Analysis Overview
SHA256
4f02cb8dc893619c18387387bdaca2ea4b66119fb6b6fdc5d44dd3c77fefc3f2
Threat Level: Known bad
The file 2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
Cobaltstrike
xmrig
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:02
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:02
Reported
2024-05-22 21:04
Platform
win7-20240220-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QAqFsYM.exe | N/A |
| N/A | N/A | C:\Windows\System\JcWWqvp.exe | N/A |
| N/A | N/A | C:\Windows\System\SWqvjvb.exe | N/A |
| N/A | N/A | C:\Windows\System\QzaSITS.exe | N/A |
| N/A | N/A | C:\Windows\System\MFbRbix.exe | N/A |
| N/A | N/A | C:\Windows\System\fnBzsjm.exe | N/A |
| N/A | N/A | C:\Windows\System\FwkrCeH.exe | N/A |
| N/A | N/A | C:\Windows\System\rMvAQdT.exe | N/A |
| N/A | N/A | C:\Windows\System\ytzGJOh.exe | N/A |
| N/A | N/A | C:\Windows\System\uqgGauy.exe | N/A |
| N/A | N/A | C:\Windows\System\roVrrgk.exe | N/A |
| N/A | N/A | C:\Windows\System\SilITiw.exe | N/A |
| N/A | N/A | C:\Windows\System\ltzYfJp.exe | N/A |
| N/A | N/A | C:\Windows\System\LpagOpC.exe | N/A |
| N/A | N/A | C:\Windows\System\wdnNKsD.exe | N/A |
| N/A | N/A | C:\Windows\System\HtAPkUX.exe | N/A |
| N/A | N/A | C:\Windows\System\ECAODjS.exe | N/A |
| N/A | N/A | C:\Windows\System\bFLxpZu.exe | N/A |
| N/A | N/A | C:\Windows\System\uVFPRKa.exe | N/A |
| N/A | N/A | C:\Windows\System\lPuqetT.exe | N/A |
| N/A | N/A | C:\Windows\System\fsTwpdx.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\QAqFsYM.exe
C:\Windows\System\QAqFsYM.exe
C:\Windows\System\JcWWqvp.exe
C:\Windows\System\JcWWqvp.exe
C:\Windows\System\SWqvjvb.exe
C:\Windows\System\SWqvjvb.exe
C:\Windows\System\QzaSITS.exe
C:\Windows\System\QzaSITS.exe
C:\Windows\System\MFbRbix.exe
C:\Windows\System\MFbRbix.exe
C:\Windows\System\fnBzsjm.exe
C:\Windows\System\fnBzsjm.exe
C:\Windows\System\FwkrCeH.exe
C:\Windows\System\FwkrCeH.exe
C:\Windows\System\rMvAQdT.exe
C:\Windows\System\rMvAQdT.exe
C:\Windows\System\ytzGJOh.exe
C:\Windows\System\ytzGJOh.exe
C:\Windows\System\uqgGauy.exe
C:\Windows\System\uqgGauy.exe
C:\Windows\System\roVrrgk.exe
C:\Windows\System\roVrrgk.exe
C:\Windows\System\SilITiw.exe
C:\Windows\System\SilITiw.exe
C:\Windows\System\ltzYfJp.exe
C:\Windows\System\ltzYfJp.exe
C:\Windows\System\LpagOpC.exe
C:\Windows\System\LpagOpC.exe
C:\Windows\System\wdnNKsD.exe
C:\Windows\System\wdnNKsD.exe
C:\Windows\System\HtAPkUX.exe
C:\Windows\System\HtAPkUX.exe
C:\Windows\System\uVFPRKa.exe
C:\Windows\System\uVFPRKa.exe
C:\Windows\System\ECAODjS.exe
C:\Windows\System\ECAODjS.exe
C:\Windows\System\lPuqetT.exe
C:\Windows\System\lPuqetT.exe
C:\Windows\System\bFLxpZu.exe
C:\Windows\System\bFLxpZu.exe
C:\Windows\System\fsTwpdx.exe
C:\Windows\System\fsTwpdx.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2132-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\JcWWqvp.exe
| MD5 | 130621c5cb233c2c5e34a452b595ac77 |
| SHA1 | 19ce8b25f1eac341757a6b70c4fc354948156309 |
| SHA256 | 1dbb599485bccdff6e8b7b55b503da9749145343288cf7c7286b1d3d4096e5f8 |
