Analysis Overview
SHA256
71b4daa378e59e37a443fbf7fe2bd4924821d93b8873e73c4f00bae5db3e8160
Threat Level: Known bad
The file 2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:36
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:36
Reported
2024-06-01 15:39
Platform
win7-20240419-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lMAFJOS.exe | N/A |
| N/A | N/A | C:\Windows\System\nBlxnjJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dWLnRpY.exe | N/A |
| N/A | N/A | C:\Windows\System\lyOhLsg.exe | N/A |
| N/A | N/A | C:\Windows\System\xJQYSNY.exe | N/A |
| N/A | N/A | C:\Windows\System\SyIUgXp.exe | N/A |
| N/A | N/A | C:\Windows\System\UDoTbdm.exe | N/A |
| N/A | N/A | C:\Windows\System\WecvQVu.exe | N/A |
| N/A | N/A | C:\Windows\System\XZnubmP.exe | N/A |
| N/A | N/A | C:\Windows\System\uCedUiZ.exe | N/A |
| N/A | N/A | C:\Windows\System\pagwcbg.exe | N/A |
| N/A | N/A | C:\Windows\System\AyuDMVu.exe | N/A |
| N/A | N/A | C:\Windows\System\DjBoeBd.exe | N/A |
| N/A | N/A | C:\Windows\System\TroEqmk.exe | N/A |
| N/A | N/A | C:\Windows\System\ookuqpf.exe | N/A |
| N/A | N/A | C:\Windows\System\pxAKQDd.exe | N/A |
| N/A | N/A | C:\Windows\System\KAzzyLG.exe | N/A |
| N/A | N/A | C:\Windows\System\zYybtCI.exe | N/A |
| N/A | N/A | C:\Windows\System\PVktnru.exe | N/A |
| N/A | N/A | C:\Windows\System\yrhJXQL.exe | N/A |
| N/A | N/A | C:\Windows\System\BUyqIfm.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\lMAFJOS.exe
C:\Windows\System\lMAFJOS.exe
C:\Windows\System\nBlxnjJ.exe
C:\Windows\System\nBlxnjJ.exe
C:\Windows\System\dWLnRpY.exe
C:\Windows\System\dWLnRpY.exe
C:\Windows\System\lyOhLsg.exe
C:\Windows\System\lyOhLsg.exe
C:\Windows\System\xJQYSNY.exe
C:\Windows\System\xJQYSNY.exe
C:\Windows\System\SyIUgXp.exe
C:\Windows\System\SyIUgXp.exe
C:\Windows\System\UDoTbdm.exe
C:\Windows\System\UDoTbdm.exe
C:\Windows\System\WecvQVu.exe
C:\Windows\System\WecvQVu.exe
C:\Windows\System\XZnubmP.exe
C:\Windows\System\XZnubmP.exe
C:\Windows\System\uCedUiZ.exe
C:\Windows\System\uCedUiZ.exe
C:\Windows\System\pagwcbg.exe
C:\Windows\System\pagwcbg.exe
C:\Windows\System\AyuDMVu.exe
C:\Windows\System\AyuDMVu.exe
C:\Windows\System\DjBoeBd.exe
C:\Windows\System\DjBoeBd.exe
C:\Windows\System\TroEqmk.exe
C:\Windows\System\TroEqmk.exe
C:\Windows\System\ookuqpf.exe
C:\Windows\System\ookuqpf.exe
C:\Windows\System\pxAKQDd.exe
C:\Windows\System\pxAKQDd.exe
C:\Windows\System\KAzzyLG.exe
C:\Windows\System\KAzzyLG.exe
C:\Windows\System\zYybtCI.exe
C:\Windows\System\zYybtCI.exe
C:\Windows\System\PVktnru.exe
C:\Windows\System\PVktnru.exe
C:\Windows\System\yrhJXQL.exe
C:\Windows\System\yrhJXQL.exe
C:\Windows\System\BUyqIfm.exe
C:\Windows\System\BUyqIfm.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1752-0-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1752-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\lMAFJOS.exe
| MD5 | be1898ebecebfdbb68ea9076262f9eb5 |
| SHA1 | 32136f607ae3c2e6485484e3fd1cb6d658c7e95e |
| SHA256 | 30ded6997032c5a72dbd5794d3b489a37f0f1832800a1c1b5e5483294cd3bc9c |
| SHA512 | 62eeccad73ce2403bcd72e76ea717e53cef44a5467c4c0c18342d717dcc2dadf67c7368320ab584a54f86491e6816d696bc3445238cbec13e3cc006a95986961 |
memory/2456-10-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/3060-15-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1752-13-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\nBlxnjJ.exe
