Analysis Overview
SHA256
b345984886d424a2acd7106c4d2da9e7b6df3d6e6ca380d2f6dd613846a4bcca
Threat Level: Known bad
The file 2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike
xmrig
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:55
Signatures
Cobalt Strike reflective loader
1 match (no description, indicator, process or target recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
1 match (no description, indicator, process or target recorded)
XMRig Miner payload
1 match (no description, indicator, process or target recorded)
Xmrig family
UPX packed file
1 match (no description, indicator, process or target recorded)
Unsigned PE
2 matches (no description, indicator, process or target recorded)
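The three static verdict inputs above (UPX packed file, Unsigned PE, and the hash set that marks the file Known bad) can be reproduced offline with a small PE header parser. This is an added example, not the sandbox's signature code: the UPX check is a section-name heuristic, the signature check only asks whether the Security data directory is populated, the SHA-256 values in KNOWN_BAD_SHA256 are copied from the Files sections of this report, and the PE that the block analyses is constructed inside the block (headers only), so it runs without the sample.

```python
"""Static triage of a PE: UPX section names, missing Authenticode signature,
and a hash match against the dropped-file IOCs listed in this report.
Added example; the sandbox that produced the report uses its own signatures."""
import hashlib
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the Authenticode blob

# SHA-256 values copied from the "Files" sections of this report.
KNOWN_BAD_SHA256 = {
    "ea6f90c2560266874dea0f651bbc3cd991d83b83a81355cd9a2b6cfa60b5f59f",  # XKpueLx.exe
    "b4378f064a5d58e5b5c4f7e790d30e4f87c68326365219003fceaab18db87b48",  # dJSTaHt.exe
    "d8e8e2394d8d0090afef55889870d8affc7aeea870717bf3f449af9c38722023",  # RptbtJU.exe
}


def parse_pe_headers(data: bytes) -> dict:
    """Return the section names and the Security data directory (VA, size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    security_dir = (0, 0)
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security_dir = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    first_section = opt + opt_size
    names = []
    for i in range(nsections):  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = struct.unpack_from("<8s", data, first_section + 40 * i)[0]
        names.append(raw.rstrip(b"\0"))
    return {"sections": names, "security_dir": security_dir}


def is_upx_packed(data: bytes) -> bool:
    """Section-name heuristic only: a stub with renamed sections evades it, which
    is why the sandbox also dumps at the OEP after the unpacker has run."""
    return any(n in UPX_SECTION_NAMES for n in parse_pe_headers(data)["sections"])


def has_authenticode(data: bytes) -> bool:
    """True when the Security directory points at an embedded signature.
    Presence is not validity: the certificate chain still has to be verified."""
    va, size = parse_pe_headers(data)["security_dir"]
    return va != 0 and size != 0


def hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


def triage(data: bytes, known_bad=KNOWN_BAD_SHA256) -> dict:
    h = hashes(data)
    return {
        "sha256": h["sha256"],
        "known_bad": h["sha256"] in known_bad,
        "upx": is_upx_packed(data),
        "unsigned": not has_authenticode(data),
    }


def build_sample_pe(section_names, signed=False) -> bytes:
    """Constructed minimal PE32+ (headers only, no code) so the block runs offline."""
    opt_size = 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # 16 data directories
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x5000, 0x1800)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
                    for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    print(triage(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Both static checks are cheap and easy to evade: a UPX build with renamed sections passes is_upx_packed, and an embedded but untrusted certificate passes has_authenticode, so the behavioural sections of the report carry more weight than these two flags.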
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:55
Reported
2024-05-22 20:58
Platform
win7-20240508-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
64 matches (no description, indicator, process or target recorded)
XMRig Miner payload
39 matches (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XKpueLx.exe | N/A |
| N/A | N/A | C:\Windows\System\dJSTaHt.exe | N/A |
| N/A | N/A | C:\Windows\System\fibcEeX.exe | N/A |
| N/A | N/A | C:\Windows\System\bXYsfAz.exe | N/A |
| N/A | N/A | C:\Windows\System\MzOhNzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\HMcvPgJ.exe | N/A |
| N/A | N/A | C:\Windows\System\mquleAa.exe | N/A |
| N/A | N/A | C:\Windows\System\yfIvHjc.exe | N/A |
| N/A | N/A | C:\Windows\System\DeeElTG.exe | N/A |
| N/A | N/A | C:\Windows\System\WqochvG.exe | N/A |
| N/A | N/A | C:\Windows\System\HOSQxHz.exe | N/A |
| N/A | N/A | C:\Windows\System\xAVAwGX.exe | N/A |
| N/A | N/A | C:\Windows\System\PLczjCY.exe | N/A |
| N/A | N/A | C:\Windows\System\GuZNOkp.exe | N/A |
| N/A | N/A | C:\Windows\System\lQsVNDm.exe | N/A |
| N/A | N/A | C:\Windows\System\vPkCKUl.exe | N/A |
| N/A | N/A | C:\Windows\System\NXojYXB.exe | N/A |
| N/A | N/A | C:\Windows\System\JFRapME.exe | N/A |
| N/A | N/A | C:\Windows\System\ATAmiQk.exe | N/A |
| N/A | N/A | C:\Windows\System\rzXobqq.exe | N/A |
| N/A | N/A | C:\Windows\System\SyyHXSm.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XKpueLx.exe
C:\Windows\System\XKpueLx.exe
C:\Windows\System\dJSTaHt.exe
C:\Windows\System\dJSTaHt.exe
C:\Windows\System\bXYsfAz.exe
C:\Windows\System\bXYsfAz.exe
C:\Windows\System\fibcEeX.exe
C:\Windows\System\fibcEeX.exe
C:\Windows\System\HMcvPgJ.exe
C:\Windows\System\HMcvPgJ.exe
C:\Windows\System\MzOhNzZ.exe
C:\Windows\System\MzOhNzZ.exe
C:\Windows\System\mquleAa.exe
C:\Windows\System\mquleAa.exe
C:\Windows\System\yfIvHjc.exe
C:\Windows\System\yfIvHjc.exe
C:\Windows\System\DeeElTG.exe
C:\Windows\System\DeeElTG.exe
C:\Windows\System\WqochvG.exe
C:\Windows\System\WqochvG.exe
C:\Windows\System\HOSQxHz.exe
C:\Windows\System\HOSQxHz.exe
C:\Windows\System\xAVAwGX.exe
C:\Windows\System\xAVAwGX.exe
C:\Windows\System\lQsVNDm.exe
C:\Windows\System\lQsVNDm.exe
C:\Windows\System\PLczjCY.exe
C:\Windows\System\PLczjCY.exe
C:\Windows\System\vPkCKUl.exe
C:\Windows\System\vPkCKUl.exe
C:\Windows\System\GuZNOkp.exe
C:\Windows\System\GuZNOkp.exe
C:\Windows\System\NXojYXB.exe
C:\Windows\System\NXojYXB.exe
C:\Windows\System\JFRapME.exe
C:\Windows\System\JFRapME.exe
C:\Windows\System\ATAmiQk.exe
C:\Windows\System\ATAmiQk.exe
C:\Windows\System\rzXobqq.exe
C:\Windows\System\rzXobqq.exe
C:\Windows\System\SyyHXSm.exe
C:\Windows\System\SyyHXSm.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2056-0-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2056-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\XKpueLx.exe
| MD5 | eab7e0f380ca1678ff8342c3b5a0228c |
| SHA1 | 03ad3e010e881a9409ac5cbf17c25ffc072043e0 |
| SHA256 | ea6f90c2560266874dea0f651bbc3cd991d83b83a81355cd9a2b6cfa60b5f59f |
| SHA512 | 5ad81235890d0e51d0e6edefc86fa8079cf0a2e7a05d5f96bbda2a2531437f973a7b113687546ccd5263f4e6b0990fa15b7fcd22b38cf114e0784ec3f742dc61 |
\Windows\system\dJSTaHt.exe
| MD5 | 566c6d5ce3e9bd4a1604ae0f3ce67b0a |
| SHA1 | e5962dc1032f229121fd5f97e69b5106f343e72e |
| SHA256 | b4378f064a5d58e5b5c4f7e790d30e4f87c68326365219003fceaab18db87b48 |
| SHA512 | 5bee7b5939594f05cf12774c8205e73e4933c6e8f3e93d1dccf53ce1e5080f6140acb60ed7cce0ba103f3e14f0fe77f1dda42500736e1b6a0a3288cefb906c4c |
\Windows\system\bXYsfAz.exe
| MD5 | aaf8b8de3744fac5340e5131e968448c |
| SHA1 | feb2da44b36dfbc06f1c721ca78337fef3157cff |
| SHA256 | e69ea46fd8d850911e8f8c98c7ca7b0580eadec6ed89278d766cdd3614896ff6 |
| SHA512 | 5d8255d66d12591352698152ba23c9037fdbf332402a3be7c1cace47d429da88f659514d21f22b736039c2abf9d56f76384d317b00fb1d6cf10ac913cd1a7526 |
C:\Windows\system\fibcEeX.exe
| MD5 | 11e353211db5b34f30b34ee38113b5d2 |
| SHA1 | e2ceeffc1fa8d92b948d41e257e52909c28ead59 |
| SHA256 | 96f86f3837ed6fc88ea25c00a6fd05d53af3c39bda3f48e773faa8a6e7d5a2d8 |
| SHA512 | cf80ee681e927619ea81792648fa82a8782cfd4432842f524088fd9c30d80ab4661aca7f096b4dfa0f09e6e3fbc63596c579d7e1bd40070a92ff5e5bd2d8a08a |
memory/2056-14-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2956-26-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2056-34-0x0000000002420000-0x0000000002771000-memory.dmp
memory/2788-38-0x000000013F020000-0x000000013F371000-memory.dmp
C:\Windows\system\HMcvPgJ.exe
| MD5 | 56caba8fe504b753ff5f7041bc6b0e37 |
| SHA1 | b7cfe38310b1dc0733fb7cd2697fb957dacd74ed |
| SHA256 | 3d656ee152eba8c0b8a3c6bf697618d419870b0a9db679e7a78447a484ee7ba5 |
| SHA512 | 9c58f66414a2442cce7d941f7d6b77bfb1db79f43ec0c6a32ecb946e1848fb20a978ca1585172aae9b005a91e11c5b99937540894079b79f31e4d3e04ad2bdae |
memory/2684-31-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/2072-30-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2652-41-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2056-37-0x000000013F020000-0x000000013F371000-memory.dmp
C:\Windows\system\MzOhNzZ.exe
| MD5 | 3486efae10ca4386c0ba4faf0b5ba73b |
| SHA1 | d6d25a6be04c59843ba53375cdc28def8532f1c8 |
| SHA256 | d02dfdbfed28b0b4d712b646febaac4a71d0cddee7fcd2c9abcfd0295aa1b42e |
| SHA512 | f64fcfb0bf2ac00c28fea607d6531512fdd56154b8f298be6ba170290cec0e880270ba158e8778439ed9adbe0c9f7aa86186f2e62c3967f340f0f3f098594d53 |
memory/2056-24-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2056-54-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2528-56-0x000000013FF20000-0x0000000140271000-memory.dmp
\Windows\system\WqochvG.exe
| MD5 | a9d98110b659ccedc7a1586026f65014 |
| SHA1 | 80b101e9356fea750a51d9aafdb6985710184ea2 |
| SHA256 | 5f89a400b9e26d5a33eb8f7c3755d849f9e83c98d01f77b61ef5234d54229108 |
| SHA512 | ced775408642d8e0e712c3ae5a83ee94af8ffa557d7b516538ff4d45a39fd4f07cb5810e358eb0f0f673f3a8ed96991d10ed396095d55bd8ddf29883d55573ea |
memory/2668-64-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2056-62-0x000000013FB60000-0x000000013FEB1000-memory.dmp
C:\Windows\system\DeeElTG.exe
| MD5 | a7cbdc84ae3af0e9f17530b50a21be02 |
| SHA1 | 4cc0a7b2f63ff81de73007a7116319d178630f14 |
| SHA256 | 945ecc1a348229509b26b8555c9458ad67ab807bf0137677bf60ba86d7c1a80c |
| SHA512 | e000fcaab0e2733499b63d2698cea70c5cf71700b6f5d01ff0ed19ecf9d4213b28f78c2fb0991f4a5cd4d037146f04038a1bc2286013e0d26be52e1dda04f2c2 |
memory/2056-65-0x000000013F330000-0x000000013F681000-memory.dmp
memory/2772-70-0x000000013F330000-0x000000013F681000-memory.dmp
memory/3032-48-0x000000013F600000-0x000000013F951000-memory.dmp
C:\Windows\system\mquleAa.exe
| MD5 | 241d2b6ae79a16424b500a772ca18dd5 |
| SHA1 | 89b35d53c97fbe23472922b6aac8810d6f4128d0 |
| SHA256 | 9822cf55d52ebebf4c12ff893e38b6e67cd9619f4e352533609048ee83e48dde |
| SHA512 | d35dd1981699257f7ac62b173e0efe19a83840cae3045d2d72f58bdf86302cb7f91be25f106e85beba2f84fb8096d7d7481822368b59884ca8b0d8ba74fa90de |
memory/2056-44-0x0000000002420000-0x0000000002771000-memory.dmp
memory/2896-55-0x000000013FD70000-0x00000001400C1000-memory.dmp
C:\Windows\system\yfIvHjc.exe
| MD5 | d96b7afde3c8181f5fb6a005504fc876 |
| SHA1 | eea998e19efe6465db8a20d8506d15ab21128516 |
| SHA256 | 3cca3dee1722fbeb3b620cfc816cc6bc6e8ffa40bb9675fc307c0c2c70c8edbf |
| SHA512 | 315693d652c5a2c94a6d99291984439dab2c0ab54d67e5c8ebca22700d69e696c63f4b9744b876c74a2795d05b02087c10e2709c9fbe6fcfaebb1bc782698f1a |
memory/2896-10-0x000000013FD70000-0x00000001400C1000-memory.dmp
\Windows\system\HOSQxHz.exe
| MD5 | 4290b8aa136fd773d2939de4ecacd5f0 |
| SHA1 | 4da2fda8dffc0ae0e6d6e40e9f8359ab296cb15d |
| SHA256 | 758edf15fe7ab32106f85773a45efd82238d678d2a1caa15b51547680079a26b |
| SHA512 | 2ce572284e1b0520bf0a455f9c917c745f3a7c071729850f51bb0daca55aecfe20e35863b66e530992f785de7bdfb1833a068e55cd869e961502666b3ed515f8 |
memory/620-95-0x000000013F7C0000-0x000000013FB11000-memory.dmp
\Windows\system\lQsVNDm.exe
| MD5 | ccf1105829819751c2e6b727795e89f1 |
| SHA1 | fb8298c57205852308245276cdc654e36cf2b120 |
| SHA256 | 4965b9cbf2e790b4c2eb005ff9960dc2b94275a3d4d82925039c4ee7dea9b58a |
| SHA512 | 02e0643a695a00fa3f85d5d2dd874f9c802f80f5c39f772425334d50bf35fd439d352bc951393847540c2124314ac2fd394030e3b5c1bfb3a13888c196e8ac07 |
C:\Windows\system\PLczjCY.exe
| MD5 | bb208ba03d91965d3230a89dc6634733 |
| SHA1 | e76399488114fa94098a03c7f68bba67474d0df9 |
| SHA256 | 78fd896602d600142c5ee6c63bf1a83b43c3384d803d7a2399537b120ed9a78c |
| SHA512 | 281b91e5bca4ec6a3796f0d0a1b1aca16e6993879da1a6db32499e81b69effa2a3cffe7946460cb28c3d9b53c33762f50d9c25e909ec91fe33942094928b0404 |
\Windows\system\GuZNOkp.exe
| MD5 | 9f6d543f83dda47cfeb5d1c86f186ca0 |
| SHA1 | 9af4e79992085caf1f8d6aa1cb675ecb60ea7cd1 |
| SHA256 | 6385b299b3322a66fb53931d290998c79b164ab8bb8eb0d34d25a67d3f4d4255 |
| SHA512 | f99c6ec567d5c13f1abc46e02279ea58d1528d3d56621941ce45c6ce315ac3623153c0759b08740f2cb8d5e8fc2759376c9b14e1dd425f5650fc9b84b8d6d5b7 |
C:\Windows\system\JFRapME.exe
| MD5 | da0aec64a60f42d95d466e4f96318079 |
| SHA1 | e90825b92749c4a9db921b24282517d36b2b57e1 |
| SHA256 | 30321c66c76465c79d3a0c507d8b32e2a0dfa5765d7207e7712ecd0bc9009daa |
| SHA512 | a87c1d8386e5c3271665688f77c417ab63ef7fac75ef47260aec16a69fcd5cdf672182e1a11ac4e7bab5200a8778aee42ab202edb097b91306b696fb4d698ad5 |
C:\Windows\system\NXojYXB.exe
| MD5 | 3ea69eb1b5982ff493d282eba19fa987 |
| SHA1 | ce202b70d9debc0a6c8bc46d3fedc203f09431f0 |
| SHA256 | 4f8eb271bc7de7ed28365df5bf52028ba071d1bed6f4bb7fdcae33dbbfc6e5b4 |
| SHA512 | b1859115f757369d2bf37a153a3118afab9a4b978a1635ee9a2a0e34935fb655890b734b5a70bb7d4d0b615b1243bed58c84d50b0f83f7facc520c0288d62bf2 |
C:\Windows\system\rzXobqq.exe
| MD5 | 5747ed7f8ef0e50de27022e121342af8 |
| SHA1 | 6cb35a1472af20932524b1722db594f0e32f5403 |
| SHA256 | df476699c320efaa42fce9b7e0c33e165a04e9c00656306b52e6993d0a993d06 |
| SHA512 | dae2d13b5ab2bbd149039b9c4a210f282c45722805b7bed26014451f8ddc4cc3a31c2c0b6c74465dd6b48637a0b15fac746c52152b37920d54a9a886dccceb87 |
\Windows\system\SyyHXSm.exe
| MD5 | d453d0c1a30fa9ce7a4e96780b979c8b |
| SHA1 | f0ae036acc09de7695ff5c15197a7a3ab2222645 |
| SHA256 | a332a82e529e753b7284788c0b72f776938b0950bc6cce630d4e9b8e96814cf0 |
| SHA512 | 501382ef0dd47122d36215d599ec76dad14ec68b093b265dc0ba3097a75a64d054d2cceb247c557575160cffc9fc8ce8fa0accab4b3ffb954e30feae907f5ee9 |
C:\Windows\system\ATAmiQk.exe
| MD5 | 502843420cdaceeafcf2b170fcf2eb9c |
| SHA1 | d4aea207610110a6b8cf2aaff56c4b13f29be674 |
| SHA256 | 09599e1a7b78ddf4aff38c3cd1a2a7a42d5556b32024293b25f4106d2f498177 |
| SHA512 | 8c4cfff93092ced8ac86be8bbf80f8c55bac7853921635cb14b2ce811890fb6e64d781ff01afaa2842434c4d9ab5259ee22f881dda29d0fcd08a16ff22973054 |
C:\Windows\system\vPkCKUl.exe
| MD5 | f343425d0d423a5c8a5662504eec4860 |
| SHA1 | a3f89302c11638747a7e03249e3b7d86dd049dcb |
| SHA256 | daf02a251355d85495164f861e73ec61d6fda9247d0b21e508e52f05fa901886 |
| SHA512 | 15d59f131996c7d162d97e0d33cc9173ee5626509ca164033ba9bf0d2b2059f376b2dfd4890aeb0b7948c98169d2d98e1a339d6d22d04f85bfab215b7c8153f4 |
memory/2056-112-0x0000000002420000-0x0000000002771000-memory.dmp
memory/2056-111-0x0000000002420000-0x0000000002771000-memory.dmp
memory/2056-109-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2056-108-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2652-105-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2056-103-0x0000000002420000-0x0000000002771000-memory.dmp
memory/848-102-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2548-90-0x000000013F730000-0x000000013FA81000-memory.dmp
C:\Windows\system\xAVAwGX.exe
| MD5 | 4f6e601de2cfe85efb7704e3d8963ea9 |
| SHA1 | f0dbeb26b1e0a679a3abf1edd035957dd5c7f9ea |
| SHA256 | 2be6a7986e10426e8935f22ea6cbdfa5e74d67aac407434b4da666623a9d8bc9 |
| SHA512 | 204b085b73dd90d1058a032dc9c27b79fb07a65e0544f43e5e1eea835920a2665a996d2bbb39f60b52c2ab4a7fd393f2b0109208be2e7aaa9ee8d66d032ff493 |
memory/2788-79-0x000000013F020000-0x000000013F371000-memory.dmp
memory/2056-136-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2668-145-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/3032-147-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2528-144-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2772-146-0x000000013F330000-0x000000013F681000-memory.dmp
memory/2056-148-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2704-153-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2056-160-0x000000013F330000-0x000000013F681000-memory.dmp
memory/532-158-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2200-157-0x000000013FF50000-0x00000001402A1000-memory.dmp
memory/2920-155-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/1392-151-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/1772-156-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2248-154-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/1564-159-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2056-161-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2056-183-0x0000000002420000-0x0000000002771000-memory.dmp
memory/2056-195-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2896-208-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2956-210-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2684-213-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/2072-214-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2788-223-0x000000013F020000-0x000000013F371000-memory.dmp
memory/2652-225-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/3032-227-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2528-229-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2668-231-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2772-233-0x000000013F330000-0x000000013F681000-memory.dmp
memory/620-246-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/848-250-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2548-248-0x000000013F730000-0x000000013FA81000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:55
Reported
2024-05-22 20:58
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
64 matches (no description, indicator, process or target recorded)
XMRig Miner payload
46 matches (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RptbtJU.exe | N/A |
| N/A | N/A | C:\Windows\System\wjfLWpP.exe | N/A |
| N/A | N/A | C:\Windows\System\RnOiFft.exe | N/A |
| N/A | N/A | C:\Windows\System\XbUHOTs.exe | N/A |
| N/A | N/A | C:\Windows\System\TCiFYZU.exe | N/A |
| N/A | N/A | C:\Windows\System\HYFFljB.exe | N/A |
| N/A | N/A | C:\Windows\System\EJlvFWd.exe | N/A |
| N/A | N/A | C:\Windows\System\SczZuVI.exe | N/A |
| N/A | N/A | C:\Windows\System\HRvZQbK.exe | N/A |
| N/A | N/A | C:\Windows\System\qhODPnB.exe | N/A |
| N/A | N/A | C:\Windows\System\PrGbPZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\yAdbcxy.exe | N/A |
| N/A | N/A | C:\Windows\System\YzDyRkG.exe | N/A |
| N/A | N/A | C:\Windows\System\LsRqXsn.exe | N/A |
| N/A | N/A | C:\Windows\System\yLWGUzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\oqwFzZr.exe | N/A |
| N/A | N/A | C:\Windows\System\gWUIYZi.exe | N/A |
| N/A | N/A | C:\Windows\System\OFHaZPl.exe | N/A |
| N/A | N/A | C:\Windows\System\eDAMtfu.exe | N/A |
| N/A | N/A | C:\Windows\System\VeHhixo.exe | N/A |
| N/A | N/A | C:\Windows\System\ELiVIwE.exe | N/A |
UPX packed file
64 matches (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_64c8420e94fd1fe741ba97752de832ae_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\RptbtJU.exe
C:\Windows\System\RptbtJU.exe
C:\Windows\System\wjfLWpP.exe
C:\Windows\System\wjfLWpP.exe
C:\Windows\System\RnOiFft.exe
C:\Windows\System\RnOiFft.exe
C:\Windows\System\XbUHOTs.exe
C:\Windows\System\XbUHOTs.exe
C:\Windows\System\TCiFYZU.exe
C:\Windows\System\TCiFYZU.exe
C:\Windows\System\HYFFljB.exe
C:\Windows\System\HYFFljB.exe
C:\Windows\System\SczZuVI.exe
C:\Windows\System\SczZuVI.exe
C:\Windows\System\EJlvFWd.exe
C:\Windows\System\EJlvFWd.exe
C:\Windows\System\HRvZQbK.exe
C:\Windows\System\HRvZQbK.exe
C:\Windows\System\qhODPnB.exe
C:\Windows\System\qhODPnB.exe
C:\Windows\System\PrGbPZJ.exe
C:\Windows\System\PrGbPZJ.exe
C:\Windows\System\yAdbcxy.exe
C:\Windows\System\yAdbcxy.exe
C:\Windows\System\YzDyRkG.exe
C:\Windows\System\YzDyRkG.exe
C:\Windows\System\LsRqXsn.exe
C:\Windows\System\LsRqXsn.exe
C:\Windows\System\yLWGUzZ.exe
C:\Windows\System\yLWGUzZ.exe
C:\Windows\System\oqwFzZr.exe
C:\Windows\System\oqwFzZr.exe
C:\Windows\System\gWUIYZi.exe
C:\Windows\System\gWUIYZi.exe
C:\Windows\System\OFHaZPl.exe
C:\Windows\System\OFHaZPl.exe
C:\Windows\System\eDAMtfu.exe
C:\Windows\System\eDAMtfu.exe
C:\Windows\System\VeHhixo.exe
C:\Windows\System\VeHhixo.exe
C:\Windows\System\ELiVIwE.exe
C:\Windows\System\ELiVIwE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2208-0-0x00007FF7F2200000-0x00007FF7F2551000-memory.dmp
memory/2208-1-0x00000207E2D30000-0x00000207E2D40000-memory.dmp
C:\Windows\System\RptbtJU.exe
| MD5 | 9917fe44af7ab42a95a987fe2a8e6710 |
| SHA1 | 5646ab35ca773d6cd9a12b8f9008aaf36a14689f |
| SHA256 | d8e8e2394d8d0090afef55889870d8affc7aeea870717bf3f449af9c38722023 |
| SHA512 | 833872b0fac7df973a1a7e7af03c0fe45d8a260ba6b7686056808f388f46cadf7afa216cc820cc0d42c7cdc7ad5ac92385295c72acabba319d4fed5fbf782a0d |
memory/4856-8-0x00007FF61DE80000-0x00007FF61E1D1000-memory.dmp
C:\Windows\System\wjfLWpP.exe
| MD5 | 8b2c12fd65bf7acf9ca80538167f45f4 |
| SHA1 | 3b017c4c55e00b75d7d66d19a1449f32447e40ff |
| SHA256 | b74823fc04bea12ee2183349885c3baa75bfc02b8237a422a7707d1faefeb3ae |
| SHA512 | 68964e08bc43fd38d6efdf2ea34e15a8dff597bfcafaf0f32bd3b18fccd2311643f51e1bc43ab02ab6420d4ce9165b17045b92bc8cbfed4d2502ac4ec7742f06 |
C:\Windows\System\RnOiFft.exe
| MD5 | da503e65a596a275a4776569f6df55d7 |
| SHA1 | 5ce65f456e076127f644b0d58d03c0fa68fe8549 |
| SHA256 | 16b0146695d224b3eef8eaa14d2abbe25d7ab9f20b05f754f845c786341aeb8f |
| SHA512 | 18551b31f0f93b616f34dfdeb0d84ad47ae8157492a8f1ddcbb40a2402d7026ec748c8fa177a8e02748c1cb905188f61162b7dcaa1fd9514b2c5d5a95622060d |
memory/3988-18-0x00007FF757900000-0x00007FF757C51000-memory.dmp
C:\Windows\System\XbUHOTs.exe
| MD5 | 7f9c5e5403324372561012391944e1ac |
| SHA1 | 38e8b7d1367419e29be23bc1b173026011571a6f |
| SHA256 | 1f0ea35bf977099aec41a41c3d82cb059271c818efbb11906ffff507f63420f4 |
| SHA512 | 2913d12e20fd68321a70e02cfca2de94ff4031e9a4dc88cf8b92c34b789d751014ff76b9eb320c30224d98cd6f578984dad65e496c2c7131c21a846f31f21ea1 |
C:\Windows\System\TCiFYZU.exe
| MD5 | 081f2c57494ebb45e2a87950e652ad20 |
| SHA1 | 94960f9ba9a97134b1d86d8bbba69af6c3d81fd9 |
| SHA256 | 3f1bce8a00e6d194763b2261a780d7cf5ad686a9bdaf2ce09bf8c71d61715296 |
| SHA512 | fd53b90ae4510137e6a654c106241a1266000084f433d42dc1027fcfd5a5a895fdc5c281f336c1dfba7d6690544b473755096d08975d86f88dabbdefe36a73a8 |
C:\Windows\System\HYFFljB.exe
| MD5 | 403c2657783956ebcc803b1c2f07181c |
| SHA1 | a8ba29c75952bcd480ca1708c8f3de20805669c1 |
| SHA256 | baeab97b6c8277bed897a27d8d8bc9f3a5748b9e9745398b884addae96352d5b |
| SHA512 | 4e36356cf9e4c69e781fb4303bdad3678fbc4ac36efe8e9a53ada93b262a2c958cfde5898f3d443055c6df41908bb9a692b86ce707fe2ebacc9da2f761407507 |
memory/4392-43-0x00007FF6306C0000-0x00007FF630A11000-memory.dmp
C:\Windows\System\SczZuVI.exe
| MD5 | 099275e07a391704108f1fb793463689 |
| SHA1 | 44db857eac17980941cf77bba79987e3f664648b |
| SHA256 | 925b2cd263c9e7efb1b4bfaf70e746d1db21d98bbea18e648fa3c1063ec7ab23 |
| SHA512 | 732a33f403779a65a74795e514e60bc08fa19285c63d642256baa35fb69cff3210515e9917bcccc821c498501f225a8a61800e265ebf6f17cc1c1b274e0b04d6 |
C:\Windows\System\EJlvFWd.exe
| MD5 | dd8e5b3d87d237732b8b6386759e726a |
| SHA1 | 72b2d87c95f6cb3c754517a7edd3146d9ba5417b |
| SHA256 | 0b3333d206507f7b9192865720156fb3ffa25294e3f30914d770a159a0656bff |
| SHA512 | b7ed5af807aa683436b4c2bbeba25ce42f7bb38cf9437451fe7d8945699dfc73c27781ce3e9a91729eb2fdbeec2189679c719d8d0e081ac2ce9896882097b8bd |
memory/1396-49-0x00007FF7681C0000-0x00007FF768511000-memory.dmp
memory/4428-53-0x00007FF7A2290000-0x00007FF7A25E1000-memory.dmp
C:\Windows\System\HRvZQbK.exe
| MD5 | dc2bc44ce7b231dacc408343d4ee63de |
| SHA1 | 120f3bfebe016717cb9dbea5a1a98de3d75f7b38 |
| SHA256 | cb936583a73d5ac26ce5b3899f0b5c31e1f6612936c30c90094fc2c64d4e603a |
| SHA512 | 38ce1717d62facbc35ac3be3caaa799a6ad0b6f84f6505e7f57fbd95feef9d1b45f9e70ded9e0c036484b3f9a5ddfa335b4dbf753bf72bc00b8aa4f1837c31e7 |
memory/2772-54-0x00007FF7D50D0000-0x00007FF7D5421000-memory.dmp
memory/1620-52-0x00007FF72E840000-0x00007FF72EB91000-memory.dmp
memory/1616-35-0x00007FF6F2370000-0x00007FF6F26C1000-memory.dmp
memory/2972-24-0x00007FF637BD0000-0x00007FF637F21000-memory.dmp
C:\Windows\System\qhODPnB.exe
| MD5 | 6488d25581a9c65fd851e3f089579a95 |
| SHA1 | b35a78efcf7419a78f2f315afaab3cca19a721c4 |
| SHA256 | 10783515ed524a86b7d9e91a886c9826bdf731a2ec10c74d20fbda97082d3981 |
| SHA512 | 952bac4f7edb852de8251c57b0708668b9eaf27fb49d229a426d4584b65a1f2048f90fe7a185a3e5d970181dd00571375cbca5833fb1517ed77e61ae7aa2d55a |
memory/2628-60-0x00007FF6DDC40000-0x00007FF6DDF91000-memory.dmp
C:\Windows\System\PrGbPZJ.exe
| MD5 | d686f855e6f70020355acdc8263f4e2e |
| SHA1 | 48a7acb2154a421ead93d344c654479efc6daf34 |
| SHA256 | db3f51c179a6ebe6f2f0846d1fc0ef045e9b04ec3914ed4df0f93de04ce4b917 |
| SHA512 | 10ca0bb31b91056b31004e197dde12638654f4a3fd08315324d5901000e4f0ea1eb0002205bf5708f71137c1b8aefa204d6ac72d443dc7ab4c7366f5e04f7f8b |
memory/4172-67-0x00007FF60F470000-0x00007FF60F7C1000-memory.dmp
C:\Windows\System\yAdbcxy.exe
| MD5 | 14ab448d07767e3930da592312520b5b |
| SHA1 | 1610c30f1b3ab5d779908beca9c914e0a0fb9a65 |
| SHA256 | 723b6ad767b7bf24f24edfde143071c281350221e0969b53a603412560ebc0d5 |
| SHA512 | 979ce07962989ca61590292de6d870bfeddac9ca60fe2beb66bdb5bc1fad408dc7f16ded25e942daf276e9c4c36c9e47c146d426eff25a984f7116b19ecb45ab |
memory/4092-75-0x00007FF6AD5F0000-0x00007FF6AD941000-memory.dmp
C:\Windows\System\YzDyRkG.exe
| MD5 | 648733dda3772b6affaea9b8520e226f |
| SHA1 | e8b55b033e5515a9c4caa02be97367536f3acfee |
| SHA256 | 4abfd366f4416bb67dc76cdae8e119eb7d952d26d89c88697e9a22b4ec6ff4e6 |
| SHA512 | 18fd7eb12a72eaecbbe0e315632a95b1816f42a71a93e25cadab6c88f0e4c337a3f29a817d53877537dd6b2b4fe2a6ae406a664683a6e0c20a252d9571a58075 |
C:\Windows\System\LsRqXsn.exe
| MD5 | 0d64a1ee7727bb8bd08be8dc796a632e |
| SHA1 | 01c4b47b7fabb85849581818917b8d6247ba2fed |
| SHA256 | 09147df93443b301afe1f206c9ddce4a6f12e7f5049f76d1df96c601975da648 |
| SHA512 | 3628529209f863b231a353e51f93aaa77605bbc45bb8eeba01b585fae48c207c84b3bdd68b7a589d46ce236a9f84a00c374b3015f4cc6d7078a9f0a7bcf136b8 |
memory/2208-88-0x00007FF7F2200000-0x00007FF7F2551000-memory.dmp
C:\Windows\System\oqwFzZr.exe
| MD5 | e45b313938d0b44f11a37c70f26617f5 |
| SHA1 | 0b912515c533b2dedd856d0d4f92d63ad682a203 |
| SHA256 | a58fd29b88289151dcf858b7dfdd4c4ab2a046e24cbd39bc587e52b2d2fb0b2a |
| SHA512 | 40e084647b7243d3b312cf5b9fd62270a205f3939e7829568b7388f49810d7481952296985d18af0c77c94e33503bfdff5dd44dc9605743ca27f64c10057c247 |
memory/4856-98-0x00007FF61DE80000-0x00007FF61E1D1000-memory.dmp
C:\Windows\System\eDAMtfu.exe
| MD5 | f94944ee29f9aa23a1a7012e212a15ea |
| SHA1 | 69cb0ae5af0a7fec8c3d2b167e23f1ed44b003cc |
| SHA256 | fda61bd54acd2e71580a8668c53e83e54c67605e7c4b04aafa81a1546e57b37d |
| SHA512 | 57068ad33f9b009b46c4f25504b96046505625eae9fd5fbb317b14c14ce1bd082fb2009896147df70df9f08d1224e7c68539597654cf46ab8b405378b7f46195 |
memory/4400-112-0x00007FF7A1B20000-0x00007FF7A1E71000-memory.dmp
memory/64-109-0x00007FF788AD0000-0x00007FF788E21000-memory.dmp
memory/2960-123-0x00007FF7CBC00000-0x00007FF7CBF51000-memory.dmp
C:\Windows\System\VeHhixo.exe
| MD5 | 828108d2732a794742d10e280a5c5e12 |
| SHA1 | db14bbe1dfbb64dca310c875410134a0d7feda82 |
| SHA256 | bf324c2a2897c914d58d9d2a716b61e543e87a529c63e2e6acaddbba2638e922 |
| SHA512 | 9caac5d1aa5342897897cc8c43f7c8023a88907b69a6ab17466905b8bd55b8e9f8b827e7a166f6114872b601f9e3ca6682ec2dca970a1c812187c3ea9b699f1d |
C:\Windows\System\ELiVIwE.exe
| MD5 | 4738149331db1214ae9565c45ee37232 |
| SHA1 | 1da6a516ba0d5601fb80d4aa3635a0b0e71fadf1 |
| SHA256 | ffaaebc4e72a19e9192e47d5b1cab3435b570c291fc7e561b97456fc77f5740f |
| SHA512 | 26c51c82904386e546c6c7c5b28708b1e2f671aca981c3c7c0ad2cd5ac76de6acc99641804b9faaedef1084af28ac526a1332df32d42a06b9138a852e262eea9 |
C:\Windows\System\OFHaZPl.exe
| MD5 | 6a3af279e7b9122e7c20662eb5899fb6 |
| SHA1 | 50e200775743d5bd4d881e43ca50ddfc162db03c |
| SHA256 | ba6d42e3a9c471f82e9213035e8a2da4a7cc22a9a0c37be3dca586354df885cb |
| SHA512 | abfee200636cd316daa12d248926861bc91a93f5b3e1af6c61729574a6e2505beb3e98de9ae91e200b823689e2f1815dc3995f28317f85e1e6090fe94b344c50 |
memory/2392-124-0x00007FF7E6F00000-0x00007FF7E7251000-memory.dmp
memory/432-122-0x00007FF6DA990000-0x00007FF6DACE1000-memory.dmp
memory/1196-120-0x00007FF6AA770000-0x00007FF6AAAC1000-memory.dmp
memory/1616-119-0x00007FF6F2370000-0x00007FF6F26C1000-memory.dmp
memory/2972-118-0x00007FF637BD0000-0x00007FF637F21000-memory.dmp
C:\Windows\System\gWUIYZi.exe
| MD5 | 0a04adef7789eb2115d67ca873d039c3 |
| SHA1 | db37720b3cec0874b7ac219426fab7eb05180855 |
| SHA256 | a5540ccbb911b5bcfecae749b504fe42cd95b876c9354ad63ced00d29861f767 |
| SHA512 | 22c29bbd54faae469c6616c93d809bfbc5e73867a1220303c0f1d5f0d0f0105e2dba48bf97311c9d55ce4316b0f58431aff89d73bd0071748c7b0846fc2f754a |
memory/3856-104-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp
memory/3988-99-0x00007FF757900000-0x00007FF757C51000-memory.dmp
C:\Windows\System\yLWGUzZ.exe
| MD5 | 45464eeb46fa054b18ac92d9250ae5a6 |
| SHA1 | f0af9f252c49b20fb8c15031579f06933333ebdb |
| SHA256 | be2858217aa7818ee386b73861a14a1f59fa7246570cfe8e8fab8d3f14866f50 |
| SHA512 | ae86f55770609cc0b141c6d73dc4d57ed7fc66e9ef8ed010593360ae4d422196b5e71058d1530a8ed98791823c3206031aff4e9ae937dc20cd1ccd10c6b6dc7d |
memory/1464-90-0x00007FF6BE230000-0x00007FF6BE581000-memory.dmp
memory/4380-79-0x00007FF6F0D10000-0x00007FF6F1061000-memory.dmp
memory/2208-133-0x00007FF7F2200000-0x00007FF7F2551000-memory.dmp
memory/2628-143-0x00007FF6DDC40000-0x00007FF6DDF91000-memory.dmp
memory/4172-144-0x00007FF60F470000-0x00007FF60F7C1000-memory.dmp
memory/2772-142-0x00007FF7D50D0000-0x00007FF7D5421000-memory.dmp
memory/4380-146-0x00007FF6F0D10000-0x00007FF6F1061000-memory.dmp
memory/2960-153-0x00007FF7CBC00000-0x00007FF7CBF51000-memory.dmp
memory/4400-151-0x00007FF7A1B20000-0x00007FF7A1E71000-memory.dmp
memory/2392-154-0x00007FF7E6F00000-0x00007FF7E7251000-memory.dmp
memory/432-152-0x00007FF6DA990000-0x00007FF6DACE1000-memory.dmp
memory/2208-155-0x00007FF7F2200000-0x00007FF7F2551000-memory.dmp
memory/4856-200-0x00007FF61DE80000-0x00007FF61E1D1000-memory.dmp
memory/3988-202-0x00007FF757900000-0x00007FF757C51000-memory.dmp
memory/2972-204-0x00007FF637BD0000-0x00007FF637F21000-memory.dmp
memory/4392-206-0x00007FF6306C0000-0x00007FF630A11000-memory.dmp
memory/1616-208-0x00007FF6F2370000-0x00007FF6F26C1000-memory.dmp
memory/1396-210-0x00007FF7681C0000-0x00007FF768511000-memory.dmp
memory/1620-212-0x00007FF72E840000-0x00007FF72EB91000-memory.dmp
memory/4428-214-0x00007FF7A2290000-0x00007FF7A25E1000-memory.dmp
memory/2772-220-0x00007FF7D50D0000-0x00007FF7D5421000-memory.dmp
memory/2628-222-0x00007FF6DDC40000-0x00007FF6DDF91000-memory.dmp
memory/4172-224-0x00007FF60F470000-0x00007FF60F7C1000-memory.dmp
memory/4092-226-0x00007FF6AD5F0000-0x00007FF6AD941000-memory.dmp
memory/4380-228-0x00007FF6F0D10000-0x00007FF6F1061000-memory.dmp
memory/1464-230-0x00007FF6BE230000-0x00007FF6BE581000-memory.dmp
memory/3856-239-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp
memory/64-241-0x00007FF788AD0000-0x00007FF788E21000-memory.dmp
memory/1196-243-0x00007FF6AA770000-0x00007FF6AAAC1000-memory.dmp
memory/4400-245-0x00007FF7A1B20000-0x00007FF7A1E71000-memory.dmp
memory/432-247-0x00007FF6DA990000-0x00007FF6DACE1000-memory.dmp
memory/2960-249-0x00007FF7CBC00000-0x00007FF7CBF51000-memory.dmp
memory/2392-251-0x00007FF7E6F00000-0x00007FF7E7251000-memory.dmp