| SHA512 | 06a39eaed256b9507e529307d1bf74f18da2cb2c422cd5767052c5f52205c17ccd87c28054a5f41af0aaac1def5649b2ee32298406129f519a9d26d4a28623f7 |
memory/3024-16-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2524-22-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2028-36-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2688-44-0x000000013FA30000-0x000000013FD81000-memory.dmp
C:\Windows\system\rMvAQdT.exe
| MD5 | 4d00f4170c396317fa66ba55b2f3c8b3 |
| SHA1 | f4d120116a243040cac4e9aea4f942564aef781e |
| SHA256 | bb59f04e70cc87a847615610ab7b482f4bf8ba37e7677268ca9735f349499ac8 |
| SHA512 | 7d9396e6ade9cc491bd80001755a5f289735b715716f9ec5ebbd7565ec1662fc58e82a50b8a81cba403a23147ab6606be034320443ca6198e26d1094fbd36722 |
memory/2704-50-0x000000013FA50000-0x000000013FDA1000-memory.dmp
C:\Windows\system\ytzGJOh.exe
| MD5 | 95e876ba5453657c58ae930cda1c948a |
| SHA1 | 5618b26a5b1023516e9d6095c38ba1f57443e909 |
| SHA256 | 8ee84040c3f0f6a0f05104b2ca795ec63e8d2ab434a627ddead2eb64ac46863b |
| SHA512 | bbae5483ece1a613e56402afad2635406177bedb9f5fbab869fd500002b84084c07d3254c24d080c5b4e3c9daf9e6b2317ded7b344151fcd558a07e22144cc23 |
C:\Windows\system\uqgGauy.exe
| MD5 | e079a532debf2aa09ed43399f7482a78 |
| SHA1 | d64d769e3852c50693e4939ff3c40188d985ada3 |
| SHA256 | f0e2e71cee385e456cf0a137190ff1c1a4b29ed7cc4b5c514e44a5a394624d11 |
| SHA512 | 8aba5fe4a36db99c5343691e54a7723b5626c7b4bf43886827b3df3f80c7dcb9e6bc850e27458fb5b242f7a701bccc0b53ebc5b21d12d38ba652c2283e9e3d7e |
\Windows\system\uqgGauy.exe
| MD5 | 2bb6093b9c782c12625fb574e89aba38 |
| SHA1 | 66532731c7927a0eb3031cac8dbeff796786176d |
| SHA256 | e17222151a2bbfd23dc9c3f203d22e03aeab38a39bc0105886d5639fbebf12f9 |
| SHA512 | cc6b4e23d21fa2d8ae731a24bebd85c5ac0d13d7d1610bcf3d893cdbe2f6e98be34b78c0c24fa861065a9327ac1122cd1023f34b20c8cf03e770443aee58f9be |
memory/2132-59-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2444-58-0x000000013F410000-0x000000013F761000-memory.dmp
C:\Windows\system\roVrrgk.exe
| MD5 | 35d4b9b40e9b95b4a75dec06c4c6f979 |
| SHA1 | 0b088ae4df4f56a63f25ba22b7e936e89c483dcb |
| SHA256 | a2e35e125d8ab4763501772c6c07ab280e15f436019dc190dfa4cb55de62bc7e |
| SHA512 | 56c93fd59bffe6df5a120e950c179eec9dfb3eaf7c3f2e9804dbd4886aee0b0f3a2ad0227feedbd311243dfffa198f082d84fd5e6761249fd05b31e51ba2784b |
memory/2132-74-0x000000013FF00000-0x0000000140251000-memory.dmp
memory/2132-73-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2892-72-0x000000013FF00000-0x0000000140251000-memory.dmp
\Windows\system\SilITiw.exe
| MD5 | 209f4076e0883f6b7179d990252c7ee8 |
| SHA1 | b6b12768e48921d07df5a7c90d4666e3314ea26f |
| SHA256 | ec7b7167326b76a9698b1278831484d03ffbf6b57fe6a87f48426f47751b6423 |
| SHA512 | 36a02217cf0fa8956fe2ced8e9cb6fc2dfc08690443f77e9234912c66037254131dc2d77666e9c787e6a6b3fd6851cf69593d1ae8628c3e31871ffcc51ddadb4 |
memory/2636-81-0x000000013F2F0000-0x000000013F641000-memory.dmp
C:\Windows\system\ltzYfJp.exe
| MD5 | a039c64cd8aafca6f281cb86a3694588 |
| SHA1 | dcbb0a9307d0124c910b5ce81448b0f32944526b |
