Analysis Overview
SHA256
7934ef8b6b684dcfbd38a08284be4824a4639857ac931a2b049893ae920764e0
Threat Level: Known bad
The file 2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:51
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:51
Reported
2024-05-30 00:54
Platform
win7-20240508-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fhDNFoQ.exe | N/A |
| N/A | N/A | C:\Windows\System\TzHwpxp.exe | N/A |
| N/A | N/A | C:\Windows\System\WxuqYNb.exe | N/A |
| N/A | N/A | C:\Windows\System\ApTNwGQ.exe | N/A |
| N/A | N/A | C:\Windows\System\DLfOXdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZXZmFlg.exe | N/A |
| N/A | N/A | C:\Windows\System\XLRTihA.exe | N/A |
| N/A | N/A | C:\Windows\System\RJijBPP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZfswQCo.exe | N/A |
| N/A | N/A | C:\Windows\System\jFnLvzS.exe | N/A |
| N/A | N/A | C:\Windows\System\AfntQLF.exe | N/A |
| N/A | N/A | C:\Windows\System\gcjCmhx.exe | N/A |
| N/A | N/A | C:\Windows\System\guhuenW.exe | N/A |
| N/A | N/A | C:\Windows\System\ISuPuBb.exe | N/A |
| N/A | N/A | C:\Windows\System\fgUwFIB.exe | N/A |
| N/A | N/A | C:\Windows\System\IGmQhIU.exe | N/A |
| N/A | N/A | C:\Windows\System\eTBdZJl.exe | N/A |
| N/A | N/A | C:\Windows\System\qCnFABE.exe | N/A |
| N/A | N/A | C:\Windows\System\zrHNvsu.exe | N/A |
| N/A | N/A | C:\Windows\System\UAtUytQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JWCCDGl.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fhDNFoQ.exe
C:\Windows\System\fhDNFoQ.exe
C:\Windows\System\TzHwpxp.exe
C:\Windows\System\TzHwpxp.exe
C:\Windows\System\XLRTihA.exe
C:\Windows\System\XLRTihA.exe
C:\Windows\System\WxuqYNb.exe
C:\Windows\System\WxuqYNb.exe
C:\Windows\System\ZfswQCo.exe
C:\Windows\System\ZfswQCo.exe
C:\Windows\System\ApTNwGQ.exe
C:\Windows\System\ApTNwGQ.exe
C:\Windows\System\jFnLvzS.exe
C:\Windows\System\jFnLvzS.exe
C:\Windows\System\DLfOXdJ.exe
C:\Windows\System\DLfOXdJ.exe
C:\Windows\System\AfntQLF.exe
C:\Windows\System\AfntQLF.exe
C:\Windows\System\ZXZmFlg.exe
C:\Windows\System\ZXZmFlg.exe
C:\Windows\System\gcjCmhx.exe
C:\Windows\System\gcjCmhx.exe
C:\Windows\System\RJijBPP.exe
C:\Windows\System\RJijBPP.exe
C:\Windows\System\fgUwFIB.exe
C:\Windows\System\fgUwFIB.exe
C:\Windows\System\guhuenW.exe
C:\Windows\System\guhuenW.exe
C:\Windows\System\eTBdZJl.exe
C:\Windows\System\eTBdZJl.exe
C:\Windows\System\ISuPuBb.exe
C:\Windows\System\ISuPuBb.exe
C:\Windows\System\qCnFABE.exe
C:\Windows\System\qCnFABE.exe
