Analysis Overview
SHA256
5aa514b5fd3165a0cd8a9eda4662c884779fa5cdd6a5d186b47cb4dedc6f4a43
Threat Level: Known bad
The file 2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-27 17:44
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 17:44
Reported
2024-05-27 17:47
Platform
win7-20231129-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cnwaIQF.exe | N/A |
| N/A | N/A | C:\Windows\System\QrWNoVM.exe | N/A |
| N/A | N/A | C:\Windows\System\HVPLKVp.exe | N/A |
| N/A | N/A | C:\Windows\System\upwATqG.exe | N/A |
| N/A | N/A | C:\Windows\System\MSUvvaw.exe | N/A |
| N/A | N/A | C:\Windows\System\LOgGIln.exe | N/A |
| N/A | N/A | C:\Windows\System\fgTgZKj.exe | N/A |
| N/A | N/A | C:\Windows\System\unAYZPN.exe | N/A |
| N/A | N/A | C:\Windows\System\gGxkczg.exe | N/A |
| N/A | N/A | C:\Windows\System\DbTFrqB.exe | N/A |
| N/A | N/A | C:\Windows\System\rAeSOav.exe | N/A |
| N/A | N/A | C:\Windows\System\MqLIcUK.exe | N/A |
| N/A | N/A | C:\Windows\System\DKbqBZC.exe | N/A |
| N/A | N/A | C:\Windows\System\TiGjgZt.exe | N/A |
| N/A | N/A | C:\Windows\System\dBeOHLs.exe | N/A |
| N/A | N/A | C:\Windows\System\jslJgjE.exe | N/A |
| N/A | N/A | C:\Windows\System\KsAnTCd.exe | N/A |
| N/A | N/A | C:\Windows\System\oNBvjVU.exe | N/A |
| N/A | N/A | C:\Windows\System\aypZEPd.exe | N/A |
| N/A | N/A | C:\Windows\System\XqNVajr.exe | N/A |
| N/A | N/A | C:\Windows\System\yXbfIju.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\cnwaIQF.exe
C:\Windows\System\QrWNoVM.exe
C:\Windows\System\HVPLKVp.exe
C:\Windows\System\upwATqG.exe
C:\Windows\System\MSUvvaw.exe
C:\Windows\System\LOgGIln.exe
C:\Windows\System\fgTgZKj.exe
C:\Windows\System\unAYZPN.exe
C:\Windows\System\gGxkczg.exe
C:\Windows\System\DbTFrqB.exe
C:\Windows\System\rAeSOav.exe
C:\Windows\System\MqLIcUK.exe
C:\Windows\System\DKbqBZC.exe
C:\Windows\System\TiGjgZt.exe
C:\Windows\System\dBeOHLs.exe
C:\Windows\System\jslJgjE.exe
C:\Windows\System\KsAnTCd.exe
C:\Windows\System\oNBvjVU.exe
C:\Windows\System\aypZEPd.exe
C:\Windows\System\XqNVajr.exe
C:\Windows\System\yXbfIju.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 17:44
Reported
2024-05-27 17:47
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fXYOSrx.exe | N/A |
| N/A | N/A | C:\Windows\System\laQNqEB.exe | N/A |
| N/A | N/A | C:\Windows\System\iNqyTns.exe | N/A |
| N/A | N/A | C:\Windows\System\UpaLoSz.exe | N/A |
| N/A | N/A | C:\Windows\System\dBRqRIr.exe | N/A |
| N/A | N/A | C:\Windows\System\NYCuWSz.exe | N/A |
| N/A | N/A | C:\Windows\System\oRQQRzt.exe | N/A |
| N/A | N/A | C:\Windows\System\NulUWRj.exe | N/A |
| N/A | N/A | C:\Windows\System\iqxzIRa.exe | N/A |
| N/A | N/A | C:\Windows\System\PCkNAve.exe | N/A |
| N/A | N/A | C:\Windows\System\NMKrBVq.exe | N/A |
| N/A | N/A | C:\Windows\System\MQHzQCs.exe | N/A |
| N/A | N/A | C:\Windows\System\KSrKeeo.exe | N/A |
| N/A | N/A | C:\Windows\System\wwLNmEP.exe | N/A |
| N/A | N/A | C:\Windows\System\ciPECaU.exe | N/A |
| N/A | N/A | C:\Windows\System\tXaNwLH.exe | N/A |
| N/A | N/A | C:\Windows\System\btFWxXI.exe | N/A |
| N/A | N/A | C:\Windows\System\mKYvruZ.exe | N/A |
| N/A | N/A | C:\Windows\System\LgqmCiu.exe | N/A |
| N/A | N/A | C:\Windows\System\mavzWgw.exe | N/A |
| N/A | N/A | C:\Windows\System\KQiCIuK.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0214bd96e5f951d12358c17f1328d710_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fXYOSrx.exe
C:\Windows\System\laQNqEB.exe
C:\Windows\System\iNqyTns.exe
C:\Windows\System\UpaLoSz.exe
C:\Windows\System\dBRqRIr.exe
C:\Windows\System\NYCuWSz.exe
C:\Windows\System\oRQQRzt.exe
C:\Windows\System\NulUWRj.exe
C:\Windows\System\iqxzIRa.exe
C:\Windows\System\PCkNAve.exe
C:\Windows\System\NMKrBVq.exe
C:\Windows\System\MQHzQCs.exe
C:\Windows\System\KSrKeeo.exe
C:\Windows\System\wwLNmEP.exe
C:\Windows\System\ciPECaU.exe
C:\Windows\System\tXaNwLH.exe
C:\Windows\System\btFWxXI.exe
C:\Windows\System\mKYvruZ.exe
C:\Windows\System\LgqmCiu.exe
C:\Windows\System\mavzWgw.exe
C:\Windows\System\KQiCIuK.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 81.242.123.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files