| SHA256 | abfabadec5a242036c6dfcff4013c09bc285ce20af1c4cf9554f5f6a1a76fe47 |
| SHA512 | 2fece4cdd30291029d1f894274e5915c3f3515c3badeb6a8d9b236359b7bacc5d1c2748366769d25ae1bb4d9c97e506c510ccbbf397a570765f69f8535d33e90 |
memory/2132-87-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2712-88-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2132-80-0x00000000022B0000-0x0000000002601000-memory.dmp
C:\Windows\system\LpagOpC.exe
| MD5 | fa3e9e1f2e718c5f2d0796bac907e061 |
| SHA1 | 7e7eca153b07e42ac53140169b19e463101c2403 |
| SHA256 | f13df63f21babd73714af110480b6b86c050d4b9e1a336a45e8e9e547173431a |
| SHA512 | 4a628f1fa2f988a0e52f07a2893205daf7a89637c427c231ca49d0b52d5a0b118504ad65e76a9539798f479a99058088b78ee72b24d5485544cfe8057eb84451 |
memory/2768-95-0x000000013F950000-0x000000013FCA1000-memory.dmp
\Windows\system\ECAODjS.exe
| MD5 | 4892d49c14a7e283153698e747ec87c9 |
| SHA1 | 7822c69037298ccf4e2cd90381d1446721619c85 |
| SHA256 | 1bbf7ec7dfa34b0d40895a909b82a3a5ff0e7309cdbaab86e0d5c97264357e18 |
| SHA512 | 822125c120a17f4b7f203a570ed240a57e897b4dcce83658630a5c0833b272b84d104098adb903387f380218356f2efbba086a67aa762dbec174f6c315eb4502 |
C:\Windows\system\ECAODjS.exe
| MD5 | 6003dcdabdc2275bbdb72d904f6d526d |
| SHA1 | 550ff0a398c00087b179d9952119e140b745912a |
| SHA256 | 6c8282ca3a8136fa10e3ee9920a9f43efb666346fae6c3c5d737b666fbdc17e4 |
| SHA512 | 3445788e6f24f565f93e12e3ea8e8d5e87d8bfb644ebf0445251dd413945020e3539d4a0d7c7d8569171ab981dbcfe4fd48101fd65c14a1f0ff3cc73e9bccf18 |
C:\Windows\system\fsTwpdx.exe
| MD5 | 74e193188ac1465964e222a719c66810 |
| SHA1 | d467d7116fb0cc9905d3da11172222b1df8403ed |
| SHA256 | 7d5a8593302657f8be55450a25c92f54095d583ec9f5e6a5f54d097c83b0b14a |
| SHA512 | 9f17945a977948a1cd3da734d7b680b05756382d6445040ec816f6eea1329797b108d1c96b4aaff0a39909206c1c7cd0a49b5f4099f2cd0718ef24974c8078a6 |
\Windows\system\uVFPRKa.exe
| MD5 | 780793df4d4b3b6563392e4adb2fe04c |
| SHA1 | b6e81c51432f1af6289cb3878d0fd4ae364ce76f |
| SHA256 | 6fa8b6abec7c53a67e1cd91338788a6abcc04b626745550dfa45e45581e789cf |
| SHA512 | a937c8019cf7669e218028e10d68ef03665f9a40fd3464b5f69e84f87cf69c2b2e3657218874539f24ba00b2a0a54d5980e50b16364e1b016897a6e6f444fec9 |
C:\Windows\system\lPuqetT.exe
| MD5 | 730aabbc4e95ef0b12950ff56d953c5c |
| SHA1 | 1f84278c09f207b1889b2a7da212f6b5afde3bbf |
| SHA256 | f18858b35b899e630669f94ce7f78243f7f4b04ed84a46bab35a2391d513eecb |
| SHA512 | f3f26314438fd55a7a09e2406b6305e49b565a7aefdc6aa4b6de5c58f90534132c2e2f184c5448b0d1ccf95b08adfb6a3f5159f841fb4b5977169c0a8a6b9a67 |
C:\Windows\system\bFLxpZu.exe
| MD5 | bd298aef44d11295edc79338b7927833 |
| SHA1 | ecd3ba72987fac6522940283fb3b729507019bef |
| SHA256 | 317682ee315e87576b02e774307b1b2ffe9f51e78f642e0ca06cf35b4398f987 |
| SHA512 | 47988d1852fd95806f1d30e9db31640a5f6534931c9da73e9e101483ea7779f3e0bf8aa52efba726e2368c9e64ab0a5a46fc7778243be37a3c9671f258f71b7c |
C:\Windows\system\HtAPkUX.exe
| MD5 | 18a4980b9653556073f1c51918d007a4 |
| SHA1 | 724a392e4ff2c636e2b8f7da826d4cc041a06e18 |