C:\Windows\System\IGmQhIU.exe
C:\Windows\System\IGmQhIU.exe
C:\Windows\System\UAtUytQ.exe
C:\Windows\System\UAtUytQ.exe
C:\Windows\System\zrHNvsu.exe
C:\Windows\System\zrHNvsu.exe
C:\Windows\System\JWCCDGl.exe
C:\Windows\System\JWCCDGl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2964-0-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2964-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\fhDNFoQ.exe
| MD5 | 2d7ba7d1b1b13c3c261d582fad429780 |
| SHA1 | 800034c541db288dacfc3a2a58e7ae547df0d49e |
| SHA256 | c101543546aa71c385e12224742952cb15aeafbf63237505ca779cfc5e0dc6c1 |
| SHA512 | 21939778d1393877fbe25ac52a97ed5516dfe6197cefc1d3579aa180fe23a9a57ce5742ad5cb6c812819d4b827170e255b19a55f8333d83ecd8cfcc52f8a0510 |
memory/896-7-0x000000013F2B0000-0x000000013F601000-memory.dmp
C:\Windows\system\TzHwpxp.exe
| MD5 | 862c0ba8a02d02a3c14785fbe599e27d |
| SHA1 | 7757d47f8d04659f8b640ed82ebfc417589addc9 |
| SHA256 | b8e3e0086099634f9ec9b03de394b8cb148eba51ce2e1a8c79e1b9a758e047b7 |
| SHA512 | 587195a88134178ad6a6fec52f8185a0274a446c45c7d84cb4155e12414e8c485e1ad2e6904049f7ee9bdc8e2e0021bbb08e3d5f962b08d07d0f874bc6afdc0a |
C:\Windows\system\WxuqYNb.exe
| MD5 | 822e29a2d70ccf80c0c4f22c290d6bfa |
| SHA1 | 057cd7bc24ca599e89c18450077c002c4d4dc446 |
| SHA256 | 2cf0547d6ba4ff45bf383d12b9b4d47cdd6c7d4ad3f958c15757470bab2cb5c8 |
| SHA512 | d951af0741761c747dd36549dc1989e077a0bcd5db19ebc62c67d06f9112c8a0e1e9bffe526f7fa9e438f83a29ddaf04185aae15c67bc3813c7cb7cd145ecd21 |
\Windows\system\DLfOXdJ.exe
| MD5 | 09c59171a52bd80ae7e2cc17b186b03a |
| SHA1 | b8782295d6a4195b183f2dd0428010f0c5da06fa |
| SHA256 | cf014dc101ff044fe03f8f0f363b634d7edc98abccbef1a20c762f317808bb14 |
| SHA512 | 20bc962380b133d539e494c55832993589a5a097baad6ec7f0e374bbfb28e47fdfcaf23e490bb60d36a699ddcbc1177ce6ac1bbabf74e7c325b48ccd73da5a89 |
C:\Windows\system\ZXZmFlg.exe
| MD5 | e47a4b93f77c4f430b3700f77fecb35b |
| SHA1 | f58c746e820b30f4e8a154f8e8a520b64f4b08fb |
| SHA256 | 768c3671c13e90579be07aca58f6c81771826ab75b222e1927b75f13c252a2cd |
| SHA512 | 7179d1c87578d67c6217681857d2b90e3a2be58b4be31f880026c5a067528d1c18b347feaf50a3709deff97d14d657ed661d3213d4f3a5aa4001aed23f14314e |
\Windows\system\XLRTihA.exe
| MD5 | 33438da19e8927826fc525fa82c46318 |
| SHA1 | 6dc38e62e8d06ffde2af762abb432cfad5e7c665 |
| SHA256 | 294f049346b2a2e971804bc03273e944636fcd1088c59bdc5ae88d3a91bcefc9 |
