Malware Analysis Report

2025-04-19 16:49

Sample ID 240522-x1na6add4z
Target 20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe
SHA256 7a0bdbd07c96cb478518ff4ab48bbe5c5d7564ad2b795120f5fbf19266a2eb90
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a0bdbd07c96cb478518ff4ab48bbe5c5d7564ad2b795120f5fbf19266a2eb90

Threat Level: Known bad

The file 20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Cobalt Strike reflective loader

xmrig

Xmrig family

XMRig Miner payload

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 19:19

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 19:19

Reported

2024-05-22 19:22

Platform

win7-20240221-en

Max time kernel

136s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cSUDiPV.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\dWNcrqt.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\PpoqiQP.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\gulQWmr.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\hrEvlaN.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\PMbmMuE.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\AksQFIo.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\PrzUfgd.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\LgMlkMs.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\ikOPwFw.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\LAovnHZ.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\pmynMrf.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\MyXCkwD.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\krHzldi.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\MjsSCuN.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\vxdkRxt.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\aKhYtMc.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\iXhnjZz.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\tZtMgCi.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\TbRTbhM.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
File created C:\Windows\System\QtShKSX.exe C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\TbRTbhM.exe
PID 2292 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\TbRTbhM.exe
PID 2292 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\TbRTbhM.exe
PID 2292 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PrzUfgd.exe
PID 2292 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PrzUfgd.exe
PID 2292 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PrzUfgd.exe
PID 2292 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\gulQWmr.exe
PID 2292 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\gulQWmr.exe
PID 2292 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\gulQWmr.exe
PID 2292 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\vxdkRxt.exe
PID 2292 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\vxdkRxt.exe
PID 2292 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\vxdkRxt.exe
PID 2292 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\LgMlkMs.exe
PID 2292 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\LgMlkMs.exe
PID 2292 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\LgMlkMs.exe
PID 2292 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\hrEvlaN.exe
PID 2292 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\hrEvlaN.exe
PID 2292 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\hrEvlaN.exe
PID 2292 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\aKhYtMc.exe
PID 2292 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\aKhYtMc.exe
PID 2292 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\aKhYtMc.exe
PID 2292 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\ikOPwFw.exe
PID 2292 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\ikOPwFw.exe
PID 2292 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\ikOPwFw.exe
PID 2292 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\cSUDiPV.exe
PID 2292 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\cSUDiPV.exe
PID 2292 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\cSUDiPV.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\LAovnHZ.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\LAovnHZ.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\LAovnHZ.exe
PID 2292 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\QtShKSX.exe
PID 2292 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\QtShKSX.exe
PID 2292 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\QtShKSX.exe
PID 2292 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\pmynMrf.exe
PID 2292 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\pmynMrf.exe
PID 2292 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\pmynMrf.exe
PID 2292 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\dWNcrqt.exe
PID 2292 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\dWNcrqt.exe
PID 2292 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\dWNcrqt.exe
PID 2292 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\MyXCkwD.exe
PID 2292 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\MyXCkwD.exe
PID 2292 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\MyXCkwD.exe
PID 2292 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\krHzldi.exe
PID 2292 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\krHzldi.exe
PID 2292 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\krHzldi.exe
PID 2292 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PpoqiQP.exe
PID 2292 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PpoqiQP.exe
PID 2292 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PpoqiQP.exe
PID 2292 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\iXhnjZz.exe
PID 2292 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\iXhnjZz.exe
PID 2292 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\iXhnjZz.exe
PID 2292 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PMbmMuE.exe
PID 2292 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PMbmMuE.exe
PID 2292 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\PMbmMuE.exe
PID 2292 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\MjsSCuN.exe
PID 2292 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\MjsSCuN.exe
PID 2292 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\MjsSCuN.exe
PID 2292 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\AksQFIo.exe
PID 2292 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\AksQFIo.exe
PID 2292 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\AksQFIo.exe
PID 2292 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\tZtMgCi.exe
PID 2292 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\tZtMgCi.exe
PID 2292 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe C:\Windows\System\tZtMgCi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe"