| SHA256 | 5c153e2223da04d75b1ab0d6fd60f410d01a534f252abfe304a9fb78cb8a0ffb |
| SHA512 | 25e3098fceb2509a8fd00ce275b47a422738c2fbdcfdb9df07e22662c19eda985246165f0d737796681760b49d95ee7669f278630326d02a3099dbc6e8471e0e |
C:\Windows\system\wdnNKsD.exe
| MD5 | 032d5d1284ec32ea021bd1cc38773c1e |
| SHA1 | 97eb7bef7a76aae0cbdae7a7db9e81038fc16ecc |
| SHA256 | d3937cc1166dd1965c2d0c3d0bc5a0daa02b2e0d5a41d4088c462dd1b37b02f3 |
| SHA512 | bbd8041a498bb1e533aa6d43b6ca4c79326170f534083f905aa656bbe81250197a864b46e8d572788d3a0743a8813d7c67d16dadc43fa8a46b13a9c3ba321c61 |
memory/2132-99-0x000000013FBF0000-0x000000013FF41000-memory.dmp
memory/2132-94-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/2884-70-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2452-69-0x000000013FBE0000-0x000000013FF31000-memory.dmp
\Windows\system\roVrrgk.exe
| MD5 | 9e949e4b85d443d5840ff12696fadbfa |
| SHA1 | 13713499ef5a0a559cc9281f4c6b3160e6cdde62 |
| SHA256 | 213eb04e12ad7678eb81dff92b08f7f3e39a58cf91c808f514b21d9a54ded3c4 |
| SHA512 | 3e9be6e9e8d93ad25f9f60a02e272ced9f60e95ff56409a1514faf3186ca321fd21d33c7c1a951b4906441742d13ccf454f43469c6c5236f3b5801a83308697d |
memory/2168-53-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2568-45-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2132-42-0x000000013FA30000-0x000000013FD81000-memory.dmp
C:\Windows\system\FwkrCeH.exe
| MD5 | f98b75da98a6e0e1239b5d256b751dcc |
| SHA1 | 00401eed244038638d8d6ad80774f798e0600da3 |
| SHA256 | e314ae3cffcbc38782d20a9ab40327d9078f1e53bd7a9f960db02831b6fd44bd |
| SHA512 | d6ea0e401769aadbcc2c09e797633094f2ed75b91a32a698e7754312bc496a8aecbfea98f489c47776d8f91992c4116686b2fae9b57f139f7b202558cd9798dc |
C:\Windows\system\fnBzsjm.exe
| MD5 | be3db84189aba2b420ed0bc1e2827f7a |
| SHA1 | eeaec3534fa0587fc4a95d6334728015d2590b06 |
| SHA256 | c903be7eae3623a36e7c92f670e10a7faef84bb1516521aa9b7fd43930a9a6a0 |
| SHA512 | bcfa6ce225b719e216a67e48e7f9ff16cebf67b1882e8da1168ba775334139d03830f8150ade261f6addb2787d926edd01b0434315421e7d2fbfed8db082c7b4 |
memory/2132-34-0x000000013F800000-0x000000013FB51000-memory.dmp
C:\Windows\system\SWqvjvb.exe
| MD5 | 38f74c41757c902a43733fe48fb77414 |
| SHA1 | 7f834cecd277c4d30b55f693243923f789c4382f |
| SHA256 | db7065311327a51f733b3cdcfb4d371189f64f4573a20d4e23adcffcffb2332a |
| SHA512 | f8a3c5410150d745f59e6b85d5002d4c53cc5a55ba0cf7c3129ef59487b29f3824639b65e5dc59ed6da70849633854d503018a1f831eea07adc2a0ee9841bc6e |
\Windows\system\MFbRbix.exe
| MD5 | 3b17aaf539cc1857e829ec27f63eb9be |
| SHA1 | 07ddc023ea0ba5f75b3524b23e4bfa78751d32d7 |
| SHA256 | 16ca9cc5275d85391f3f87fb32645498a19480e527ae38794a765b281e2dea57 |
| SHA512 | af7c69e1a5877d1d041a2c1b29b55ae27147a05604d12c2412d7ee0c1d4c90788677639532ad5459e100033fa18c9c6cbc053d0434664b531a4d5e5fad3d35a9 |
C:\Windows\system\JcWWqvp.exe
| MD5 | e9c222c176dcec93e6f4bcafaecf8dec |
| SHA1 | 408284547d48ffa17a35887f077b4f23bb0a0474 |
| SHA256 | 2d73009204b2c349b2b19e79f38460acaa4db1841a5cf949ece7b4e9234314f6 |