| SHA512 | 4d4f5aaff442cac5bda9f8f580bc88f4d805ec2cda9c7cf56bf781bfb6fd9b7641d3ffd2c969e1e59509a23d9c779857934659d0dc6414e40ba0e9fc2eccf7f4 |
memory/2964-65-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/1156-67-0x000000013FFA0000-0x00000001402F1000-memory.dmp
C:\Windows\system\ZfswQCo.exe
| MD5 | de4600501f9dfaca8a576ccaf203b848 |
| SHA1 | d94d11b0e38c7727c63605e0ce6665745795394b |
| SHA256 | 2bf4014033ebb37899ec4f50328933a972b04019b652773da5f6e8b0f283d12e |
| SHA512 | 0db300f79264839e93f2539ff7a7662dca6a75f343ee99b9ad0ad1e063aff9cc16a0d57c9a4fa2b52c7fcc01fb2c23f15418eac7cc91029fab3b4f4de4560f69 |
C:\Windows\system\guhuenW.exe
| MD5 | ec1c68c6f2370b0971b1c5e6b5005cfc |
| SHA1 | 4859498f1b5f883a6c74ee99d6cddfc20fdf50d8 |
| SHA256 | 548f5d1fc021bd671cdc405fa1b55d0d54f935dfd652b4a1d68eb5757b0b61e3 |
| SHA512 | 43972fdeb12a45291083a8963cd0c9ad735603315ee1a2f4e2f8b23d31a39c9d5dfb96aad83e766ca5c966692ea58569eb18baacbe656d774278975f6e211c24 |
memory/2776-88-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2964-101-0x000000013FA70000-0x000000013FDC1000-memory.dmp
\Windows\system\qCnFABE.exe
| MD5 | 336feda9bbaeb70aff853315380c5d34 |
| SHA1 | 4c4167623b9f2e2e366291b67824ca0b0df18c30 |
| SHA256 | c8a575bc6221674cd4f536a196f0c11aa28e9941585d97e1b84beea477d655e1 |
| SHA512 | 936c7327fc5ad3a46fb3e0e662376709a7fc52e08e177bc45989827207ef2f2af310c5a4ff1cf672588d2fb4aa9865e919939e2b29a06e40970dbfca5c215b9f |
C:\Windows\system\JWCCDGl.exe
| MD5 | 1fe0312307356f210d13f5b1ce3f860a |
| SHA1 | 8ecb892acd5ab43fbbd7468e8cf771e638e0992e |
| SHA256 | c77bc551f5432442462d2e3c9294c8228a576777b3c2381b36804ef214d3f5f3 |
| SHA512 | 183caf85146bc5d634ea13d3a0dae99489c9ed91311ef4d7f051ab35e30e0494c14d1063c0c35c5663a0ad0e26a8311e08404a9116a4f30d4e94e7d29ebd91c5 |
\Windows\system\UAtUytQ.exe
| MD5 | dd3aa8e19dd32e0c7dadfcba0211ee9b |
| SHA1 | 9a6da19ec8b8cd3bc6bb38096bda89695c4167bd |
| SHA256 | afdbc6555451a979965088f7b790c61f33bf449e64fe960e306df566d638ad0c |
| SHA512 | 629c2135fb1b6d63f3f8e1a48832e8930f566bd8b4394dabe414adcce382eab0cd82f1dc3757d51515c31067dbc8b386081fe13d81190b174994a8fdd9a9b891 |
C:\Windows\system\fgUwFIB.exe
| MD5 | dd508e9ef169493f99e54f44c2facb03 |
| SHA1 | 77503b3baf1232fb1e3212948fe8c6d1ebcaedaa |
| SHA256 | 6d365d210f79f03d47fac46443b35a6f6b9a2a38013ef19a6c262726e78eb75e |
| SHA512 | fb5b99a10fac0c269e2ab5dcbf85a0d409b7300fc20c4b41b984d2950e63ec47a785c1eb663dbfcfaa3af366fd879b88b3a19d5dea784e58f0c12e03dbc8d8d8 |
C:\Windows\system\zrHNvsu.exe
| MD5 | 71f9f3331e1a34200c43eca74499dbcb |
