Analysis Overview
SHA256
8f5e8a45471b4fd09ed2f3a0741dbafe4a64fb0da50e78bc123780f686757757
Threat Level: Known bad
The file 2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
xmrig
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:43
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:43
Reported
2024-05-30 00:45
Platform
win7-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\dzEyfEL.exe | N/A |
| N/A | N/A | C:\Windows\System\zgIlnCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ykeaEkj.exe | N/A |
| N/A | N/A | C:\Windows\System\YSSahni.exe | N/A |
| N/A | N/A | C:\Windows\System\gEGHrte.exe | N/A |
| N/A | N/A | C:\Windows\System\qSNiBFE.exe | N/A |
| N/A | N/A | C:\Windows\System\cyZXuoq.exe | N/A |
| N/A | N/A | C:\Windows\System\AjMrRoY.exe | N/A |
| N/A | N/A | C:\Windows\System\dPpJuKG.exe | N/A |
| N/A | N/A | C:\Windows\System\DIUUdTm.exe | N/A |
| N/A | N/A | C:\Windows\System\SrXvCKm.exe | N/A |
| N/A | N/A | C:\Windows\System\yezppHn.exe | N/A |
| N/A | N/A | C:\Windows\System\AHnstfR.exe | N/A |
| N/A | N/A | C:\Windows\System\ePmKXNx.exe | N/A |
| N/A | N/A | C:\Windows\System\CIrSLFy.exe | N/A |
| N/A | N/A | C:\Windows\System\GImqaar.exe | N/A |
| N/A | N/A | C:\Windows\System\EdFADix.exe | N/A |
| N/A | N/A | C:\Windows\System\ZravysT.exe | N/A |
| N/A | N/A | C:\Windows\System\BHtYVov.exe | N/A |
| N/A | N/A | C:\Windows\System\MxwEOsN.exe | N/A |
| N/A | N/A | C:\Windows\System\BcPTQlP.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\dzEyfEL.exe
C:\Windows\System\dzEyfEL.exe
C:\Windows\System\zgIlnCZ.exe
C:\Windows\System\zgIlnCZ.exe
C:\Windows\System\ykeaEkj.exe
C:\Windows\System\ykeaEkj.exe
C:\Windows\System\YSSahni.exe
C:\Windows\System\YSSahni.exe
C:\Windows\System\gEGHrte.exe
C:\Windows\System\gEGHrte.exe
C:\Windows\System\qSNiBFE.exe
C:\Windows\System\qSNiBFE.exe
C:\Windows\System\cyZXuoq.exe
C:\Windows\System\cyZXuoq.exe
C:\Windows\System\dPpJuKG.exe
C:\Windows\System\dPpJuKG.exe
C:\Windows\System\AjMrRoY.exe
C:\Windows\System\AjMrRoY.exe
C:\Windows\System\DIUUdTm.exe
C:\Windows\System\DIUUdTm.exe
C:\Windows\System\SrXvCKm.exe
C:\Windows\System\SrXvCKm.exe
C:\Windows\System\yezppHn.exe
C:\Windows\System\yezppHn.exe
C:\Windows\System\AHnstfR.exe
C:\Windows\System\AHnstfR.exe
C:\Windows\System\ePmKXNx.exe
C:\Windows\System\ePmKXNx.exe
C:\Windows\System\CIrSLFy.exe
C:\Windows\System\CIrSLFy.exe
C:\Windows\System\GImqaar.exe
C:\Windows\System\GImqaar.exe
C:\Windows\System\EdFADix.exe
C:\Windows\System\EdFADix.exe
C:\Windows\System\ZravysT.exe
C:\Windows\System\ZravysT.exe
C:\Windows\System\BHtYVov.exe
C:\Windows\System\BHtYVov.exe
C:\Windows\System\MxwEOsN.exe
C:\Windows\System\MxwEOsN.exe
C:\Windows\System\BcPTQlP.exe
C:\Windows\System\BcPTQlP.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1712-0-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1712-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\dzEyfEL.exe
| MD5 | ea9b398a7162ef7d129eab24e735eb1b |
| SHA1 | 76bbfd874e520ea67d0b2ef47dcacb9cf434932e |
| SHA256 | 4b25dc6fd3a7ef8e4d4f4c439fbbe582779a86fa53dbd573c196f315c633550a |
| SHA512 | 47da359d74a8fa30fc22ac18c2346972d1a636d361495c6fe8aa8029ec93a5875f8d729a338ee4134251dce7f5baa33895c0a723f65a6c640482a938c387a83d |
\Windows\system\zgIlnCZ.exe
| MD5 | 2d4808cbcf520e1a5b8231dd755ab5d3 |
| SHA1 | 448bef196c8be3efb24faa80b0fb7500527c1a33 |