| MD5 | 5adee43c793699f1940f9add68ac8b05 |
| SHA1 | 17ad8a8edb1127b1d69049d409ab983d1891d067 |
| SHA256 | a95f85275eeeccc912d507612ce76ffa1c4da85efda0e70aa1bb73d500f12b1e |
| SHA512 | e624cb567b19e7156a2b3c968bcbff964f7e0e77ee94aacafd62f8694819be64d4a2ec343b5b133908cca87eb2244d78dc446a8dd423054487116d93de6374fc |
C:\Windows\system\dWLnRpY.exe
| MD5 | 655ca31ec421ee4fb3e8170b24a0be9a |
| SHA1 | ef4db7831d9d1893b2e0762e38802d7dacffeb2a |
| SHA256 | 94d0737ce8b43a0cd146f6cf87827e0b5a9c7f4ea6d83ee4f1f9630abbdfa659 |
| SHA512 | 64dad0957a7d16354d9fa44bce1b73cfba1da29ab17759192016a4720daeeb85a10007b7e9464ac6a2ce42353af7c8cb3340cab16270b1e0704ad6775c0c9e44 |
memory/2160-22-0x000000013F3D0000-0x000000013F724000-memory.dmp
C:\Windows\system\lyOhLsg.exe
| MD5 | 46d5579ac014a49b8e10eaab159bafcb |
| SHA1 | 6ebc0dce918fdbaa0b773f35cc9de9de44e9edf6 |
| SHA256 | 2046f5dc2f65e3acf4a0c3680fb4315d9627b0f53a6b8e6ec1d57f655eb541ce |
| SHA512 | 8729a7f3d8eed33c35ed2fc74273810dcc937c21b36bd802212d7f55d4ef182fa677e0a13d489d6a2689883fe6fdf455b8819ff1fd665df74bacb9b7cdb767d7 |
memory/1752-27-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2824-28-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/1752-20-0x000000013F3D0000-0x000000013F724000-memory.dmp
\Windows\system\xJQYSNY.exe
| MD5 | 1a68ba77631e2cbf2a2e51e3498cb73b |
| SHA1 | dcedc8b10ea2e844e348ba2f380637dc77449b52 |
| SHA256 | 95844fdd07ad8a681cb6d2ad298eddfeb336f27af2960b9df9e620ba0130919b |
| SHA512 | 7032ef04abc96a21d22c2ab3d397d7991606539edf94b971bd35b1fe626f27fc6d2985d51cc164c37e79d12e0bd4609bdadc749ac389be3c49b0bab75ecc705d |
C:\Windows\system\SyIUgXp.exe
| MD5 | 50a5911561e00e055e3927d4749345fe |
| SHA1 | aacaa5a1511fd6acb81d7c84b138e00649dd0f26 |
| SHA256 | 1dc3d8d71a898e8af3b3934e07235eb7217df6135e5595fd492e93a7bea2f1a0 |
| SHA512 | 91baaf17cbf10157a14874f01a80691c91b24be0dcf21196e1c7691d629346a5e007c55a6769e27b84f446e4d79a3d5fc5ea4830b3a087d10f4b7e978fc7bcf5 |
memory/2568-42-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2148-35-0x000000013F420000-0x000000013F774000-memory.dmp
memory/1752-41-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\WecvQVu.exe
| MD5 | 2effe4683b857ae18774d28e3a8a9014 |
| SHA1 | 566b81c65fdbd2efece1024e0d520e347f128140 |
| SHA256 | d32e9991aa07de37048a27ee1f689dcc83db01005230c23c4b12248733ca7403 |
| SHA512 | a328e363b208bad1547525ab0dfc7b0b57d00de7a8ebe22f0c84c30c1b74dbc983959302e766fc353244f624108bf20390398144f0be28a32ef017d5fe6ab365 |
memory/2908-49-0x000000013F5E0000-0x000000013F934000-memory.dmp
C:\Windows\system\XZnubmP.exe
| MD5 | 3d39c9c5700bcc1c06017c79ab598dbd |
| SHA1 | b51d85ce71d7a3c8c98fd0f9528e0a5299391cb8 |
| SHA256 | 319d95c68711b08da8b11b6d802e2591d4e15c60a0fedfc3863fd8025670c6a0 |
| SHA512 | a5e83814fb88c3e0b3944fac58ef290adb04230553d506c2152efbd3714e03f7f63b4d5f6fd1b061dcfbe424218d59be3f6477bd1a93ec6d2e8523ac0c2982ec |
C:\Windows\system\uCedUiZ.exe
| MD5 | 9dcd5c08959a6a4f188e3e56d20510bb |
| SHA1 | 9345757685e34f6934b1a1a300edd39b106ba827 |
| SHA256 | 1e5b62e8a891c998338b40ebe4f5b95adf17f9f4777a6a82e78600b2cbf7aa2e |
| SHA512 | 07b884609d6ac2a286ac6971b07914d123c3e9d2522e3f712ec527c925f5dc4c3ecaa6caa9c7162744d166a1adf64f3048822c4e4a89c13bf3a0a19ca0db9a8e |
C:\Windows\system\pagwcbg.exe
| MD5 | 501ae4e8a4d8e02490848766e96db24a |
| SHA1 | 904217b54898179c41523af2780ed68301e84e9a |
