Analysis Overview
SHA256
d97d5c9d05f05bcd1dd782000ab28732a17396be628928006eceb118db193b4b
Threat Level: Known bad
The file 2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:06
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:06
Reported
2024-05-29 19:08
Platform
win7-20240221-en
Max time kernel
149s
Max time network
155s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\uPklOWF.exe |
| C:\Windows\System\bttwbLI.exe |
| C:\Windows\System\THsAlNq.exe |
| C:\Windows\System\dSAcUNf.exe |
| C:\Windows\System\IsTFYLl.exe |
| C:\Windows\System\OOdQhPc.exe |
| C:\Windows\System\tFiYSvI.exe |
| C:\Windows\System\oWyytyW.exe |
| C:\Windows\System\wzMZuuC.exe |
| C:\Windows\System\IajjOSC.exe |
| C:\Windows\System\VzdFPPZ.exe |
| C:\Windows\System\DZLMvgm.exe |
| C:\Windows\System\QZAGFsq.exe |
| C:\Windows\System\hZYRMbu.exe |
| C:\Windows\System\AXiuPCe.exe |
| C:\Windows\System\zEydxZi.exe |
| C:\Windows\System\yiBawIa.exe |
| C:\Windows\System\BWsoARf.exe |
| C:\Windows\System\wlhBPqA.exe |
| C:\Windows\System\GVeyksE.exe |
| C:\Windows\System\AJjkuLn.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\uPklOWF.exe
C:\Windows\System\bttwbLI.exe
C:\Windows\System\THsAlNq.exe
C:\Windows\System\dSAcUNf.exe
C:\Windows\System\IsTFYLl.exe
C:\Windows\System\OOdQhPc.exe
C:\Windows\System\tFiYSvI.exe
C:\Windows\System\oWyytyW.exe
C:\Windows\System\IajjOSC.exe
C:\Windows\System\wzMZuuC.exe
C:\Windows\System\VzdFPPZ.exe
C:\Windows\System\DZLMvgm.exe
C:\Windows\System\hZYRMbu.exe
C:\Windows\System\QZAGFsq.exe
C:\Windows\System\yiBawIa.exe
C:\Windows\System\AXiuPCe.exe
C:\Windows\System\BWsoARf.exe
C:\Windows\System\zEydxZi.exe
C:\Windows\System\wlhBPqA.exe
C:\Windows\System\GVeyksE.exe
C:\Windows\System\AJjkuLn.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 19:06
Reported
2024-05-29 19:08
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\nunblcU.exe |
| C:\Windows\System\uTGoXse.exe |
| C:\Windows\System\JXhqDsc.exe |
| C:\Windows\System\VKtzmCA.exe |
| C:\Windows\System\ciZPiEn.exe |
| C:\Windows\System\JnUoxAE.exe |
| C:\Windows\System\ZrnEiYy.exe |
| C:\Windows\System\DAbGzmX.exe |
| C:\Windows\System\EOsFtaH.exe |
| C:\Windows\System\RpmIklx.exe |
| C:\Windows\System\VTRPhhj.exe |
| C:\Windows\System\DZUfbYU.exe |
| C:\Windows\System\UIktQQO.exe |
| C:\Windows\System\THpwlhF.exe |
| C:\Windows\System\IdfmynO.exe |
| C:\Windows\System\aTFmtsY.exe |
| C:\Windows\System\TUYOAaU.exe |
| C:\Windows\System\FEwdgcO.exe |
| C:\Windows\System\aehbaFK.exe |
| C:\Windows\System\csPqrAC.exe |
| C:\Windows\System\dOTyfxG.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a9d825410512a227ede48763fe742f63_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\nunblcU.exe