| SHA256 | 98b839e06dfecb49d5b4935b7f478cc79b9768a3d8925fecc8d48d085366ce5d |
| SHA512 | 2036437964337ae66cb9d3e77784171ef2af93f77f6e3f4220fcbc9ffc175f1414a7de7b3eb90c9660c97ee0098defa234b2ba9a9c4c0dce992f3202c23969e4 |
memory/2216-13-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2232-15-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/1712-14-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2724-22-0x000000013F300000-0x000000013F651000-memory.dmp
memory/1712-20-0x00000000022D0000-0x0000000002621000-memory.dmp
C:\Windows\system\YSSahni.exe
| MD5 | 94b93ed59b45622ec4b296fd39e646ae |
| SHA1 | e57ea9eed9f017a697b617514c7ba6ed4b4a8438 |
| SHA256 | afef2cc85d2e5de8fd416b1ef94eb80ecbdab6765545701c287518bcee7ef9a6 |
| SHA512 | 126854c6931faed292a35fcf59216e2b0a7a35100045745453ad1f6b79076aa188d1ea486c54182523d92bfb1ef5c06d89b6e56c58b2f36fe60dc9a3e2bff6ef |
C:\Windows\system\gEGHrte.exe
| MD5 | f3dc0301d687eb052deeefd15ba65960 |
| SHA1 | 33999a8eff0d28ddeeeca4f7d2b44d3421f8aed7 |
| SHA256 | 4aab19524b15732c292016917f94c3a443e8b916d6831ea0671b60ee7911340b |
| SHA512 | efaae0f610e3c9b639460205ef5d4a8a89318bf01aba1863f38e469cdd199489727cf4703817591874b0a4802429993bc90f7ce839ee16fbd96e5a572abda7bc |
memory/3068-36-0x000000013FF80000-0x00000001402D1000-memory.dmp
C:\Windows\system\AjMrRoY.exe
| MD5 | ae4c8e045092f79428f0d6d642125c80 |
| SHA1 | 8c5c1b6592be3c7854971ce45afb4226ceb3ca38 |
| SHA256 | f9954a7ad3875a2c5029edf988fa7e71c07f3c3af234452d4fdf835a109d983c |
| SHA512 | c936f3d3d69ee5ba03e5bad5fb25d6094701658fb8045106cdca281d784c4eae286455c0a2111fb4f113ab24c20d60afa2a20ce3552398ba906115108b92d0f2 |
memory/1636-59-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2460-61-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1712-66-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2800-79-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1784-87-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2804-94-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
C:\Windows\system\ZravysT.exe
| MD5 | a220eddb39d47838d01bbe33591bbc78 |
| SHA1 | 523a6f612c00c0324e7d779f103cb8bb0140322b |
| SHA256 | aa6936bb9b0d295c771b27a8b6ebe889436d9e5140afa847abd747af79252146 |
| SHA512 | 66a8c9f7c8f2efbb93758b3b008ddc970da984528401aa63e7af924ff1e6d559c2b0372612a0283da3016108cc5408ca03a407aabb75ea1052d7cab9d46e9f2e |
C:\Windows\system\MxwEOsN.exe
| MD5 | d1a55707f778a67768e77e4223669f59 |
| SHA1 | 3f7dea5627936fe24532191caaa0837e9f9b24f5 |
| SHA256 | 38887eca982b9155938d9649efb212349a8e5e1d474152f1ed2dc78fc743bb34 |
| SHA512 | 5a545704290d224d8932a11293f9b650fa098fcac59532a2d786ecac6e89cda1b019eec51e2ea520f3204d7b9633aeb353b4096c2e30faf0c19cd907f744b4b0 |
C:\Windows\system\BcPTQlP.exe
| MD5 | fb7904ce478845a17df0e42182d185e9 |
| SHA1 | b6fa8c1a41a4dd97f63f158781e63a4b8f494547 |
| SHA256 | 87e12677f21599171a594adcd75aaf1325185d0c912db1c771dbb5abbe5a6ce2 |
| SHA512 | 12dc7efa794719df17bec35a8a5178b626e764acb45785b500b0dae2765e64afba311c94701ebc4b51ddf2534ade02007c3108e24723cc368b4a7a4e3d620a73 |
C:\Windows\system\BHtYVov.exe
| MD5 | 36f542b33bdae182b7d567a6a7a319e0 |
| SHA1 | 7688711b3707c1c335e64dbc6df786e0cf33b8e2 |
| SHA256 | c41867ee58f263dbdbc0fc2e1841b617c4e8e8a1f606f36a16a03fa3e01c41ae |
| SHA512 | 71a766518a428673a3312f2624401da28d5b8a25a056a6f7bc8817f25082148ef02976140a382c2eab7c164cbd0cc066aa5bff6cab9abddb83ea458e7140813e |
