Analysis Overview
SHA256
a31e6f960916f228578c969131c3e6b02c3ef93319df8f9d056bc00d3feec737
Threat Level: Known bad
The file 2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Cobaltstrike family
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:13
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:13
Reported
2024-05-29 19:16
Platform
win7-20240419-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\BvWdihE.exe |
| C:\Windows\System\ueidQnl.exe |
| C:\Windows\System\ZxwTWuW.exe |
| C:\Windows\System\YsPSorj.exe |
| C:\Windows\System\fOyrXMf.exe |
| C:\Windows\System\ZYlYTcg.exe |
| C:\Windows\System\aRlgFON.exe |
| C:\Windows\System\LIaAMTu.exe |
| C:\Windows\System\dbBnTYb.exe |
| C:\Windows\System\yxapqKY.exe |
| C:\Windows\System\oHFPZMH.exe |
| C:\Windows\System\zeFBNHw.exe |
| C:\Windows\System\qaDnzMp.exe |
| C:\Windows\System\VKVPcSZ.exe |
| C:\Windows\System\CwvXqCB.exe |
| C:\Windows\System\AZJWuML.exe |
| C:\Windows\System\cEtqLun.exe |
| C:\Windows\System\pKNYenw.exe |
| C:\Windows\System\oBHYyHG.exe |
| C:\Windows\System\kZRiRVi.exe |
| C:\Windows\System\mFzUZsO.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\BvWdihE.exe | C:\Windows\System\BvWdihE.exe |
| C:\Windows\System\ueidQnl.exe | C:\Windows\System\ueidQnl.exe |
| C:\Windows\System\ZxwTWuW.exe | C:\Windows\System\ZxwTWuW.exe |
| C:\Windows\System\YsPSorj.exe | C:\Windows\System\YsPSorj.exe |
| C:\Windows\System\fOyrXMf.exe | C:\Windows\System\fOyrXMf.exe |
| C:\Windows\System\ZYlYTcg.exe | C:\Windows\System\ZYlYTcg.exe |
| C:\Windows\System\aRlgFON.exe | C:\Windows\System\aRlgFON.exe |
| C:\Windows\System\LIaAMTu.exe | C:\Windows\System\LIaAMTu.exe |
| C:\Windows\System\dbBnTYb.exe | C:\Windows\System\dbBnTYb.exe |
| C:\Windows\System\yxapqKY.exe | C:\Windows\System\yxapqKY.exe |
| C:\Windows\System\oHFPZMH.exe | C:\Windows\System\oHFPZMH.exe |
| C:\Windows\System\zeFBNHw.exe | C:\Windows\System\zeFBNHw.exe |
| C:\Windows\System\qaDnzMp.exe | C:\Windows\System\qaDnzMp.exe |
| C:\Windows\System\VKVPcSZ.exe | C:\Windows\System\VKVPcSZ.exe |
| C:\Windows\System\CwvXqCB.exe | C:\Windows\System\CwvXqCB.exe |
| C:\Windows\System\AZJWuML.exe | C:\Windows\System\AZJWuML.exe |
| C:\Windows\System\cEtqLun.exe | C:\Windows\System\cEtqLun.exe |
| C:\Windows\System\pKNYenw.exe | C:\Windows\System\pKNYenw.exe |
| C:\Windows\System\oBHYyHG.exe | C:\Windows\System\oBHYyHG.exe |
| C:\Windows\System\kZRiRVi.exe | C:\Windows\System\kZRiRVi.exe |
| C:\Windows\System\mFzUZsO.exe | C:\Windows\System\mFzUZsO.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 19:13
