Analysis Overview
SHA256
bc87a8e01ba009f72d588748287d1d8c37a8c8da9c3577aa0aabe7b7cefe9d0b
Threat Level: Known bad
The file 2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 13:48
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 13:48
Reported
2024-06-06 13:51
Platform
win7-20240221-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jHCWHby.exe | N/A |
| N/A | N/A | C:\Windows\System\lnCieWp.exe | N/A |
| N/A | N/A | C:\Windows\System\OEniadf.exe | N/A |
| N/A | N/A | C:\Windows\System\fdhhizG.exe | N/A |
| N/A | N/A | C:\Windows\System\eLcFmDU.exe | N/A |
| N/A | N/A | C:\Windows\System\DEURpAW.exe | N/A |
| N/A | N/A | C:\Windows\System\DHbGbfs.exe | N/A |
| N/A | N/A | C:\Windows\System\VLdupUe.exe | N/A |
| N/A | N/A | C:\Windows\System\YPFNrvU.exe | N/A |
| N/A | N/A | C:\Windows\System\PKTZqnW.exe | N/A |
| N/A | N/A | C:\Windows\System\dYkceII.exe | N/A |
| N/A | N/A | C:\Windows\System\HfXpnWj.exe | N/A |
| N/A | N/A | C:\Windows\System\oCbESDE.exe | N/A |
| N/A | N/A | C:\Windows\System\TQXDjPG.exe | N/A |
| N/A | N/A | C:\Windows\System\sRNfetF.exe | N/A |
| N/A | N/A | C:\Windows\System\ywVSzoB.exe | N/A |
| N/A | N/A | C:\Windows\System\jdAyvsO.exe | N/A |
| N/A | N/A | C:\Windows\System\EkNuHQy.exe | N/A |
| N/A | N/A | C:\Windows\System\WENBqLO.exe | N/A |
| N/A | N/A | C:\Windows\System\sMpxiBS.exe | N/A |
| N/A | N/A | C:\Windows\System\AGHcAXH.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jHCWHby.exe
C:\Windows\System\jHCWHby.exe
C:\Windows\System\lnCieWp.exe
C:\Windows\System\lnCieWp.exe
C:\Windows\System\OEniadf.exe
C:\Windows\System\OEniadf.exe
C:\Windows\System\fdhhizG.exe
C:\Windows\System\fdhhizG.exe
C:\Windows\System\eLcFmDU.exe
C:\Windows\System\eLcFmDU.exe
C:\Windows\System\DEURpAW.exe
C:\Windows\System\DEURpAW.exe
C:\Windows\System\YPFNrvU.exe
C:\Windows\System\YPFNrvU.exe
C:\Windows\System\DHbGbfs.exe
C:\Windows\System\DHbGbfs.exe
C:\Windows\System\PKTZqnW.exe
C:\Windows\System\PKTZqnW.exe
C:\Windows\System\VLdupUe.exe
C:\Windows\System\VLdupUe.exe
C:\Windows\System\dYkceII.exe
C:\Windows\System\dYkceII.exe
C:\Windows\System\HfXpnWj.exe
C:\Windows\System\HfXpnWj.exe
C:\Windows\System\oCbESDE.exe
C:\Windows\System\oCbESDE.exe
C:\Windows\System\TQXDjPG.exe
C:\Windows\System\TQXDjPG.exe
C:\Windows\System\sRNfetF.exe
C:\Windows\System\sRNfetF.exe
C:\Windows\System\ywVSzoB.exe
C:\Windows\System\ywVSzoB.exe
C:\Windows\System\jdAyvsO.exe
C:\Windows\System\jdAyvsO.exe
C:\Windows\System\EkNuHQy.exe
C:\Windows\System\EkNuHQy.exe
C:\Windows\System\WENBqLO.exe
C:\Windows\System\WENBqLO.exe
C:\Windows\System\sMpxiBS.exe
C:\Windows\System\sMpxiBS.exe
C:\Windows\System\AGHcAXH.exe
C:\Windows\System\AGHcAXH.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1664-0-0x000000013F110000-0x000000013F464000-memory.dmp
memory/1664-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\jHCWHby.exe
| MD5 | 6a4f80c71362135f4dd4f618570031c2 |
| SHA1 | bb23d607f155f996c67846d433fdece8ba7a094e |
| SHA256 | 60925c5ca225c27989043860186f838244c3969d734de2856b32058f44ca5409 |
| SHA512 | b8f1191a1c1ccbf960b2fab66bbf8eeb617374e9dcccc97d83e9fa79fca3e23e172a9b7f1383e7ccb2fccd52135d63830a0cc3535aa83396ecb77e6f802cf40f |
memory/2628-8-0x000000013F7E0000-0x000000013FB34000-memory.dmp
\Windows\system\lnCieWp.exe
| MD5 | 6f8d82a696346bd137627d7dfda378f6 |
| SHA1 | 6aafd26a96d773b2754fcbb4373aca193b5a302b |
| SHA256 | 1273946fd47639175085fdc521858a3a465ab1c665e82304cce0b8f816e7b312 |
| SHA512 | 81a763157a56a8b55d8728be7ec8d0cd8c13997539745c33ed953f1957e9a2eb7ba3e6d2fde595275f4872d5a1651a78b37b38bf2df495b4ea2a5d84099197e8 |
C:\Windows\system\OEniadf.exe
| MD5 | 5a9ebf5798aa569e95e9afed0e6d6607 |
| SHA1 | 6118aec10195220d20561be714d33e3779470033 |
| SHA256 | 44e5abc107b4fb58554a34af151e50ee99b08196046f7eec305b72d7edc6e2ed |
| SHA512 | 742a25c44a16e4b788953814529a6ab82a3c5b8c385019a7a7e3150f420bc477a3eba740c853be3fb5524ae2fe63de0067f5e0311ea53cf45580307809dae7fe |
memory/1664-14-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2608-21-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2944-20-0x000000013F610000-0x000000013F964000-memory.dmp
memory/1664-18-0x000000013F810000-0x000000013FB64000-memory.dmp
\Windows\system\fdhhizG.exe
| MD5 | 6b645785710464a0cf219c3ea9e798c9 |
| SHA1 | 65473f3588ca1bebdcb75638d8ddfa3e4e6a02f0 |
| SHA256 | e048b1bb7d095d0b2641e4402d5ac2ebe4d9cff06445bf977649a9f8857a185e |
| SHA512 | c18a660284fbc089fc9eaea4d123d075bb12c845f7674e499a52faf008c1e4a7cff317779d8949666381aa2382bea311394596a26136a74070af8366766483d9 |
memory/1664-27-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2456-28-0x000000013F780000-0x000000013FAD4000-memory.dmp
C:\Windows\system\DEURpAW.exe
| MD5 | ab9374b200b517eee231b066a88dc756 |
| SHA1 | 87f0bc68a2ad90536a8284320805e5c9fba3a4b2 |
| SHA256 | 9af8fc7652a16b95e47f1c2a40ad001278d841e2e03c79d6e0becab8e8343e1c |
| SHA512 | addd4ed2b6500191010271de1ce89157446dafcf758fdde9e9a969ae40a65dd724b425b27c388f35c1c5aa43475b8a0d55c9535a2efd47b6ed28d858acab6b58 |
\Windows\system\YPFNrvU.exe
| MD5 | 347abb5ef31218cc8e06fc3136c7afe7 |
| SHA1 | 75b5014259492abf8c69290f84553f731c1807ad |
| SHA256 | f8a9797940a81b8082121beb86d973189b14c67caee5821d5d0f7459a74f03b6 |
| SHA512 | 10d5b269265ade174a04907d5a3b020cf38179d008a3adc17da636c0b2320da46f7545bfd1ce55501a9156955c06efe51230997775cc4bc77c280e292d6a42a0 |
C:\Windows\system\VLdupUe.exe
| MD5 | 43fbac3594c923b5e3c83e6782a9bc41 |
| SHA1 | 30c6e5befe28afe32183957f00602bdbf3ced54e |
| SHA256 | 148729ba90613bb8e91a64280fcead143a343815328d515841e72cf41fc873f1 |
| SHA512 | 1a3554dddd4652c786db7b6eebf06bdafb7a71dbd8b3cd916f7d732597ee664e552e4d3a87cc8ee8c371a90521d31c67e93bf0ec1b926362fef51aabeb4df064 |
memory/1664-56-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2160-52-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2876-51-0x000000013FE90000-0x00000001401E4000-memory.dmp
C:\Windows\system\DHbGbfs.exe
| MD5 | f5c04bd542a763a772f1c6f608d87a7d |
| SHA1 | 90ef3b218db750ccd5adf222bffcb1fa0e730ad5 |
| SHA256 | d196894cc10b101d6c303e1190290bc331a2b425dbdf649d90255e336f20794d |
| SHA512 | 576f1e197b813ca513a7815c19960ff180793a8f0b2f5959631b15397005163aa011d2fcf792655c1777ffbf9b723926849da95b83eb21568d0981bc7e21a861 |
\Windows\system\PKTZqnW.exe
| MD5 | a742473030f45a768ca3eeadb4227799 |
| SHA1 | 8badac25e77396e066c6e0ccdb479b88120c1b29 |
| SHA256 | babd34956eb17afc1103eebe2127723be716a6c7fe7f8ac4035b3829bccc6ab8 |
| SHA512 | 9c962a08aaf4e4df7ada077be89466adb66e7f00b28dfb3f9276659751ac481a6b0dd9f3fd7c8e74f9d82a1cf898b7bf3ceadf127718f9e9ba2195f73e39325b |
memory/1664-81-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/628-82-0x000000013F2C0000-0x000000013F614000-memory.dmp
C:\Windows\system\TQXDjPG.exe
| MD5 | a198608fc21bb5d7b307d51332c133df |
| SHA1 | 42377d158ee62c6d39ec586c4380627bf01c491a |
| SHA256 | ce9f12d2ffdfe3700bf0be2f97ad8c103d58fe753a0599536bb6917468d00f0c |
| SHA512 | 0f79d1fac65f5b66f3eee31eff22811f4bb6e6fbc775dad6d11ded172b78c8955f6daf0147eac46c9e7745b50d62ea8009f05b0e34698b5f5be959d69433cb10 |
memory/1864-99-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/1060-92-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1664-104-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\EkNuHQy.exe
| MD5 | 828d3845d42b2a6d9da36dfaeb0d8c7f |
| SHA1 | a9f91ac4d9b2b55cf98b8e660a462aa00c23909b |
| SHA256 | f8471cde3c1f87b0de5faf84caa6e7edc1485c3650719b7879a2b1d5e4fa163a |
| SHA512 | ea0b2e2e911c8b01d437d428a345802bddb7efa3be0fe932614d33872979ba990bba242921d58121a1e1582dd39ee1785dc99e8f321afaaf0d664f29c67abf59 |
C:\Windows\system\WENBqLO.exe
| MD5 | afce5f06b80aaafee46c040e14566dac |
| SHA1 | 322c4a126c80e731c951d9ed7024ea0532129408 |
| SHA256 | 291f5f6da39893617172cb275fc6b12008817008994f91e04dd487b2f9fc77cf |
| SHA512 | b8bae5078f169c105fb45746ea5eb4c0b73872b7bffe1da49daa0149157a74b1a8994a859bd88824db614a1f80750d1ed70a5c205bfbed2bd3f89cd326c000d6 |
C:\Windows\system\sMpxiBS.exe
| MD5 | 1822d1a70c95821fe1139c9f8fff9bee |
| SHA1 | 1cce329eb28849ba88c8f854641f0fa9f32b5c3a |
| SHA256 | eaacbd207915f883037f3919f2d9fe3f7f2a2aba58940589e71a001723894a43 |
| SHA512 | f11e9c7c77297826b627a80a2c6e17cc545ea0cdfe957736a1068c90f24a6c42aa1c3276fe07a7aa38b670425816da9f8b21970bb9c9fff1d9b4210dfd404d7c |
\Windows\system\AGHcAXH.exe
| MD5 | 9e74574d0f149c677900770730544615 |
| SHA1 | 7a8bac8eee69a9b3cb20a2eecfcf8e5efcb5e090 |
| SHA256 | cdf5f6ba6cd71997097f1b058a9b5706b8bfabd7f18c21432c63684152cfdeec |
| SHA512 | 0b702ff53216fcb8558fa334f299782790c99f20f80e73b43ac5d02be5312b8d91e9f69f60a0395449e025e4c6a8ee2dc958eaa5477f4c8942dc4852423e568f |
C:\Windows\system\jdAyvsO.exe
| MD5 | c273692d7ac1501faf9ed9589db7c2e0 |
| SHA1 | 68a72a0bffb39403d20a52c89db1fe76b7f5f5df |
| SHA256 | 2334641b276bc77e58ca57394cc718365610351a1f87b3e6a449ff744a47fedd |
| SHA512 | d3c7153be820bd4a57782f9c2e37318d723333779c0843bfe66ce5ce7f857bf51c35f3a66f3c0cdcf3189135617a0654ddf65e31deb1282eb8d332a9823c860f |
memory/2608-136-0x000000013F810000-0x000000013FB64000-memory.dmp
C:\Windows\system\ywVSzoB.exe
| MD5 | d1a0c6d6def4fbcec98cf56d9c88b9f1 |
| SHA1 | 3c4914a6c53c1cd406382bba5ccf7e383d1b99dc |
| SHA256 | b0a7087f478364722ba57840b30dba7c4e10fabc22cab1c8fb9128c5d6c7636c |
| SHA512 | 80199b425342e02cd9faafa522bbb27216a298f36809cd06deaf0a660bd3ecda523968321b3e00b4e5e690879cfa1c87431c256b32c7a9a407559adb5873c757 |
C:\Windows\system\sRNfetF.exe
| MD5 | c58b3bba4568ae04ee7c6a4f2fb4e63b |
| SHA1 | 4a6e277bb1ef153fde03e57c4eaf09a977bea896 |
| SHA256 | 2b9b288c6d44b9ca82449d7eb4d857fbb8ebf206cb690c27f6f3714f8575f4cd |
| SHA512 | 8886bddff96452610aba533bdf408e144851f4bbf128a3e3aecf0a4b90083ac75bd404307fd6e4620ed997758f7d6be475967a4380f02a0ff9d686b728a8a801 |
memory/1664-91-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/1664-90-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2628-89-0x000000013F7E0000-0x000000013FB34000-memory.dmp
C:\Windows\system\oCbESDE.exe
| MD5 | ce10493fddf085606baa6268e982c2f0 |
| SHA1 | 81a3e75a567fe73e915aa172457f2d3ae4818dd3 |
| SHA256 | f12f6587eacdbe32432f452d5b39df51b25f266cba263ff9d669c4021dfedca4 |
| SHA512 | 1c8962d97a59dac994553bd18678e01b2fa99e03e4dd8546d4b08fe38ac0fc06ff6500df3c8db0a04487047973b240bdd49a4e65fb8d2e1f0accb26a13a1b2cc |
memory/2456-137-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/1664-98-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2620-77-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1664-76-0x000000013F110000-0x000000013F464000-memory.dmp
C:\Windows\system\dYkceII.exe
| MD5 | 12ae8f513a1bd4dc9301c873f8b38872 |
| SHA1 | 16080fc6a2658cfae2e7aa66b0e7a66c33801999 |
| SHA256 | bc239a30a590e5af68ddf571c2c6ccc5ce3472468102b37e94847c41315f0bc7 |
| SHA512 | 21407848866fc6f4ece518b99ceea9e24f0cb91b85a03c4e5eae6350a27418c1717961c35d189efa1a3331a931b09e41809adecc9949de6aa0718921a7007cb2 |
memory/2404-72-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2372-71-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2364-70-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1664-69-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1664-67-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/1664-66-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1664-65-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/1664-64-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2488-63-0x000000013FE20000-0x0000000140174000-memory.dmp
C:\Windows\system\HfXpnWj.exe
| MD5 | 9efbdd2e6034f8861a79365b3d17d0be |
| SHA1 | 6925fec8e30cf959828b858d24a2b4eb2726f73b |
| SHA256 | d6819dd1f019c2cb2ad8cb56ac9a63c13f631e6fbd850f10153042ce923ea19d |
| SHA512 | 420e98fb8d3ed6ecb70d0ed9f59f66c1ca653f2b12176a31e57c8ced3700de2ddc8d3587726575e93a1f4d2801d01800d467642a01e77c27ddcedf3e936b20f8 |
C:\Windows\system\eLcFmDU.exe
| MD5 | 8668217a051186533eb48f234a811744 |
| SHA1 | 1b2b61ce8dfd73bb4795e257c3cc956799d3ca73 |
| SHA256 | 345a350d464fa543ec0988d6575351b290f856747e6dd96f54dbba4d2032f2ac |
| SHA512 | 9a6ede279f49e0de6358e2fa9afa4adba94d83024b1f39683de723afd0da0f7c730754060f54d9ad72a17372fdf5a62c5224139df1f40ce5fb84f852d36ce8ec |
memory/1664-138-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2404-140-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1664-141-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/628-142-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/1060-143-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1664-144-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/1864-145-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2628-146-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2944-147-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2608-148-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2456-149-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2160-150-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2488-151-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2876-152-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2364-153-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2372-154-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2620-155-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/628-156-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/1060-157-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1864-158-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2404-159-0x000000013F350000-0x000000013F6A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 13:48
Reported
2024-06-06 13:51
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZKmYLHc.exe | N/A |
| N/A | N/A | C:\Windows\System\rnVaXcW.exe | N/A |
| N/A | N/A | C:\Windows\System\VlBljyN.exe | N/A |
| N/A | N/A | C:\Windows\System\xVwuXUp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZalUaOc.exe | N/A |
| N/A | N/A | C:\Windows\System\oLgBzDl.exe | N/A |
| N/A | N/A | C:\Windows\System\DYOQXiA.exe | N/A |
| N/A | N/A | C:\Windows\System\zdLSbJY.exe | N/A |
| N/A | N/A | C:\Windows\System\JNkYqdY.exe | N/A |
| N/A | N/A | C:\Windows\System\dbdMNIv.exe | N/A |
| N/A | N/A | C:\Windows\System\GhsWRnX.exe | N/A |
| N/A | N/A | C:\Windows\System\PEkaofb.exe | N/A |
| N/A | N/A | C:\Windows\System\VdWVCmm.exe | N/A |
| N/A | N/A | C:\Windows\System\usHPJhH.exe | N/A |
| N/A | N/A | C:\Windows\System\EgPmlJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\PVLFVuB.exe | N/A |
| N/A | N/A | C:\Windows\System\lbSpZhR.exe | N/A |
| N/A | N/A | C:\Windows\System\FvZnjBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GXVOKzH.exe | N/A |
| N/A | N/A | C:\Windows\System\zzsMAME.exe | N/A |
| N/A | N/A | C:\Windows\System\RZjTlqA.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6f3c326d3d95c5e12460bc46dee67e3d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZKmYLHc.exe
C:\Windows\System\ZKmYLHc.exe
C:\Windows\System\rnVaXcW.exe
C:\Windows\System\rnVaXcW.exe
C:\Windows\System\VlBljyN.exe
C:\Windows\System\VlBljyN.exe
C:\Windows\System\xVwuXUp.exe
C:\Windows\System\xVwuXUp.exe
C:\Windows\System\ZalUaOc.exe
C:\Windows\System\ZalUaOc.exe
C:\Windows\System\oLgBzDl.exe
C:\Windows\System\oLgBzDl.exe
C:\Windows\System\DYOQXiA.exe
C:\Windows\System\DYOQXiA.exe
C:\Windows\System\zdLSbJY.exe
C:\Windows\System\zdLSbJY.exe
C:\Windows\System\JNkYqdY.exe
C:\Windows\System\JNkYqdY.exe
C:\Windows\System\dbdMNIv.exe
C:\Windows\System\dbdMNIv.exe
C:\Windows\System\GhsWRnX.exe
C:\Windows\System\GhsWRnX.exe
C:\Windows\System\PEkaofb.exe
C:\Windows\System\PEkaofb.exe
C:\Windows\System\VdWVCmm.exe
C:\Windows\System\VdWVCmm.exe
C:\Windows\System\usHPJhH.exe
C:\Windows\System\usHPJhH.exe
C:\Windows\System\EgPmlJJ.exe
C:\Windows\System\EgPmlJJ.exe
C:\Windows\System\PVLFVuB.exe
C:\Windows\System\PVLFVuB.exe
C:\Windows\System\lbSpZhR.exe
C:\Windows\System\lbSpZhR.exe
C:\Windows\System\FvZnjBZ.exe
C:\Windows\System\FvZnjBZ.exe
C:\Windows\System\GXVOKzH.exe
C:\Windows\System\GXVOKzH.exe
C:\Windows\System\zzsMAME.exe
C:\Windows\System\zzsMAME.exe
C:\Windows\System\RZjTlqA.exe
C:\Windows\System\RZjTlqA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3392-0-0x00007FF6821A0000-0x00007FF6824F4000-memory.dmp
memory/3392-1-0x00000242AA5A0000-0x00000242AA5B0000-memory.dmp
C:\Windows\System\ZKmYLHc.exe
| MD5 | 0807945374ac8f8de64fbffc5dc6238a |
| SHA1 | 58a6f3a144105f7bf2081ca23b60b57265fbb835 |
| SHA256 | 0dfb4e2b7eed5bae14e219a6b630cd89ad0b4d564ddec10fc8b6cedeaac04ef6 |
| SHA512 | ab2086fad471d15ce8518fd296e834b99d6cdb21e3eca7bbe518aff43891969effcf012028dbda8f1aa5f94b05df27658c16fe84e37c61aae26db98346b5144c |
C:\Windows\System\rnVaXcW.exe
| MD5 | a4fdc1ab565e1cd4d7202493bd722437 |
| SHA1 | a4cd923361ccc3a1e9a465857326d2d37b4337eb |
| SHA256 | ef2595b3c234dc3e89525e55c1fe0ffe02e6c84e3f440a57c5dece17f537a388 |
| SHA512 | 06c94116b8ae178dfddcda66e0811bf6ef4c3667446649cd72b5a17c6f3064f4efbd17c2696158b5dfbf42dd5a22c3a963add9573e477f1855bf8f2c1276584a |
C:\Windows\System\VlBljyN.exe
| MD5 | da74c2af7937f8430a00959cba7fa0dd |
| SHA1 | 25882fa6b330a5ce992077e31752aa58aa54eac6 |
| SHA256 | 666c21dc6ec8e6773a5c62295164259b1f1bcba8507fd2b7c7076b85f959f3dc |
| SHA512 | ba4ddc80e5e091e8815db996a5d3473d149eb56a85446f72649b52e74ac00e94e962efb7ec4a5b734b9e8325bcc8d4023eb974399b6c8676404ba22a31d4cfd2 |
memory/4636-15-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp
memory/728-6-0x00007FF646690000-0x00007FF6469E4000-memory.dmp
memory/4340-20-0x00007FF690AC0000-0x00007FF690E14000-memory.dmp
C:\Windows\System\xVwuXUp.exe
| MD5 | cc3b52a74365e1450e7b60e38e97fe4b |
| SHA1 | b1be9f602b736f920cc4f0610fba9dba25c5871f |
| SHA256 | 8246721644f9c803a68338dd73a6d0d01ab5b794f6cae3349749cc5912265b0e |
| SHA512 | 8fe3b5db8000eaf730629dddc0de32f65e43002563b9fafb83649ed46cb748693f1420954d181da251a28725319f89a3e03962247ca1464f8d68caf272014e48 |
memory/1208-27-0x00007FF7C7CB0000-0x00007FF7C8004000-memory.dmp
C:\Windows\System\ZalUaOc.exe
| MD5 | 51507ae40ef3b39fc68a2df12c75f10e |
| SHA1 | 93720b4890e180be1e9e61c15bd8328f0105f90d |
| SHA256 | ef740cf9ddd75459b5e9de8d8e5bf93471cd9687b3e5e79dc59eed98e99dd0e1 |
| SHA512 | 0ce6883a1a85dbc1c44d9b6bbfbedaeb0f98654cff74d789fd980823620ecf52a1926138db7f24b247cf19e2772831bf867972c48753b3bf9781a4ca4cb5a3a7 |
C:\Windows\System\oLgBzDl.exe
| MD5 | 541c7c79cd70e73e584de9bedbcdd664 |
| SHA1 | 6a259573e5d382520b5a46c827cfc0dda2e8c8ce |
| SHA256 | 6c183f06f8887cfeae5eb4d505d08e2ce50bb65f7c1592ef3c2dfd9d2a448475 |
| SHA512 | 4df6ffc14d91a4579497044f1933ad63a1f470ec3cd4b346e3326d88eb105fbcca70c1fe1baa528c6d55fc55bb4a4d27c2c51a21e28816914d38f7524da00a36 |
memory/3104-36-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp
memory/2920-32-0x00007FF659680000-0x00007FF6599D4000-memory.dmp
C:\Windows\System\DYOQXiA.exe
| MD5 | 7acfbe38ff0c34ed39e9a5e66b43ab42 |
| SHA1 | 63c99a1fb1782d83a13165c8d889626d87e90d3f |
| SHA256 | 3f0ab3a2222ed72a567ca0cba388297bfacf276e28a61ade9aa1e8962a4c3fc2 |
| SHA512 | 7c4da0ed71ebb0f34ea0921cee6a38770a3491de6bec8bab5569f9cdf0bdbff5a671e04ebe60f0134648fe326cbd0d74a128870062e6dd45ba1adebb38d225fe |
memory/3800-47-0x00007FF67DA60000-0x00007FF67DDB4000-memory.dmp
C:\Windows\System\zdLSbJY.exe
| MD5 | cce167957b8e1fa53a5fd303426898e0 |
| SHA1 | 31c0547b879b8dff842a97ae991e592e9388b8ff |
| SHA256 | 92a7c9a0e4f68d90c2d2be26837482bd6799fd6db71887cf9f75156106668943 |
| SHA512 | 572ad5a20852efdaa61abf05de62394e92e478836f8a92ad37becbf50c4dda70ac42ed3742d5e73837f87874ff1714f8743745330f637c51574968614e90da01 |
C:\Windows\System\JNkYqdY.exe
| MD5 | a6360fe92deb7bae5f5b04ec07f5bc30 |
| SHA1 | 32f03ce5e786f8269cd9031dbd192fc7bdbe48d0 |
| SHA256 | 34db40a2cd4ab9d1f39eccaab60557deb00067d254f09fde77fb6f630ebd8c12 |
| SHA512 | b42a9abf6b66563780c73d5cdf2425e821b756b5053655afe10129300a0b29529fb6c9f4e0e5123ec468525c46068cb5c5adddbc5cbfbd828b07f464c0323d6c |
memory/3648-50-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp
memory/4280-52-0x00007FF6D5C00000-0x00007FF6D5F54000-memory.dmp
C:\Windows\System\dbdMNIv.exe
| MD5 | 5c76c8ac16af4727b6cfb97c5074b48c |
| SHA1 | 7ef37aeebaa3a68975fba31ab9ee3f891ccd7572 |
| SHA256 | 7f3c63322a21d57dabea6df32c444170f587556b5c64e0c50db6f90d953bf0e3 |
| SHA512 | 3ec81128354ebe1e9874c44dd7975342c2d1635edba86d42676f343536e8cef3753f5e3bc97122abd6795f44e90c0397d8a238a2c8d51e49c854a12753e7f3b0 |
C:\Windows\System\GhsWRnX.exe
| MD5 | 2bf25c61bc90991fe2633252c7e09552 |
| SHA1 | 6d518795b6633aee4d6174638839683e7a8da026 |
| SHA256 | 9d9f656e6fae7a95d539b62f92870365c085b468a54efd661a9a937635fe6daa |
| SHA512 | 03be5c35dc0a5fa798f8cfbbae7a4852eb87759f3846a87e468a6e5e881de6208375e7c6fa8a607bd2abfb50e4c983d950b501114d51a0b8b30b0101f14ddbdc |
C:\Windows\System\PEkaofb.exe
| MD5 | f4031a662d0ba414281cc0406e7356f1 |
| SHA1 | 14c028e8bb3552f0f6aa82cb6e7c38d7486b7eb4 |
| SHA256 | 18a67b2455fee4c963e9598d56e40fe8f73225140c54cfee40589f76e1cf6747 |
| SHA512 | dbfc7a36b3318baaaf1581430ebd10273477c8e5de755deb3e901ee12a2ab15f1a00127bcbaeae37272069c0f2761889d98b48c97d5bfe1a7d9b27249842d443 |
memory/4908-77-0x00007FF78F0E0000-0x00007FF78F434000-memory.dmp
C:\Windows\System\VdWVCmm.exe
| MD5 | 9b39234d84ae74c988aa9772fcc941d0 |
| SHA1 | 67e629a5d34af1fb4f878f20097d8204915160bb |
| SHA256 | 05efaa26f271703f293651bcc8bc3da2b27c304aaff6b16fa53d2cb3b4e87d08 |
| SHA512 | 25aa1345f5c5cbfc52ce683225d05925e3b0aa0906426178e51aee3912e1b8bef0d93b40e28f5745cd8f62d4a0fe4190bcca4260ec0593eb87a4992ec4f8e9ec |
memory/4060-82-0x00007FF771520000-0x00007FF771874000-memory.dmp
C:\Windows\System\usHPJhH.exe
| MD5 | a6b1e07f30012e8fc51bdca15f7b39ec |
| SHA1 | b1f17cd3a217d3d846ab6e3d65c107a17fa97c5f |
| SHA256 | bfad9c52198ded45a70b1324710381c590993aca07079687e21f4217e3b57a30 |
| SHA512 | 9b383ec08d851e843a82fb188d1798181cba353e1492663bbbda1e9dee2d61e6d87063c23e11fffaa8576f0cbcce27b7d27c92d31896cb5261fe6ec8cc88c0f3 |
memory/728-73-0x00007FF646690000-0x00007FF6469E4000-memory.dmp
memory/1264-65-0x00007FF71AED0000-0x00007FF71B224000-memory.dmp
memory/3392-64-0x00007FF6821A0000-0x00007FF6824F4000-memory.dmp
C:\Windows\System\PVLFVuB.exe
| MD5 | e60999b9649c6e0ca35747f24844896a |
| SHA1 | 2498fa0f8e8620fa3e3a034ba544cd133b9f4907 |
| SHA256 | eadd39ccfb3e58772b591cf9b398bbabc5c2ec6f709fdeab13655b0b6a7747b7 |
| SHA512 | ac47d253c142a104a2b0a72854a8701074b52c47fe57feefe188317a67231fe71b8ba9ed0530f8ff3e0083379d60dc49e6487419528397fbaa16a910afe044a7 |
C:\Windows\System\lbSpZhR.exe
| MD5 | 419ff44afdb1452abb587ade5fc46722 |
| SHA1 | 4754e935aff461e5b505d8c0b3e5f8aa082b9d5e |
| SHA256 | f8f431f833a0c664180abe8679696af61d09f955a0e87e35f578b2f0c17f3b2a |
| SHA512 | f507629ccc2a7b79882c21f83764493df1abf0c8a6e5c1e8af0892f567f94149cd01dea96ca2e329602bb6d8b9222043ab03d3d73f1460d794a595f2ccd7a68c |
C:\Windows\System\FvZnjBZ.exe
| MD5 | 27c05d9550f206e099cee0578289db1f |
| SHA1 | 87d55872e15a1e46501d17840a56276ee2630d58 |
| SHA256 | 4d32913e29dd9303af72961ad73cfeea8adcac3e880e18773020d3b8bfc3e0bf |
| SHA512 | 69118c8e9c83393b6b6b36967deff4c298cbaa996d315b4bc74bc9bff88675c64669a380465a1db654cf0ec1edb615432adc0e9c42acd461646ff13976af6faf |
C:\Windows\System\GXVOKzH.exe
| MD5 | 11e19b871df3f59a0583062bd1f9e47c |
| SHA1 | cdbf8dee04c46347d1d4559e62589e2c3948c4d6 |
| SHA256 | ed27084e374ad890b243f9cdadcd3d72e7d29c29ea2bebd2a31e253479ad9eec |
| SHA512 | a91f3b2dfb6f5a0d060ee3cb4360c9ddfc9fac2647d5687e355ca41bcc50297fc481221e61f36ef5f720a55d50fc16434e38acf481c14378c97e88ee68f20a49 |
memory/3904-113-0x00007FF795A40000-0x00007FF795D94000-memory.dmp
memory/2920-109-0x00007FF659680000-0x00007FF6599D4000-memory.dmp
memory/2736-108-0x00007FF7F7D80000-0x00007FF7F80D4000-memory.dmp
memory/1208-104-0x00007FF7C7CB0000-0x00007FF7C8004000-memory.dmp
memory/4684-103-0x00007FF7C12B0000-0x00007FF7C1604000-memory.dmp
C:\Windows\System\EgPmlJJ.exe
| MD5 | 6091ee407b838de07984e94a8afdd980 |
| SHA1 | 4d4b0ac6e4dddacc6309f25503eaf5f4c8b30843 |
| SHA256 | 078d068715f838b4ada3b82e5faf123ecef5aad20d7e6dec8a3782ceb9a35e06 |
| SHA512 | 632e04d79a601ffd0ea3ee831cf149423f7690c29713b2328aeb5bceb02f4a28dfea967280d88085ccbaad643ad36193dce4cf6ac656c7c43597315a2e5b89e9 |
memory/2140-98-0x00007FF7D9320000-0x00007FF7D9674000-memory.dmp
memory/4504-94-0x00007FF746730000-0x00007FF746A84000-memory.dmp
memory/544-89-0x00007FF6787C0000-0x00007FF678B14000-memory.dmp
memory/4636-88-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp
memory/3104-121-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp
memory/4912-122-0x00007FF7B55B0000-0x00007FF7B5904000-memory.dmp
C:\Windows\System\zzsMAME.exe
| MD5 | ecf7d036269a17401e4e8a8ee4fff9cf |
| SHA1 | 9da814a6f78d364d580747f38d04b145e5bf3356 |
| SHA256 | 9e2a2d6b55dd0db1e7fc9ce0eeaf473fe038f90347713f7417c68185c7edc409 |
| SHA512 | ddbc63061b07c84bfc53849141915dde11621a9a59012137e7af807cd1cfaea25c603e66db989c3a2153dbc8f7c1cafaa7bc6d4b70741a496df46224b0878ba8 |
C:\Windows\System\RZjTlqA.exe
| MD5 | e72acb81d2455e0346983b0842025fa9 |
| SHA1 | 739c691fde67a6708c19a912853d11723b3c815f |
| SHA256 | e112b747d876e075b9735c4ae99dbe11ec8277efbf387a9f93aa42d7ce3c4cb4 |
| SHA512 | fbe64d84a29790f048d093d56b8805852d071115d9d93366f03a91ac46de659903038ca443320c2d3be2f26022c543d3a70661ab24abe306fc903d268eaa6d8f |
memory/3648-133-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp
memory/2188-134-0x00007FF7F8F90000-0x00007FF7F92E4000-memory.dmp
memory/1860-132-0x00007FF77CA50000-0x00007FF77CDA4000-memory.dmp
memory/4280-135-0x00007FF6D5C00000-0x00007FF6D5F54000-memory.dmp
memory/4060-136-0x00007FF771520000-0x00007FF771874000-memory.dmp
memory/2140-137-0x00007FF7D9320000-0x00007FF7D9674000-memory.dmp
memory/4684-138-0x00007FF7C12B0000-0x00007FF7C1604000-memory.dmp
memory/2736-139-0x00007FF7F7D80000-0x00007FF7F80D4000-memory.dmp
memory/3904-140-0x00007FF795A40000-0x00007FF795D94000-memory.dmp
memory/728-141-0x00007FF646690000-0x00007FF6469E4000-memory.dmp
memory/4340-143-0x00007FF690AC0000-0x00007FF690E14000-memory.dmp
memory/4636-142-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp
memory/1208-144-0x00007FF7C7CB0000-0x00007FF7C8004000-memory.dmp
memory/2920-145-0x00007FF659680000-0x00007FF6599D4000-memory.dmp
memory/3104-146-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp
memory/3800-147-0x00007FF67DA60000-0x00007FF67DDB4000-memory.dmp
memory/3648-148-0x00007FF6996B0000-0x00007FF699A04000-memory.dmp
memory/4280-149-0x00007FF6D5C00000-0x00007FF6D5F54000-memory.dmp
memory/1264-150-0x00007FF71AED0000-0x00007FF71B224000-memory.dmp
memory/4060-152-0x00007FF771520000-0x00007FF771874000-memory.dmp
memory/544-151-0x00007FF6787C0000-0x00007FF678B14000-memory.dmp
memory/4908-153-0x00007FF78F0E0000-0x00007FF78F434000-memory.dmp
memory/4684-155-0x00007FF7C12B0000-0x00007FF7C1604000-memory.dmp
memory/4504-154-0x00007FF746730000-0x00007FF746A84000-memory.dmp
memory/2140-156-0x00007FF7D9320000-0x00007FF7D9674000-memory.dmp
memory/3904-157-0x00007FF795A40000-0x00007FF795D94000-memory.dmp
memory/4912-159-0x00007FF7B55B0000-0x00007FF7B5904000-memory.dmp
memory/2736-158-0x00007FF7F7D80000-0x00007FF7F80D4000-memory.dmp
memory/1860-160-0x00007FF77CA50000-0x00007FF77CDA4000-memory.dmp
memory/2188-161-0x00007FF7F8F90000-0x00007FF7F92E4000-memory.dmp
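Reading this report as a responder, three things stand out: the only non-resolver, non-Microsoft endpoint is 3.120.209.58:8080 (TCP, no domain, contacted repeatedly); the SeLockMemoryPrivilege requests match XMRig enabling large pages for its RandomX scratchpad; and every dumped image region for the dropped executables is exactly 0x354000 bytes even though each file carries a different hash, which points to one payload re-dropped under random names. The script below is an added triage example, not part of the sandbox report or of any tool it names. It parses a few rows copied verbatim from the Network and Files sections above, separates the recurring endpoint from background noise, and computes the dumped-region sizes. The noise list (Google resolver reverse lookups, Bing telemetry) is the author's assumption about sandbox background traffic, not something the report states.

```python
"""Triage helpers for a sandbox report (added example; the row samples below are
copied from the report's own tables, the noise heuristics are assumptions)."""
import re
from collections import Counter

# Constructed sample: a subset of rows from the report's Network table.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

# Constructed sample: a subset of the memory dump names from the Files section.
MEMORY_LINES = """\
memory/3392-0-0x00007FF6821A0000-0x00007FF6824F4000-memory.dmp
memory/3392-1-0x00000242AA5A0000-0x00000242AA5B0000-memory.dmp
memory/4636-15-0x00007FF6CF0C0000-0x00007FF6CF414000-memory.dmp
memory/728-6-0x00007FF646690000-0x00007FF6469E4000-memory.dmp
"""

# Constructed sample: two dropped-file entries from the Files section.
FILE_ROWS = """\
C:\\Windows\\System\\ZKmYLHc.exe
| MD5 | 0807945374ac8f8de64fbffc5dc6238a |
| SHA256 | 0dfb4e2b7eed5bae14e219a6b630cd89ad0b4d564ddec10fc8b6cedeaac04ef6 |
C:\\Windows\\System\\rnVaXcW.exe
| SHA256 | ef2595b3c234dc3e89525e55c1fe0ffe02e6c84e3f440a57c5dece17f537a388 |
"""

# Assumption: these suffixes are Windows/sandbox background traffic, not the sample's.
NOISE_DOMAINS = (".in-addr.arpa", "bing.com", "bing.net")

MEM_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_network(text):
    """Turn '| CC | host:port | domain | proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def candidate_iocs(rows):
    """Split unexplained traffic into (host, port, proto) hit counts and
    unexplained DNS query names. Resolver rows only matter for their query name."""
    endpoints, domains = Counter(), Counter()
    for r in rows:
        if r["domain"].endswith(NOISE_DOMAINS):
            continue
        if r["port"] == 53:
            domains[r["domain"]] += 1
        else:
            endpoints[(r["host"], r["port"], r["proto"])] += 1
    return endpoints, domains


def region_sizes(text):
    """(pid, dump index) -> size in bytes of each dumped memory region."""
    sizes = {}
    for pid, idx, start, end in MEM_RE.findall(text):
        sizes[(int(pid), int(idx))] = int(end, 16) - int(start, 16)
    return sizes


def image_size_histogram(sizes):
    """How many dumped regions share each size; a single dominant size across
    many PIDs suggests one payload re-dropped under different names."""
    return Counter(sizes.values())


def dropped_sha256(text):
    """Map each dropped file path to its SHA256 row, for a hunt list."""
    hashes, current = {}, None
    for line in text.splitlines():
        if line.startswith("C:\\"):
            current = line.strip()
        elif line.startswith("| SHA256 |") and current:
            hashes[current] = line.split("|")[2].strip()
    return hashes


if __name__ == "__main__":
    endpoints, domains = candidate_iocs(parse_network(NETWORK_ROWS))
    print("endpoints to hunt:", dict(endpoints), "unexplained lookups:", dict(domains))
    sizes = region_sizes(MEMORY_LINES)
    print("region size histogram:", {hex(k): v for k, v in image_size_histogram(sizes).items()})
    print("dropped file hashes:", dropped_sha256(FILE_ROWS))
```

Run against the full tables rather than the excerpt, the endpoint counter returns only 3.120.209.58:8080 and the histogram collapses to one 0x354000 bucket plus the single 0x10000 heap region of PID 3392; pair the SHA256 hunt list with the C2 endpoint rather than hunting on file names, since the names are clearly randomised per drop.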