| SHA1 | 9177b2264987b90eb03731d7a90ca09be2945c3c |
| SHA256 | 3afed406d22cba22d2ec8607f3ef761739b9a4d6f7204da4142420679680354e |
| SHA512 | 618b6da99352a2e4e1125cf2b1307ec64eb2d6d500a4a14cac4417fcb390a1e0ee83976a9d70580a4b4047e2a99d362dfa66e991b755e055bae63cb30f0471bf |
\Windows\system\eTBdZJl.exe
| MD5 | 4bace5ae6c4f0a592078badf29c0e23e |
| SHA1 | 00a67327995538e5cf9f7f676a243597df28a1f4 |
| SHA256 | 03a0fb6b946a08b8dfd255213cee77f9b394a11570320e43530bb838e8ea4832 |
| SHA512 | 0332c97b48debdfe65b46862f6aacf00d1eda2fbb63a322e4fe4f27dda3c6d45b0c13e688c6d98bd355fce201be266ce96046dd4344cea4dcc54b98177e8b151 |
C:\Windows\system\gcjCmhx.exe
| MD5 | c9d0a5f14e3f4388eedacc433715f7f3 |
| SHA1 | 152f8491c69371b5879323811bb9f7af4ea9b917 |
| SHA256 | f4c836c5d65901b5bf061db5b89a706a0ba87ceb6dcd62f2d572f052b90561f9 |
| SHA512 | 36a39e146c768402a49d300e6b9e09c10849ddfe7eb0dcafc3b1b8bf2bb9b0a4a9334cf27efe513eaffd65dd6500b233d41dd9dccd968f085c642f915b9fcf54 |
C:\Windows\system\AfntQLF.exe
| MD5 | 0662620686c9f607b4964e5940f6348d |
| SHA1 | 18ecd6b506c89074d20d1fa132f0ece91a82b6c7 |
| SHA256 | 11e7a7cf64a06716ced253ca0428cbff915b15e111b9fe005506efe8915aa873 |
| SHA512 | 1884aeff2ba9a8394b1b821fdf246aa6a6e3cbde4afb02d4338834202a858752166126b5f404922e6492f0df22e1ef168443a0e5d4abb0b376f663d37f548d1b |
C:\Windows\system\jFnLvzS.exe
| MD5 | ae20af93831cad2f726aeeb81464f1dc |
| SHA1 | 10e890c7f13a61ceb4fbe6727e5b34457af55f80 |
| SHA256 | ed1bd442fde85dd454c591387e9556f4e86aa9ea8f3301d3b7729976c4e5d435 |
| SHA512 | 4b8a47cc9f38a06a91c9f39165c153c00874526d30ad563a57f58b8defb35efdf1c55c492b1c91e8a14b8050fe2671bb7a72ecb4feb85edf25ea41c8ceebd05f |
memory/2432-133-0x000000013FA70000-0x000000013FDC1000-memory.dmp
C:\Windows\system\IGmQhIU.exe
| MD5 | 8bd77f60a6befa0b6775b9baf786909f |
| SHA1 | f8044d43e772dd80f54802c8d6840b7ee93f126b |
| SHA256 | 092d712c31ac0ba5b2ee2f4c5bc0da98933555ac18c76a01a07bb04e0a6a596a |
| SHA512 | 3181ee71ab582632fa90f0199e34c400b3b2d0c2a4e7843461e0adf93ea084e40aeaad9ca986e4c48edbb626c4b9e46781a518907a250d4c43a6a0803ee26eff |
memory/2964-102-0x0000000002350000-0x00000000026A1000-memory.dmp
memory/2964-43-0x000000013F100000-0x000000013F451000-memory.dmp
memory/1196-36-0x000000013F020000-0x000000013F371000-memory.dmp
C:\Windows\system\ApTNwGQ.exe
| MD5 | f117fd93cb40e5aa1ebd7aa6ff7544ca |
| SHA1 | 0991347b1cf77a3ab807251ae5813ea36b8a301b |
| SHA256 | 04994fa20dce3b0c6a5860c090ade292b2f3ceb00308f99d05a0d654c35b47e2 |