| SHA256 | d65c890991568b0cf1a27314e52b367f71dabc223797a98107408c7c0a7a1058 |
| SHA512 | b43e7fd02cf0fafbc369cbfafe7a80f57804e021f7862c6a8628a83a218fcae7a77bc98f20fe051db3a7d8d28ad0a610d3e101ebb722acdb8747129b160e806b |
memory/2160-83-0x000000013F3D0000-0x000000013F724000-memory.dmp
C:\Windows\system\DjBoeBd.exe
| MD5 | 4d955c1813ef533c51b6ffa4d21d0812 |
| SHA1 | 55e50204dee9a2b88f5710be42c832bcc6c33d0f |
| SHA256 | 1fa8b20037bdb8d1e25900a05e4656b75641a85ad8dfa355a537844a82389937 |
| SHA512 | 613006a2965857ebd8587b5d0bf244a5bf50fec02a21c86d08fe8e9728c86656c094a49fa22d420bc2e167bb0cabe0cfb7c95c5ecc0ef9f8d990700cb642598e |
memory/2824-90-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\pxAKQDd.exe
| MD5 | fe1624e82df490c42bdf19b517488ebe |
| SHA1 | e692b0004e06ff980c00a2a3380aae28654ffac7 |
| SHA256 | c056f9cb6eccafd70dd3cd7c160c2fda2b67d11280948a50e537348d18a9adc3 |
| SHA512 | e70a539e8d6d25a850f12dec6a359795bcbd600e572d2dc20dcb44d864f8596c370b9cf4ca67ea84e727a5b59c74a4f85930002fd7955da0141b575b35c06bf2 |
C:\Windows\system\yrhJXQL.exe
| MD5 | c5358d21da1eb49149b61d61ec1dd04e |
| SHA1 | d03f41d67db2dca605905ff246e51474a9a12bd2 |
| SHA256 | 68313d6b22cf8068fbf9e5ca6765375a9e3d660fd34add753e4dda2f0725d7ba |
| SHA512 | d9ce052a3ded3c0f1943a26c889fdffb2487d0ccb5956f6ce958113ba916337fb5af5d072cf2cd27c5817b821666e8683b3868d3d994ae3b1125dd6ab06ab7fe |
\Windows\system\BUyqIfm.exe
| MD5 | abb444f78bf77ba5b70ff6f6aaab57f3 |
| SHA1 | b1b739265a836d483f838b57ad6bed8c2e16ec58 |
| SHA256 | 43041d9f33a3c6c314f1f6ad6779375fe44cb8b33bf78cf936c89bf1858cdf21 |
| SHA512 | 6a7b555ad46592c9f99c04603bcdae1775dfd8d8a10827298b1d5e8c348049f9d07750d9f1ed38cfac0b4500a5c980076e8012dd5cd4d5f88a879cdd7c38592c |
C:\Windows\system\PVktnru.exe
| MD5 | 2a5534d2c3dc9e594d233326d4317135 |
| SHA1 | bc00f6e9a4d36467d18b3878cdaca2d430304562 |
| SHA256 | b287e32f0e630f44baeeeaed8d358bb8c3d2575b1c19a9b3e4ebdf51250e2b36 |
| SHA512 | c155f70a7d4c6024add0e5f1fe41ee7216a4f4df1e93c237e9becf21daa7723cbc2b22cf229e582e5f9598fec0bab983bd8280d783561c9b7403ce7eaede0c19 |
C:\Windows\system\zYybtCI.exe
| MD5 | bfe30e5a8817b1744f82ac979798d8bb |
| SHA1 | f1467952a86db150aeadeb5db27aec3eb19d0295 |
| SHA256 | e494220073dfdd1d4e88d7fc6ed6676b6cb6e901347de08b194208babf22d3d7 |
| SHA512 | 26d13366105d0bada66b48ff49f8ca8d9413b5226ecfef52f57e297fe0a72b1df3c97fffe9bf5871e501258ab2e1d5c3b88ebdbeadee17e710320788970c6e45 |
C:\Windows\system\KAzzyLG.exe
| MD5 | 704b2b8a69e4a40dfeb925ce9c0378b8 |
| SHA1 | 291b8c7aeb585099f6b076cde502f17a88fcfbc4 |
| SHA256 | b274912cdd2f2a100d2a484e74a5e6590a9194fcf443186bfd4c6194bb3e8c6b |
| SHA512 | 8165be0efe3629f87634d48316f484b9c754857da0917ad701a2b5abdd91b8326b25b4e3d9b610dadd5cd235539f202eb44259cd0c8586924b6e4f56ba878110 |
memory/1752-106-0x000000013F870000-0x000000013FBC4000-memory.dmp
C:\Windows\system\ookuqpf.exe
| MD5 | cf3eb0778f9d16376e0aff154e89a191 |
| SHA1 | 7bbbff1fc37eaab3d74dbfe98e2e41aea81fc6a6 |
| SHA256 | 9aa4a7b783b0d3ed04aff4f9f4f96375701172f0fbcee9d5ed9e6157878591c2 |
| SHA512 | 8295a88b544f90eae236eaee38f95df3efe8a92254a699f9ca86de27d8430ecd4bb9a2dfe4801970d47a7449464573d3b6edd7058f9cfae6f6a2d1b1f962ee83 |
memory/1448-101-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/1752-100-0x000000013F420000-0x000000013F774000-memory.dmp
C:\Windows\system\TroEqmk.exe
| MD5 | f4a1d56d6c023d5ea2a679caf2a6ac66 |