C:\Windows\System\uTGoXse.exe
C:\Windows\System\JXhqDsc.exe
C:\Windows\System\VKtzmCA.exe
C:\Windows\System\ciZPiEn.exe
C:\Windows\System\JnUoxAE.exe
C:\Windows\System\ZrnEiYy.exe
C:\Windows\System\DAbGzmX.exe
C:\Windows\System\EOsFtaH.exe
C:\Windows\System\RpmIklx.exe
C:\Windows\System\VTRPhhj.exe
C:\Windows\System\DZUfbYU.exe
C:\Windows\System\UIktQQO.exe
C:\Windows\System\THpwlhF.exe
C:\Windows\System\IdfmynO.exe
C:\Windows\System\aTFmtsY.exe
C:\Windows\System\TUYOAaU.exe
C:\Windows\System\FEwdgcO.exe
C:\Windows\System\aehbaFK.exe
C:\Windows\System\csPqrAC.exe
C:\Windows\System\dOTyfxG.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\nunblcU.exe
| MD5 | 6a17440191129a51660a07187ba4338d |
| SHA1 | 82eb31ec8937fe23c1851a1f08dd76e7aa76b400 |
| SHA256 | ff13e986c4cec0788061effca681bdb371d4715c326774df536982a8a89af7d5 |
| SHA512 | 69931d338c1108ea968cfa0c81f534a931308ab78d95f1f3c4e730fde9cb923e4c3d4ed86e193974f360a2f2c05eb20c6b9d5b44bf99e7087016611cc4664ccc |
C:\Windows\System\JXhqDsc.exe
| MD5 | 99e341f578e5eb457dd4982767f68fee |
| SHA1 | 99163eb5d3b1900b07921a42478b65b12e8a8b8c |
| SHA256 | 3f2141675da4be077023cdec4cedf1ab1aae925b83b84483a965d1c58dbc0459 |
| SHA512 | cbecbf46f7b7c20a54e5f3bd1fb5725ab12d440c0a73c233054598f6beeefd94b110a662975f0317231609a41995c047ae3894d7ca0e9b5d1b12815e047c68ff |
C:\Windows\System\uTGoXse.exe
| MD5 | 63cf98ec3ce30c079841ff09a6d9fe4a |
| SHA1 | 16941d5ddc29f0e748df8d6320db52a59cd0b8d8 |
| SHA256 | 7df2657048363e0203c3b5c43d096bbef5171fe48cb4311771f3bc3c33f455c1 |
| SHA512 | 1121392aa8c99df15793bfaf06abcdc4fc62d4a95cac31a8778926e5395eec6ce39cf923deefb8b52b33cd306e44523f3176fb3c9cb52848553cc2dccdfa82b6 |
C:\Windows\System\VKtzmCA.exe
| MD5 | fe35258404c60a15baba77c307f273b2 |
| SHA1 | 0c3f92ea6875d6a612c14f02fa209802b2b9d79f |
| SHA256 | 58fb3f57387df1435f7897a7165beaaea32cc7e163c50f2d0bc4de71da98d31e |
| SHA512 | 92d119f12275b275164ca0723e42574ba8e7fc8bd99d8e1fb9885723ec77c314365cf38d38de77a927db1f776b225130f106311599473e0d738bc0d1de8ee398 |
C:\Windows\System\ciZPiEn.exe
| MD5 | 025a38eccf826ed7feb9f987327b307a |
| SHA1 | 614ff00eb9620f47854593e8458bc7bef9f4e155 |
| SHA256 | c2965fe7102c27ad0464d95efc1aaa7420122e77c3af5b7ff95033d7809d3e6b |
| SHA512 | 3949c6942a7a6547b6a92d955a75fe660a0122c76d7e77add457cce1fd54e905461e897ad74415ee1ce589b2f704697fb6de05f109c07f5a448904f8d953a63b |
C:\Windows\System\JnUoxAE.exe
| MD5 | 21d3f6b1c35d891515d46df129a78bb0 |
| SHA1 | 5016d08df8db6d1f752f833a67e4eb789a72d9e9 |
| SHA256 | af6ee2996397956a993786333bc631b9600e740d1e9caa2f713789b64356ea5c |