| SHA512 | 820c0248b385448f8c9b9763432de0eeddfdf00b216df63cc8a56e6f93c9430fab215663f8ee0914de8fde018f2212fabf4ae799eb1811bd6725068295c6973f |
C:\Windows\system\ISuPuBb.exe
| MD5 | 4d8db64d2d4f34ccc30901a412feb222 |
| SHA1 | cbae713600a5f143dcbb3adc8a51f605207fdb4e |
| SHA256 | 3381c772063bef0657e8b4c2898d94ae40e37f1e39d9023d02796070a529f6ec |
| SHA512 | 516b77a6d7e528fa68f59485521e66bdc2be892744a21a9b8b1603b0c616eb9ef4bc9812dc295686873b6a99b56e3ba50b7d86fb74af01fe84707c50583dd933 |
C:\Windows\system\RJijBPP.exe
| MD5 | 46477e89b4e2dd3cd840f6a471b3d4bb |
| SHA1 | ef64edafdf2bf4e60a7441374da9e715e06e66d6 |
| SHA256 | 0238b99d9a03ec95968afe15415af844e1d2089847aa6b501e309bfdacd11603 |
| SHA512 | 098c7939b141ce903373e73f532a19028832136d5447cc95bc9d6a45e514f6878d9f2333aa34ca7faf145e3249a7eda3a273f0b6923d422d6d775278ebd5c804 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:51
Reported
2024-05-30 00:54
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\muzYjqt.exe | N/A |
| N/A | N/A | C:\Windows\System\ARuwBQT.exe | N/A |
| N/A | N/A | C:\Windows\System\hubdICG.exe | N/A |
| N/A | N/A | C:\Windows\System\eFKTOQG.exe | N/A |
| N/A | N/A | C:\Windows\System\FheeHKl.exe | N/A |
| N/A | N/A | C:\Windows\System\FQdpYVo.exe | N/A |
| N/A | N/A | C:\Windows\System\DTifffk.exe | N/A |
| N/A | N/A | C:\Windows\System\pZCGZpI.exe | N/A |
| N/A | N/A | C:\Windows\System\EsXXdDB.exe | N/A |
| N/A | N/A | C:\Windows\System\EYALPtm.exe | N/A |
| N/A | N/A | C:\Windows\System\YAvsMPn.exe | N/A |
| N/A | N/A | C:\Windows\System\JJZIUfo.exe | N/A |
| N/A | N/A | C:\Windows\System\swITtbZ.exe | N/A |
| N/A | N/A | C:\Windows\System\dFsDrxy.exe | N/A |
| N/A | N/A | C:\Windows\System\UXXRXmx.exe | N/A |
| N/A | N/A | C:\Windows\System\iVPXQUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\XLzfzsX.exe | N/A |
| N/A | N/A | C:\Windows\System\DyoYxGf.exe | N/A |
| N/A | N/A | C:\Windows\System\yImtnfz.exe | N/A |
| N/A | N/A | C:\Windows\System\WUXVglE.exe | N/A |
| N/A | N/A | C:\Windows\System\gRSoLcT.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_62d082595e9683eaafbec296b3155001_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\muzYjqt.exe
C:\Windows\System\muzYjqt.exe
C:\Windows\System\ARuwBQT.exe
C:\Windows\System\ARuwBQT.exe
C:\Windows\System\hubdICG.exe
C:\Windows\System\hubdICG.exe
C:\Windows\System\eFKTOQG.exe
C:\Windows\System\eFKTOQG.exe
C:\Windows\System\FheeHKl.exe
C:\Windows\System\FheeHKl.exe