C:\Windows\system\EdFADix.exe
| MD5 | 1ede5556e35e0f8c5a4ba29960c3eb17 |
| SHA1 | 5aca9b917ec3ae9a8103792563ed1e6a85d1bdb5 |
| SHA256 | d56888f81d0ac1b2dda1dc1a56ea6618c14da825c5cd3df8a81f4508210db4ab |
| SHA512 | f262f44cbdcc39b80d6fe102e66a1fde75821304891cf9ee1a4a25ebf10294f22091db21f3df7f1d2a1aee769e1f1866a9ec8f9283d555e85c53ae9b7f708f0c |
C:\Windows\system\GImqaar.exe
| MD5 | f08337b46f97ee0e6cf3a4fe14e15e69 |
| SHA1 | 259ad82dfb3a53032a38d8b8cdc4732f47d89804 |
| SHA256 | 2a511917c55e51972ddda76e6d593bb7260a5a185f48442cb833ac411f74b04b |
| SHA512 | 52858e64f2c07780097ff386133950032617e896ac18854d757ea16197a9af853556e3b659c9860b9689da99c8797ca5a75f9df79d0969b760673c7a7a7f5919 |
memory/1712-99-0x00000000022D0000-0x0000000002621000-memory.dmp
C:\Windows\system\CIrSLFy.exe
| MD5 | a181f4ddb0fae5e93fc0e5160be412d1 |
| SHA1 | 45c144627af2f99262e1549f59da2c56976ed770 |
| SHA256 | 804422ffa1e47761507b63e22d3c4b7ea09479b2d7c60e8abea174ece4ef2ad9 |
| SHA512 | 4766b83b6d54a0211f24b69bc3eee7a830348cf2bae361b40b22f3bfbd5b86e649e8cfc10e3f5ac820a899b25ec490f436dd5fb404a77d418f42a3045689139a |
memory/1712-93-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2584-92-0x000000013FA90000-0x000000013FDE1000-memory.dmp
C:\Windows\system\ePmKXNx.exe
| MD5 | 768d50117d3ff234ab9c89804cc79036 |
| SHA1 | ac2439b9c8bf6737a1dd01533bcee99a69c34304 |
| SHA256 | e43f34baf9912b509751ce9db6747f4a87aaa814b52522b044562cc3ae395ce7 |
| SHA512 | 13bb9810339c0805803bd4730b89cfd1230f2b5d51b04c826655aef691dafe475b17851011d866980b82a1190eb9a917e42513ef0a34f2f7f9cf21ddc646af3f |
memory/1712-86-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2724-85-0x000000013F300000-0x000000013F651000-memory.dmp
memory/1712-78-0x000000013F590000-0x000000013F8E1000-memory.dmp
C:\Windows\system\yezppHn.exe
| MD5 | 8c9d186dc816f6a150d3fa01eb44eba9 |
| SHA1 | 14d21762d014ed588046c862388e59ca925c1cc5 |
| SHA256 | 5a6421332afeccec560bb0f5adf16b20cabedeb9bee7fc8d82ca0d6de2d955f7 |
| SHA512 | a33ce881bddbb44353f1c01609f98c5380ac39c258fb78207972312ac829b1735ef26c1622459cff4eea28ed60bfd40453ecda487b74d10cc4268349fa9917a6 |
C:\Windows\system\AHnstfR.exe
| MD5 | fadea605dde69a8e7cd379a7f9a67a6c |
| SHA1 | 9540db90b8aefc0c61a0a86eafa71f0f281e270f |
| SHA256 | 96913feb0a9821e1da3277161b91ccece8adca94321d1500cbf037656d9e8c21 |
| SHA512 | 61ffd7887ce669c3fa45f363744af2814fe2572a3af24e98595a882b74bbf5e6454a55cdf968ca83fdda9491ab2426a03be19ec21593c71ce8df07be2dfdd20e |
memory/2528-74-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1712-73-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1712-72-0x00000000022D0000-0x0000000002621000-memory.dmp
C:\Windows\system\SrXvCKm.exe
| MD5 | 34509cf38feae7c7ec3301bfe2d68983 |
| SHA1 | 6cff24bc56c264bf08903980db1965089d81e830 |
| SHA256 | 21ae51685a726a4bc19fa379d7dda34ca45c01f17914146da43808ac1ae81690 |
| SHA512 | 114f5b44b0827b3693cffdfe5c035a26568902ae68fe2c0d409f4ad90e823d1e0af4f9da6e1cc175e62e835161e27b55dae9a3a7adb83886b11dd9452d172d3b |
memory/3000-67-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\DIUUdTm.exe
| MD5 | fc6f8cc0739e82e88914cc6644b8fdc2 |
| SHA1 | d8f0063de52be87d0d58a47ae5802a00870d97d8 |
| SHA256 | b4839057654a46a10bb5f49c5f40745191e6cbeef43bbb6a52675c8fdef6b590 |