C:\Windows\System\TbRTbhM.exe

C:\Windows\System\TbRTbhM.exe

C:\Windows\System\PrzUfgd.exe

C:\Windows\System\PrzUfgd.exe

C:\Windows\System\gulQWmr.exe

C:\Windows\System\gulQWmr.exe

C:\Windows\System\vxdkRxt.exe

C:\Windows\System\vxdkRxt.exe

C:\Windows\System\LgMlkMs.exe

C:\Windows\System\LgMlkMs.exe

C:\Windows\System\hrEvlaN.exe

C:\Windows\System\hrEvlaN.exe

C:\Windows\System\aKhYtMc.exe

C:\Windows\System\aKhYtMc.exe

C:\Windows\System\ikOPwFw.exe

C:\Windows\System\ikOPwFw.exe

C:\Windows\System\cSUDiPV.exe

C:\Windows\System\cSUDiPV.exe

C:\Windows\System\LAovnHZ.exe

C:\Windows\System\LAovnHZ.exe

C:\Windows\System\QtShKSX.exe

C:\Windows\System\QtShKSX.exe

C:\Windows\System\pmynMrf.exe

C:\Windows\System\pmynMrf.exe

C:\Windows\System\dWNcrqt.exe

C:\Windows\System\dWNcrqt.exe

C:\Windows\System\MyXCkwD.exe

C:\Windows\System\MyXCkwD.exe

C:\Windows\System\krHzldi.exe

C:\Windows\System\krHzldi.exe

C:\Windows\System\PpoqiQP.exe

C:\Windows\System\PpoqiQP.exe

C:\Windows\System\iXhnjZz.exe

C:\Windows\System\iXhnjZz.exe

C:\Windows\System\PMbmMuE.exe

C:\Windows\System\PMbmMuE.exe

C:\Windows\System\MjsSCuN.exe

C:\Windows\System\MjsSCuN.exe

C:\Windows\System\AksQFIo.exe

C:\Windows\System\AksQFIo.exe

C:\Windows\System\tZtMgCi.exe

C:\Windows\System\tZtMgCi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2292-0-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2292-1-0x00000000002F0000-0x0000000000300000-memory.dmp

C:\Windows\system\TbRTbhM.exe

MD5 ef7181f7d55b40e895a202c2b4b48695
SHA1 853928a819a87637d4d29858fa2841a6e4ca2f70
SHA256 9bd4332323fbbdb23e06a01bbb73f4bdc4c28229f89fb657eafda3b653751cfa
SHA512 202ae66f301e9ffbe62c7a278c5d49d3313fb2e5c10e2693948e5afaeb5033210ddd5e9d221d2273772bd49b84765ce89b8b42a28f520460a83e170a39574558

memory/1064-11-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2292-19-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\aKhYtMc.exe

MD5 6614bfd83aa83877fdc6d703f645ebf7
SHA1 ee08434bf1613a40528a5d49a996f6918ec65673
SHA256 fd090cc1ba521dd12c3c20637ce6788d9ea88cec0273bb69056cc2e3d1ce72c1
SHA512 e41e42980c31cca09ed77c9bf3c4d962c93f2043321cb37bd00c5091fbdb993640835c133d7df3e0159aa17d408e457fe8f373c85db9abe155ffa9325d8cf926

memory/2292-115-0x00000000023C0000-0x0000000002714000-memory.dmp

\Windows\system\ikOPwFw.exe

MD5 3caf99e2895a9e7093e8551bacb73cad
SHA1 81051988b4d8747115679dd987a2663855971496
SHA256 af5ee75e7dad87be440c5b536c4bb36545b2e369975323bae2654dd23d246608
SHA512 ee3b00dbc455fbd5fcff2990dfd82658c9414764f04a8f2f07bcfd155f802b936f659b7bebe1f2c7bf0ddaa20bd815d390fe390e5ce042372dc7491e5099c032

C:\Windows\system\MjsSCuN.exe

MD5 8c61f7b6e8679c2dfc281a7eb27219b2
SHA1 8e27e31e54e1a64a2e9f593ea9184f8bf9d26401
SHA256 9c9b4a5d9a832c7acb8b94d5b1ce3ea44155c5a32a6e2678b9f81a7c23484db4
SHA512 2ff11a6c439439626a33c72f0b6b379aa102e61a0fc460e2da1a58802126884a33c3bf4b3d15d49431a6656617ccc8bf1bc26fc707cb7718531f5e063c6e1dc4

\Windows\system\AksQFIo.exe

MD5 f340027590e0060a1b4dad9a9b63f10a
SHA1 134743e05942e86f636fff53db242b9028087b08
SHA256 ba362b3028dfd3fd10e1cff733653a7665bbb60151e4e522e922da8213e645a3
SHA512 1e43065f8a5c5e1ee76e1515338a88c096638e59ef0e9242c6e444f16a89911bfa12c65ce2bd2b6412944a18a8252e498a3d3513fb10592b2f0b27cb8f3e0585