C:\Windows\System\FQdpYVo.exe
C:\Windows\System\FQdpYVo.exe
C:\Windows\System\DTifffk.exe
C:\Windows\System\DTifffk.exe
C:\Windows\System\pZCGZpI.exe
C:\Windows\System\pZCGZpI.exe
C:\Windows\System\EsXXdDB.exe
C:\Windows\System\EsXXdDB.exe
C:\Windows\System\EYALPtm.exe
C:\Windows\System\EYALPtm.exe
C:\Windows\System\YAvsMPn.exe
C:\Windows\System\YAvsMPn.exe
C:\Windows\System\JJZIUfo.exe
C:\Windows\System\JJZIUfo.exe
C:\Windows\System\swITtbZ.exe
C:\Windows\System\swITtbZ.exe
C:\Windows\System\dFsDrxy.exe
C:\Windows\System\dFsDrxy.exe
C:\Windows\System\UXXRXmx.exe
C:\Windows\System\UXXRXmx.exe
C:\Windows\System\iVPXQUZ.exe
C:\Windows\System\iVPXQUZ.exe
C:\Windows\System\XLzfzsX.exe
C:\Windows\System\XLzfzsX.exe
C:\Windows\System\DyoYxGf.exe
C:\Windows\System\DyoYxGf.exe
C:\Windows\System\yImtnfz.exe
C:\Windows\System\yImtnfz.exe
C:\Windows\System\WUXVglE.exe
C:\Windows\System\WUXVglE.exe
C:\Windows\System\gRSoLcT.exe
C:\Windows\System\gRSoLcT.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1620-0-0x00007FF6085D0000-0x00007FF608921000-memory.dmp
memory/1620-1-0x000002C2E1A70000-0x000002C2E1A80000-memory.dmp
C:\Windows\System\muzYjqt.exe
| MD5 | b4ec2eb9b415920648409d30a2628246 |
| SHA1 | d6cb69c31507ac34d6b9f55adaaf9ac196c781e0 |
| SHA256 | 5883671c89d556c56464d5700ac5769b075e74b9f6b17fd45a82b0fd7064705c |
| SHA512 | 17439e22ed8a2dbb7d51d5a54536f79f8592dfb4889f320ca00119f6e7038a7102a11f294ef9535102cf4ceb13ec3d3b70600441049ea2f9ad66bf0e4b8dd333 |
memory/4804-8-0x00007FF7115D0000-0x00007FF711921000-memory.dmp
C:\Windows\System\ARuwBQT.exe
| MD5 | fe9ba53c984c0f9c41f1112483086737 |
| SHA1 | ef839653bd8e93ac9c4b8206bee83d5e905199ce |
| SHA256 | 83bfb7ac80a71b6e9db59983dd067e0b86d5966ceab399ce22f830e809cdf0bd |
| SHA512 | 88cf5c3463635a8e9f0ffc7607bbd4ec506bfdcc1e1264f922e8805417852e1ad20e93f9915ee9abc4858c292a61086e5036ab04bbe77aac21bbfc0427b7cd27 |
C:\Windows\System\hubdICG.exe
| MD5 | 5a1549d1eb6a9c57e2c36fbabfe41f8e |
| SHA1 | 6da5ee752de9447e800e761a18d04f45ff972624 |
| SHA256 | 9bbe3488ef0536bcc3c220901e03977052e3190af5e893a511130a3c0ddb93a7 |
| SHA512 | 545dc090abef931a22b63e3d463057ac8b5187e7799d1e6d6278f3b53796a164eb714413c46c173f83e003595622adc4042e17b8ceb4a52d57811d0848ad2551 |
memory/3376-13-0x00007FF7E28F0000-0x00007FF7E2C41000-memory.dmp
C:\Windows\System\eFKTOQG.exe
| MD5 | 7c611b8227ac97efe68b05f60234c9c2 |
| SHA1 | f20493ca9d6bd54fe83deaf03ea714d1774a2a94 |
| SHA256 | 82a24994ddf1a3175e9ad0baeaa14516ec2ea40890a0117d549ad2b4b67c82f3 |