| SHA512 | 64c43c303a5e6b00f9a088589a46a7e31ed037882fdafc2d0f826c22e449d8946c4b1aedf456b3283dff30bce59ec2ed8b991e949c93b8fb0b4dfca837855d02 |
C:\Windows\System\ZrnEiYy.exe
| MD5 | 83721d41d44915c45af112aa75de7219 |
| SHA1 | d69dc46c921387102ee8610bbef7fb3db29a6411 |
| SHA256 | 3c103ff0340d3ebf70526026253043043dce787b154193d5712428723576032e |
| SHA512 | e3931f766c0e91210281b2e1c43452f0a7b710c25b038c3fcdc62e901ae689d643ea18076aac213402b99526da1c2bdf51bb8e7b502fe70ca774cc52e35a7aac |
C:\Windows\System\EOsFtaH.exe
| MD5 | 48550cbea7033e596fdb6999116d0586 |
| SHA1 | 98bbe6cdcee8b83aa7a26596915b86894c01ee53 |
| SHA256 | 0d44953f8c237e56061b40d02bf51fe1c9cea12ff665d09c1d717e4d7eaff724 |
| SHA512 | 6770346edc8556a31a5e199d1c8e26a2242cd593dfc822827e79ad75788031edecb9008a47924ab87735efd8ae9c4fe78a0bac412e098bedcda5cb8fb6d36e77 |
C:\Windows\System\VTRPhhj.exe
| MD5 | 8f7b6473d3e7cc09d1bf7fa67334b289 |
| SHA1 | 77fd84729f803b6b696bbec66c058cbd18a42952 |
| SHA256 | 214817d74a921ac151ba6c19bcddaa74791a5511576b3db666b0d95905979270 |
| SHA512 | 9f0b1a74e9a24cf317a1f018dd9814e98efb5ad55ce9172c7e5dced2b71ed2c1c78fa09a558ede844cc8e15ac2ef90820101d2097e47324671ace4fdc4010789 |
C:\Windows\System\UIktQQO.exe
| MD5 | db59b88abc144572547adc6011dcde8f |
| SHA1 | 5d41a1f3fa0012f5774abd01372bed5b189f387b |
| SHA256 | 64ebc3119dee76e2b96c44661b21e6ff42bfde0065aee796205768bdc1e1b2ac |
| SHA512 | dfafd76b5bcae6ff3d55a60d20199de5a3511fe6fd575b03eb815740cf26e6bf296faebcc11ba48c1b0ea0ec128c89396288b5e28d74a8abda5935f291e38af9 |
C:\Windows\System\THpwlhF.exe
| MD5 | 2b05eaece3420f3e5618f37b599be2b0 |
| SHA1 | f1bb42fbe17a671857bd0673fae909f43762e893 |
| SHA256 | f43c44fd58ae903d2163a0e45d1736adaebffc9c4ab40c71e842b55681ab9ec6 |
| SHA512 | a2432a4c57a0d2b67552f634be948e97691abe23fb4bf5d7ed299cb18ebe45bfb01aae9b0116110030c4d92db29ba8b7fd1185a7541c57ccf1374019e87e44d9 |
C:\Windows\System\aTFmtsY.exe
| MD5 | 22508e0fe9df66bcd137348b1e513a63 |
| SHA1 | e57c34b76194f498fadfdcff41365403cbcc4c74 |
| SHA256 | 12cc3469125857c6a125d3a667965731535bdd6a78e547ede2b61ef4ff6ce7c2 |
| SHA512 | 1ff53a183d2d5b6e360fc33586388791b3be1563ef20a8839d4334dd512dd577a69c39a0afddca4586c278398f438b22b0e5cff8c28ce7c6cdc50801e5319992 |
C:\Windows\System\TUYOAaU.exe
| MD5 | d9cb084fe8b3b909689aa673a8043a36 |
| SHA1 | 2e45127afecea677057f02048edb6651ca927e1a |
| SHA256 | d6cd80bbb282c13662e609d38e1909a8a169d7be6e9aec773b4bbd4abc367763 |
| SHA512 | ba99259133107189083d3cdae427a928de6f4b3adbd16628216530768ad9156327ca645e154b4fac53795112e6a065bceb641c93f97412bab41f48df27166169 |
C:\Windows\System\aehbaFK.exe
| MD5 | cd6317d0150c29dc196a0dd21dc090f4 |
| SHA1 | ae1ad71392bb4133dafa2eaf8c21ed5714c8b8db |