\Windows\system\PMbmMuE.exe

MD5 77352144316c18144deb15a83ad228c1
SHA1 685a9de040743315659521ed45611bbe25995b3c
SHA256 1b25ab627648fcd0d7744700e3d31b768cba334a0eb1aeb66fe3827ea545bf80
SHA512 a84599bccdb1e650e04b2297f0b679d17666ebd95e03a38822684b73f07b20ee2f28ec2da2afd6a04921735042ce1cc1594b2eeb0746b75ea0884f10a7763dff

memory/2292-82-0x00000000023C0000-0x0000000002714000-memory.dmp

\Windows\system\PpoqiQP.exe

MD5 2ccf3f006a4a7e4e235993329887a3ca
SHA1 f620a413f18793a7828d9e92f52d8faf606fa249
SHA256 ca6f65aeb8c0feec41c9f696619b03ab294eda3b365ba3b7eacf1252ebba6c87
SHA512 50b505dd0c962a5a53a48b7f5b87e13a19fc99a4891906c5f5bfa9d9a9a2a3dc18d6995a8bcb1a31054ac5499306c4ff0326f1bfac7cdd577f3b3b765a362e5b

memory/2656-71-0x000000013FE30000-0x0000000140184000-memory.dmp

\Windows\system\MyXCkwD.exe

MD5 3dbeb18afc2ba6b7c960d67b53e576cb
SHA1 a81134432c49154d88d6897167a9c2b7b0a71add
SHA256 af474e667a2ab901c3edf50c1a6e3c11c27f9c49055500186479d43d2e10ca43
SHA512 f0a0577d92d55723dc90526114756db7fa63e8957034412df9234b95d61987e03586f0b7900c40e359927a228262d3498fe661b79942a8fbd8340b551a2d83e7

memory/2292-62-0x000000013FE30000-0x0000000140184000-memory.dmp

\Windows\system\pmynMrf.exe

MD5 84d162dded4ccaa77eb59d92b60feb90
SHA1 25fffa56f348cf4cb93b81c32faed61712c0dda3
SHA256 39e1f001839327435ecee15600e43ec5ef92df856a968f35b06db3e678751203
SHA512 3b1caf28a1513cc0899a27b5edfec14eeacd91696a8ba9c1163de44896c9cb44a3dd33646f755144f1955a4930c7e2263bb4781bb18e792227511c99395cd3cd

\Windows\system\LAovnHZ.exe

MD5 6e9fe282c38e1ee630d117d3716ef046
SHA1 efd5d35027f0f7adfb164b4f14b3538c47d6e97c
SHA256 0eec04c4ca5cdbf7b6e486c02127a9ae8c24365321cd5bb745c814450482b314
SHA512 63e7cbabc27bac4a4c9ad4f159bcfadebaecdb31fd8dd21507e59f7193db9bce1d1ef5f1acb22ac47631ec123791e3ef8bb84c0409c87c491b3055d2ca2c803f

memory/564-117-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2292-116-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2292-114-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2292-113-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/1972-112-0x000000013F510000-0x000000013F864000-memory.dmp

memory/2292-111-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/3024-110-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2292-109-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2396-108-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2292-107-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2292-106-0x000000013F9B0000-0x000000013FD04000-memory.dmp

C:\Windows\system\tZtMgCi.exe

MD5 9e923cb509c0b52bc66bc590522b402f
SHA1 7858877cae47f7c25100ab8963a82ad8fd9e9341
SHA256 61d1df8a1934239e8923b22aa03cb3e5599d45498fe79bf253bc86f47153c6c1
SHA512 6158c126da62bbf54f21f9fcdc75f4c3d0fea569d1e1e12edfe0b738a0dab6da3dd88461e5c354d23079b379b776a552fe2d0210c4cceb47324b8107f34d3d24

memory/2528-103-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2292-96-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\iXhnjZz.exe

MD5 b31b2cd89dd7dafb6cf8fab677245b27
SHA1 8214d650dec8eed0caad22efc507e8feeeae124b
SHA256 7a3cb7161e87394b63e67b45b8eddccf2247e0d86bcb203fae842dcb31dee73c
SHA512 5027327ff7336e17ac57165f217d3a5efcee308c2e3731f81aee53f3dc752b121ddb1266f64182670db8f6bcb3c2446ad69b706ddb6656c4b6cb090641ccdd08

memory/2148-85-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2292-133-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2388-78-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2292-77-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\krHzldi.exe

MD5 b87faa7f837ef6f0d75c4b13427aec32
SHA1 ff47d57c3db6f8f08de909d6d8abe62e89aa56a4
SHA256 3351a68505a3816c95e4c8a339a95c4f7c4ac3d70b8e09cd1626d8d1ef654fc3
SHA512 d420a36a5fed57fa202bf5347a9e3cef743e6d06e33afa7462a64fb0112899d3d72a3381647ea02c598ab70816fee0ae0052b1955ee1c22193e6d2be3dfd0444