| SHA512 | 89aa8b430a71579ca84dc7e3a5838ebfe3075c9c3e8efcbf9b6c81ac6851a82e376c9ed8dd121d216a9632ef094a6c84a5f9db3f4d2e69c8d55a20b17f8e42c8 |
memory/2132-10-0x000000013F490000-0x000000013F7E1000-memory.dmp
C:\Windows\system\QAqFsYM.exe
| MD5 | b0dd9e57eabba51649d470c2fe6aed06 |
| SHA1 | 997d34f9584ccba1008fd6e6ce0e76c5d8a405a8 |
| SHA256 | 7102b66ea5c8fc0ef8702081bd8bb769e89c143002595591d91f307cf7e30039 |
| SHA512 | a52a4813d54627e8928021896d4744e4d86360c9e129a7c9311dbfc8ce05dfae20c16a54332cfa3cecb3b2408ea8cbd9ada644e88ade2ceea88985a11b9050b6 |
\Windows\system\QAqFsYM.exe
| MD5 | 127fc12f6faae6241480d3135e552500 |
| SHA1 | 801e5edf3a087a26f7d10e6bccde102f07d029e4 |
| SHA256 | 825915c16780b599c32204b48d20a1fbcb4baf2eb57960853aa1679574121fb8 |
| SHA512 | c859058e54b6a916c73c8cfc81b0347195ddc770d4112c2189cb2dc9a6aa8574b3ee3ca67deb659ca1901ed5c0c543ddc2ed6de390260167651487d0bed263fe |
memory/2132-0-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2132-131-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2168-133-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2132-132-0x00000000022B0000-0x0000000002601000-memory.dmp
memory/2132-134-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2892-145-0x000000013FF00000-0x0000000140251000-memory.dmp
memory/2124-149-0x000000013FBF0000-0x000000013FF41000-memory.dmp
memory/2044-155-0x000000013FAA0000-0x000000013FDF1000-memory.dmp
memory/1364-154-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/1256-153-0x000000013F030000-0x000000013F381000-memory.dmp
memory/284-152-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/1192-151-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/556-150-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2132-156-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/3024-201-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2524-203-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2568-207-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2028-209-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2688-206-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/2704-211-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2444-213-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2168-215-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2452-217-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/2884-219-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2892-221-0x000000013FF00000-0x0000000140251000-memory.dmp
memory/2636-223-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2712-235-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2768-237-0x000000013F950000-0x000000013FCA1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:02
Reported
2024-05-22 21:04
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TkKsLzE.exe | N/A |
| N/A | N/A | C:\Windows\System\eLQesee.exe | N/A |
| N/A | N/A | C:\Windows\System\BORaANe.exe | N/A |
| N/A | N/A | C:\Windows\System\rzMlVvE.exe | N/A |
| N/A | N/A | C:\Windows\System\cgYMxIr.exe | N/A |
| N/A | N/A | C:\Windows\System\hwgnORy.exe | N/A |