| SHA256 | 1a19b848842b90efda972729d53882837201dd512ca3befb8f906e3b17555505 |
| SHA512 | 29d0053f5a1493d807196bc6ff75e270d9375db8c3fedf238d3617c927cdcfcfd36760de64e8e3df60132da99c35bebee5d75c3573eedfdbbc169a4ac590c3ce |
C:\Windows\System\dOTyfxG.exe
| MD5 | fb26d3edbee7d209db41f778dccc2f81 |
| SHA1 | 7d0524cfa76fb6b172d4aa88e7b0073c9a062f26 |
| SHA256 | 55d1fe5d92a092a5456d6f69b3b45a2fe61baaac5869d523c0f98faee3ae15b1 |
| SHA512 | f3b2eba76d1353d4b1d7a9a2886013e20f415246c2dd8e0b385fba8a2c0fe9629dc0471f6d0ad477b321c0bc2aa2886aa2f661e9de742b6c299cd3ab8b52bec5 |
C:\Windows\System\csPqrAC.exe
| MD5 | a56b9f3009aeab30b5cb08bab80b4960 |
| SHA1 | 75e5dfd80d5d1f8e506020df43994848dc957053 |
| SHA256 | c5f7b7fc51fe331eba566506f112781a3dad5c5dd85b2fad8f743a456c27829d |
| SHA512 | 0aea9e32c86094d56f84ab293aed8797ce3f9e23f85cd43644a892f60141f6ba233c49c3be0349c00c51faafec87ff9a7ca5d696f073d4ebdb3159018d3cf975 |
C:\Windows\System\FEwdgcO.exe
| MD5 | 568ab110a451f5cadd8532d71e4902ac |
| SHA1 | c4f562135376409f5efd56772b55ea7e86781f56 |
| SHA256 | 8699510797b7756cc7ddf7beb1e0d7601c9a607aca1b0de577630ca2387e5b3d |
| SHA512 | 71830450a22c470e5ef90f233a8f32a49a9e43845277ae540d8b8b0788aefc992feb1816eae7d44714487a58c3bf64b792b0547f5f3249da5b4b20bdee1f0b2e |
C:\Windows\System\IdfmynO.exe
| MD5 | 3b0b43e90f49a84328259c69af296154 |
| SHA1 | 7420c66487c42ca6fe0603aff8c16ce97c037cfc |
| SHA256 | c59da73168cecc95c4752aa51b91e8ca4aad254a990b518c4cf0ed98856975b1 |
| SHA512 | bba923d975f49ff5855c31340eb6a954005e11b48a2a28ae52a21a84a38439607809093bdf9175f75ac0dd5b6703bfdabf21b4d67b00a67f6bc49e3515b0ede8 |
C:\Windows\System\DZUfbYU.exe
| MD5 | 56c558bfea91ca6502a1e3d090dc1eb7 |
| SHA1 | 45829eee38cc4e9bfabcf7fa570854abfcac9c3d |
| SHA256 | 907c57a47e5cf5af72f37a5b7414d2108fd701475c811e994a62e1ed9783bad7 |
| SHA512 | 424a0628881149c02b5197aacb822e67859cf3c7ab379a82e17114f3528ad9ed8b297c625dea31d96742c6b6d666530124a5c78f7665bf5273ade62f74bda591 |
C:\Windows\System\RpmIklx.exe
| MD5 | b1fd4fac6b18eff34924ac5a1760030a |
| SHA1 | ba6b6cf9afd53ce1aab4778a85a6fae9a4116b53 |
| SHA256 | 38a6e7acb4844b4444ff6a61fcd3aa27285d49a9b597dbe3d1f86086a8567297 |
| SHA512 | 85f0c58a83b076bf679b50dcd0b1a4233247a06f0f87cf32f115af455eb97ab27e40da01261b42be784ba3a716330de2b11ca01494a4af780918c901e2d4713f |
C:\Windows\System\DAbGzmX.exe
| MD5 | 2391d7c44eab7e189f9242e19766e66f |
| SHA1 | db985837ce096e33c49133eefbf2dc33d6f1fa99 |
| SHA256 | 9d65fb6e10745cb99630a21edf83986854a537e0ed4d97b360e8326cdee2e8e5 |
| SHA512 | f34b44d77a4cade3585ac93f10d0a24c07f9aea3718e795ed61b049ce47351dbd29b7c075d584f367d7c5ccebc8ade42963290bfac300b54255dd1441ed9739d |