Reported
2024-05-29 19:16
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\EfyIBAx.exe |
| C:\Windows\System\HNcdTWa.exe |
| C:\Windows\System\IpXynEh.exe |
| C:\Windows\System\GstcBTc.exe |
| C:\Windows\System\vpvmsuh.exe |
| C:\Windows\System\cpQMhBs.exe |
| C:\Windows\System\kCiQxEX.exe |
| C:\Windows\System\dPLwJVQ.exe |
| C:\Windows\System\XDtKHxd.exe |
| C:\Windows\System\KXjxzPB.exe |
| C:\Windows\System\KTlgMHC.exe |
| C:\Windows\System\zEAstpe.exe |
| C:\Windows\System\xiTyTSj.exe |
| C:\Windows\System\yXauqxo.exe |
| C:\Windows\System\sdgVuJl.exe |
| C:\Windows\System\JxpjJoG.exe |
| C:\Windows\System\sFzZhQS.exe |
| C:\Windows\System\mGsYmEJ.exe |
| C:\Windows\System\ZaHlpaY.exe |
| C:\Windows\System\rKzMNSn.exe |
| C:\Windows\System\xyHjZDf.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_8ea5a5df1b891761afd3492604045726_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\EfyIBAx.exe | C:\Windows\System\EfyIBAx.exe |
| C:\Windows\System\HNcdTWa.exe | C:\Windows\System\HNcdTWa.exe |
| C:\Windows\System\IpXynEh.exe | C:\Windows\System\IpXynEh.exe |
| C:\Windows\System\GstcBTc.exe | C:\Windows\System\GstcBTc.exe |
| C:\Windows\System\vpvmsuh.exe | C:\Windows\System\vpvmsuh.exe |
| C:\Windows\System\cpQMhBs.exe | C:\Windows\System\cpQMhBs.exe |
| C:\Windows\System\kCiQxEX.exe | C:\Windows\System\kCiQxEX.exe |
| C:\Windows\System\dPLwJVQ.exe | C:\Windows\System\dPLwJVQ.exe |
| C:\Windows\System\XDtKHxd.exe | C:\Windows\System\XDtKHxd.exe |
| C:\Windows\System\KXjxzPB.exe | C:\Windows\System\KXjxzPB.exe |
| C:\Windows\System\KTlgMHC.exe | C:\Windows\System\KTlgMHC.exe |
| C:\Windows\System\zEAstpe.exe | C:\Windows\System\zEAstpe.exe |
| C:\Windows\System\xiTyTSj.exe | C:\Windows\System\xiTyTSj.exe |
| C:\Windows\System\yXauqxo.exe | C:\Windows\System\yXauqxo.exe |
| C:\Windows\System\sdgVuJl.exe | C:\Windows\System\sdgVuJl.exe |
| C:\Windows\System\JxpjJoG.exe | C:\Windows\System\JxpjJoG.exe |
| C:\Windows\System\sFzZhQS.exe | C:\Windows\System\sFzZhQS.exe |
| C:\Windows\System\mGsYmEJ.exe | C:\Windows\System\mGsYmEJ.exe |
| C:\Windows\System\ZaHlpaY.exe | C:\Windows\System\ZaHlpaY.exe |
| C:\Windows\System\rKzMNSn.exe | C:\Windows\System\rKzMNSn.exe |
| C:\Windows\System\xyHjZDf.exe | C:\Windows\System\xyHjZDf.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.133.100.95.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.126.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3968-0-0x00007FF701EA0000-0x00007FF7021F1000-memory.dmp