| SHA1 | 27595d551d6b3b4dcca5d1bce045e4091a1e9d32 |
| SHA256 | 10c7e10ee55f41606baa02d6c7dd9fd76e89e4118c13d7c504a4c5931da291bb |
| SHA512 | 34377affefb3f20680774d3e98f5ec4199688c1af0d8370f8714b9dbac392c612d43f94896a1c07ee11a975dd55df4a32c27586612127104062c1fd4c1c18d12 |
memory/2896-92-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/1752-91-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2884-85-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1752-84-0x000000013F290000-0x000000013F5E4000-memory.dmp
C:\Windows\system\AyuDMVu.exe
| MD5 | 9b1f636f2cfd39b389a07fa6e2457240 |
| SHA1 | b92820368eb435f233e848771f23de7adaa34d5d |
| SHA256 | fac1120a646c0105c446fa74dc128e79082c8752f5a427e0514706f09eaf1b9b |
| SHA512 | 95fa1e15dea54ae073fc6b29c706970bcaab8ab0541df0c13a548b6fafe58620059f6d64b3162ac7065ebe6c1a2bbd54de034bceb79a4eb13cde386df9f29964 |
memory/3040-76-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1752-75-0x000000013F140000-0x000000013F494000-memory.dmp
memory/3060-74-0x000000013F020000-0x000000013F374000-memory.dmp
memory/3068-69-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/1752-68-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2564-61-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1752-60-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2220-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2456-54-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\UDoTbdm.exe
| MD5 | 28ef74962d934d9ee64c41035b8ba86c |
| SHA1 | cfe77d587e19f562c1bdf7731913db843181653b |
| SHA256 | a22581aaada54bad184bbfec4354d87977f79124af0d40104ff6949845864d85 |
| SHA512 | 8c26f7d2545b5db2220a649bfa826db6146422c7d9f2b664bffc4677849bd6072c9d472a6024442ff4eb9e70bdb1ae3cc60651b6dfc05156a6a7b51716b69d67 |
memory/1752-46-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2220-137-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2564-138-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1752-139-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/3068-140-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/1752-141-0x000000013F140000-0x000000013F494000-memory.dmp
memory/3040-142-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1752-143-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2884-144-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1752-145-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2896-146-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/1752-147-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/1752-148-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2456-149-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/3060-150-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2160-151-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2824-152-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2148-153-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2568-154-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2908-155-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2220-157-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2564-156-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/3068-158-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/3040-159-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2884-160-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2896-161-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/1448-162-0x000000013F480000-0x000000013F7D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:36