| N/A | N/A | C:\Windows\System\PZhbmUR.exe | N/A |
| N/A | N/A | C:\Windows\System\SUhvVfw.exe | N/A |
| N/A | N/A | C:\Windows\System\AerVpoj.exe | N/A |
| N/A | N/A | C:\Windows\System\GZpPkyb.exe | N/A |
| N/A | N/A | C:\Windows\System\NABPmTf.exe | N/A |
| N/A | N/A | C:\Windows\System\RAgqzQe.exe | N/A |
| N/A | N/A | C:\Windows\System\sCYjzOj.exe | N/A |
| N/A | N/A | C:\Windows\System\nCfKUUR.exe | N/A |
| N/A | N/A | C:\Windows\System\mBQLGHn.exe | N/A |
| N/A | N/A | C:\Windows\System\QQpbzDa.exe | N/A |
| N/A | N/A | C:\Windows\System\KVLGvfG.exe | N/A |
| N/A | N/A | C:\Windows\System\BzXWTAY.exe | N/A |
| N/A | N/A | C:\Windows\System\qptbmWz.exe | N/A |
| N/A | N/A | C:\Windows\System\ewuCVMk.exe | N/A |
| N/A | N/A | C:\Windows\System\qubLxoO.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TkKsLzE.exe
C:\Windows\System\TkKsLzE.exe
C:\Windows\System\eLQesee.exe
C:\Windows\System\eLQesee.exe
C:\Windows\System\BORaANe.exe
C:\Windows\System\BORaANe.exe
C:\Windows\System\rzMlVvE.exe
C:\Windows\System\rzMlVvE.exe
C:\Windows\System\cgYMxIr.exe
C:\Windows\System\cgYMxIr.exe
C:\Windows\System\hwgnORy.exe
C:\Windows\System\hwgnORy.exe
C:\Windows\System\PZhbmUR.exe
C:\Windows\System\PZhbmUR.exe
C:\Windows\System\SUhvVfw.exe
C:\Windows\System\SUhvVfw.exe
C:\Windows\System\AerVpoj.exe
C:\Windows\System\AerVpoj.exe
C:\Windows\System\GZpPkyb.exe
C:\Windows\System\GZpPkyb.exe
C:\Windows\System\NABPmTf.exe
C:\Windows\System\NABPmTf.exe
C:\Windows\System\RAgqzQe.exe
C:\Windows\System\RAgqzQe.exe
C:\Windows\System\sCYjzOj.exe
C:\Windows\System\sCYjzOj.exe
C:\Windows\System\nCfKUUR.exe
C:\Windows\System\nCfKUUR.exe
C:\Windows\System\mBQLGHn.exe
C:\Windows\System\mBQLGHn.exe
C:\Windows\System\QQpbzDa.exe
C:\Windows\System\QQpbzDa.exe
C:\Windows\System\KVLGvfG.exe
C:\Windows\System\KVLGvfG.exe
C:\Windows\System\BzXWTAY.exe
C:\Windows\System\BzXWTAY.exe
C:\Windows\System\ewuCVMk.exe
C:\Windows\System\ewuCVMk.exe
C:\Windows\System\qptbmWz.exe
C:\Windows\System\qptbmWz.exe
C:\Windows\System\qubLxoO.exe
C:\Windows\System\qubLxoO.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.146:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.61.62.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\TkKsLzE.exe
| MD5 | 195ce6910a886350ecbe6a58daa3517d |
| SHA1 | fb547c21c122d0a2f30ebab6f5f016bb3e51fc6d |
| SHA256 | bb01b8d292cd3715a103bdb23a35220a5da22230ffc73f39f26bed321da1ec97 |
| SHA512 | 23765276ea6b1a2621ced69d382db6669973e7092e8e8d6d49b5e475bbaaea8cf7aaebb913a275db5252dce7a5e86076dd00a01f11504722bc723d50725475b1 |
C:\Windows\System\TkKsLzE.exe
| MD5 | d84891106dad0d7b4c34af85835ec4a8 |
| SHA1 | 9665f97e962cdc4144cc100086ef9767ced5a5b4 |
| SHA256 | e8a5f91c8c2782a6bcd21f33eab10bf4224beef644a32d7ad28b3f57f788882d |
| SHA512 | 99ae93fd510de7cfcef873c985249199410b4395cf47a95aa3cb62c05fffe82e1b6c91a6f0f0d5f663e3d94c1f85eb70bf420495bec4261acf83c98b566255fe |
C:\Windows\System\BORaANe.exe
| MD5 | 1a0047601d8611e61e69350f657e6f28 |
| SHA1 | 85c60cf532c6d8a6d9651473eef5786a92160c79 |