memory/3968-1-0x0000016178F30000-0x0000016178F40000-memory.dmp
C:\Windows\System\EfyIBAx.exe
| MD5 | 48573d70f3a5ffa08b133989a82c75f6 |
| SHA1 | 61e9b45dbf7b87cb13534766afc7fa5b94d21321 |
| SHA256 | 6f6a785131dbe0f1f23a925804cd5f333472e0d16929fb3247d362e989592ead |
| SHA512 | d69a124c8c0c3c396381544639c4b9484dd6e5e92dd0d7eb32da5b3d42ceb4a35c805fab89f1113486be50f0225ad1a45800ad2d50700873e259142174cf7e6f |
C:\Windows\System\HNcdTWa.exe
| MD5 | 354cf1fe2e182266fb11951799f65e14 |
| SHA1 | 43f67f90223d708139ab17a6c0df549bd82f6257 |
| SHA256 | d990c8fe93bb75cc2c9f7b1ff424d7653e281b052616c7422df8f702ce83aff8 |
| SHA512 | 9880622b50bf60fe30dd2ba04d8d548f068aa6f755eea807d821107fb069928cb058d6d40f725988cc8568899193855d62d649eb9375444fd02f54af56bf9c1c |
memory/4744-8-0x00007FF66A550000-0x00007FF66A8A1000-memory.dmp
C:\Windows\System\IpXynEh.exe
| MD5 | 29082e1fc238a298e49046a4fcb86dd5 |
| SHA1 | 8bc6c0122de1a8147594608499550068dd25a27a |
| SHA256 | f844b0e9274a7fd9fc5bc0f2ed0d7e9e73a51e5c30394e29fceafb9121a33af7 |
| SHA512 | 830a5f5ee3c3bdbb9607ec1d6eff54626df0cb3e02d6f5a0deb90225936d5a3919e64783fcbf3d367446de1a3c979886450198104d7b70d50ebd85cc8a555f03 |
memory/1636-18-0x00007FF67E3A0000-0x00007FF67E6F1000-memory.dmp
memory/4552-17-0x00007FF743A60000-0x00007FF743DB1000-memory.dmp
C:\Windows\System\GstcBTc.exe
| MD5 | c6405e50eedd4d146f2e87622ee24e5e |
| SHA1 | 049ba33ce77eff12e08b5ffe35f632f5f14fe3b5 |
| SHA256 | 5b9e0fd8a96b4eb73988439eecfaffc944ae055077945d0a00a14489ab9fca24 |
| SHA512 | 6017cc445b8b21e7be91bc2395a78c028925f5f4bd11814f013b17e79bc6a31d103fa9d9b18be7b6da8ef137ea3f8cd6877f9bd3babedd92cdcdc18f9e290aca |
memory/3340-26-0x00007FF6D3770000-0x00007FF6D3AC1000-memory.dmp
C:\Windows\System\vpvmsuh.exe
| MD5 | 9bf1674b0a9d87b73cd4e4b9a9d2d601 |
| SHA1 | 64d401cd2759c7bdeb04f5f68dc72ba14c3fcb81 |
| SHA256 | 3ee673f2b3df1ab3e4eb15f3572d52a7204c41e0860b39b68c11bf7e84caa193 |
| SHA512 | c72854f6b75b93a63cba965a019e99150ecf8451623faa2da7160d3a42961e90100fdc01533fb824601cd568add57ede5cd4ca48a9a47d5534a46bc2cc299c01 |
C:\Windows\System\cpQMhBs.exe
| MD5 | 089df0051435fa7bf3a0df639a1312b9 |
| SHA1 | 6763df5bf161fdd94740faf786789233b362e053 |
| SHA256 | 02742d6ed106cb88c291b62f544ef0dff93031f33ed18db651adbeac72123600 |
| SHA512 | c62c7c4baa3b7b5f926738f75dec1829c96781790d7036f6f809bacaf6b7a11aa1b9f9226117387d178fd85683bfa3f69ae578fc7d8ac7d7aa43e75bcabcd5c7 |
memory/2176-38-0x00007FF7718A0000-0x00007FF771BF1000-memory.dmp
C:\Windows\System\kCiQxEX.exe
| MD5 | 0095fd13162ff2a9e2c9a8c5fde54521 |