| SHA512 | 395cc57ce3c92774907baceab59e9712ba147f76a3ae5c06bbc679b1751ef24df8ed544d967e271e5622c57487a429fd31ad08b0827ad5dcdee39d6649cbf56a |
\Windows\system\dPpJuKG.exe
| MD5 | 7c875e5fcad659f537ade22592195d61 |
| SHA1 | a9deb00f88553db178a6c1fa2d90feb0393b4e8a |
| SHA256 | 281f316b4b39ef2272d438f6d7cc8f4a3d904e02abcef10de6eb2dbdd6e09ed7 |
| SHA512 | 5e0418f1548885d3f90fa8e3fb903ff677ab2c2488fbb54880d32684843fe79f3e90843704fdd7fc25f3cb9cb1a335842c70bddad7a70a9b15d1968005d37aaf |
memory/1712-58-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/1712-57-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2716-43-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1712-42-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2632-53-0x000000013F8E0000-0x000000013FC31000-memory.dmp
C:\Windows\system\cyZXuoq.exe
| MD5 | f44d58b29dfd44d92702c8539903c7c7 |
| SHA1 | bf066eb82fcb7a98bae19e9086a8b04ee64582f1 |
| SHA256 | f8a12ab363c0950a41840c6bb908b8f22468bf8cef876c9e19ae93889f0f748e |
| SHA512 | 0bcca1146cb8a84ae002611d60a16f0690bd3d0fcc0cb83872b964e5f06a67767a8e6a5bc5badef9fc599e24f8323472db99c0e334be4068beaa949a5953f310 |
memory/1636-137-0x000000013FE10000-0x0000000140161000-memory.dmp
C:\Windows\system\qSNiBFE.exe
| MD5 | c6cb962b5764f06175e01992a4de82bd |
| SHA1 | abee51f0976d94e17399f81ad947a59ef625aab8 |
| SHA256 | d5b0cffac72d4ceac2ef0cb91582f49afb47aac0efbf427a9b8cbc514482f163 |
| SHA512 | 5d1f5a726d4c7989bebe07d1aebb3ba1b8059fb71ab2524c3cd86e3c10520193a4e966182907c35b0fbe869f164be9aa572f54b042fe55fdc6eee0fd955c6c77 |
memory/1712-35-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2584-28-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/1712-27-0x000000013FA90000-0x000000013FDE1000-memory.dmp
C:\Windows\system\ykeaEkj.exe
| MD5 | 7502d89261fed62796b89ec890740b90 |
| SHA1 | def1919343a8991f9d300941cf858ee80f2eb74c |
| SHA256 | dc5b80e9cbda76fcb863c9b1216275852050354cdb4190a55dfea055342ee700 |
| SHA512 | 6940de9c4e1c3e399d59eda824e97d367446f2176b68da8c98b7113054fcece49bb98c1a4b31ba010a9b24bbc046ba5194117110ce3a9123d7144e72868ffd88 |
memory/2460-146-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1712-138-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2528-149-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2804-152-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1784-151-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2800-150-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/3000-148-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1012-153-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2192-157-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/532-159-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/1492-156-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2164-155-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/1888-154-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/1340-158-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/1712-160-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1712-161-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1712-175-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/1712-184-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1712-185-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2216-214-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2232-213-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2724-216-0x000000013F300000-0x000000013F651000-memory.dmp
