Analysis Overview
SHA256
95cf25245f009a8c117398e0859834470d605b4af51330a40636e6fc6c1e5cbd
Threat Level: Known bad
The file 2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
Cobaltstrike
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:28
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:28
Reported
2024-06-01 15:31
Platform
win7-20240419-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\ALmUNDC.exe |
| C:\Windows\System\eUyqfEf.exe |
| C:\Windows\System\FGrdlcs.exe |
| C:\Windows\System\kFKibAA.exe |
| C:\Windows\System\DEwYJML.exe |
| C:\Windows\System\lBMtPcq.exe |
| C:\Windows\System\xPCPzqk.exe |
| C:\Windows\System\noUxRol.exe |
| C:\Windows\System\aInmIpq.exe |
| C:\Windows\System\qXsXEHG.exe |
| C:\Windows\System\zqhdbcT.exe |
| C:\Windows\System\IRRMABN.exe |
| C:\Windows\System\eGjncAV.exe |
| C:\Windows\System\OfVpXLW.exe |
| C:\Windows\System\AAfEPjp.exe |
| C:\Windows\System\tdGAEuu.exe |
| C:\Windows\System\vltOpvD.exe |
| C:\Windows\System\pKUyFzb.exe |
| C:\Windows\System\clHEfmY.exe |
| C:\Windows\System\BlNvhJx.exe |
| C:\Windows\System\JCDCXtK.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ALmUNDC.exe | C:\Windows\System\ALmUNDC.exe |
| C:\Windows\System\eUyqfEf.exe | C:\Windows\System\eUyqfEf.exe |
| C:\Windows\System\FGrdlcs.exe | C:\Windows\System\FGrdlcs.exe |
| C:\Windows\System\kFKibAA.exe | C:\Windows\System\kFKibAA.exe |
| C:\Windows\System\DEwYJML.exe | C:\Windows\System\DEwYJML.exe |
| C:\Windows\System\lBMtPcq.exe | C:\Windows\System\lBMtPcq.exe |
| C:\Windows\System\xPCPzqk.exe | C:\Windows\System\xPCPzqk.exe |
| C:\Windows\System\noUxRol.exe | C:\Windows\System\noUxRol.exe |
| C:\Windows\System\aInmIpq.exe | C:\Windows\System\aInmIpq.exe |
| C:\Windows\System\qXsXEHG.exe | C:\Windows\System\qXsXEHG.exe |
| C:\Windows\System\zqhdbcT.exe | C:\Windows\System\zqhdbcT.exe |
| C:\Windows\System\IRRMABN.exe | C:\Windows\System\IRRMABN.exe |
| C:\Windows\System\eGjncAV.exe | C:\Windows\System\eGjncAV.exe |
| C:\Windows\System\OfVpXLW.exe | C:\Windows\System\OfVpXLW.exe |
| C:\Windows\System\AAfEPjp.exe | C:\Windows\System\AAfEPjp.exe |
| C:\Windows\System\tdGAEuu.exe | C:\Windows\System\tdGAEuu.exe |
| C:\Windows\System\vltOpvD.exe | C:\Windows\System\vltOpvD.exe |
| C:\Windows\System\pKUyFzb.exe | C:\Windows\System\pKUyFzb.exe |
| C:\Windows\System\clHEfmY.exe | C:\Windows\System\clHEfmY.exe |
| C:\Windows\System\BlNvhJx.exe | C:\Windows\System\BlNvhJx.exe |
| C:\Windows\System\JCDCXtK.exe | C:\Windows\System\JCDCXtK.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:28
Reported
2024-06-01 15:31
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\ALmUNDC.exe |
| C:\Windows\System\eUyqfEf.exe |
| C:\Windows\System\FGrdlcs.exe |
| C:\Windows\System\kFKibAA.exe |
| C:\Windows\System\DEwYJML.exe |
| C:\Windows\System\lBMtPcq.exe |
| C:\Windows\System\xPCPzqk.exe |
| C:\Windows\System\noUxRol.exe |
| C:\Windows\System\aInmIpq.exe |
| C:\Windows\System\qXsXEHG.exe |
| C:\Windows\System\zqhdbcT.exe |
| C:\Windows\System\IRRMABN.exe |
| C:\Windows\System\eGjncAV.exe |
| C:\Windows\System\OfVpXLW.exe |
| C:\Windows\System\AAfEPjp.exe |
| C:\Windows\System\tdGAEuu.exe |
| C:\Windows\System\vltOpvD.exe |
| C:\Windows\System\pKUyFzb.exe |
| C:\Windows\System\clHEfmY.exe |
| C:\Windows\System\BlNvhJx.exe |
| C:\Windows\System\JCDCXtK.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_13c6aff69708e5a44d288fa7c7ee3b2f_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\ALmUNDC.exe | C:\Windows\System\ALmUNDC.exe |
| C:\Windows\System\eUyqfEf.exe | C:\Windows\System\eUyqfEf.exe |
| C:\Windows\System\FGrdlcs.exe | C:\Windows\System\FGrdlcs.exe |
| C:\Windows\System\kFKibAA.exe | C:\Windows\System\kFKibAA.exe |
| C:\Windows\System\DEwYJML.exe | C:\Windows\System\DEwYJML.exe |
| C:\Windows\System\lBMtPcq.exe | C:\Windows\System\lBMtPcq.exe |
| C:\Windows\System\xPCPzqk.exe | C:\Windows\System\xPCPzqk.exe |
| C:\Windows\System\noUxRol.exe | C:\Windows\System\noUxRol.exe |
| C:\Windows\System\aInmIpq.exe | C:\Windows\System\aInmIpq.exe |
| C:\Windows\System\qXsXEHG.exe | C:\Windows\System\qXsXEHG.exe |
| C:\Windows\System\zqhdbcT.exe | C:\Windows\System\zqhdbcT.exe |
| C:\Windows\System\IRRMABN.exe | C:\Windows\System\IRRMABN.exe |
| C:\Windows\System\eGjncAV.exe | C:\Windows\System\eGjncAV.exe |
| C:\Windows\System\OfVpXLW.exe | C:\Windows\System\OfVpXLW.exe |
| C:\Windows\System\AAfEPjp.exe | C:\Windows\System\AAfEPjp.exe |
| C:\Windows\System\tdGAEuu.exe | C:\Windows\System\tdGAEuu.exe |
| C:\Windows\System\vltOpvD.exe | C:\Windows\System\vltOpvD.exe |
| C:\Windows\System\pKUyFzb.exe | C:\Windows\System\pKUyFzb.exe |
| C:\Windows\System\clHEfmY.exe | C:\Windows\System\clHEfmY.exe |
| C:\Windows\System\BlNvhJx.exe | C:\Windows\System\BlNvhJx.exe |
| C:\Windows\System\JCDCXtK.exe | C:\Windows\System\JCDCXtK.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files