00539e005665518c1387 |
| SHA1 | 00366c1e09f9f6a7684d17725271303dc7bbe462 |
| SHA256 | 595153710737b107cc8d08a7b03773d580149b2fd4353bc60ab35d7f82d3bb76 |
| SHA512 | 15d603b77005ca5eb9f211093e51a5eab4ab25daeb2be37a0daa4162fccf91d10dec6c2ab23e3544623e8c7fceee7be136b087f9ccbd675937fb75e71f6f47aa |
memory/560-124-0x00007FF6A3F00000-0x00007FF6A4254000-memory.dmp
memory/4984-132-0x00007FF71DC50000-0x00007FF71DFA4000-memory.dmp
memory/2192-133-0x00007FF760070000-0x00007FF7603C4000-memory.dmp
memory/2384-134-0x00007FF614EC0000-0x00007FF615214000-memory.dmp
memory/4004-135-0x00007FF7A80A0000-0x00007FF7A83F4000-memory.dmp
memory/4340-136-0x00007FF620DD0000-0x00007FF621124000-memory.dmp
memory/4432-137-0x00007FF6961F0000-0x00007FF696544000-memory.dmp
memory/4620-138-0x00007FF66A4F0000-0x00007FF66A844000-memory.dmp
memory/1276-139-0x00007FF71AB10000-0x00007FF71AE64000-memory.dmp
memory/3580-140-0x00007FF75B4F0000-0x00007FF75B844000-memory.dmp
memory/3920-141-0x00007FF7B5DF0000-0x00007FF7B6144000-memory.dmp
memory/4756-142-0x00007FF6DEAE0000-0x00007FF6DEE34000-memory.dmp
memory/4744-143-0x00007FF64A560000-0x00007FF64A8B4000-memory.dmp
memory/4984-144-0x00007FF71DC50000-0x00007FF71DFA4000-memory.dmp
memory/2788-145-0x00007FF69DFF0000-0x00007FF69E344000-memory.dmp
memory/3108-146-0x00007FF7B0370000-0x00007FF7B06C4000-memory.dmp
memory/5100-147-0x00007FF7577E0000-0x00007FF757B34000-memory.dmp
memory/4888-148-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp
memory/4004-149-0x00007FF7A80A0000-0x00007FF7A83F4000-memory.dmp
memory/1528-150-0x00007FF7CDB30000-0x00007FF7CDE84000-memory.dmp
memory/548-151-0x00007FF653940000-0x00007FF653C94000-memory.dmp
memory/2868-152-0x00007FF68CBA0000-0x00007FF68CEF4000-memory.dmp
memory/5116-153-0x00007FF6EE300000-0x00007FF6EE654000-memory.dmp
memory/560-154-0x00007FF6A3F00000-0x00007FF6A4254000-memory.dmp
memory/2192-155-0x00007FF760070000-0x00007FF7603C4000-memory.dmp
memory/2384-156-0x00007FF614EC0000-0x00007FF615214000-memory.dmp
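The memory dump names in this Files section carry more than they appear to. Each is `memory/<pid>-<index>-<start>-<end>-memory.dmp`, and the end minus start for the image region of every dropped process is the same 0x354000 bytes at a different base (0x00007FF63F740000 for pid 3400, 0x00007FF620DD0000 for pid 4340, and so on): 21 differently named files that are the same-sized image relocated by ASLR. The Windows 7 run below shows the same size at 0x000000013FF90000 in pid 2276 and a second 0x354000-byte region in that same process at 0x00000000023D0000, which is worth pulling for comparison against the on-disk drops. The Python below is an added example for this page, not part of the report: it parses the dump names, groups regions by size and reports sizes that recur across processes, over a constructed subset of the entries listed here.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed subset of the dump names in this report's Files sections (values copied as listed).
SAMPLE_DUMPS = [
    "memory/3400-0-0x00007FF63F740000-0x00007FF63FA94000-memory.dmp",
    "memory/3400-1-0x00000271716E0000-0x00000271716F0000-memory.dmp",
    "memory/4340-8-0x00007FF620DD0000-0x00007FF621124000-memory.dmp",
    "memory/4432-13-0x00007FF6961F0000-0x00007FF696544000-memory.dmp",
    "memory/3400-62-0x00007FF63F740000-0x00007FF63FA94000-memory.dmp",   # same region dumped again later
    "memory/2276-0-0x000000013FF90000-0x00000001402E4000-memory.dmp",     # Windows 7 run, image
    "memory/2276-14-0x00000000023D0000-0x0000000002724000-memory.dmp",    # Windows 7 run, second region
]


def parse_dump(name):
    """Decode a dump file name into pid, dump index, start, end and region size (bytes)."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def group_by_size(names):
    """Map region size -> sorted list of distinct (pid, start) regions of that size.
    The same region dumped at two points in time counts once."""
    groups = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        if d:
            groups[d["size"]].add((d["pid"], d["start"]))
    return {size: sorted(regions) for size, regions in groups.items()}


def image_size_signature(names, min_processes=2):
    """Sizes seen in at least `min_processes` different PIDs: a fixed-size image mapped at
    per-process bases is how one binary under many names shows up in a dump listing."""
    out = {}
    for size, regions in group_by_size(names).items():
        pids = {pid for pid, _ in regions}
        if len(pids) >= min_processes:
            out[size] = sorted(pids)
    return out


if __name__ == "__main__":
    for size, pids in image_size_signature(SAMPLE_DUMPS).items():
        print("0x%X bytes in pids %s" % (size, pids))
```

Feed it the full listing (`grep '^memory/' report.txt`) and the 0x354000 size will carry every dropped process; any other recurring size, or a second region of that size inside one process, is the next thing to diff against the dropped files' hashes.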
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 17:50
Reported
2024-05-27 17:53
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (all fields N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (all fields N/A)
UPX dump on OEP (original entry point)
54 matches (all fields N/A)
XMRig Miner payload
57 matches (all fields N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EiyLDQL.exe | N/A |
| N/A | N/A | C:\Windows\System\JUFibpq.exe | N/A |
| N/A | N/A | C:\Windows\System\ymZLiCX.exe | N/A |
| N/A | N/A | C:\Windows\System\taihCPY.exe | N/A |
| N/A | N/A | C:\Windows\System\yceMWHZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kdYrUNA.exe | N/A |
| N/A | N/A | C:\Windows\System\UKhZLNn.exe | N/A |
| N/A | N/A | C:\Windows\System\CPBKTVb.exe | N/A |
| N/A | N/A | C:\Windows\System\PVgVPoy.exe | N/A |
| N/A | N/A | C:\Windows\System\QCIJAiX.exe | N/A |
| N/A | N/A | C:\Windows\System\dCbcsHT.exe | N/A |
| N/A | N/A | C:\Windows\System\mxmqUMb.exe | N/A |
| N/A | N/A | C:\Windows\System\XWhBbuG.exe | N/A |
| N/A | N/A | C:\Windows\System\FWbfOzf.exe | N/A |
| N/A | N/A | C:\Windows\System\aSRSmYo.exe | N/A |
| N/A | N/A | C:\Windows\System\mRkfhtH.exe | N/A |
| N/A | N/A | C:\Windows\System\WoEHHdu.exe | N/A |
| N/A | N/A | C:\Windows\System\XIJHMln.exe | N/A |
| N/A | N/A | C:\Windows\System\UXiAWhJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QvhapXa.exe | N/A |
| N/A | N/A | C:\Windows\System\UnGJuQO.exe | N/A |
Loads dropped DLL
UPX packed file
54 matches (all fields N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_22d9fffe619827242ac149c810a173d5_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\EiyLDQL.exe | C:\Windows\System\EiyLDQL.exe |
| C:\Windows\System\JUFibpq.exe | C:\Windows\System\JUFibpq.exe |
| C:\Windows\System\ymZLiCX.exe | C:\Windows\System\ymZLiCX.exe |
| C:\Windows\System\taihCPY.exe | C:\Windows\System\taihCPY.exe |
| C:\Windows\System\yceMWHZ.exe | C:\Windows\System\yceMWHZ.exe |
| C:\Windows\System\kdYrUNA.exe | C:\Windows\System\kdYrUNA.exe |
| C:\Windows\System\UKhZLNn.exe | C:\Windows\System\UKhZLNn.exe |
| C:\Windows\System\CPBKTVb.exe | C:\Windows\System\CPBKTVb.exe |
| C:\Windows\System\PVgVPoy.exe | C:\Windows\System\PVgVPoy.exe |
| C:\Windows\System\QCIJAiX.exe | C:\Windows\System\QCIJAiX.exe |
| C:\Windows\System\dCbcsHT.exe | C:\Windows\System\dCbcsHT.exe |
| C:\Windows\System\mxmqUMb.exe | C:\Windows\System\mxmqUMb.exe |
| C:\Windows\System\XWhBbuG.exe | C:\Windows\System\XWhBbuG.exe |
| C:\Windows\System\FWbfOzf.exe | C:\Windows\System\FWbfOzf.exe |
| C:\Windows\System\mRkfhtH.exe | C:\Windows\System\mRkfhtH.exe |
| C:\Windows\System\aSRSmYo.exe | C:\Windows\System\aSRSmYo.exe |
| C:\Windows\System\WoEHHdu.exe | C:\Windows\System\WoEHHdu.exe |
| C:\Windows\System\XIJHMln.exe | C:\Windows\System\XIJHMln.exe |
| C:\Windows\System\UXiAWhJ.exe | C:\Windows\System\UXiAWhJ.exe |
| C:\Windows\System\QvhapXa.exe | C:\Windows\System\QvhapXa.exe |
| C:\Windows\System\UnGJuQO.exe | C:\Windows\System\UnGJuQO.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files