Analysis Overview
SHA256
5c55e0bee233057766789deae731c7668bf0ffb43687c5e8c603d5206fadafac
Threat Level: Known bad
The file 2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 17:44
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 17:44
Reported
2024-06-01 17:46
Platform
win7-20240221-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lbDCJij.exe | N/A |
| N/A | N/A | C:\Windows\System\zkReuHy.exe | N/A |
| N/A | N/A | C:\Windows\System\DOrFxxQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bvEXQpJ.exe | N/A |
| N/A | N/A | C:\Windows\System\pkfIHvf.exe | N/A |
| N/A | N/A | C:\Windows\System\iPYOgQK.exe | N/A |
| N/A | N/A | C:\Windows\System\iKWCiNg.exe | N/A |
| N/A | N/A | C:\Windows\System\aOwcfYE.exe | N/A |
| N/A | N/A | C:\Windows\System\URxQuJK.exe | N/A |
| N/A | N/A | C:\Windows\System\jCEUYFI.exe | N/A |
| N/A | N/A | C:\Windows\System\RbIaOyp.exe | N/A |
| N/A | N/A | C:\Windows\System\UQHVwtA.exe | N/A |
| N/A | N/A | C:\Windows\System\iDQigrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PLiCvue.exe | N/A |
| N/A | N/A | C:\Windows\System\CGYhfcr.exe | N/A |
| N/A | N/A | C:\Windows\System\abZSOJh.exe | N/A |
| N/A | N/A | C:\Windows\System\vNVUBNA.exe | N/A |
| N/A | N/A | C:\Windows\System\BDBhDwL.exe | N/A |
| N/A | N/A | C:\Windows\System\ExMGXQG.exe | N/A |
| N/A | N/A | C:\Windows\System\scmeabX.exe | N/A |
| N/A | N/A | C:\Windows\System\hArjOHP.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\lbDCJij.exe
C:\Windows\System\zkReuHy.exe
C:\Windows\System\DOrFxxQ.exe
C:\Windows\System\pkfIHvf.exe
C:\Windows\System\bvEXQpJ.exe
C:\Windows\System\iPYOgQK.exe
C:\Windows\System\iKWCiNg.exe
C:\Windows\System\aOwcfYE.exe
C:\Windows\System\URxQuJK.exe
C:\Windows\System\jCEUYFI.exe
C:\Windows\System\RbIaOyp.exe
C:\Windows\System\UQHVwtA.exe
C:\Windows\System\iDQigrQ.exe
C:\Windows\System\PLiCvue.exe
C:\Windows\System\CGYhfcr.exe
C:\Windows\System\abZSOJh.exe
C:\Windows\System\vNVUBNA.exe
C:\Windows\System\BDBhDwL.exe
C:\Windows\System\ExMGXQG.exe
C:\Windows\System\scmeabX.exe
C:\Windows\System\hArjOHP.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\lbDCJij.exe
| MD5 | e0a92f5df6c12b3387edd58a08f16615 |
| SHA1 | 47b13ade5e9a1568442dcf2b5816452f81232434 |
| SHA256 | 08bb5500c20b9b9f6beecc28072158630a0c3c5bdc3c24ccbebca064e7112b36 |
| SHA512 | 8b67443558c506208edbbaadcd090cf4b73ecbaac5aec0e421d44dd879e9248a302f0fe6dddf4bb79a144e55869c1053f0add72f6014911e67991df49764da9b |
C:\Windows\system\zkReuHy.exe
| MD5 | 8ab46b292d4c618017a9fd80c557658f |
| SHA1 | a899f977b7872c8284cbe218515b6737dba3dd3c |
| SHA256 | b0bb775a560c1d2823bb6b28e0da19e7febbdfd1cde441a3da90c036e3accc37 |
| SHA512 | 786928294bc1060d6c082f362dab1f5e3e44407d7d5336cb40c3880073fbb4f47c0bda220e464aaec015aa843dfbeb344f227b124cd701c8ba3cf65f87168da1 |
\Windows\system\DOrFxxQ.exe
| MD5 | 538b2c1fb5ceed8a947777505549be3e |
| SHA1 | 390d9fbe9186cc991cbf7d58ef1a09f2d937a036 |
| SHA256 | 5b8b94aa9c83ae60e5e1bf6aa3836e894d8e01d7ec14e67d8c6e210b6d37f916 |
| SHA512 | 797face2c4ba496abeab63a5c249b6576bb860fcc1044632bd84b29e39be853739a3f9a9b1be38769861568e5b473fa2db92d3abece8feae2f1a2f8e9aef014d |
C:\Windows\system\iKWCiNg.exe
| MD5 | d8e6d53709f496f4ed1d0644514fb1b9 |
| SHA1 | f0706d29a4f3182f78358c7fc092e8b8a85c839a |
| SHA256 | 3f8f636883409cc53fc44d33bb6e5a92be234187dca9bce3bd9e84fb0896e2ea |
| SHA512 | d7405c531c11dad0304ff33d96286792f1966f1400aa12b18baf1b8ff86aa14c73c0f0e0dc16ff9be4d14d686e0ad4efd07cb857e4f2fcd934d9ca28e351923a |
C:\Windows\system\UQHVwtA.exe
| MD5 | f06c479a737593d25303281b2a5b6deb |
| SHA1 | c06d9b1c0e2740f932d90682cf172cdd542321f7 |
| SHA256 | 3c6499e65034de39c73cc94f2f7ba879067bc245e4b806341c17084b716656bc |
| SHA512 | 25535f457f5d1ab7694845220571defc52a4dccd71dab3173881bd2b0f27f9dbbd7b4c67f946265bb776bc91a033c37d98dac4051408c426d5ba1a2ea463ba5a |
C:\Windows\system\ExMGXQG.exe
| MD5 | 5afda535951d0fe8e46061664713dc7d |
| SHA1 | d047a239614b1580c02ce9acbb27ccc90fd6b74f |
| SHA256 | df9b217b68de4912cae619c0ba1fd38473d6900a2f97f9b650104ff22abf476c |
| SHA512 | 60443a1386d738cb5efc36e06f5e70bb5f534a5109c81ad82aa54d7f4b9f52f3eb9e98dbf82759442bfc8a567364616bbbcd7512a96b9ed3875c8ec5a426ca0b |
C:\Windows\system\hArjOHP.exe
| MD5 | 8ffbee9efca3de746da86a771e67da71 |
| SHA1 | db284883144cb23c54dd6447ed424676d7dccc08 |
| SHA256 | 404d1008db2c9932f0a55985cd5cb9988a7ac2b8cb5fd10b36151e9b194b5d11 |
| SHA512 | 6a8d92fbdacef9ba1176a060d34df0c992c24b799d130cf22ed735e937ac86a4ad40a6f0fd9a02794dba730a5ecf8e3f529a2820dd757b7363fc78ad86203e2d |
C:\Windows\system\scmeabX.exe
| MD5 | 39ee9e2111a069beb474005c89d8cec7 |
| SHA1 | 11c35708a015a02f4cd4c034e5db54cbf4c741e6 |
| SHA256 | 770fd5f26e493af9b6b0d6119546ed9dd70e97e1c8293581aa0d70a0ac022419 |
| SHA512 | f800772c280887650b67cfbaf5b355e5358077c00f77f505f2ada0e861feb18858a8e2d7658d853554eb91732d4bf8f6256ea6db9d0ab955601ecbe0cfd2e27f |
C:\Windows\system\BDBhDwL.exe
| MD5 | f9f7863290b07e64fed6ed2b25bf1db3 |
| SHA1 | 16b6ade5f8fbbd1900d189562f14a0c90b3e0250 |
| SHA256 | 8ee5de32a5ec6248c9c2030dd7a6d89e7a68d46873ebc7234278a4561f8f78f9 |
| SHA512 | bb9cbcab6fa7b61e7b651b790a89f010a9e91ad574990c745c279f0df97becdbbc7fd69cb7d275131c036ed873f270047ae8dcb47ebfb172df7a033067156313 |
C:\Windows\system\vNVUBNA.exe
| MD5 | 6b11452704c6456f97f151c4475c7228 |
| SHA1 | 4a47e27b92f3c9e0c044781f6b8b570525b32503 |
| SHA256 | d6dcbe472c379b3e257f49020b49ddca1ed894060e7d9488b85a854956cad6bb |
| SHA512 | 4b66621ec64e59a57d11b2152990b519482d46e46f6a71afb18d9af7a23f9c080c2e680a308360af3098c6f457c7164e33eb1c26d588cedc3f068b51d0ae67e5 |
C:\Windows\system\abZSOJh.exe
| MD5 | 5c5d5ab4b01af3a50302d487a0c1fc4f |
| SHA1 | e1da14e78111b2512248ab418825e020c2414cde |
| SHA256 | 9efc2bf3813cacac38d6a2495d00280bc331159a160af7145e30bec165816f90 |
| SHA512 | f84235cc5ed1f9a3dc35f798b2efd919b16f4f8238ea04b44420d0540f40625b18fc49f2fa6b3a0621648b6764910fa01f25ead2e42bce2864a6b4d48812b783 |
C:\Windows\system\CGYhfcr.exe
| MD5 | ca56f969d0b5c9ada3c797f2adcc2e05 |
| SHA1 | 12330cecfc9efddde20389c89e133674d23f8d64 |
| SHA256 | 5a46d9db24e44351b1a43b142b00d91ed3291edd1958e335dc439dcc93762a9d |
| SHA512 | 338fc2a6665b3baf88f7de4183020163d6d9a717dd3a430710a2c8e7e4914017aaaba555fd1320cf21f6d8865a2e34a7b8226af8746804b6e86f7b40ea236651 |
C:\Windows\system\PLiCvue.exe
| MD5 | 6c0c167ce018b688b8cc5ea5efe48dec |
| SHA1 | 9aba86bded02d9685460defffe90e1d23795cb3e |
| SHA256 | e062b1a60cc86a46d72e97088941ad5d7c602e231873804580795081d3634493 |
| SHA512 | aacf066e3d0211b4258696467be59cdca3b8e5b7fcc950ecbbd9c22498183eef6bcf0a5c63b54ba578da6c605c2eeba4138ebf8e3304cdde8153eefd02cfd923 |
C:\Windows\system\iDQigrQ.exe
| MD5 | 4828897679a2deed5b651b9deeaa2806 |
| SHA1 | aff3ad5c05e354e13df361d7f4d839b90b1417a3 |
| SHA256 | 621d5517d7529b6581c6ec2254e1b33068bcd196150276c93ecd6599f3bec4b4 |
| SHA512 | 5a125536aa01eb295f4689b079c2db76867d5653ffe7a74da08cbc1e1ecde0bfb7ce51658a9ad66ff99952c4413e72b264ae98866186e166e195961f3a936c93 |
C:\Windows\system\RbIaOyp.exe
| MD5 | e2e417be7dd1e27017bc7d39f531675c |
| SHA1 | e17ddb06dba8bf0ad5f31a2ca9ef2bea8c0542d6 |
| SHA256 | e09280e5e7f1bdbca5fbf68559e36e079475939ab0159e568096dea51b99f624 |
| SHA512 | 077ee8f5956f79d3133d728722e0400f548b20f9ef04c5b97b8b5fee6077a3956c0f429df65fae768537e847b2b8ab939d8c1ceef532d2ab956f0516ea881707 |
C:\Windows\system\jCEUYFI.exe
| MD5 | c0750d7fddb85a3dc3f55fedd124e57f |
| SHA1 | 0eec5fa9d9bd845364c1078ba23dd63792ca8322 |
| SHA256 | a772b46897a9e913ec25e246b808bab6d673a894f173d26049497d65fc25dba7 |
| SHA512 | 262633956d63e8eb971fdb54828c8ea6cc6ba266b6c5d37ee04dd151b9c258ae9138d544d2edaa47315798de7049cbbd2b7fd9eced3f18615d0134e94e8c0ad3 |
C:\Windows\system\URxQuJK.exe
| MD5 | bc6cc51af6ba92a70460d9141f7f9889 |
| SHA1 | a39c493823e4ea1607bf4acc99e71e7d64e0ecc3 |
| SHA256 | 3c3899568658d7025766e55a3db3d9de37f53df2661a0f3ac38d515db67978d8 |
| SHA512 | efc570f8bb74c7b808ec28eb595b615c5f15e8800f403a6baf31c77194e8d537373cdd4eae7bf6cda9140bb33d92018a2f7252b0a6e87aeac44c1d30a8606a37 |
C:\Windows\system\aOwcfYE.exe
| MD5 | a9d04721416ae73c44b0884b04555f72 |
| SHA1 | 0d813389db6e47916cff0cf9bb3c588f8019daf2 |
| SHA256 | 11bb75ce62db3e3cf92fe51022118f45cdd2b43bfaab6d56dde640a3d3fefb99 |
| SHA512 | 651c4b50241453b983f3cf67151f461796b80be100c4b0795d37a36d3df77abed67eb059fe94b6c4386f6a16896a561e24ff3e7e0b3f39d57485fda3a41f34d2 |
C:\Windows\system\iPYOgQK.exe
| MD5 | 82613c0a857d3844c3a539b733bcba38 |
| SHA1 | 3a5471fa3b3875392495240e274c7fc6d80574c8 |
| SHA256 | 6d1014d2c9f04af8d92a8dda9bb8476207784e1b186cd4607c89fc8e29dafa01 |
| SHA512 | 5f80c854510cd01936f28ab075606c16bdad5f40712543d842b74ec68e445982bac9a23731cefc5b060999b101e621575ba48dfe53f4b872f3e43218008a27fc |
\Windows\system\pkfIHvf.exe
| MD5 | dafe1c8dc1f64c6704e33a6cdef9d320 |
| SHA1 | b54f761316bac88dba03d5f16632570c7f17d892 |
| SHA256 | f25e764b7d040fe0251f5182824e4581ef5b1a3c50d3b2bea1f4d608f4c47f14 |
| SHA512 | f88fe3f7a31af071eef7523f63a769f0e66a715286baeee5d8e61eee46daf217d6e13da3f7b6da935811a4ee78a9f27c78415c212e64593d79a0b89767e1e068 |
C:\Windows\system\bvEXQpJ.exe
| MD5 | 159dbde76bbbfaa8297ed846c0b9a105 |
| SHA1 | f4efa530b70e86c6a218a76b813cda92e37e953c |
| SHA256 | 91fa9ce9cdaf59086083eab5521fce8a3ff218dfc6133f7967504115896738fb |
| SHA512 | b96808034ac0c39cc0d05688bb9e9e069655edf7f5168b44e5a1128c0cbceb08e7e732e93930334ed7fe1a430dec969b79683d784184889eddc795870475ad06 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 17:44
Reported
2024-06-01 17:46
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pMXiTJb.exe | N/A |
| N/A | N/A | C:\Windows\System\LTLmwin.exe | N/A |
| N/A | N/A | C:\Windows\System\mGSkOQT.exe | N/A |
| N/A | N/A | C:\Windows\System\XrIbcXR.exe | N/A |
| N/A | N/A | C:\Windows\System\rWtSlOE.exe | N/A |
| N/A | N/A | C:\Windows\System\lZDCuyW.exe | N/A |
| N/A | N/A | C:\Windows\System\snTmaCh.exe | N/A |
| N/A | N/A | C:\Windows\System\teigcii.exe | N/A |
| N/A | N/A | C:\Windows\System\WBogabM.exe | N/A |
| N/A | N/A | C:\Windows\System\vlWdhKl.exe | N/A |
| N/A | N/A | C:\Windows\System\ovozBtk.exe | N/A |
| N/A | N/A | C:\Windows\System\MqDLcbi.exe | N/A |
| N/A | N/A | C:\Windows\System\oLguAxC.exe | N/A |
| N/A | N/A | C:\Windows\System\rYwhBZs.exe | N/A |
| N/A | N/A | C:\Windows\System\BeJWbrb.exe | N/A |
| N/A | N/A | C:\Windows\System\rHOWdsc.exe | N/A |
| N/A | N/A | C:\Windows\System\MOjDXqf.exe | N/A |
| N/A | N/A | C:\Windows\System\zAgpMVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\peETOjX.exe | N/A |
| N/A | N/A | C:\Windows\System\IMUHWXc.exe | N/A |
| N/A | N/A | C:\Windows\System\tuzGVSo.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pMXiTJb.exe
C:\Windows\System\LTLmwin.exe
C:\Windows\System\mGSkOQT.exe
C:\Windows\System\XrIbcXR.exe
C:\Windows\System\rWtSlOE.exe
C:\Windows\System\lZDCuyW.exe
C:\Windows\System\snTmaCh.exe
C:\Windows\System\teigcii.exe
C:\Windows\System\WBogabM.exe
C:\Windows\System\vlWdhKl.exe
C:\Windows\System\ovozBtk.exe
C:\Windows\System\MqDLcbi.exe
C:\Windows\System\oLguAxC.exe
C:\Windows\System\rYwhBZs.exe
C:\Windows\System\BeJWbrb.exe
C:\Windows\System\rHOWdsc.exe
C:\Windows\System\MOjDXqf.exe
C:\Windows\System\zAgpMVQ.exe
C:\Windows\System\peETOjX.exe
C:\Windows\System\IMUHWXc.exe
C:\Windows\System\tuzGVSo.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
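Added example, not part of the sandbox report: Python detection logic run over sample input re-typed from this report's Network table, process list and Files section (the svchost.exe path is a constructed benign control; the `min_hits` threshold is an assumption). It picks out the three observations a responder would turn into hunting logic: the repeated TCP connections to a hard-coded IP with no DNS name (3.120.209.58:8080, five hits in the table, the shape a beaconing implant produces), the seven-letter random-name executables dropped under C:\Windows\System (a legacy directory that is normally almost empty on modern Windows, unlike System32), and the size of each memory region computed from the dump names, which shows that the image regions listed in the Files section all span 0x354000 bytes even though the dropped files carry different hashes.

```python
import re
from collections import Counter

# Constructed sample input: rows re-typed from the report's Network table.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

# Constructed sample input: paths from the report's process list, plus one
# benign control (svchost.exe in System32) that must NOT be flagged.
PROCESS_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_08d474d351c6ca54deb133e54d279402_cobalt-strike_cobaltstrike.exe",
    r"C:\Windows\System\pMXiTJb.exe",
    r"C:\Windows\System\LTLmwin.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
]

# Constructed sample input: dump names from the report's Files section.
MEMORY_DUMPS = [
    "memory/1912-0-0x00007FF6A9C80000-0x00007FF6A9FD4000-memory.dmp",
    "memory/1336-6-0x00007FF698ED0000-0x00007FF699224000-memory.dmp",
    "memory/2328-12-0x00007FF7CBEB0000-0x00007FF7CC204000-memory.dmp",
    "memory/1912-1-0x000001A752EF0000-0x000001A752F00000-memory.dmp",
]

# | CC | ip:port | domain (may be empty) | proto |
ROW_RE = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$"
)
# Seven alphabetic characters directly under C:\Windows\System (not System32).
DROPPED_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_network_rows(text):
    """Parse table rows into dicts; domain is None when the column is empty."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "domain": domain or None, "proto": proto})
    return rows


def beacon_candidates(rows, min_hits=3):
    """TCP destinations hit repeatedly with no resolved name (hard-coded IP).
    Returns sorted (ip, port, count) tuples; min_hits is an assumed threshold."""
    counts = Counter((r["ip"], r["port"]) for r in rows
                     if r["proto"] == "tcp" and r["domain"] is None)
    return sorted((ip, port, n) for (ip, port), n in counts.items() if n >= min_hits)


def suspicious_dropped_paths(paths):
    """Executables with random-looking 7-letter names dropped into C:\\Windows\\System."""
    return [p for p in paths if DROPPED_RE.match(p)]


def region_sizes(names):
    """Map each dump name to (pid, region size in bytes) from its address range."""
    out = {}
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            pid, start, end = m.groups()
            out[name] = (int(pid), int(end, 16) - int(start, 16))
    return out


def most_common_image_size(sizes):
    """(size, count) of the region size shared by the most dumps."""
    return Counter(size for _, size in sizes.values()).most_common(1)[0]


if __name__ == "__main__":
    for ip, port, n in beacon_candidates(parse_network_rows(NETWORK_ROWS)):
        print(f"beacon candidate {ip}:{port} ({n} connections, no DNS name)")
    for p in suspicious_dropped_paths(PROCESS_PATHS):
        print(f"suspicious dropped binary: {p}")
    size, n = most_common_image_size(region_sizes(MEMORY_DUMPS))
    print(f"most common mapped image size: 0x{size:X} ({n} dumps)")
```

The domain-is-empty test matters: the same sandbox also recorded TCP to Bing over 443, but those connections have a resolved name and belong to the Edge process the sample spawned, so a hunt keyed only on "repeated TCP" would drown in browser noise. The 0x354000 image size is a second pivot: a memory scan for images of exactly that size in processes started from C:\Windows\System will catch the dropped binaries regardless of their on-disk hash.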
Files
memory/1912-0-0x00007FF6A9C80000-0x00007FF6A9FD4000-memory.dmp
memory/1912-1-0x000001A752EF0000-0x000001A752F00000-memory.dmp
C:\Windows\System\pMXiTJb.exe
| MD5 | 7a551bdd7f3f09852181cbd6418b4986 |
| SHA1 | c51fcc11ac555663866ab39c975207f821a7cf7a |
| SHA256 | 9c35e26ab7916c4d1547d2fe06e1ae5cae096c0670a5c7b0b8a1e9d59d31e76f |
| SHA512 | bf83a53384da79a8ecd29417fc93b43ff979a1ea657d61425c5db8a38fe4f3e71b0349e689910caf0e3e8dfa3d4e57660a591144be8fb4fdd06bf85174d45855 |
memory/1336-6-0x00007FF698ED0000-0x00007FF699224000-memory.dmp
C:\Windows\System\mGSkOQT.exe
| MD5 | b2eb03bfe9f0c0b80c8d4ff242c307a7 |
| SHA1 | 971d97a99b349ecc1f2bb70e98a75a084607b0de |
| SHA256 | 4b3d2b04abd769d26f6b121cd90e5557bf868e361d2f812197f1d4b87a852498 |
| SHA512 | 38be2fa506021d3d1a6b5d6f432397780e77fbf6db3d33d43530afeaddf0c4122b2c2c7cfff9a295e1dcb676caf453a1d6f9d078867ed3b67c4de6f9b46cf7f4 |
C:\Windows\System\rWtSlOE.exe
| MD5 | 1685969007a181069c93311b637d4163 |
| SHA1 | 34e26471c567554385fcd23f0aca80f4677a1f93 |
| SHA256 | 3ab871ba477570cf96f2aeca881b1dea3e43d3b8cbee3e2644f3bf71e0bc1783 |
| SHA512 | 502c86ff5974470df014b1f5e2ec1fb7e18269a49b3413ffe6ada83410158d4e490db1bc9da234c4824424596bc97d935691dc9a2b889286008ac8ac36cac543 |
C:\Windows\System\XrIbcXR.exe
| MD5 | cff3065bd2b1c735d373fcc0ee0e0599 |
| SHA1 | 7f7145b1484722094ccc44c59880a546409ea0c0 |
| SHA256 | 6a95c7127bd0df8fa6716d25df560da59e4ee68a9f97c92543b0eaa75a04c786 |
| SHA512 | ccf8b2bdb3b2eaf57b4983317f33b971ff3f918c4fd0a6ba9c4af7328a1d43dccdbb0804a1db59f99f53dd181e3581a5127710c00ba9f91612e26b0c0c885637 |
memory/3056-30-0x00007FF7B7D60000-0x00007FF7B80B4000-memory.dmp
memory/4480-35-0x00007FF69A450000-0x00007FF69A7A4000-memory.dmp
C:\Windows\System\lZDCuyW.exe
| MD5 | 9f7e1fac919e8751798729724ae03cea |
| SHA1 | 7a0daeebb6157adbf5e0dc1ea5cfc3eb4210376f |
| SHA256 | e40fbea0622d2694027dd1ba24909dc002e31111469a34da3aa9dc859727fcdc |
| SHA512 | d4f4a479bac4e52f71c4f4f731a7826e436b52c59abdc9d1820a73679c92dd294f461cfe1844028b11d649645e0f539b1646bc85c8bfc3f9f1b57bd8dc7e211d |
C:\Windows\System\snTmaCh.exe
| MD5 | bca5499465875ea86cc573bf7fb69734 |
| SHA1 | ca8f61309297c26159e9ec13ab7f42c66f62caa5 |
| SHA256 | 6201b697cca17121e193d6d60b3bb53efca5c26ebfe5aee4176be35cbdfd1307 |
| SHA512 | 00b04cef8d02d91fc0f7d2ba03ffe578faa7fb1ad360ea817daac3ae832dfa89f536b53021d3928cbd5e36982c664c1a7a89151dd79018e4518e8d29ee95238b |
C:\Windows\System\teigcii.exe
| MD5 | 3873bdf5eb33d80a8ecff453cccef714 |
| SHA1 | 20b9d1b9ce6af9197437fd35ad7744e6f2820643 |
| SHA256 | a0f28152258bdc2a1454df92929ceb6c6e91059a1f6590d83bd4a7199fe32081 |
| SHA512 | 1eeb575b73fb59b6812c628dcf55e4f2dfdcba7506c14b726c9fac3b6bb67f37d5285428a22ac15859dae10a1726839e6fb7b147ed8cab84ad478e86c3cdbd65 |
C:\Windows\System\vlWdhKl.exe
| MD5 | 4cbd371f851246909ea452c2bb5399de |
| SHA1 | 6e3a2146c32aca04876fa19b1b38f8014b6b1ec7 |
| SHA256 | 6776365d4fddb73275ce7b9f56d64a2bb114d555b0d34491bc6eb3dcd326dac1 |
| SHA512 | 87007758214ebde2cc73d855b8df9bc70884ad30c7080eb5a078071ee22bb5d0d28aeb53f33cf58ec6abd8ef6273fab79682d9b1306a783c2f3e7dfdf7f8aab0 |
C:\Windows\System\MqDLcbi.exe
| MD5 | 228e72cd05b75e3abecee4359e944dff |
| SHA1 | 0082dc53a429d6177d678bdc209b18e15af5c962 |
| SHA256 | 23e7d0186a9c4dedae3869da592cd692bd111e313f03474d8c05b09442f52fca |
| SHA512 | 0bdfb1c91e49c25fd726a388f44e1e834f0ebd9eb4c7a112f392982143b1c69c088aa36e111193eb3053a8a2fd2c910941409ba00cc688fdf573f1ae97f8d938 |
C:\Windows\System\rYwhBZs.exe
| MD5 | c651755675841565da6877d34d15094d |
| SHA1 | 7e97ddee3f49de26aa7216efa80aeed31b1935f6 |
| SHA256 | 79c24644b546edf4d10cd1458a2dffed8a6c5ba12c39ed47a08e26edd350baee |
| SHA512 | 2959d68e42f818de68a1bb65f7823801b0586174e553ca1cfde634326e5fe3026053e665ec89fc1a935feb1b5ffb1b7553b655b3a5891b9f1610d601dd5134ee |
C:\Windows\System\BeJWbrb.exe
| MD5 | e354ed55bb41855d44dc433f9814b54a |
| SHA1 | 63d21d0136ceea721a7dac48b4df5b9180fc5ab1 |
| SHA256 | 1eb68693c2b27405f4f57d6e3abfd3f631149a710d646b5a9041942d6eb9102a |
| SHA512 | 8f066a332dffc6b34979f1131cd4e8b10817424c2a83df5c01c4a6538302ef39fd7b5d328d5f491443f54321c6db340dfd4c14097aa7846900333665c8ba6049 |
C:\Windows\System\rHOWdsc.exe
| MD5 | 9d85a7c3305f8a1fb891d05cbdd9ce15 |
| SHA1 | 692b19eb2c91b00b004c657bd958f5f1c7a0cf7c |
| SHA256 | 84ad6a1c35e2f5eeef2e7aff55a4556c4e86b1d15c0c81c1f15e705b52d7995a |
| SHA512 | a3cb26ab8c84525fe7472f846534ac189ff483720286c3900dcd0d46cf08135a4e1b3e612f2a85234b170fbae69add6e1cc6777d425bdc859ebbcdecd0be52bb |
C:\Windows\System\MOjDXqf.exe
| MD5 | ee394babf011886b36bce35cf2c2a033 |
| SHA1 | 4a9ef45d03cdea14b1a63e8c544f83d2fd610dc9 |
| SHA256 | 64dce23ab4bfa3adaffc16a00be9343769cbba4d0f4162ee914f889305efc404 |
| SHA512 | f8afb50312aa4cdc995eeca52d642ac210b79b308e234dcfb2d749446c2e920f3f85cf5471e03ef1506f9fadb959c54be5426490d20b6f563950cd1ace7af37c |
C:\Windows\System\tuzGVSo.exe
| MD5 | f878506fe8ddfcb479159d881c25db9d |
| SHA1 | b7f5d280d8243517ede7349e706ced8f3020a2f3 |
| SHA256 | 9e0dbda108ec2ae8fb1b4c8aa878f513ab9e1dc97f69b3bab4cddd6b88a2331f |
| SHA512 | 68a6cdf43075d7a8160781c1ec8ef96858d6c36f338abc09d6968262435e660e13322a13af571441c6f1afb72592e89f29323b030fb7c866b9231a8d3b560f33 |
C:\Windows\System\IMUHWXc.exe
| MD5 | ecf9303fdbc5f9277453b75cd0f24ce6 |
| SHA1 | eaef13c4466d10a22c2cc81c874746763df0678a |
| SHA256 | 3d0f5fec28cba59f38577b64db915295d8a0c72902a9e54fec1307a512be6167 |
| SHA512 | a5e047c0e9ad133dcdc06cb0e86c67b7e0eae317d30a0e7ccf2a1dc6bf9e84402946cc6430111b3191897940d9a1c61fbbac092170bd42679ab8b7c8ed9c27a1 |
C:\Windows\System\peETOjX.exe
| MD5 | 55e53624636620b27803662517f149fd |
| SHA1 | c46fdaf40b8e091b9954b112b9a1cc34c32da4ad |
| SHA256 | 56190943271e8dbaa974ac5f84ee836fba6c96cff3a0a0d8ef738d5ce8c9e4d0 |
| SHA512 | 19cf472256343c1002b54f859482b200d0f137286fd6558e0c8cca04d0a7231a44d527aecb2faf345f29a17498bd3a2f11adb2a12e17a9d7dad3403c89ed03a3 |
C:\Windows\System\zAgpMVQ.exe
| MD5 | 0cf864b1a42364661e295d694ba628d9 |
| SHA1 | a4ad62b209bcf2492d1f34152ee309135ce55a22 |
| SHA256 | 0cad76d93b4b35b3fe809724e4a99742f8d757e5e0dd5ef070e65d707356b8a4 |
| SHA512 | 3f1bb42b6540e1a8f021031f635b9e8b3c190565ac88e8cf33af7c06ca822327765c001b5a2102cf576cbd8cbf49cf476441f9aeb45d18a7d71a29b9f09d2620 |
C:\Windows\System\oLguAxC.exe
| MD5 | 61c29ef88fb302306660dfe003b2412d |
| SHA1 | 5a9ae64b84dea0eff24c01d6c74e92292c673057 |
| SHA256 | d10526464243f4d49439a7df833fddf8756bef131c3fd82d0513ceaf16998ba1 |
| SHA512 | f0599e6b6ab00f6b867c991888bd4e37e4b602a4667ae2cf76080bc133475ec3a7832af9afc4ce00dffbf3f4c51fbeb2dafa116c6417c30de30123457255d077 |
C:\Windows\System\ovozBtk.exe
| MD5 | 7778ea3db0d94fde8405287b1242c7a1 |
| SHA1 | fcc9c70f01e58a39278eb9cb6e846616ee3d416b |
| SHA256 | fdc5c1bdf6153a2f7fe7a04df478dfa78db8a684b1758e5badd74822ba321054 |
| SHA512 | eedca48d05b0f2dba26a602f09f39c23ceb91d5b9caa3364444780fed269dff2a7c9768183d2b6f43dae7c17e2c70d29198257ea5c1f8a542cd7228f6f4ff102 |
C:\Windows\System\WBogabM.exe
| MD5 | 7ab885979e0ac610b517c4912ef429c8 |
| SHA1 | 7fcf5b7c0b5830fde4ae92fb666bc83b97d87455 |
| SHA256 | 40c45dff463df871442a513216c2cbaa9cea8aceb1d500b2c3ceaa96bd61735b |
| SHA512 | d643ae1f86c905ac26258847fc97c858ed23952dbad025e7b373b71b06bc246baa6917048e389790651e8ce99b90ffeb0bc6bb84adddd89d3913898fb78c7200 |
memory/2308-36-0x00007FF6B95E0000-0x00007FF6B9934000-memory.dmp
memory/1136-33-0x00007FF679600000-0x00007FF679954000-memory.dmp
C:\Windows\System\LTLmwin.exe
| MD5 | 2eee7ffe787e2deb3cf6e0daf87a39c7 |
| SHA1 | e6dc12cc2c770099a6fbc459001449a38993c335 |
| SHA256 | 6a164f0c721b1b63b640e9b70eb43b8f528f056b39c2be5395b2e521af7a1feb |
| SHA512 | 8bde0d821f8986994d9a8cb03400ca99265214878256116ea807da304e6157f0ebeffc267ad379c86d79d2d8e5958fe950537bbeaa9ebb2b8c2277b3f51476ee |
memory/2328-12-0x00007FF7CBEB0000-0x00007FF7CC204000-memory.dmp
memory/2548-114-0x00007FF72C780000-0x00007FF72CAD4000-memory.dmp
memory/4896-113-0x00007FF73E2D0000-0x00007FF73E624000-memory.dmp
memory/3400-115-0x00007FF713170000-0x00007FF7134C4000-memory.dmp
memory/1332-116-0x00007FF694C10000-0x00007FF694F64000-memory.dmp
memory/2000-117-0x00007FF65FCF0000-0x00007FF660044000-memory.dmp
memory/2844-118-0x00007FF61CB00000-0x00007FF61CE54000-memory.dmp
memory/4648-119-0x00007FF6F7550000-0x00007FF6F78A4000-memory.dmp
memory/4936-121-0x00007FF602240000-0x00007FF602594000-memory.dmp
memory/4224-122-0x00007FF7C8270000-0x00007FF7C85C4000-memory.dmp
memory/1088-120-0x00007FF7E7C60000-0x00007FF7E7FB4000-memory.dmp
memory/4612-123-0x00007FF602730000-0x00007FF602A84000-memory.dmp
memory/4252-124-0x00007FF7655F0000-0x00007FF765944000-memory.dmp
memory/3092-125-0x00007FF678A50000-0x00007FF678DA4000-memory.dmp
memory/960-126-0x00007FF7A8F40000-0x00007FF7A9294000-memory.dmp
memory/4436-127-0x00007FF68D160000-0x00007FF68D4B4000-memory.dmp
memory/1912-128-0x00007FF6A9C80000-0x00007FF6A9FD4000-memory.dmp
memory/1336-129-0x00007FF698ED0000-0x00007FF699224000-memory.dmp
memory/2328-130-0x00007FF7CBEB0000-0x00007FF7CC204000-memory.dmp
memory/1336-131-0x00007FF698ED0000-0x00007FF699224000-memory.dmp
memory/2328-132-0x00007FF7CBEB0000-0x00007FF7CC204000-memory.dmp
memory/3056-133-0x00007FF7B7D60000-0x00007FF7B80B4000-memory.dmp
memory/4480-134-0x00007FF69A450000-0x00007FF69A7A4000-memory.dmp
memory/4896-136-0x00007FF73E2D0000-0x00007FF73E624000-memory.dmp
memory/2308-135-0x00007FF6B95E0000-0x00007FF6B9934000-memory.dmp
memory/2548-138-0x00007FF72C780000-0x00007FF72CAD4000-memory.dmp
memory/1332-140-0x00007FF694C10000-0x00007FF694F64000-memory.dmp
memory/3400-139-0x00007FF713170000-0x00007FF7134C4000-memory.dmp
memory/1136-137-0x00007FF679600000-0x00007FF679954000-memory.dmp
memory/960-145-0x00007FF7A8F40000-0x00007FF7A9294000-memory.dmp
memory/4224-143-0x00007FF7C8270000-0x00007FF7C85C4000-memory.dmp
memory/3092-151-0x00007FF678A50000-0x00007FF678DA4000-memory.dmp
memory/4252-150-0x00007FF7655F0000-0x00007FF765944000-memory.dmp
memory/2844-149-0x00007FF61CB00000-0x00007FF61CE54000-memory.dmp
memory/2000-148-0x00007FF65FCF0000-0x00007FF660044000-memory.dmp
memory/4648-147-0x00007FF6F7550000-0x00007FF6F78A4000-memory.dmp
memory/4936-146-0x00007FF602240000-0x00007FF602594000-memory.dmp
memory/4612-142-0x00007FF602730000-0x00007FF602A84000-memory.dmp
memory/4436-141-0x00007FF68D160000-0x00007FF68D4B4000-memory.dmp
memory/1088-144-0x00007FF7E7C60000-0x00007FF7E7FB4000-memory.dmp