Reported
2024-06-01 15:39
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\owUtboL.exe | N/A |
| N/A | N/A | C:\Windows\System\zkexpTy.exe | N/A |
| N/A | N/A | C:\Windows\System\MOuSiAb.exe | N/A |
| N/A | N/A | C:\Windows\System\TysrgbS.exe | N/A |
| N/A | N/A | C:\Windows\System\NsNTnmb.exe | N/A |
| N/A | N/A | C:\Windows\System\UQmHuxC.exe | N/A |
| N/A | N/A | C:\Windows\System\eolvLLw.exe | N/A |
| N/A | N/A | C:\Windows\System\ptNrVfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBeJHER.exe | N/A |
| N/A | N/A | C:\Windows\System\GdvlVmC.exe | N/A |
| N/A | N/A | C:\Windows\System\LuMVPOb.exe | N/A |
| N/A | N/A | C:\Windows\System\AYqmswd.exe | N/A |
| N/A | N/A | C:\Windows\System\JrRAGGW.exe | N/A |
| N/A | N/A | C:\Windows\System\vwtjwKy.exe | N/A |
| N/A | N/A | C:\Windows\System\nUVstDH.exe | N/A |
| N/A | N/A | C:\Windows\System\GVhWXmX.exe | N/A |
| N/A | N/A | C:\Windows\System\bAMicgl.exe | N/A |
| N/A | N/A | C:\Windows\System\wUdbBbO.exe | N/A |
| N/A | N/A | C:\Windows\System\ACkGdKL.exe | N/A |
| N/A | N/A | C:\Windows\System\OkPnUVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MNGFPqD.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\owUtboL.exe | C:\Windows\System\owUtboL.exe |
| C:\Windows\System\zkexpTy.exe | C:\Windows\System\zkexpTy.exe |
| C:\Windows\System\MOuSiAb.exe | C:\Windows\System\MOuSiAb.exe |
| C:\Windows\System\TysrgbS.exe | C:\Windows\System\TysrgbS.exe |
| C:\Windows\System\NsNTnmb.exe | C:\Windows\System\NsNTnmb.exe |
| C:\Windows\System\UQmHuxC.exe | C:\Windows\System\UQmHuxC.exe |
| C:\Windows\System\eolvLLw.exe | C:\Windows\System\eolvLLw.exe |
| C:\Windows\System\ptNrVfQ.exe | C:\Windows\System\ptNrVfQ.exe |
| C:\Windows\System\ZBeJHER.exe | C:\Windows\System\ZBeJHER.exe |
| C:\Windows\System\GdvlVmC.exe | C:\Windows\System\GdvlVmC.exe |
| C:\Windows\System\LuMVPOb.exe | C:\Windows\System\LuMVPOb.exe |
| C:\Windows\System\AYqmswd.exe | C:\Windows\System\AYqmswd.exe |
| C:\Windows\System\JrRAGGW.exe | C:\Windows\System\JrRAGGW.exe |
| C:\Windows\System\vwtjwKy.exe | C:\Windows\System\vwtjwKy.exe |
| C:\Windows\System\nUVstDH.exe | C:\Windows\System\nUVstDH.exe |
| C:\Windows\System\GVhWXmX.exe | C:\Windows\System\GVhWXmX.exe |
| C:\Windows\System\bAMicgl.exe | C:\Windows\System\bAMicgl.exe |
| C:\Windows\System\wUdbBbO.exe | C:\Windows\System\wUdbBbO.exe |
| C:\Windows\System\ACkGdKL.exe | C:\Windows\System\ACkGdKL.exe |
| C:\Windows\System\OkPnUVQ.exe | C:\Windows\System\OkPnUVQ.exe |
| C:\Windows\System\MNGFPqD.exe | C:\Windows\System\MNGFPqD.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\owUtboL.exe
C:\Windows\System\zkexpTy.exe
C:\Windows\System\MOuSiAb.exe
C:\Windows\System\TysrgbS.exe
C:\Windows\System\NsNTnmb.exe
C:\Windows\System\eolvLLw.exe
C:\Windows\System\ZBeJHER.exe
C:\Windows\System\LuMVPOb.exe
C:\Windows\System\GdvlVmC.exe
C:\Windows\System\AYqmswd.exe
C:\Windows\System\ptNrVfQ.exe
C:\Windows\System\UQmHuxC.exe
C:\Windows\System\JrRAGGW.exe
C:\Windows\System\vwtjwKy.exe
C:\Windows\System\nUVstDH.exe
C:\Windows\System\GVhWXmX.exe
C:\Windows\System\wUdbBbO.exe
C:\Windows\System\MNGFPqD.exe
C:\Windows\System\OkPnUVQ.exe
C:\Windows\System\ACkGdKL.exe
C:\Windows\System\bAMicgl.exe