| SHA256 | 83756167eea91d2b94a1a0688e6b3b90fbd6feae350616d445a0c2c33ba9e0a5 |
| SHA512 | 4540f5f9149a34062d278c1e2a6080c1f5b027b63dd728fd68430e33a531cfc7be6e97aa9e365025c48fac9896d6d17d9d69917e7e72838d0a558ce473b23220 |
C:\Windows\System\RAgqzQe.exe
| MD5 | dfd2c67e54cfdf354e8bbb29e332ac4c |
| SHA1 | f24c275731b407476a6020a51b76ab1e2e179598 |
| SHA256 | c0be5d6112649ab730dd260148056a01227d051b9d17131042f6515fe6c2f010 |
| SHA512 | deec41c10fe0e2347f5445324da636126b3be5f85c230d035d5b6983b80abdc078e082d7a6098e2344c9a31a02e70ce3299e88c86063ee89cb6f4bc8de2697ce |
C:\Windows\System\sCYjzOj.exe
| MD5 | 3b1eb838a01fe1e43ca67be9e0326b86 |
| SHA1 | 413824f1385e11fcaeef554eda4421930a30fe99 |
| SHA256 | c16538f5b7602b3a7801026403f451d5591c91bac592090cd517ad0412b71b87 |
| SHA512 | db1f24b7aef29bd9a61a5ff8e0815d33e2d1d85f87c5666ac0ef1bd01949c0c43a2cf24fdfa9a91e787ea234de34a490ea76c280c4f477fdb150f06fd0240d9e |
C:\Windows\System\mBQLGHn.exe
| MD5 | c75c795d510b861f9f9b558cb79b1fbc |
| SHA1 | d5add5618e5c3a7108967d8d5b9c9510ebec09aa |
| SHA256 | 5bec47309a6327ce4ba19196bf252a4b51e899e3d727c2dc2a100e252a0eee08 |
| SHA512 | c50063c1c71134f748e573d171811d1f33c168aa105479f20b41f27a816d5fb101e3298bf4d46910a258d07a1655cf0eabe4dc22c77b55d3371cd2a75f6a17b4 |
C:\Windows\System\qptbmWz.exe
| MD5 | 127fc12f6faae6241480d3135e552500 |
| SHA1 | 801e5edf3a087a26f7d10e6bccde102f07d029e4 |
| SHA256 | 825915c16780b599c32204b48d20a1fbcb4baf2eb57960853aa1679574121fb8 |
| SHA512 | c859058e54b6a916c73c8cfc81b0347195ddc770d4112c2189cb2dc9a6aa8574b3ee3ca67deb659ca1901ed5c0c543ddc2ed6de390260167651487d0bed263fe |
C:\Windows\System\ewuCVMk.exe
| MD5 | 887c4db9c0e731c51c424f25723ca01e |
| SHA1 | ebd4d0fec45790285506992b629378dbdf685bed |
| SHA256 | 8bdb3ec24c554b9ccb52964f39def71f5534abceb5aec814c918cc861abcac4a |
| SHA512 | 4a80f3d26dcd27c06e3614db59a15e70eda0ed392fc46dcf36320375a85a950d986e150e3f8fe8e6a084ee6d8c9d3a0a1c85df0e3bf8dc0563096df42e12868e |
C:\Windows\System\qptbmWz.exe
| MD5 | 6eb84780ec578014fd161168296e315f |
| SHA1 | 0f588f5efd7eba784fa3acfd7eb9bee8effcf279 |
| SHA256 | 1df596e4eaf10d43f9dccf220096764379b5ce8c420de814644ae91c64482a2d |
| SHA512 | 7197619ddebc22e6fbbf209701e46c0bac88b967f72e604babbaaffe6e5aa0d17b0d6bdc5da7079d142de6e8ed7a5dfa85e9faa917239010d3e1592882be9149 |
C:\Windows\System\BzXWTAY.exe
| MD5 | 6ae8e3926593e737a07cd2ea77e0fe54 |
| SHA1 | d5517add33a51384215192f89524b867e6c48a50 |
| SHA256 | 8ba39d161a5a1842a06809bc59fa0773d59566ac6535ac922a2ff17ae7370c46 |
| SHA512 | 3ea1d4524aaba87b16261177be91aa6e73f8f3550d4b5f559a1239ff6386016d72050f518faa00db54bb02096a93eee23356dcb600757fc98ef0a68f537c8f3d |
C:\Windows\System\KVLGvfG.exe
| MD5 | 07cac703e110d9fb4c0579751373869b |
| SHA1 | ad3ba740dad76cd577c59b523a4dab0dca4eeb20 |
| SHA256 | d6ec3bb8176e0535544e5780b7b02c3efa96ee294328acd8233e3d6b5b9e497a |
| SHA512 | 4cc50e2514ff78785bd1e515c427a26ed165a75d6b13b06fa80ea6306aee83558a9dac5448113070f201b1cc41b922bcb2c94066b8bc88abd74e72953e69f7b9 |
C:\Windows\System\QQpbzDa.exe
| MD5 | f638c33e4339434eb6ea0009e4ee2063 |