memory/3068-218-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2584-222-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2716-221-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2632-224-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/1636-240-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2528-242-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1784-245-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/3000-252-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2460-250-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2804-256-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2800-255-0x000000013F590000-0x000000013F8E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:43
Reported
2024-05-30 00:45
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\hbhdyfD.exe | N/A |
| N/A | N/A | C:\Windows\System\MXBtplO.exe | N/A |
| N/A | N/A | C:\Windows\System\hUFFVum.exe | N/A |
| N/A | N/A | C:\Windows\System\GSwkCPU.exe | N/A |
| N/A | N/A | C:\Windows\System\wfDCMbZ.exe | N/A |
| N/A | N/A | C:\Windows\System\sjsWPmR.exe | N/A |
| N/A | N/A | C:\Windows\System\mjWHmWr.exe | N/A |
| N/A | N/A | C:\Windows\System\wWaNrUk.exe | N/A |
| N/A | N/A | C:\Windows\System\CTDGxGa.exe | N/A |
| N/A | N/A | C:\Windows\System\XrldmXP.exe | N/A |
| N/A | N/A | C:\Windows\System\oCDTpxh.exe | N/A |
| N/A | N/A | C:\Windows\System\qEvfVpW.exe | N/A |
| N/A | N/A | C:\Windows\System\GQDEVkD.exe | N/A |
| N/A | N/A | C:\Windows\System\GcrodsM.exe | N/A |
| N/A | N/A | C:\Windows\System\toUQOUi.exe | N/A |
| N/A | N/A | C:\Windows\System\PgbupBu.exe | N/A |
| N/A | N/A | C:\Windows\System\VlKkZDc.exe | N/A |
| N/A | N/A | C:\Windows\System\WoEvOQh.exe | N/A |
| N/A | N/A | C:\Windows\System\mgllMPM.exe | N/A |
| N/A | N/A | C:\Windows\System\bieiLoK.exe | N/A |
| N/A | N/A | C:\Windows\System\NVWqQwg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_000a37061f94be34b9a2d812156778c1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hbhdyfD.exe
C:\Windows\System\hbhdyfD.exe
C:\Windows\System\MXBtplO.exe
C:\Windows\System\MXBtplO.exe
C:\Windows\System\hUFFVum.exe
C:\Windows\System\hUFFVum.exe
C:\Windows\System\GSwkCPU.exe
C:\Windows\System\GSwkCPU.exe
C:\Windows\System\wfDCMbZ.exe
C:\Windows\System\wfDCMbZ.exe
C:\Windows\System\sjsWPmR.exe
C:\Windows\System\sjsWPmR.exe
C:\Windows\System\mjWHmWr.exe
C:\Windows\System\mjWHmWr.exe
C:\Windows\System\wWaNrUk.exe
C:\Windows\System\wWaNrUk.exe
C:\Windows\System\CTDGxGa.exe
C:\Windows\System\CTDGxGa.exe
C:\Windows\System\XrldmXP.exe
C:\Windows\System\XrldmXP.exe
C:\Windows\System\oCDTpxh.exe
C:\Windows\System\oCDTpxh.exe
C:\Windows\System\qEvfVpW.exe
C:\Windows\System\qEvfVpW.exe
C:\Windows\System\GQDEVkD.exe
C:\Windows\System\GQDEVkD.exe
C:\Windows\System\GcrodsM.exe
C:\Windows\System\GcrodsM.exe
C:\Windows\System\toUQOUi.exe
C:\Windows\System\toUQOUi.exe
C:\Windows\System\PgbupBu.exe
C:\Windows\System\PgbupBu.exe
C:\Windows\System\VlKkZDc.exe
C:\Windows\System\VlKkZDc.exe
C:\Windows\System\WoEvOQh.exe
C:\Windows\System\WoEvOQh.exe
C:\Windows\System\mgllMPM.exe
C:\Windows\System\mgllMPM.exe
C:\Windows\System\bieiLoK.exe
C:\Windows\System\bieiLoK.exe
C:\Windows\System\NVWqQwg.exe
C:\Windows\System\NVWqQwg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files