| SHA512 | 8098c742a5eb0f0ab8be5079c7810e55301cf6fb64080e99ff8888b73b94e3b5971d64d5764932511c8bc8aa5cbe9a942ea3e575d69ed89456b1eece1d485a4b |
C:\Windows\System\FheeHKl.exe
| MD5 | c38eecd81d6f30964e6feecb3b886d70 |
| SHA1 | 25202e0932e91af8a65134aab60632cdcd12cb02 |
| SHA256 | 6cd545847116e1d62c56439cbccdd2471df621f83a7a60c46968bfdeb8ef1ba3 |
| SHA512 | 4bbc12d0def67cce8285168ba59177c082197053ea49711afc649fa9aabdc2d04a43abb73335e10d7edb57f0ebda449ddc68b5e38052f7bcfde990bbd131c208 |
memory/3680-32-0x00007FF7BF7A0000-0x00007FF7BFAF1000-memory.dmp
C:\Windows\System\FQdpYVo.exe
| MD5 | b6665f059d9dedd12d39e68d619b1620 |
| SHA1 | 01caa33b3ecdf22cf848daee7a5fa28c706ff875 |
| SHA256 | 2e426cfe4b0cfe1bb511c53cd6fe9ffc3fc6abbde629b24f6fe7567e70e57430 |
| SHA512 | 4f8451752310f447a65a63ffcbb8e317bd7056d7fd984b38cf01dea4d2b122a727004317f796f81ba2ebc08c2f30da2b2ef6e7d5bcecf7210caacdf9191c3d95 |
C:\Windows\System\DTifffk.exe
| MD5 | 76d3a79d29e0aa59ad1efc1ff1053850 |
| SHA1 | ab3d138ff66cbf12bac5b037063fb27806846c83 |
| SHA256 | a629f5b2c9536a59d16f91157413381ebe7c1a7ab3d16ccb84989f4bb4524e5f |
| SHA512 | 9c5ed642f423a6dc1442b20d8adc88ba8248fb00ccbc27039ccf77b2c49dbb9515c1534a39cd95ff0b4bc6fcd4ced414395107d5bf3ac22011a1af915552fbd2 |
C:\Windows\System\pZCGZpI.exe
| MD5 | 5455afe466f31fc312567a9543895c42 |
| SHA1 | e09e47bdd2b80ebe8c29bc10646eeff7fb41b495 |
| SHA256 | 5f4d0fc796ab0fce0df3aa1df6a90b4d3696770438292ae14b202d17eff40da0 |
| SHA512 | 3eb8717e8d1f237d1c1dcffd18b72e2a3da5b0a240581257a79d0550e8ff06dafda9385bd57568ee9c119174aa2b585d28a2e73b60ea6c5336a981762a2bab94 |
C:\Windows\System\EsXXdDB.exe
| MD5 | 0132faf94abf370c5bd47f321781081c |
| SHA1 | 8683b36f17186e952111135b89fe546351d6a7e2 |
| SHA256 | 2799d25e2e4ac02a281de82cb6a8a57f8ce7011f79384839b274e743e689f80c |
| SHA512 | e8b14a3fa9e9439dd400d82f64927c04575037fd03e26989bf57773cbb0428b4a64807b2b4a652cc31de28bdea9e116d8ff3c96fc1532e8c0118188358d5c6b9 |
C:\Windows\System\YAvsMPn.exe
| MD5 | 33bd455ee6b159f482d122779a8144f0 |
| SHA1 | 48d34133f70e5bb8f9ee200c8ebe32ca35154378 |
| SHA256 | 065c7f7b0c12957289c3a2968d24989cba2bee6585ab23aca680eebebb3a9443 |
| SHA512 | d80109524b0275c4802a92dd97aad248ebe3679a2f3616e1a8f6e6889f182a2a4f659c62dd5d2ec812ae0e081afcaed35686b4d326f40d39bd6c38a5e673c9b7 |
C:\Windows\System\EYALPtm.exe
| MD5 | 39b79095a367cd80cacb1ae9679910fc |
| SHA1 | 479132e47f8489bd0f320587a9355fbe166ed921 |