C:\Windows\system\dWNcrqt.exe

MD5 7758254974566bc5f555cac965d9aa02
SHA1 74fb5319b4c2378e1eda91ee4b200e31cacf3362
SHA256 c1c16e5e7dfb610f763fc83fdf2332659e9d9377d43de2687d958709b8d39729
SHA512 4d9eab1a8c0df6de4bd02f8a3901d777e2315680dbad20c072e9c86b3c1c9b671b00a875e8d8598b8fbfd0449ad7e71c2cf3ae95176a9b81b35c49aff9f64799

C:\Windows\system\QtShKSX.exe

MD5 7b7403b6d9fa2205835f4391dde1aea4
SHA1 c1b8b030d6f7ac5d98debe3495baee33b0e6186e
SHA256 e9b2579f1672824c69352bae10d0dabb711eae9dafb5abb4a27c3fac69dcb996
SHA512 197b3e8ce610334153158b7435659c482ee2df9b555e4ecfcc4077a569cfc34cd1718967e633873c5563855890960035442ca30432f68084d123b27be8caa05e

C:\Windows\system\cSUDiPV.exe

MD5 b5c8e737e59dcc9d91e21cdbed8aeb67
SHA1 53d2b205245aae4458d68549b9ee5b00617eb951
SHA256 8b7e9c2e971afc841d4439b648e2e0ba291cd19e22a67dd89aa3884641934e77
SHA512 0868625f154e2fa3cf95417311797ff6fb366ac27ae80e3705431c105ed959d66d7df9a60bbf926ef53a8b9e9eac0e30d1e8fb51dc5721932ae9e962235882db

memory/2632-27-0x000000013F9B0000-0x000000013FD04000-memory.dmp

C:\Windows\system\hrEvlaN.exe

MD5 a9e2d89ad139b75b677062441ba125f1
SHA1 b9a25c20b1118070fa95ad4a857c719ff44657e8
SHA256 6253b9749055a98f169528816f015baf4a4f2b112979e51e47b29ecbb7ab2434
SHA512 5fd12d9215c470464a4fe2e9ddcee2b975f2596e4606573b5b0bff860d8c1a12d3dc0c5956829d93f85ab25f5cd1cf61f9b30f4bd5d180e30a749e79c69dc5e8

C:\Windows\system\vxdkRxt.exe

MD5 3f6f345a242ad6185019431ef2735769
SHA1 051c77c3218d87fd823afe7546b82d7366d19697
SHA256 0e945f905ad4c37f5ca4d4e04d46cf9f8a75f3a3e567f265a9f459d0e51add4b
SHA512 cf0741410d569ea58b174f191c097af90133192871d23df1f83b5120992fae4a7df25c8dcae686d70c7bfd2c69bbed454b078d8e0fa080d5408d067c388617ef

memory/2292-25-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2744-24-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2924-23-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\LgMlkMs.exe

MD5 9171af05c46c8a2177375984b179f9fb
SHA1 17b8d3dda461a201b52e18a221bcb77f85333fde
SHA256 61af6724fe63b5631ce288dd42e424e0bc27ad1f4b1b105111d7e7be80701fdb
SHA512 3cc7feb0f97f81045cc37fd557f941bee515e1eebdcce78637f164d593868a120453692a1ef10733853450d306f7a7f59252fbbee19d7aed9213ff70c49ffe01

C:\Windows\system\PrzUfgd.exe

MD5 3357873d24f64dfbbc5930c02c71cbdb
SHA1 f470b4a26b1f6ba10ed3286b38194614c9eea3c9
SHA256 5fdfff051325e23f05ba927ea097f75b7480291b4837021fc6e7bb73276eb99c
SHA512 659210249938c7ff5ef79b2306ab299c3d0b969a709337424d0a069463c2369ddd2ab360cdd7dd58942a207147802d0196e446fd9f27f6bf844e8b29be123835

C:\Windows\system\gulQWmr.exe

MD5 7b302306f41f4633702d784d9d2b6888
SHA1 749b5980ea5b7472cd19ad728511f6130a481c42
SHA256 ad957921916dfe2e9965ec82a5fa1b5a4c0972b47748a7cc1cca094d1f155fc3
SHA512 b180895be2d928048fb2c39cc36dc98305a5e13f0522a12f04822023071674401dea722ca0fec8c25908e330ab07a8f44209f75a544504ef1982329fcb12b852

memory/2292-134-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2632-135-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2292-136-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/1064-137-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2924-139-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2744-138-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2632-140-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2656-141-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2388-142-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2528-143-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2148-144-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/1972-145-0x000000013F510000-0x000000013F864000-memory.dmp

memory/564-147-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2396-148-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/3024-146-0x000000013F3C0000-0x000000013F714000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 19:19

Reported

2024-05-22 19:21

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4544-0-0x00007FF7AF1D0000-0x00007FF7AF524000-memory.dmp