| SHA1 | 98b52b647ac0147d10cabccc180fc479e9fc5bca |
| SHA256 | 8e2e1c9dafaead55a526e3cd38b9260d5052f289072a7fae394f84db8a5acbdd |
| SHA512 | 6da1102f76a5778bff074dd5d2f1435bbe9da8dbb018c7e30ea5e63415fa0c37c536c9ea95e159303026d825ee6a852dd08e6c1daa61c8f757620d2f8ce8ff2a |
C:\Windows\System\nCfKUUR.exe
| MD5 | 61766f9cc12cf5573a414cdbe6b61b16 |
| SHA1 | 28729773373596d9f584514c8f67e595dadfb7e1 |
| SHA256 | ea519d1ac115be7d6b82e6719d9e683f74ece818f62f43c303e9387ec35a764a |
| SHA512 | 8d298316114fb9954fb0bbef0775301287c93ff0e7dce1c95a94e62f06cdab3043b842cdff9f347f3064fe87bebb71640c309ee589364844d0eddbfa04acf432 |
C:\Windows\System\RAgqzQe.exe
| MD5 | 34ee7b80d480e878cdd0752548e1e5e4 |
| SHA1 | bd71e3bbf5c579dbdc698668a32a08c10af210a3 |
| SHA256 | dd7cc67c0b3317c94bfb0eb96de5d4280b6882f859f50dcf9cb8eda6b748117a |
| SHA512 | 05fb107cf12ddfd6b2abd14ffb89d860f20c768c96348de27bcf73e382d271373666fc1b96846447de1737fdf368615930778b20432f0a6f13208010e1169046 |
C:\Windows\System\NABPmTf.exe
| MD5 | fc7ccf2b7c19c61956cc015595ea3675 |
| SHA1 | e3e64b85797348024de32719a9e8f4b2da6422ef |
| SHA256 | 1eff488aeb6ba567013583520736b5e074abf50eb288fd915a49533594170272 |
| SHA512 | bcdec8c878c69d131730a0fae1a51b0e643359cad0f0e05c6963e5d731d81190eb74c635d9961b0e230da3d064266380e9708cb4e7801ba89f389ad8a82843fb |
C:\Windows\System\SUhvVfw.exe
| MD5 | c896aff36ae15189bd151386dbcc0d2a |
| SHA1 | 1fef15239b2c6965a9aba85b3ffed2975b913e06 |
| SHA256 | 13490b20bcf7a9c29b3d924906c2830e06c5ea416db703813532cc8665f83a5a |
| SHA512 | 1ae382bd76d96b6cc2afc52ebf9a7bed10b4ca9b6da7182342d35e08a12506deb52279991ea536265400a636b57cd67de8dd479d28ce5b0f296bf6bf5e2c3570 |
C:\Windows\System\PZhbmUR.exe
| MD5 | 8bcb05d9bcfba893b0c9a24fb80f6614 |
| SHA1 | 5787929aa9a028156eff17f3dc6b3534a614751f |
| SHA256 | c2b85fec940454260304826248a9c8767c8fd8661f4d8f9df2d49d53f354b177 |
| SHA512 | cd49e4319053da319c5e4d9adfd75fa0a3fa018ac7044e6437f9e748d51fcc424c57ff6b17d63db1f771e2d6057cb98e8c453c049529195658cea1958c0e6804 |
C:\Windows\System\PZhbmUR.exe
| MD5 | 88e8f420e88d62211c2c582fd715ed73 |
| SHA1 | 175d4a9e8867d5a4b6ec28fb3bd2cf004d873989 |
| SHA256 | 22d0e00279243745f5b2fee098f4fd069dc14529fa705d39b43ccff7fb8caa9e |
| SHA512 | cb0a3be81f31f4bf019d7a2e14a9a6b7b4ebb554467e0263a45cab191071560d560eb544a963c4981fa518d1ad465358fe490e9ba1e73aa28beed4b6fcc7408a |
C:\Windows\System\rzMlVvE.exe
| MD5 | 4302e29560732a68d4ff81b99a9a6728 |
| SHA1 | 867d3426704c9287d13c44a18f34eb929d02e60f |
| SHA256 | eed7eb266aa3940308760212ce5afbae4e7c432894c30852d3d1775f4c7eed6c |
| SHA512 | 2ee8a738ad84db753abd103ff3d354485aa1cf9e249c2ea0fcf0e26edd26120d75a4c9186760b250295587218a1b2d94c1e8013658858f6ad83769cb8dd4057d |
C:\Windows\System\eLQesee.exe
| MD5 | a13a8d0815d860885bfa9dffc2cf3f43 |
| SHA1 | ba8ed394c789c67da35f142462ffcb146ba23145 |
| SHA256 | 37801cac559eef09a2eafcac36911ee601c76d10a22a1e9fbdc475bb69ec2fef |
| SHA512 | 3e6ab34661d36946a5104f7f4a8797aed42473fba76921631e0d5bcc8950086db5f33a7e5f5d3fd5d0a18aeaa339c59a05dd30cc8cea91201cf5cf9f392095c2 |