Analysis Overview
SHA256
abb45d556c049eb62735f5b413c427c261f6caea26aef41bdb0a6699e0e87fd3
Threat Level: Known bad
The file 2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobalt Strike reflective loader
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:47
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:47
Reported
2024-05-22 20:50
Platform
win7-20240508-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\CSvRHWv.exe |
| C:\Windows\System\CuzcdgM.exe |
| C:\Windows\System\NSJhZEs.exe |
| C:\Windows\System\MFYmUVf.exe |
| C:\Windows\System\xucWIbm.exe |
| C:\Windows\System\GNOFWQj.exe |
| C:\Windows\System\EHmzHxC.exe |
| C:\Windows\System\EiulBln.exe |
| C:\Windows\System\QeFlYYc.exe |
| C:\Windows\System\xEUWKqc.exe |
| C:\Windows\System\huXBrSN.exe |
| C:\Windows\System\pmXFEtO.exe |
| C:\Windows\System\kVLcQmU.exe |
| C:\Windows\System\orsiCaC.exe |
| C:\Windows\System\mIzkjbC.exe |
| C:\Windows\System\DMRYCvM.exe |
| C:\Windows\System\dUThcSH.exe |
| C:\Windows\System\tZdEyNI.exe |
| C:\Windows\System\HfQADJE.exe |
| C:\Windows\System\JiPbDRs.exe |
| C:\Windows\System\gAiWIbG.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CSvRHWv.exe
C:\Windows\System\CuzcdgM.exe
C:\Windows\System\NSJhZEs.exe
C:\Windows\System\MFYmUVf.exe
C:\Windows\System\xucWIbm.exe
C:\Windows\System\GNOFWQj.exe
C:\Windows\System\EHmzHxC.exe
C:\Windows\System\EiulBln.exe
C:\Windows\System\QeFlYYc.exe
C:\Windows\System\xEUWKqc.exe
C:\Windows\System\huXBrSN.exe
C:\Windows\System\pmXFEtO.exe
C:\Windows\System\kVLcQmU.exe
C:\Windows\System\orsiCaC.exe
C:\Windows\System\mIzkjbC.exe
C:\Windows\System\DMRYCvM.exe
C:\Windows\System\dUThcSH.exe
C:\Windows\System\tZdEyNI.exe
C:\Windows\System\HfQADJE.exe
C:\Windows\System\JiPbDRs.exe
C:\Windows\System\gAiWIbG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:47
Reported
2024-05-22 20:50
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\JfsckXg.exe |
| C:\Windows\System\rUmchyq.exe |
| C:\Windows\System\XBUrHZy.exe |
| C:\Windows\System\UMgPKYK.exe |
| C:\Windows\System\dEWMrij.exe |
| C:\Windows\System\LoYhGfH.exe |
| C:\Windows\System\YVgTrVM.exe |
| C:\Windows\System\pERkvxl.exe |
| C:\Windows\System\MroXsQg.exe |
| C:\Windows\System\dFDvcyi.exe |
| C:\Windows\System\iajrRAD.exe |
| C:\Windows\System\pmOeQBg.exe |
| C:\Windows\System\pmzHMxA.exe |
| C:\Windows\System\sJDrOcn.exe |
| C:\Windows\System\kNVfhwW.exe |
| C:\Windows\System\VPmgZGK.exe |
| C:\Windows\System\KemHcIR.exe |
| C:\Windows\System\vSeMODb.exe |
| C:\Windows\System\dmIZkun.exe |
| C:\Windows\System\nLfjoKu.exe |
| C:\Windows\System\DnxHQxo.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1d9d037b375d15758e9f6cbfacffbbaf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\JfsckXg.exe
C:\Windows\System\rUmchyq.exe
C:\Windows\System\XBUrHZy.exe
C:\Windows\System\UMgPKYK.exe
C:\Windows\System\dEWMrij.exe
C:\Windows\System\LoYhGfH.exe
C:\Windows\System\YVgTrVM.exe
C:\Windows\System\pERkvxl.exe
C:\Windows\System\MroXsQg.exe
C:\Windows\System\dFDvcyi.exe
C:\Windows\System\iajrRAD.exe
C:\Windows\System\pmOeQBg.exe
C:\Windows\System\pmzHMxA.exe
C:\Windows\System\sJDrOcn.exe
C:\Windows\System\kNVfhwW.exe
C:\Windows\System\VPmgZGK.exe
C:\Windows\System\KemHcIR.exe
C:\Windows\System\vSeMODb.exe
C:\Windows\System\dmIZkun.exe
C:\Windows\System\nLfjoKu.exe
C:\Windows\System\DnxHQxo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3200-0-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp
memory/3200-1-0x000001AA3CAC0000-0x000001AA3CAD0000-memory.dmp
C:\Windows\System\JfsckXg.exe
| MD5 | 14259bf3729c09b816c82b51a0fbfbf1 |
| SHA1 | 7e9d3688eac7b6432fd68f5f1a2ddb72e9daaf7c |
| SHA256 | 8159b95a70b6e2e68612bb2a418b97ea659d8e0a2f26b1e6f2fc723abe95dc30 |
| SHA512 | 871d5837b75b9fd95be54a93c44d1d2ee71cd29a2ee034817c3357fb700e27ba6d302df3e845c4a05b5c770e2b750d9663664500152f5f605f86c22a4b4a09e3 |
memory/4000-7-0x00007FF6F0D80000-0x00007FF6F10D1000-memory.dmp
C:\Windows\System\XBUrHZy.exe
| MD5 | c1ecdde6c9b6be3884c2b78480d3b628 |
| SHA1 | 951cb33fbb8031b50f884742a3f8b4780b66b696 |
| SHA256 | 231bb173c66558f0508f23a7ff10ea41e83eb11e0b29809d4fa1cd374c25e496 |
| SHA512 | 9e11b32b73c9ba91f43935f7376b98c623376e3e7b7a4b63423a6566273f6df31eecf4d751d478f5b1aab7539292de1c5b6673e78d0d555bf457fb21076b661c |
memory/3592-14-0x00007FF6F8D90000-0x00007FF6F90E1000-memory.dmp
C:\Windows\System\rUmchyq.exe
| MD5 | b23363373171e4b30d433a891e900234 |
| SHA1 | 4bdfccbdb1e7febcf15c9f547ae7cb4992b3d759 |
| SHA256 | f45a2e192e242fb8d897ca41a08fc45807e0644dd6fbbae4bf6b8f177811dc90 |
| SHA512 | 4510a8d2e3fc7a0ccb4471eb23bb2fa9fc02c04a905117b1d9dc8cfaaa4fe8f7ad8cb9da04d1aa11965400be197ddaa1243f30d04616c79309835356d27d53b1 |
memory/2196-18-0x00007FF72F6A0000-0x00007FF72F9F1000-memory.dmp
C:\Windows\System\UMgPKYK.exe
| MD5 | 56ef7b18695887c0248703bfd01f9c6e |
| SHA1 | e6084d90504508d5448af44cf5b36b96acb8a48e |
| SHA256 | dc6eb9b9065c6c476eab26c15905243b1f090504639653b7e763f31aed709087 |
| SHA512 | 521d7bec0135806c22f361da746ded485dd2bb028ce6d4fe59ffd8c4466425fc8b6aba09f0c127132e2f02a1b1c5edef23d1950c5b0158ea38b0f3195da78fc1 |
memory/1880-24-0x00007FF6B6790000-0x00007FF6B6AE1000-memory.dmp
C:\Windows\System\dEWMrij.exe
| MD5 | c3f72750c34a384ef838a72645a8eca7 |
| SHA1 | 00eb22fa9684677c30f2ab177f173e33242576d1 |
| SHA256 | 7ba53ff7d0d641e6360b69f51937b6195046d6bb1281c202cb68ede3a8e652b8 |
| SHA512 | 84fbf335598a87a71007dfd295a635a019959b8cbcab3f379639d33c73865ba53617dd29ea1432942b143803f28916f9e473bb1dd46ed969c2669f85a8956cff |
C:\Windows\System\LoYhGfH.exe
| MD5 | b48abd456a47a06ea9a6660ef54119a9 |
| SHA1 | 58945c729e8cb7ed43f504b582b69d6a809bf30a |
| SHA256 | 6db6581fc56568c009dca3850ad33b08e104b510126f5fa4ac3eb70c11d88951 |
| SHA512 | 1c98f693f3dfea915c6e6be361c9b9b93af788c6f377093171cd6407bd10fba2ae06981774c0893d2d50161246714babaddb182de486c11c08eb634c28152cb9 |
memory/2384-37-0x00007FF6EB980000-0x00007FF6EBCD1000-memory.dmp
memory/912-36-0x00007FF638C40000-0x00007FF638F91000-memory.dmp
C:\Windows\System\YVgTrVM.exe
| MD5 | d33b550f8319d6c11e0248c2edb56635 |
| SHA1 | 232b9bf49a95acbb7f2070f1ef545cc32cd29d17 |
| SHA256 | 93a682aa4c4c3b23203f00ca8793fc997983f07463ad40d1cdb9374fcdbae463 |
| SHA512 | 9f53547f84c597b49e43845f8fc67711a618dbc83d2621c7e3ff59a60634b339f50e4f292eaf072c7b8d6487fb664e9b29c5b9972b28c06267590a35fccf8b87 |
memory/4092-44-0x00007FF673BD0000-0x00007FF673F21000-memory.dmp
memory/1232-49-0x00007FF63D020000-0x00007FF63D371000-memory.dmp
memory/3192-56-0x00007FF77C990000-0x00007FF77CCE1000-memory.dmp
C:\Windows\System\dFDvcyi.exe
| MD5 | 1d244fa645cc23bee402599ac70c80d9 |
| SHA1 | 0deafb2944f7194c20f8224cfa86906053ed2370 |
| SHA256 | d394db777575dcc3a5e570a0a5b6bb090b1c91925571a3cee2f8e053db36784c |
| SHA512 | a7126e4795f936c7de6dc938607eaf26a652bfb81d3abc393a8969834fd507a692c70b387db166a87055e09e1f3a2f07de3de81d2b0e8c2b7c929dba1a628dd7 |
memory/4844-68-0x00007FF765320000-0x00007FF765671000-memory.dmp
memory/4052-71-0x00007FF78DF40000-0x00007FF78E291000-memory.dmp
C:\Windows\System\pmOeQBg.exe
| MD5 | cb548981c61a404fa382c629a5a027b4 |
| SHA1 | 14e02d06c28817c95f958631acca1f741643bb19 |
| SHA256 | 284b7d5b91f3e994a86120dcee673d7f57063809015a0824e11f929e06a1e423 |
| SHA512 | 7826290ad66c27129540c89446f7b80b73c8e11b172d3d8ba544916d1bfd36674e6bd3133550292496b6102eb14e7476c19564880157f671f5378481281f1b11 |
memory/3592-75-0x00007FF6F8D90000-0x00007FF6F90E1000-memory.dmp
memory/848-74-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp
memory/4000-73-0x00007FF6F0D80000-0x00007FF6F10D1000-memory.dmp
C:\Windows\System\iajrRAD.exe
| MD5 | 89afa7e718ac47e574b433d6114bcc42 |
| SHA1 | 394851751969bd925f3fa453daa14c59fbfe72e5 |
| SHA256 | ddf8b01b8739e9037b0c3f19d35f6010615370d6b54a7c51ee58c1c03290b94d |
| SHA512 | eeaeade3feb17082e8cb8d034a5cfa207a4646ea149b6d4373b0a030f6c5af1a7dbc57990b8e278fd29658ef376c96eb81306d4ca31b7557fbefac3c62323c38 |
memory/3200-65-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp
C:\Windows\System\MroXsQg.exe
| MD5 | 07415ed6173fd38c2248a4738508b1b7 |
| SHA1 | 56a03d2f59092994a59e2a363495c937bea23e5f |
| SHA256 | 39c6ea4e8879e8b39e8282ae5af99931cd6a0860cae3f8e44007185d4c19dae3 |
| SHA512 | 963883d4051e8be1a8154b1e830cf9b6b874f5f147120408a79d74f4f22a0a45fdd9922d3d6c4c865a0139cf62cff7e547aab5c5b2289a8415dbc1561c0610c8 |
C:\Windows\System\pERkvxl.exe
| MD5 | 1c3637bc4976eeed1660f782b402184a |
| SHA1 | d14667cb7c77c609a9d207809de873352a3fa662 |
| SHA256 | 05a6c6cd542df763737719f47104b580e66bb192eb1ab72f30b5014f4c8b352f |
| SHA512 | 729f9d96cbbba86e76125563c953082b59b152e15ee19fd2ee69b2ee4c2b1187a2c4d3f114d18e1e1cc4311b6ddba2da50931a85a1238f1a0c10267a0430fdbb |
memory/2196-81-0x00007FF72F6A0000-0x00007FF72F9F1000-memory.dmp
C:\Windows\System\pmzHMxA.exe
| MD5 | 5bc1a92a60296174bcdc0c53531c2a67 |
| SHA1 | 49bea84190892af8e64f640681a4078c76a19ea5 |
| SHA256 | 7b436eaa88b0059aba6a451ecbc8336ade21cef4499d3d763f33e379e03b8fec |
| SHA512 | dd8c4d615701b131031ecd4d0a0b5dc0b7c8d8ee0b114b5e80cae823c9890454cd8cfa2fac8b415d9120cbfdaa75d56e47377236644665dc512ac3fea161e208 |
memory/1428-95-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp
C:\Windows\System\kNVfhwW.exe
| MD5 | 0b7695a28af95c6fb50b89a2a10d2262 |
| SHA1 | 46ade0c50a17d5e557f469f52038de152691e6c2 |
| SHA256 | dffdc06bb08853b929d7374f32699959d81776e238e5430149f0c4248a160420 |
| SHA512 | 80525d2eb33d3b90150653a06ffa3c1314b6e0ec1e5976560cc3f1c9aa94a90fdf5faf907c1c0ffad06eae50e5d5b66b4afc3b7ef0b54cc2f0dd15dfb49ab5be |
memory/3772-94-0x00007FF765F40000-0x00007FF766291000-memory.dmp
C:\Windows\System\sJDrOcn.exe
| MD5 | 1eda768d9b036f5c95050278dd411bd4 |
| SHA1 | 5981f511162cb7ebc11e7fe651e47bca3981bd71 |
| SHA256 | f3a160a94703dba4d1ca8373959b17b1bb0ea97cde2fab90714d24dbad099333 |
| SHA512 | d4847d19ebfc63c81fb93069326daa45fce8798c4c9013cf1ee2ceb199cd73d8043a6381fd1a4ccda479dee566487924bcb7bcb3adb17aa56704dc258418735e |
memory/1880-89-0x00007FF6B6790000-0x00007FF6B6AE1000-memory.dmp
memory/4072-84-0x00007FF63BC50000-0x00007FF63BFA1000-memory.dmp
C:\Windows\System\KemHcIR.exe
| MD5 | 96622b51b612ed7699d91d6b89942dc4 |
| SHA1 | dbf8ee589d091c91f1f840747d7f587856e37d6a |
| SHA256 | ece758a4e6a136a6d90f0fcf42892da4306b9b0fb4fa79eed73d7bbd862e04d7 |
| SHA512 | f6b23a2af5215c7d6b7f7925d38abed6c8c6037a6de3be28f7d794bc0a650f082a85ce2e988aaee95c3cb4e5dc0237418e0c13047101f1dae1e8b97a432b3514 |
memory/4092-112-0x00007FF673BD0000-0x00007FF673F21000-memory.dmp
C:\Windows\System\dmIZkun.exe
| MD5 | 96019c76d7f9ba8676daed3cd28106b6 |
| SHA1 | 1dbf651628a6a67865259282b86b5e1a400ea64e |
| SHA256 | 348be8e7f2487f76ad3ba6d7738a026c37500d9cb2f4c8ba75d630fc5d43aff3 |
| SHA512 | 1998c1127d728369a4b50d3240535c11303eaca12c6e06fa297cb310bf9228430cf694a96ee09a5e295419bd681cde3d66f79f40ff86cf0ee174828bff003918 |
memory/1812-124-0x00007FF6E74E0000-0x00007FF6E7831000-memory.dmp
memory/3192-123-0x00007FF77C990000-0x00007FF77CCE1000-memory.dmp
C:\Windows\System\vSeMODb.exe
| MD5 | 11546ec2076cd88b126f23d213000476 |
| SHA1 | b7d818dbd0c4d9ebec066cd4af40856760564ca2 |
| SHA256 | 8c16b716d55c48119a43e7d79ce8539ae35b303b6bcaf8877b88144317cc63f7 |
| SHA512 | a803f3dcf9037e07f4bad291d68bdd8382bc9e2f33c8a3de05439ead57006339962cadb47fbd4bdfd73e750aa12b654ea7c0d199c71ca7959b08f71244b3d4f8 |
memory/1232-117-0x00007FF63D020000-0x00007FF63D371000-memory.dmp
memory/4312-116-0x00007FF71D450000-0x00007FF71D7A1000-memory.dmp
memory/3028-111-0x00007FF7BBB10000-0x00007FF7BBE61000-memory.dmp
memory/2424-109-0x00007FF6162E0000-0x00007FF616631000-memory.dmp
memory/2384-108-0x00007FF6EB980000-0x00007FF6EBCD1000-memory.dmp
C:\Windows\System\VPmgZGK.exe
| MD5 | 94035829afab5bf4a99414b1ce251005 |
| SHA1 | e087d1a7462fe2b2189787c78b64c96efce92f28 |
| SHA256 | 52042d61cea63e075b25a93f9047f61e49657af93e4d3946422d2da72eb7f0ee |
| SHA512 | 74fc9e0711c0da5777bb4a38495bf180cd6e8442dc65a6575b51fdfe4851b542e79cba93c0e5f5fbb77ff5f7b62d2c7a0e48637c776db19e94437d6ff93d50da |
C:\Windows\System\nLfjoKu.exe
| MD5 | 06df3866de86d8da9b016acd0d8a06b4 |
| SHA1 | a769886b3eaf3a2a7b1480bd0ddd93868eaf3747 |
| SHA256 | f451a6694cea1e4f1cfe3bc28db980d1eab1e4324ae6562da0100545ea876fe4 |
| SHA512 | 4e20856d6b74cc0804bdadc5c9140bc8d223c6e8b9a606d523e88a2a9893076d6daae1c1037a65b1f7690582d6ca1a4b3a3f29dec0a8a10f211d9ea6e3b307b1 |
C:\Windows\System\DnxHQxo.exe
| MD5 | 8f26e0777168cfdb72c503a0b8dab0c8 |
| SHA1 | b956917c1f8951084dc057ae2142fc1b9ed6c061 |
| SHA256 | 305e57fd8082c442b1b5eff852e7c9c2ed8cce091513a8e98b6382afdad69b71 |
| SHA512 | a2903bf8a1cdf69170c3b26bc731409138c41aaef930d9d453aa199948a5c2ad3f039a603c765238e41d3cb1b22db51879573a8ac55e688628b2e5e381c8a0e7 |
memory/3712-134-0x00007FF6940E0000-0x00007FF694431000-memory.dmp
memory/2288-132-0x00007FF6BD9B0000-0x00007FF6BDD01000-memory.dmp
memory/848-137-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp
memory/3200-138-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp
memory/3772-147-0x00007FF765F40000-0x00007FF766291000-memory.dmp
memory/4072-146-0x00007FF63BC50000-0x00007FF63BFA1000-memory.dmp
memory/1428-155-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp
memory/4312-158-0x00007FF71D450000-0x00007FF71D7A1000-memory.dmp
memory/2288-160-0x00007FF6BD9B0000-0x00007FF6BDD01000-memory.dmp
memory/3712-161-0x00007FF6940E0000-0x00007FF694431000-memory.dmp
memory/3028-157-0x00007FF7BBB10000-0x00007FF7BBE61000-memory.dmp
memory/3200-162-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp
memory/4000-207-0x00007FF6F0D80000-0x00007FF6F10D1000-memory.dmp
memory/3592-209-0x00007FF6F8D90000-0x00007FF6F90E1000-memory.dmp
memory/2196-211-0x00007FF72F6A0000-0x00007FF72F9F1000-memory.dmp
memory/1880-213-0x00007FF6B6790000-0x00007FF6B6AE1000-memory.dmp
memory/912-215-0x00007FF638C40000-0x00007FF638F91000-memory.dmp
memory/2384-225-0x00007FF6EB980000-0x00007FF6EBCD1000-memory.dmp
memory/4092-228-0x00007FF673BD0000-0x00007FF673F21000-memory.dmp
memory/1232-230-0x00007FF63D020000-0x00007FF63D371000-memory.dmp
memory/3192-232-0x00007FF77C990000-0x00007FF77CCE1000-memory.dmp
memory/4844-234-0x00007FF765320000-0x00007FF765671000-memory.dmp
memory/4052-236-0x00007FF78DF40000-0x00007FF78E291000-memory.dmp
memory/848-238-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp
memory/4072-241-0x00007FF63BC50000-0x00007FF63BFA1000-memory.dmp
memory/3772-242-0x00007FF765F40000-0x00007FF766291000-memory.dmp
memory/1428-244-0x00007FF6E5270000-0x00007FF6E55C1000-memory.dmp
memory/2424-249-0x00007FF6162E0000-0x00007FF616631000-memory.dmp
memory/3028-251-0x00007FF7BBB10000-0x00007FF7BBE61000-memory.dmp
memory/1812-253-0x00007FF6E74E0000-0x00007FF6E7831000-memory.dmp
memory/4312-255-0x00007FF71D450000-0x00007FF71D7A1000-memory.dmp
memory/2288-257-0x00007FF6BD9B0000-0x00007FF6BDD01000-memory.dmp
memory/3712-259-0x00007FF6940E0000-0x00007FF694431000-memory.dmp
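Added example (not part of the sandbox report above): a small parser that turns the Network and Files sections of a report in this layout into an IOC set. It handles the rows where the Domain column is empty and the protocol has slid one column left, attaches each hash row to the dropped file path that precedes it, and decodes the `memory/PID-N-start-end-memory.dmp` names into per-PID region sizes. The `REPORT` text is a constructed excerpt copied from the sections above; the "unresolved TCP destination" flag is a triage heuristic of this example, not a verdict the report itself states.

```python
"""Extract IOCs from a tria.ge-style report excerpt (added example)."""
import json
import re
from collections import defaultdict

# Constructed sample: rows copied from the Network and Files sections of this page.
REPORT = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/3200-0-0x00007FF7E7230000-0x00007FF7E7581000-memory.dmp
C:\Windows\System\JfsckXg.exe
| MD5 | 14259bf3729c09b816c82b51a0fbfbf1 |
| SHA1 | 7e9d3688eac7b6432fd68f5f1a2ddb72e9daaf7c |
| SHA256 | 8159b95a70b6e2e68612bb2a418b97ea659d8e0a2f26b1e6f2fc723abe95dc30 |
memory/4000-7-0x00007FF6F0D80000-0x00007FF6F10D1000-memory.dmp
"""

NET_ROW = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}
PROTOS = {"tcp", "udp"}


def _cells(line):
    """Split a '| a | b |' row into stripped cells, keeping empty ones."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Return (network_rows, files_by_path, memory_regions_by_pid)."""
    network, files, regions = [], {}, defaultdict(list)
    current = None  # dropped-file path that the next hash rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:  # memory/PID-index-0xSTART-0xEND-memory.dmp
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions[int(m.group(1))].append((start, end - start))
            continue
        if line.startswith("C:\\"):
            current = line
            files.setdefault(current, {})
            continue
        if not line.startswith("|"):
            continue
        cells = _cells(line)
        if len(cells) == 2 and cells[0] in HASH_ALGOS and current:
            files[current][cells[0]] = cells[1].lower()
        elif len(cells) >= 3 and NET_ROW.match(cells[1]):
            # Domain may be blank, and the proto may have shifted into its column.
            rest = [c for c in cells[2:] if c]
            proto = next((c for c in rest if c in PROTOS), "")
            domain = next((c for c in rest if c not in PROTOS), "")
            network.append({"country": cells[0], "dest": cells[1],
                            "domain": domain, "proto": proto})
    return network, files, dict(regions)


def unresolved_tcp_dests(network):
    """TCP destinations with no domain recorded: raw-IP connections worth a
    second look (heuristic only; the report does not label them as C2)."""
    return sorted({r["dest"] for r in network if r["proto"] == "tcp" and not r["domain"]})


def region_sizes(regions):
    """Distinct dumped-region sizes per PID; identical sizes across the dropped
    copies suggest one image layout even though the file hashes differ."""
    return {pid: sorted({size for _, size in regs}) for pid, regs in regions.items()}


def summarize(text):
    network, files, regions = parse_report(text)
    return {
        "unresolved_tcp": unresolved_tcp_dests(network),
        "sha256": sorted(h["SHA256"] for h in files.values() if "SHA256" in h),
        "region_sizes": region_sizes(regions),
        "network_rows": len(network),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT), indent=2))
```

Feeding the full page's tables through `summarize` gives a hash list for blocking, the benign Bing/reverse-DNS traffic separated from the repeated raw-IP connections to port 8080, and the observation that every dumped region is 0x351000 bytes regardless of PID.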