Analysis Overview
SHA256
2deb57cdb578aab95fa36d4a543fb92f8cd38fa28b44fe2bb4786296aa5ca730
Threat Level: Known bad
The file 2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
xmrig
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-29 22:56
Signatures
Cobalt Strike reflective loader
1 hit recorded; the description, indicator, process and target fields are N/A.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit recorded; the description, indicator, process and target fields are N/A.
UPX dump on OEP (original entry point)
1 hit recorded; the description, indicator, process and target fields are N/A.
XMRig Miner payload
1 hit recorded; the description, indicator, process and target fields are N/A.
Xmrig family
UPX packed file
1 hit recorded; the description, indicator, process and target fields are N/A.
Unsigned PE
2 hits recorded; the description, indicator, process and target fields are N/A for both.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 22:56
Reported
2024-05-29 22:58
Platform
win7-20240221-en
Max time kernel
141s
Max time network
142s
Signatures
Cobalt Strike reflective loader
21 hits recorded; the description, indicator, process and target fields are N/A for every hit.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; the description, indicator, process and target fields are N/A for every hit.
UPX dump on OEP (original entry point)
64 hits recorded; the description, indicator, process and target fields are N/A for every hit.
XMRig Miner payload
37 hits recorded; the description, indicator, process and target fields are N/A for every hit.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mzwWLrh.exe | N/A |
| N/A | N/A | C:\Windows\System\rRmjBJV.exe | N/A |
| N/A | N/A | C:\Windows\System\MAcBwLi.exe | N/A |
| N/A | N/A | C:\Windows\System\EIBiSjR.exe | N/A |
| N/A | N/A | C:\Windows\System\pUbnVZV.exe | N/A |
| N/A | N/A | C:\Windows\System\DImSBIB.exe | N/A |
| N/A | N/A | C:\Windows\System\BTDyftd.exe | N/A |
| N/A | N/A | C:\Windows\System\lkLFuym.exe | N/A |
| N/A | N/A | C:\Windows\System\aHodQZD.exe | N/A |
| N/A | N/A | C:\Windows\System\PMiltYA.exe | N/A |
| N/A | N/A | C:\Windows\System\UNbQUNv.exe | N/A |
| N/A | N/A | C:\Windows\System\bmmLbcu.exe | N/A |
| N/A | N/A | C:\Windows\System\kfXHTeb.exe | N/A |
| N/A | N/A | C:\Windows\System\PRgAqhs.exe | N/A |
| N/A | N/A | C:\Windows\System\GRRhHqL.exe | N/A |
| N/A | N/A | C:\Windows\System\PpdZkRM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZIBlMpw.exe | N/A |
| N/A | N/A | C:\Windows\System\plbjGZg.exe | N/A |
| N/A | N/A | C:\Windows\System\hfnYOVr.exe | N/A |
| N/A | N/A | C:\Windows\System\HWWajLt.exe | N/A |
| N/A | N/A | C:\Windows\System\IPCjcQI.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits recorded; the description, indicator, process and target fields are N/A for every hit.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\mzwWLrh.exe
C:\Windows\System\mzwWLrh.exe
C:\Windows\System\rRmjBJV.exe
C:\Windows\System\rRmjBJV.exe
C:\Windows\System\MAcBwLi.exe
C:\Windows\System\MAcBwLi.exe
C:\Windows\System\pUbnVZV.exe
C:\Windows\System\pUbnVZV.exe
C:\Windows\System\EIBiSjR.exe
C:\Windows\System\EIBiSjR.exe
C:\Windows\System\BTDyftd.exe
C:\Windows\System\BTDyftd.exe
C:\Windows\System\DImSBIB.exe
C:\Windows\System\DImSBIB.exe
C:\Windows\System\lkLFuym.exe
C:\Windows\System\lkLFuym.exe
C:\Windows\System\aHodQZD.exe
C:\Windows\System\aHodQZD.exe
C:\Windows\System\PpdZkRM.exe
C:\Windows\System\PpdZkRM.exe
C:\Windows\System\PMiltYA.exe
C:\Windows\System\PMiltYA.exe
C:\Windows\System\ZIBlMpw.exe
C:\Windows\System\ZIBlMpw.exe
C:\Windows\System\UNbQUNv.exe
C:\Windows\System\UNbQUNv.exe
C:\Windows\System\plbjGZg.exe
C:\Windows\System\plbjGZg.exe
C:\Windows\System\bmmLbcu.exe
C:\Windows\System\bmmLbcu.exe
C:\Windows\System\hfnYOVr.exe
C:\Windows\System\hfnYOVr.exe
C:\Windows\System\kfXHTeb.exe
C:\Windows\System\kfXHTeb.exe
C:\Windows\System\HWWajLt.exe
C:\Windows\System\HWWajLt.exe
C:\Windows\System\PRgAqhs.exe
C:\Windows\System\PRgAqhs.exe
C:\Windows\System\IPCjcQI.exe
C:\Windows\System\IPCjcQI.exe
C:\Windows\System\GRRhHqL.exe
C:\Windows\System\GRRhHqL.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3048-0-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/3048-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\mzwWLrh.exe
| MD5 | b7018327443fd0b49ce194719328f036 |
| SHA1 | 21936c7a7066c9df2ca87b9668ba435b1879f1ef |
| SHA256 | 65c2decaf24e0ebfd840931fbb73b5491dc8fff79d1254220128c0b0152a6163 |
| SHA512 | 361c43d9c9364dda2d1d37b1ba67ba730786b2e4581bc80a08801ffdbf690e7ddf899132a0fcd3321c88093c5eac199491c57cc9cd3b5b89e68e6f1233b0429e |
memory/3048-6-0x000000013FCD0000-0x0000000140021000-memory.dmp
C:\Windows\system\rRmjBJV.exe
| MD5 | 7c1a50b974abca51ee9a77407020c26c |
| SHA1 | dec188683d9b576e364a52c7ed3fcd2ef3a7d763 |
| SHA256 | b8d5bbf0fa0ea79d9069ea15e259d30d4a47bd665d35028f59d0663d2ec76268 |
| SHA512 | 4196b39ee30b541c9250e0b4696fc6592f801f04b357b18ddd2306d8d63bed1eab23ea7cbe7779c4fd7391c7272cf6d1d3189b8d3dd3f8d98fbb20562af85a1a |
memory/3056-10-0x000000013FCD0000-0x0000000140021000-memory.dmp
\Windows\system\MAcBwLi.exe
| MD5 | 04307d7a9259c080a3c84756324e8fa9 |
| SHA1 | 75e9b8ee414fa64d76052cd5fa2a880b89009c63 |
| SHA256 | 75406389ed56e9f4f28b677b3c93ddebc9ace2ae7a2aba15c837569bf3f81385 |
| SHA512 | 0a6556c734eec802de93c806518ac74fba8d6a06e5b83f2d157e1d7e7528dd0b7d39eb4229a72b325930d86af7c0a9732c6d82522180abb5ecdf445dfc8eaaf2 |
memory/3048-45-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/2972-47-0x000000013FFC0000-0x0000000140311000-memory.dmp
C:\Windows\system\BTDyftd.exe
| MD5 | b03b94e0c70861d8ce4b984c8c862eef |
| SHA1 | 2998d304ac035f3ff0345e8053ae693c1044ca77 |
| SHA256 | a520ad6238c4e618f7923df3759fc756b3c58626d8a79accce444be08867ce49 |
| SHA512 | 7d2dd9efd58963ef4465f3e66160015340d0752035e02413c0a058a381e592b49adae1fe2785d40f95671e04b23024fd60aa3c0d0fd8d0da4bcf7a038b23bc8e |
memory/3056-113-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2452-55-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/1640-108-0x000000013F8B0000-0x000000013FC01000-memory.dmp
\Windows\system\IPCjcQI.exe
| MD5 | 76ebd5c6d253e818552b1fef35d0dea5 |
| SHA1 | 3918fd399aff769ec39f52c72ecd2e5243e77ad9 |
| SHA256 | b15eb1bf759da557469c46c76b05e95804f6ae3ba2cd99e0181a2d186868d010 |
| SHA512 | 39ce56c4232de4146cc3b5df87b3c66e3ccf3db07ef1b93e1ccb724f7b4bb49aa470a3c96d80bc5a2c07ceb66040f836aae6f14a4a6a6a6ac589e102bddaca94 |
memory/3048-98-0x000000013F9F0000-0x000000013FD41000-memory.dmp
\Windows\system\HWWajLt.exe
| MD5 | ed0201633333025b37c80809df4ee60b |
| SHA1 | 166243bd5a490cb4aa4087b530251361d3c82272 |
| SHA256 | 430b66a5d2d4960d98d1b7fb25fcc09eb5fbfaa0ef2abfb2402489bf07fea2b8 |
| SHA512 | f5ce79e808d251b3f107b0e4f80acddc75d9d623ae5a6e3df4c383450d6a1e5c2268701c0eea0bcc4d9072d4f48a1273e9f9054e7c49281a8af04ab243552a21 |
memory/3048-90-0x000000013FCD0000-0x0000000140021000-memory.dmp
\Windows\system\hfnYOVr.exe
| MD5 | 87ac966dd384c07989603d1e53d384f7 |
| SHA1 | 9a5ed890cc2c310a8b6bc6ccafeb36a6a4c93f67 |
| SHA256 | c9a1414d98f0773c24901d79ef7122b08bf50ea7b1aa1551d2522f74c407c702 |
| SHA512 | a23664d78d4359de2d7a13fadb2a765956542550ce06207e2d9484567d5446bff69ea819488d5c4a900fe3f69914454fe88cc23956134a4908d4b693b4d4c07e |
C:\Windows\system\UNbQUNv.exe
| MD5 | 79b827c3fe81891dd53b85a0f95eb0b1 |
| SHA1 | cb2b37bd4c9d8e523a6f1e60d113cba962a45e3e |
| SHA256 | 5ffb02611a6c316fac27f8cb397d7c9537ddd0ccd425f49099e75c8bed03082a |
| SHA512 | 12a82a9f6f95ca82cfed842722b667af198e683abc0002fd331f809cf81211225f347aeeb9a64aaa9a89eb2237dc3259a926749e5774bf2e594bd19da19e008b |
\Windows\system\plbjGZg.exe
| MD5 | d45a3b257939749116708ab089e78d5f |
| SHA1 | e7375ae878deb1806a91f23eb01c5af32b35581e |
| SHA256 | 43abdb7bb20be4c755bb5c8f50aea2507db4bcff4bbac7ec8cfbe0daf541aeb8 |
| SHA512 | 6b472d069b5588659f335e3722961969bb2a14210b61119a758d6d41cc81d5a5a5dac442daa88136efc055f9c7ac1f909cdda00aef01fcd6842d3e9b9a3bdc3a |
memory/3048-72-0x000000013F4D0000-0x000000013F821000-memory.dmp
C:\Windows\system\PMiltYA.exe
| MD5 | b8e62c432bf75cf228ea47c60565a774 |
| SHA1 | 12ea5ad08e5451d68990b46cfd0da56002726d32 |
| SHA256 | ad8ad140200e71d2af3793e9c265170ba3e112bac00abc3dce5e3f35ff7195d8 |
| SHA512 | 27a25818ea3cdaab2c7e1be54fa2bdc2745306e9faac99482cb5c7f86c595fc3980ea5dec6921fcb57a4906eef1d1a303cb90ac4424169aefab7d51017df43f3 |
\Windows\system\ZIBlMpw.exe
| MD5 | 7a4cfc8991bfde47a09ffa09622ee70c |
| SHA1 | c7cfd165364eae9f1b15c38cef6a12a1ef80ca20 |
| SHA256 | c28f8048a8e71d08000c721cd564ed7ca93eddb11b9a3558b7f8719a8e433e71 |
| SHA512 | 25079b61f7aa5eb61cb0a5ff9a83ecb8cf6def81cd625b16e4eb4d087f996b4016f3194f652d23e277597f2d943261b2c9f241b5556eaefd2e53759c84f4abca |
\Windows\system\PpdZkRM.exe
| MD5 | 2aa00e77d84fe6be6283e4338fc30e18 |
| SHA1 | 42ce429dcad9c9da292d0a85869b893ce8166abc |
| SHA256 | 430e682ee90cc6f369f17702b53b5c0404ca53d242d42d71f1d68a07e1b52deb |
| SHA512 | 9c6e54a8d691361a0e3588113b7b58b9140bc7f83597b6e5bc77529dfe311c5390e5d1966ba9d15e72b9542786f19d7f821869985502465b86a9ab42e7b66eae |
C:\Windows\system\GRRhHqL.exe
| MD5 | c8b3a3aa0602b568ba3801e7a640bdb9 |
| SHA1 | 46e5333c18627db006aac1456158995091f0b533 |
| SHA256 | e6090ca5332bb94b6ea34d85e728b77a63f44006e4f3f62de70a8a072d6dda48 |
| SHA512 | 0d20ce04ababae129543e44dc79ec0923dd2a177294f377e5d27c7e8d247c9d11510c406140f0bfa985e283fb8aa7a50a7976cde6e90af4de381f276d0b0b77c |
memory/3048-111-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/3048-104-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/3048-103-0x0000000002190000-0x00000000024E1000-memory.dmp
C:\Windows\system\PRgAqhs.exe
| MD5 | ebce8ab0ff07b364ea76b73ebfe4f29c |
| SHA1 | 462e8c9fcc1d8e57d6a0507ee6e6298d26421ef9 |
| SHA256 | 03b9d650af94fdde7486c350a5b2305742c671eef033aedd2e2f59d99f92ac07 |
| SHA512 | ee2bcc73a8eac88785ca61da2b7ebf0b23e43489ea1210dcb8f88662605e55f5e99db9e9d9e784cecf794560e64a88bad3551f31a0505b5b0b7c3a905bd181ee |
C:\Windows\system\kfXHTeb.exe
| MD5 | 802c62d819c8ab00a4771c50c549b921 |
| SHA1 | 67c053185ac82d57e1660d04701fca2dde847503 |
| SHA256 | 8ff545676081fda0525863bc5bc732ef2d30b3625ea261d1aea8d3d2559f766f |
| SHA512 | 39052dfc88416e30597ac69e88a8ab231bb665ff1a329eda5b150a20e69f9aaa26b50ae182d37f579ac30fff0ac2fe0fe2f1ac38358c6bc3d7948933e6ca1f69 |
memory/1608-86-0x000000013F9F0000-0x000000013FD41000-memory.dmp
C:\Windows\system\bmmLbcu.exe
| MD5 | 049b15e6ae3e4d9e9d2cc38b9c85b7c4 |
| SHA1 | d3903d0a61f91d77599d20b39a0279d467129674 |
| SHA256 | b3096332fedd98992f875a75adc7dedafbe4e786df9e4b4bcf4228949d69d81c |
| SHA512 | f3c27c1ea1152f5624c6b215e4bf6817bde5c9ae3b15f9476cf9f92ead340a558a3ea71a6ef30e69e699e476425663632be1a22fcc774ea0ccde67751d0cdfc4 |
memory/2404-84-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/3048-82-0x0000000002190000-0x00000000024E1000-memory.dmp
memory/2972-143-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2452-144-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/2456-142-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/3048-136-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2100-61-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/3048-60-0x0000000002190000-0x00000000024E1000-memory.dmp
C:\Windows\system\aHodQZD.exe
| MD5 | b9b9ab25f4479f71f902825b486cfacc |
| SHA1 | 1246200a17876a6cf0f167fdc726c5ae3d5f1118 |
| SHA256 | 8951aa8ed34b45b903807b39089b8ce3a52f54d05cfb15e39a31e50456fd77e8 |
| SHA512 | 397cd867fd1428120701527306355cf38d6e8c2471b42af6663620b6a2ceadb2905b1985143df17534521d9aae5633acd3757f577a2b4193f8c8a3ac1b56ea21 |
memory/2100-145-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2904-154-0x000000013F260000-0x000000013F5B1000-memory.dmp
memory/2324-157-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/1936-156-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/1324-155-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2836-153-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2812-152-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/1640-151-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/1728-150-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/1608-149-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/1800-148-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/2404-147-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/672-146-0x000000013FA40000-0x000000013FD91000-memory.dmp
C:\Windows\system\lkLFuym.exe
| MD5 | 13ec576e2317f3df5a0dd80030ea2228 |
| SHA1 | c7069a420d9bbe2d73931766202c71743f54cab3 |
| SHA256 | fcf72ba524f1af8b3e92c9d60e0ae118ade6607d9c9d3a1a4ff0e9e5bb2c131a |
| SHA512 | 65c6e61c62dba13c154904de70485f1c87a029d11a13ba2e77d9ea2408b21a5ffc2e16cb4da99f7fea45bf253e9bbd5c24f78518fd4cef7e28f0d3f79a548c30 |
memory/2456-53-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/3048-52-0x0000000002190000-0x00000000024E1000-memory.dmp
memory/2692-38-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2544-37-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/3048-35-0x0000000002190000-0x00000000024E1000-memory.dmp
memory/2752-33-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/3048-46-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2428-44-0x000000013F920000-0x000000013FC71000-memory.dmp
C:\Windows\system\DImSBIB.exe
| MD5 | b7e520586ea3b475726b11a25bbba361 |
| SHA1 | 046cfa530c04172805a765f5273a800abc99191a |
| SHA256 | dc36af4aaef63d1e6df4f230d8bac184b85a4c1af06152898487fe2a558450a1 |
| SHA512 | 3d7d638419e899af080caa043a46cb8587cf2e40bd515b410defd5d031883e8a94eaeeef8d98247caa4faf5804306a59d82e522283dcc6064ab0767a9ec92285 |
memory/3048-42-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/3048-30-0x0000000002190000-0x00000000024E1000-memory.dmp
C:\Windows\system\pUbnVZV.exe
| MD5 | f6e8c9e332b1bffe63a335ad26df248b |
| SHA1 | 2b7492ec0bb861bcb41d8365c999a5182951cb8f |
| SHA256 | ff92721c9887671d169d30df2cc660584cef3e2e13f85e181eb517e2768618b7 |
| SHA512 | ae1e1c1ab87623a67a6e771187cbc5890326f0358ac3beca43fdf9f278d0959d3f8c7a6303876c1d54a6ea9e352a44a6914bc314fdba819c944cd41dd19200f0 |
C:\Windows\system\EIBiSjR.exe
| MD5 | e523d4e3e70ed0500072dfb8991c8380 |
| SHA1 | 0e3ba38c353868f92740b2f86bb51740feb91cff |
| SHA256 | 2ee1da2d44b0dcded1aab70f1ecdd756736cf9bf1ab303986cc186cc2e296680 |
| SHA512 | 30b4a43bca92eb27d694b68a95876962539fe16da006cde64a7beb0ab594e6f16a6b4d26c0685996cd59ca0a6a7db509f1df5fc830e52177acde561dc277f492 |
memory/3048-25-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/3048-158-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/3056-212-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2752-214-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2692-220-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2428-219-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2544-218-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2972-236-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2100-238-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/1640-243-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/1608-242-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2404-239-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2456-248-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/2452-256-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
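The dump names in this Files section encode the process ID, a sequence number and the start and end address of the region that was dumped. As an added example, not part of the sandbox output, the script below parses a subset of those names and a subset of the dropped-file hashes, both copied from the section above. It shows that every dumped region apart from the one 0x10000-byte region is exactly 0x351000 bytes, that the sample's own process (PID 3048) has dumps at the same base and size as the image regions of several children, and that the dropped files all have different SHA256 values even though their in-memory images are the same size. The shared parent/child ranges, read together with the "Suspicious use of WriteProcessMemory" signature, are consistent with the parent writing the same image into each child; that reading is an inference from the names, not something the report states. The practical consequence is that per-file hashes from one detonation are weak indicators here, while the region size, the drop path and the network destination carry over.

```python
import re
from collections import Counter, namedtuple

# Dump names copied from the behavioral1 Files section above; the convention
# memory/<pid>-<sequence>-<start>-<end>-memory.dmp is read off those names.
DUMP_NAMES = """
memory/3048-0-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/3048-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/3048-6-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/3056-10-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/3048-45-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/3048-46-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2972-47-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2456-53-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/2452-55-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/2100-61-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/3048-103-0x0000000002190000-0x00000000024E1000-memory.dmp
memory/3048-104-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/1640-108-0x000000013F8B0000-0x000000013FC01000-memory.dmp
""".split()

# SHA256 of six of the dropped files, copied from the Files section above.
DROPPED_SHA256 = {
    "mzwWLrh.exe": "65c2decaf24e0ebfd840931fbb73b5491dc8fff79d1254220128c0b0152a6163",
    "rRmjBJV.exe": "b8d5bbf0fa0ea79d9069ea15e259d30d4a47bd665d35028f59d0663d2ec76268",
    "MAcBwLi.exe": "75406389ed56e9f4f28b677b3c93ddebc9ace2ae7a2aba15c837569bf3f81385",
    "BTDyftd.exe": "a520ad6238c4e618f7923df3759fc756b3c58626d8a79accce444be08867ce49",
    "IPCjcQI.exe": "b15eb1bf759da557469c46c76b05e95804f6ae3ba2cd99e0181a2d186868d010",
    "HWWajLt.exe": "430b66a5d2d4960d98d1b7fb25fcc09eb5fbfaa0ef2abfb2402489bf07fea2b8",
}

PARENT_PID = 3048  # the sample's own process in behavioral1 (first dump entry)

Dump = namedtuple("Dump", "pid seq start end")
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(names):
    """Turn dump file names into (pid, seq, start, end) with integer addresses."""
    dumps = []
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        dumps.append(Dump(int(m["pid"]), int(m["seq"]),
                          int(m["start"], 16), int(m["end"], 16)))
    return dumps


def size_histogram(dumps):
    """How many dumped regions there are of each byte size."""
    return Counter(d.end - d.start for d in dumps)


def dominant_size(dumps):
    """The region size that occurs most often (the payload image size here)."""
    return size_histogram(dumps).most_common(1)[0][0]


def shared_with_parent(dumps, parent_pid=PARENT_PID):
    """Child PIDs whose dumped range also appears among the parent's own dumps."""
    parent_ranges = {(d.start, d.end) for d in dumps if d.pid == parent_pid}
    return {d.pid: (d.start, d.end) for d in dumps
            if d.pid != parent_pid and (d.start, d.end) in parent_ranges}


def distinct_hash_count(hashes):
    """Number of unique hashes, case-insensitive."""
    return len({h.lower() for h in hashes})


def summarize(names=DUMP_NAMES, hashes=DROPPED_SHA256):
    """Collect the three observations into one dict."""
    dumps = parse_dumps(names)
    return {
        "dominant_size": dominant_size(dumps),
        "size_histogram": dict(size_histogram(dumps)),
        "shared_with_parent": shared_with_parent(dumps),
        "dropped_files": len(hashes),
        "distinct_sha256": distinct_hash_count(hashes.values()),
    }


if __name__ == "__main__":
    s = summarize()
    print(f"dominant region size: {s['dominant_size']:#x} bytes")
    for pid, (start, end) in sorted(s["shared_with_parent"].items()):
        print(f"PID {pid}: {start:#x}-{end:#x} also dumped from parent {PARENT_PID}")
    print(f"{s['distinct_sha256']} distinct SHA256 across {s['dropped_files']} dropped files")
```

Run the file directly to print the summary; the functions take any list of dump names in the same format, so the same check can be pointed at another report from the same sandbox.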
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 22:56
Reported
2024-05-29 22:58
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 hits recorded; the description, indicator, process and target fields are N/A for every hit.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits recorded; the description, indicator, process and target fields are N/A for every hit.
UPX dump on OEP (original entry point)
64 hits recorded; the description, indicator, process and target fields are N/A for every hit.
XMRig Miner payload
47 hits recorded; the description, indicator, process and target fields are N/A for every hit.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZaDtxoL.exe | N/A |
| N/A | N/A | C:\Windows\System\VZMctgN.exe | N/A |
| N/A | N/A | C:\Windows\System\lpHhoNO.exe | N/A |
| N/A | N/A | C:\Windows\System\YMDopTT.exe | N/A |
| N/A | N/A | C:\Windows\System\jwVClVe.exe | N/A |
| N/A | N/A | C:\Windows\System\sRluTPY.exe | N/A |
| N/A | N/A | C:\Windows\System\XgxloNg.exe | N/A |
| N/A | N/A | C:\Windows\System\GzKVyZx.exe | N/A |
| N/A | N/A | C:\Windows\System\aZGNjxD.exe | N/A |
| N/A | N/A | C:\Windows\System\EeUiIAB.exe | N/A |
| N/A | N/A | C:\Windows\System\WJKGlIU.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQSggQG.exe | N/A |
| N/A | N/A | C:\Windows\System\CoHVkrj.exe | N/A |
| N/A | N/A | C:\Windows\System\oAxQiFK.exe | N/A |
| N/A | N/A | C:\Windows\System\nmDcelW.exe | N/A |
| N/A | N/A | C:\Windows\System\xYpzdsn.exe | N/A |
| N/A | N/A | C:\Windows\System\VUkHcpy.exe | N/A |
| N/A | N/A | C:\Windows\System\KkLTvYG.exe | N/A |
| N/A | N/A | C:\Windows\System\PvoBTKT.exe | N/A |
| N/A | N/A | C:\Windows\System\AKWTyew.exe | N/A |
| N/A | N/A | C:\Windows\System\UruJsGg.exe | N/A |
UPX packed file
64 hits recorded; the description, indicator, process and target fields are N/A for every hit.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_de94cb8d077771587d99b9eca1cd7251_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZaDtxoL.exe
C:\Windows\System\ZaDtxoL.exe
C:\Windows\System\VZMctgN.exe
C:\Windows\System\VZMctgN.exe
C:\Windows\System\lpHhoNO.exe
C:\Windows\System\lpHhoNO.exe
C:\Windows\System\YMDopTT.exe
C:\Windows\System\YMDopTT.exe
C:\Windows\System\jwVClVe.exe
C:\Windows\System\jwVClVe.exe
C:\Windows\System\sRluTPY.exe
C:\Windows\System\sRluTPY.exe
C:\Windows\System\XgxloNg.exe
C:\Windows\System\XgxloNg.exe
C:\Windows\System\GzKVyZx.exe
C:\Windows\System\GzKVyZx.exe
C:\Windows\System\aZGNjxD.exe
C:\Windows\System\aZGNjxD.exe
C:\Windows\System\EeUiIAB.exe
C:\Windows\System\EeUiIAB.exe
C:\Windows\System\WJKGlIU.exe
C:\Windows\System\WJKGlIU.exe
C:\Windows\System\ZQSggQG.exe
C:\Windows\System\ZQSggQG.exe
C:\Windows\System\CoHVkrj.exe
C:\Windows\System\CoHVkrj.exe
C:\Windows\System\oAxQiFK.exe
C:\Windows\System\oAxQiFK.exe
C:\Windows\System\nmDcelW.exe
C:\Windows\System\nmDcelW.exe
C:\Windows\System\xYpzdsn.exe
C:\Windows\System\xYpzdsn.exe
C:\Windows\System\VUkHcpy.exe
C:\Windows\System\VUkHcpy.exe
C:\Windows\System\KkLTvYG.exe
C:\Windows\System\KkLTvYG.exe
C:\Windows\System\PvoBTKT.exe
C:\Windows\System\PvoBTKT.exe
C:\Windows\System\AKWTyew.exe
C:\Windows\System\AKWTyew.exe
C:\Windows\System\UruJsGg.exe
C:\Windows\System\UruJsGg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| BE | 88.221.83.219:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 219.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3524-0-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp
memory/3524-1-0x000001B584590000-0x000001B5845A0000-memory.dmp
C:\Windows\System\ZaDtxoL.exe
| MD5 | 87e8edcfbb87acc9a2984cdeb8f3474f |
| SHA1 | 16137ee6e2f3bb1b2ebbfd34b0570ab88ca7c541 |
| SHA256 | 2572ad178277e8eee432116ce25d3b5c978e5aba360d4df84d56816b9a1d545c |
| SHA512 | 18e9d6cc2e89d0dd82e2e2e698e8a851d291f541dcb2c9c4da27f960b063b9de0b7117151ae62f785fd61fd13b56e9590f5aa325d8da561d47e2605e657b4014 |
C:\Windows\System\lpHhoNO.exe
| MD5 | 8fea7c5f197ce5aa6e1534f718472ac8 |
| SHA1 | e43d77245a9606ebda974cb421d1e604e87ae9b6 |
| SHA256 | 8ae5076d9cb1a41f0fa459109d1bf98f7a69d6b9773a100b34e33e4714584605 |
| SHA512 | 6bf0bbf5ce65d0d327c72501d34a3c521789c1df6b57326057f2103cd5e9563be13db9fa083d0095a8efa29e65b5bb4b2f7160266ce9c0210ad049dd51db9915 |
C:\Windows\System\VZMctgN.exe
| MD5 | c6369448894e658a77370b35e47b3801 |
| SHA1 | 695304ae51b9cd9727ebd510e2012dd2c09ffb2a |
| SHA256 | 85560513280d502e0fcccae68ca78adf65c3655a784a10191301653b20f4ff50 |
| SHA512 | 92ce9c199428c7321d89028e804764474c973c6df9736626c7a0954415303eaf5e5928927d99ff8f06fb69a166ea8106a469c6cfa650b95f220873c2944582fb |
memory/2552-29-0x00007FF6B6840000-0x00007FF6B6B91000-memory.dmp
C:\Windows\System\sRluTPY.exe
| MD5 | 96d7a3d0fc06b39775f740dbe1c35504 |
| SHA1 | c520bd842ece71e1871f59efc67e85112d858bff |
| SHA256 | 205521d54420c1b76be3180b9f777a9be0575f0b86a0599b0744be0014a1a631 |
| SHA512 | f4aabb581461cbf5f1bb1aee49eaa67c2a44cd8388c9dcc24e66d4d3723033d8bf6b5c6b51225ba56121249191b1d1b1f70dec48d1854d2e03600436cbd57371 |
C:\Windows\System\GzKVyZx.exe
| MD5 | 0ab4424d8ae3b34f5ab4d32b040306f6 |
| SHA1 | cd0cc0e4a2c3385a84f844a057c6b65a3dd9eddd |
| SHA256 | af766c34deb9101154a35d717360994ca595d5b96e28900ea5d5b76b8950227a |
| SHA512 | b9cdec7df53070b79b335b32f916312ff601568f9a73a4ef55ab8149f83fddb6ffb14eb1406ce8d2124b9018e31298faeb49d0d3dc418664e8d1bcc6963e0412 |
C:\Windows\System\aZGNjxD.exe
| MD5 | 02e68dd75bf349457081a6dc85064f4c |
| SHA1 | c29a58f594179fe22635e27e2d8f5212c11148b3 |
| SHA256 | f9d89ef716d598e230d54e8949037018562e65f6a2694ef7ac21f3e47ab1dbce |
| SHA512 | af3640335e5f39f1bf18d84015b24d6e8c8fcc94c84ec0a16602d2e9947025dbc3fd1fbbba2fee5867cee41ffbcd2d17c8da4c24251d44e8e88e357cbd3b2a05 |
memory/2720-45-0x00007FF798EA0000-0x00007FF7991F1000-memory.dmp
C:\Windows\System\EeUiIAB.exe
| MD5 | 9596f62e99ebe3a99ac71c184708e3fe |
| SHA1 | 42b1cde965833938ae2e1ff87e97a4a73cac514b |
| SHA256 | def01387f1b892c6596603b02ea4291f953dd217ad48412d9b8e298bb62efcd1 |
| SHA512 | ce33bf6cbc4d7a5a2f56767795817875eacd9c64fa16fe3d60c7a47a068f097a7a2793cf304f448d612e687d157c23c67f51a89afd08495ec846cfa51ac1241a |
memory/3772-66-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp
C:\Windows\System\WJKGlIU.exe
| MD5 | 88e7861c910d57a922da1aac73975a7f |
| SHA1 | bb6982c292d9ac75fc21000359210b21ff87d594 |
| SHA256 | 719a814d8bc85dbd0e5a21f88b15c12db2c4c257e336a3673a133ff54d8b07ad |
| SHA512 | dce2c6c0e138c530d056418f71ada871ee3b8efa2205bbb02fbb6b6b691bc1473be9e21474d548315dd610f009831f9c510e2cdff4fdd1aefe1f7607ae8d484d |
memory/2328-73-0x00007FF6CC340000-0x00007FF6CC691000-memory.dmp
C:\Windows\System\oAxQiFK.exe
| MD5 | b44a7a57e14096a9f431d0f0fb2a8e25 |
| SHA1 | 816191134a3025cbadd3e48fd164f6d039eeb715 |
| SHA256 | f8db696ab3532e63d7d4f93389ea875f019d704cee0067ac21bea01c16952029 |
| SHA512 | 2b916c8ff735e471b585310e1e1efc9755168b843a452642b30655d017cd26789fe0963ade00f827bf8ad47daecb3c8ecc0c8b0452fed885a2b39b6ecd44161a |
memory/2372-86-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp
C:\Windows\System\xYpzdsn.exe
| MD5 | 7882ecf089d9e716ecf70d4a64cc6473 |
| SHA1 | 6d29747538b1c8d1c6f1ee089ceb18228cef5aab |
| SHA256 | ce2ba9bd811f7fd760695a248bd46a85abbc81ae6e2be85d46d89012b6d3526d |
| SHA512 | 9ac0cfa901bb74e79cee6dac58835b3684e753ebed66600eb0d521fc92e635506b6d1408f4345a56828108287458f5863406fe865185408fe0b5a2e306f361b4 |
C:\Windows\System\nmDcelW.exe
| MD5 | 17f0516b58f54139b73154dbc6330c6e |
| SHA1 | 298b0e479a69fbaabb889c08c436b01e89b197a5 |
| SHA256 | 1b35d93ad0c1563a49f0203b890995989aad426c3fd0238ae8f3e272a4fd96bc |
| SHA512 | eaf3f031b4e2e15bae5bd39d6b87b188d605b065dd566c6bf85513ea58e25280d62d622c2c04d166b40997c5904ecca2a4a66f9e2dcb9fedee8da217d9f797a7 |
memory/2872-83-0x00007FF6DCCA0000-0x00007FF6DCFF1000-memory.dmp
memory/1248-82-0x00007FF6FFE70000-0x00007FF7001C1000-memory.dmp
memory/2444-81-0x00007FF77B110000-0x00007FF77B461000-memory.dmp
memory/2100-79-0x00007FF7BAEA0000-0x00007FF7BB1F1000-memory.dmp
C:\Windows\System\CoHVkrj.exe
| MD5 | 530ba1ee15541d5a4a62e366caa23ad0 |
| SHA1 | 61a95066484b000d8822a7e9faea2b08ff57a5fd |
| SHA256 | e4e9f1dfdfbb45630588fd1477171f0934100f2c294a70346579aee60edc88dc |
| SHA512 | d2fd70270795c6b1f6d2b7668aba2bea30ed776efd24e16721c9d74c641d5f94989a38394222ba0f54c1cda11fdbe345b3eaaaba934c634ad00744c6e51045cc |
C:\Windows\System\ZQSggQG.exe
| MD5 | d2a4496f7414a6e4c166c5386db44c52 |
| SHA1 | f267976cb51d5d9925502d618e79bf577660a2da |
| SHA256 | 815a0c3b3376338af46eaa207bdf94a227a5287d42ef864d593eb912ed6fb163 |
| SHA512 | 1c75552f1cb04b1c45092342548e1986685f4cea9a66e37f802212b35304f2155b6ad9a3ff7f8ae236a9a92d1adfe61754a6758779e03fdac4adbccbd726ba55 |
memory/3740-71-0x00007FF6597F0000-0x00007FF659B41000-memory.dmp
memory/3824-67-0x00007FF672F20000-0x00007FF673271000-memory.dmp
memory/4448-62-0x00007FF6D38E0000-0x00007FF6D3C31000-memory.dmp
C:\Windows\System\XgxloNg.exe
| MD5 | 830b1453fd09537dd237d70a39cab526 |
| SHA1 | 6239d4f9dafdfe96be3606e13171f44935ed4771 |
| SHA256 | 179ca7cb92af0abf5bcacd2b9a763d36192b83b182e3fa64262c0f7aed0a1d51 |
| SHA512 | 011ab580893896ce09a529c590fb445742e1dcc54ab2a9bd9b733b5183703bf0c439d5e9f37becf71bc62ead91471cbbf8cb9f57564e3ef51a9a43dcb0f4b867 |
C:\Windows\System\jwVClVe.exe
| MD5 | e160607c756c0cd2e61a25ade5cd4551 |
| SHA1 | 2cd60978a4654ba86beb59bc0b1ebb19cb2f8fb3 |
| SHA256 | 41d23fe22f3c6fd30df5398fdfa39029dea984f673c76aa3d6cc75d6f4e17b26 |
| SHA512 | 75b016f7a2cd22dca4dd2394f30c995d68cf521fc201f7558cdb3a4e9153b209d09bf9d7c57967ab9e87790857dd1835abba61507292bf95793156cda4d721ae |
memory/628-25-0x00007FF6CC770000-0x00007FF6CCAC1000-memory.dmp
C:\Windows\System\YMDopTT.exe
| MD5 | f1fb829d1be5e87c7505bdccbcc0be70 |
| SHA1 | 1ed14f9a1c94ea4af8cfd967c403c4d0d98e2fbb |
| SHA256 | e5d24fe7f7f22d2b49689d936cb2337e9b3b1f3cf2917ba9d6cb1cd957fe1b2e |
| SHA512 | 34a057be91c2c3a141c22f047f308631d4f1b52bbf6ca9aea26511c6c641e8b5123d17059840866947534f40ce1d7ee4aecd6e6cc2d8f038adb13c006e0f0405 |
memory/3900-12-0x00007FF60F050000-0x00007FF60F3A1000-memory.dmp
C:\Windows\System\VUkHcpy.exe
| MD5 | 5c69cddb8b852f8abdb0f673df50d2ee |
| SHA1 | 6623da1da8683987140e848efa091f323cc94312 |
| SHA256 | f3b79115de7f955575fc3ed4493bb5104225fd9ea8d0ba43c9e4f76278abdf91 |
| SHA512 | f6e07964ca0fdf21aa2189d53a35ff9d9d8b6cf2fa6cdc1e8eacbf8b456ce93aade0ab79be4b72279459584b96f3de55e63027fe5773e15858607ec40812812f |
C:\Windows\System\KkLTvYG.exe
| MD5 | 0e1fae0faaca22a843e215685c852ef8 |
| SHA1 | a334dbf2950582a2ec185106d67b480a187ca5ed |
| SHA256 | 1cf6252f67f75caf1f3c42986d04ffc396d944d99370b42fed851aed71123259 |
| SHA512 | 97b9adacf0e67cb984ce2f8bb12031c1b395c68758c558ea8e93856eda0510dcd11b384395d7ad84fa69f6acc5c71163605e1a66d19d5c1e9c0ca772b1cc674c |
C:\Windows\System\UruJsGg.exe
| MD5 | 553a05130eb8055fe248a2ecea99e207 |
| SHA1 | c44e8291b10f4d76fa564780b403559560c78c25 |
| SHA256 | 5f249f57f83beb1cebacf5b884bb6f2a1afb31d7ddfbbe72498d75f15731dd8c |
| SHA512 | 8b7e8bbe5142aba1dec305b5cb375e75c57cd9723aaf88948d8c5a37ae89d985b036cf0a12d2d39f4d34764ff2fd30462c5c55217bfc2a276d384a60f38849b8 |
memory/2104-142-0x00007FF753E90000-0x00007FF7541E1000-memory.dmp
memory/1000-143-0x00007FF64D270000-0x00007FF64D5C1000-memory.dmp
memory/2952-144-0x00007FF62A420000-0x00007FF62A771000-memory.dmp
memory/1844-141-0x00007FF6392A0000-0x00007FF6395F1000-memory.dmp
memory/4880-140-0x00007FF7CEAA0000-0x00007FF7CEDF1000-memory.dmp
C:\Windows\System\AKWTyew.exe
| MD5 | af2e9b17df2b3a3053222cbde9f9e53c |
| SHA1 | 133be167aa9120748f12158a1ed10406bfe86530 |
| SHA256 | 909e98b5cf0c92e3ea3c1efdfd9dd16d82e1f358cbbac1f4e74dc6702d4c6719 |
| SHA512 | f5f3b5d36a50321932e46ada5842e0cf6d5904cf52fd7877c6317add61e2d0755530a8b8c46ff8fab337484abef946cd61ce0ad781984186c10e57877c19e1a5 |
memory/4556-129-0x00007FF658350000-0x00007FF6586A1000-memory.dmp
memory/2248-128-0x00007FF67DB80000-0x00007FF67DED1000-memory.dmp
C:\Windows\System\PvoBTKT.exe
| MD5 | 92ea7dcbf2e2a816da613db73e74bf03 |
| SHA1 | 2cdb5e67146f84ff91005a736bbe02acd31ffc3a |
| SHA256 | 287c022e91a0d1bfddfaead13e90fa94da71229082ee714d17f064c3d8563f8f |
| SHA512 | 76c5b6b44b0479250bb616abcb420e8e5801d5f796e2a7e72855bac47637d9a0d3aa1d495b403d61d98515ac894cb619e28a5c04cc1ad060cc7e1dfe9ce688d2 |
memory/3824-110-0x00007FF672F20000-0x00007FF673271000-memory.dmp
memory/4448-106-0x00007FF6D38E0000-0x00007FF6D3C31000-memory.dmp
memory/2720-105-0x00007FF798EA0000-0x00007FF7991F1000-memory.dmp
memory/2552-102-0x00007FF6B6840000-0x00007FF6B6B91000-memory.dmp
memory/628-100-0x00007FF6CC770000-0x00007FF6CCAC1000-memory.dmp
memory/3524-97-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp
memory/3524-145-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp
memory/3524-167-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp
memory/3524-168-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp
memory/3900-192-0x00007FF60F050000-0x00007FF60F3A1000-memory.dmp
memory/628-194-0x00007FF6CC770000-0x00007FF6CCAC1000-memory.dmp
memory/3740-196-0x00007FF6597F0000-0x00007FF659B41000-memory.dmp
memory/2552-199-0x00007FF6B6840000-0x00007FF6B6B91000-memory.dmp
memory/2328-200-0x00007FF6CC340000-0x00007FF6CC691000-memory.dmp
memory/4448-204-0x00007FF6D38E0000-0x00007FF6D3C31000-memory.dmp
memory/2100-206-0x00007FF7BAEA0000-0x00007FF7BB1F1000-memory.dmp
memory/3772-210-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp
memory/2444-209-0x00007FF77B110000-0x00007FF77B461000-memory.dmp
memory/2720-203-0x00007FF798EA0000-0x00007FF7991F1000-memory.dmp
memory/3824-212-0x00007FF672F20000-0x00007FF673271000-memory.dmp
memory/2872-214-0x00007FF6DCCA0000-0x00007FF6DCFF1000-memory.dmp
memory/1248-216-0x00007FF6FFE70000-0x00007FF7001C1000-memory.dmp
memory/2248-222-0x00007FF67DB80000-0x00007FF67DED1000-memory.dmp
memory/2372-220-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp
memory/4556-219-0x00007FF658350000-0x00007FF6586A1000-memory.dmp
memory/1844-234-0x00007FF6392A0000-0x00007FF6395F1000-memory.dmp
memory/1000-236-0x00007FF64D270000-0x00007FF64D5C1000-memory.dmp
memory/4880-240-0x00007FF7CEAA0000-0x00007FF7CEDF1000-memory.dmp
memory/2104-242-0x00007FF753E90000-0x00007FF7541E1000-memory.dmp
memory/2952-239-0x00007FF62A420000-0x00007FF62A771000-memory.dmp
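To turn the Network and Files tables above into something a blocklist or a hunt query can consume, here is an added parser (my example, not report output and not the sample's code) that reads an excerpt of the report in its page format, collects the per-file hashes, checks that each digest has the length its algorithm requires, and counts external destinations once DNS reverse lookups and the Bing traffic are set aside as sandbox background noise. Treating the 8.8.8.8:53 PTR queries and the bing.com / bing.net hosts as noise is an assumption made for illustration; what remains in this report is a single destination, 3.120.209.58:8080, contacted repeatedly over TCP. The parser also tolerates rows in which the blank Domain column has shifted the protocol cell, which is how several of the 3.120.209.58:8080 rows are rendered above. The excerpt below carries only a few of the page's rows, so its counts are smaller than the full table's.

```python
import re
from collections import Counter

# Constructed excerpt of this report in its page layout. Values are copied from the
# tables above; the set of rows is shortened, and one 3.120.209.58 row is kept in the
# shifted form the page uses (protocol in the Domain column) to exercise the parser.
REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 88.221.83.219:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/3524-0-0x00007FF6D0B20000-0x00007FF6D0E71000-memory.dmp
C:\Windows\System\ZaDtxoL.exe
| MD5 | 87e8edcfbb87acc9a2984cdeb8f3474f |
| SHA1 | 16137ee6e2f3bb1b2ebbfd34b0570ab88ca7c541 |
| SHA256 | 2572ad178277e8eee432116ce25d3b5c978e5aba360d4df84d56816b9a1d545c |
C:\Windows\System\lpHhoNO.exe
| MD5 | 8fea7c5f197ce5aa6e1534f718472ac8 |
| SHA1 | e43d77245a9606ebda974cb421d1e604e87ae9b6 |
| SHA256 | 8ae5076d9cb1a41f0fa459109d1bf98f7a69d6b9773a100b34e33e4714584605 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
PROTOCOLS = {"tcp", "udp"}
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: these hosts are sandbox background traffic, not attacker infrastructure.
NOISE_DOMAINS = ("bing.com", "bing.net")


def parse_report(text):
    """Return (files, connections): files maps a dropped path to its {algo: hex}
    digests; connections is a list of dicts with country, dest, domain, proto."""
    files, connections = {}, []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Network", "Files"):
            section, current = line, None
            continue
        if section == "Files":
            if DRIVE_PATH.match(line):
                current = line
                files.setdefault(current, {})
                continue
            m = HASH_ROW.match(line)
            if m and current:
                files[current][m.group(1)] = m.group(2).lower()
        elif section == "Network":
            if not line.startswith("|") or line.startswith("| Country"):
                continue
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) < 3:
                continue
            # Locate the protocol by value, not by column: rows with an empty
            # Domain cell are rendered with the protocol shifted left.
            proto = next((c.lower() for c in cells[2:] if c.lower() in PROTOCOLS), "")
            domain = next((c for c in cells[2:] if c and c.lower() not in PROTOCOLS), "")
            connections.append({"country": cells[0], "dest": cells[1],
                                "domain": domain, "proto": proto})
    return files, connections


def validate_hashes(files):
    """List (path, algo, length) for any digest whose length does not fit its algorithm."""
    return [(p, a, len(v)) for p, h in files.items() for a, v in h.items()
            if len(v) != EXPECTED_HEX_LEN[a]]


def candidate_c2(connections):
    """Count contacts per destination after removing resolver traffic, PTR lookups
    and the assumed-benign Microsoft hosts."""
    hits = Counter()
    for c in connections:
        _, _, port = c["dest"].rpartition(":")
        if port == "53" or c["domain"].endswith(".in-addr.arpa"):
            continue
        if any(c["domain"] == d or c["domain"].endswith("." + d) for d in NOISE_DOMAINS):
            continue
        hits[c["dest"]] += 1
    return dict(hits)


def sha256_iocs(files):
    """Sorted SHA256 values of every dropped file that has one."""
    return sorted(h["SHA256"] for h in files.values() if "SHA256" in h)


if __name__ == "__main__":
    files, conns = parse_report(REPORT_EXCERPT)
    print("dropped files:", len(files), "hash problems:", validate_hashes(files))
    print("candidate C2:", candidate_c2(conns))
    print("sha256:", sha256_iocs(files))
```

Filtering by value rather than column position is deliberate: the same report renders the empty Domain cell in two different ways, and a positional parser would misfile the protocol as a domain and silently drop the only non-noise destination on the page.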