| SHA1 | 242fafe4427b422e5a7346ba3a22fca9bd497589 |
| SHA256 | 6b5befb509d4b6124e85565524c8d27aaef429faab95b848adb78863b8a0f91e |
| SHA512 | 6583edf64ef6bddadb3c10dcb2f5b99f0e1626c06a257c9e618076c2c82306669e107aee3a0885cbd5688248c1a6f5ff74ca9c8234e288368286342ab4523ad9 |
C:\Windows\System\xiTyTSj.exe
| MD5 | a81aaecec24dd6f789b2810427488303 |
| SHA1 | 3385d6bb57bcf48901dc38007a85c5035a4e1207 |
| SHA256 | b8090c5ae310ec100149b8ba15dd775bd2430314d6ec0c2d1a568b5db7b60084 |
| SHA512 | cf704e47518fda321fc8c860369a78685784c5d9afeb305d3095c31ea80c51da1348f02ba031bfe99a28194624e1ab5d7337e45289ccaac650d49803a2fdcdc3 |
C:\Windows\System\yXauqxo.exe
| MD5 | c1c82a237edfb43fca15ca9d46e4f447 |
| SHA1 | 924430a5356de1a834407eefb2cefd67d247f9b0 |
| SHA256 | f15cee2ef8c94b16b4d2cbcc67eb6d17c8605e4aeb8bc01efd0ac1a649699b72 |
| SHA512 | 18efd3f4f27fbe4d3a65c61f9b208f4ca2e702fccbaed8c187fd7990a556ff8145cc55b38aa34dc8a6fe7abe9fae91456946d0145986eabfe97f585be3b20dfd |
C:\Windows\System\JxpjJoG.exe
| MD5 | 4b41db534805d6427691cd503ca25257 |
| SHA1 | 2d3ffd562d5a0b12c738ce85bdeb3b93537f7387 |
| SHA256 | 62173e412a5cf5abb1ad6136518a04e4522a694fa27193766690f8d933353cef |
| SHA512 | 7565baa91bc2e014279aa3d3b765c6864ab821da9dba629510c51289860af73432d077bb600882618d4e2781c521c559076fad792053db5a9d6b2d2e3d736db4 |
C:\Windows\System\mGsYmEJ.exe
| MD5 | 663dc9130aed7d5f0ec3ff638fcf88df |
| SHA1 | 0560ca5dd399eddd38566b70e228c0c4d30a4cc2 |
| SHA256 | 45eca7f98589ddaba885402143a3a0bfb83f97bfde8afad1a773e7a0aaa5899c |
| SHA512 | c6b48c90637508c74a39dc8ceac796687874c099ac02c73fe61e4a6defe3a61305566c6f81385b53565aec62ab163450d0900392eedae4fcf4215172eeb38b95 |
C:\Windows\System\rKzMNSn.exe
| MD5 | 46cc25a61b4ee3051539bc13f251a492 |
| SHA1 | 7678ca6c2d24b50f95641e07f1b18593f2ca4072 |
| SHA256 | 88d4e0cfee1568310d35599c8329ecbd4fe20df45cdd50defca35a80d42f7272 |
| SHA512 | 8cd0283062f7308eff47b361dbc277d2751e1fafb6f7f295ff485291d68d5509f0e1d1c93a8b3d1b3091b2be2b943da15d2bf7bf84b10a2f41e5f8847e07de6f |
C:\Windows\System\xyHjZDf.exe
| MD5 | 745403f0e0218b44a640930d96d2050a |
| SHA1 | 250f72aee2b17b0130917f110479a2a972de2502 |
| SHA256 | 4ba2a99f3437fbf8fd0e45313eaa41887f18a1ae19f1e0d1dcb9347b7c20c274 |
| SHA512 | a43ea1bc76b843b3f27d630930efd5fffc9a2395c7861f565f44f5185d7ebc0e2c11a341291eec39e111578ced1321638806287f7424d0f638764fca26df720e |
C:\Windows\System\ZaHlpaY.exe
| MD5 | 4bf021db857b3eb08713c593ddb30d6d |
| SHA1 | e9711c142d32015865a263a9645fb3a60e0554d0 |
| SHA256 | 6ced2260d06f84fe74dd657846d0b10ff8b9648d31632a1012adbe368b3ea761 |
| SHA512 | 3f5a8b542851c1f79f5a6066d593a7a399a3175b0e193b842ea9b80cc36729e0cdaeeb00aea5039de7e800a546536a4d3c2cdef670d0623a796ef47c86f61f4d |
C:\Windows\System\sFzZhQS.exe
| MD5 | 0d8e336d30dd5cb88a56683fed71a9c2 |
| SHA1 | 534adeed634e0c6d8ab41346c9a346608786f671 |
| SHA256 | 8c710019cbc0f6ee48c7a4d14e7962f4254041bd8906d520f56c04f9d723ff47 |
| SHA512 | 7bf6dd6cab6c0a138d55b5fa2c92b437170467a4125637be7bfe44c50992db22543f6c0a5abfa692fe81afe243f1d57a67f244c1ae220c556a08a7ef032bf171 |
C:\Windows\System\sdgVuJl.exe
| MD5 | 56345fc73ed4c798afdadd44663e5455 |
| SHA1 | f8f337dfc521bdf4d8ca7516b07904bef60e53af |
| SHA256 | 6eee89480e8c56c4f258d79ae958f58b70c9d26d4a99fe30fd28d378e2059ca0 |
| SHA512 | a95d4466f209574990e887d5076cb74f0c5eea8b75eaa97366f1d834f9fdb62131c4460617dbb992b00bafab5b0bcd2b89ef776c69a41b0827ad75df776ca990 |
C:\Windows\System\zEAstpe.exe
| MD5 | cc63e2363d654dfb3a4703c3e6a273d3 |
| SHA1 | de7eef1120489a593ee9d39feebd510ed1ff110b |
| SHA256 | 037c6ebd317f12af91897bee489922492e38b5b0690435fae8fb808c3f7d2c05 |
| SHA512 | 09ba6d713b56336d2d925850d59a56a585e8453eb5a4f58825862fbae2fbaac6f515079db14b83a7313452bc422a6ded039a4c53b1ff15a0e28ac5fbfdd54298 |
C:\Windows\System\KTlgMHC.exe
| MD5 | cbcfeb2417d3edfe97d978c81480dbb6 |
| SHA1 | efa8b4ee560117ccb390e0bdbba402e8f400d73f |
| SHA256 | 62c79046a7a7d753b2701e625b6d61c95b22c6e088896069063922203263a932 |
| SHA512 | f26a1bd91e315d3add6fa60339c67f800b4388265b8cee4aa1a88c78fc34494dadcd3485e52c198881ed30e44b97423f5fdbcafc504907618099b6005cd6b7c2 |
C:\Windows\System\KXjxzPB.exe
| MD5 | 6068364602d9ba621572f92918bb21d8 |
| SHA1 | 7f8f45ce31e904ab826b4f3cc52173838fa710a5 |
| SHA256 | 46c2448adaf081051e9ce4b6394f841bec0b1f2cff77bbf7c9fc78746915f8a6 |
| SHA512 | 3e1931043eda482c98efe55aaf0fa55dec60f0245dd19242d3b9d37257a1fb70b6b43cd93b4282a83ae8ad45137f101b9dd782452fd7a73f0fb8fa7a879f1d4a |
C:\Windows\System\XDtKHxd.exe
| MD5 | e8a2f18bf65b04d574aa6cf9d0fca142 |
| SHA1 | 31fa975a4bd60ab9cd9623f4a8a9f6330bb7215d |
| SHA256 | d0f6ae35f952c700bb4eeb72631b1e5083baa79952cbd14f87b1b6177ffc3e35 |
| SHA512 | 950e40074a784bd81c119a1c3c36fff0c9f31a9933fd7771cb28cf2d7d0199f981f20d674a187bd1aa27a3a41cf6ce7e745c83f3b5b16fa7cdcb10c4fde338ad |
C:\Windows\System\dPLwJVQ.exe
| MD5 | 2328caeaabbccecdb9e682bc40ea7491 |
| SHA1 | 3a25968a5eba555b9d5c1d4ec7a0a61cf34f0d6f |
| SHA256 | 28d2445edde920a23bf7eb6e725d3398716d463fe7821534cfbcc2c5f47e008e |
| SHA512 | 2f0d82e20d9fac620b6ba3d2893cf2bc6599794d7a244596272645df0e5fdacf388f406b958e349e0fc6b6d06cfaca5b78cc9b2ec2256906aa1da6d518da95f1 |