| SHA256 | 8bfa4ae20ac1e1dd8cc7bc125d5f1785bab5bcb7ca43fa18a41e1cffbf8575c7 |
| SHA512 | a2a1a08bd32d0cbd1b064cb664b9513d9256562d89f9b89d522e981555756c529aa63dd8e8d221f383f9cf4d67ee4883e4d940af98fe9e98f6ebcf65b93b846d |
memory/3960-69-0x00007FF788F90000-0x00007FF7892E1000-memory.dmp
C:\Windows\System\dFsDrxy.exe
| MD5 | c9327512d87a1f0856c5f41eba0a596d |
| SHA1 | 8858b2cbda2f6254b7175eff66becdd58f0644fd |
| SHA256 | 4606ab1f1bf21e0a968c55cc7868be4b14994de3bb472b1bc9bdba5a2191b3ad |
| SHA512 | fb5374082f546aca0bee22007b3ee37d14139131e19edca147b8e8a3d2c34b57961d6237a011ee37fd8b9b158a059e0942e5ca5f745a3470a3d209dba3be23ca |
C:\Windows\System\iVPXQUZ.exe
| MD5 | f4a34457287ae3698c799369aaf6738b |
| SHA1 | 2d3629c9bc72cda0acd8c9616b6f49da27cae30d |
| SHA256 | 8e64e242828e0673f91337b019367f8e2030209fe114c9fcbdb324a5de336c25 |
| SHA512 | f87c80140370174f2218f31f99a2d0ab2e694a856088b065c523b1c9dca0f5e9491c82aee34c6afc73abb2a56ecd5376ca6d9bca69dce43695f9978d2d9d5468 |
C:\Windows\System\DyoYxGf.exe
| MD5 | a75d41f41814089800edfcd1ea3c99c0 |
| SHA1 | d9b6e3f0c74bcf2bbb80161e2899f4e4c5976378 |
| SHA256 | 65044ee5d5148abfa844eaabd822c02060fe99dbcd799fef63eff9d5aa937797 |
| SHA512 | c355399d6c5868f5a9fb8c97286cd35e2d52741e88572589a2625ddf5c0a03cf89b977ca4afe22882be5570a6a759e2ff9e2ec18ffc74954ff94971dfc88136f |
C:\Windows\System\gRSoLcT.exe
| MD5 | 06ffd2839b516d55a22388aead837a13 |
| SHA1 | 22e3388a497d480eb295cd0c27e14839c05093a6 |
| SHA256 | a52456e4984f59644f00a99ea8ec577b05d89f92f59ce3c5ee6e5820eb92c55c |
| SHA512 | e353b729dea10237a19f27c64b2ed228c90149d363aa82f060a7148e46b8f9bee737ecfb57fc0b8600715c3901a6f43a9f12a5e13bf65a984d26ed71d9d7fea2 |
C:\Windows\System\WUXVglE.exe
| MD5 | 4d110382796a231d52cc3e184956aa02 |
| SHA1 | b4a79e0f7d39e580011351780766263e0062d0a8 |
| SHA256 | bf3552cb0716b4c25036759a24fbb604ade991c220fd59652a5540dec2648f2f |
| SHA512 | 257556c2700ca30b3230d347313d943552e897cc656ff2e3ac122749a05be1ab456acdde7b6469f73d8c1283de8a68cb926a06783f3d44616d39b1318c1ab422 |
C:\Windows\System\yImtnfz.exe
| MD5 | 0c6f59a95034fd32f8f44422efbd6dea |
| SHA1 | e5eba1db32fa62d29bf2d1d17fbfd41310a15433 |
| SHA256 | a40674987c8f393db797f42f12a5f2cc5fc5fc5d34a3861251bce76f51c15792 |
| SHA512 | 474bcffca1c6b86dc0203bfa9047f6f0c85fd756ce78c28eb51c75dfc6f4ec97f21511fd1aed119ca0f811f6f0743c672ca19cd2570d30b3b7cb3ddfbdc22453 |
C:\Windows\System\XLzfzsX.exe
| MD5 | 8d3b614ae5660565fcc5cb066329e013 |
| SHA1 | 9dd7fabfe439b47d459f1fb0ca040dd24e9df7db |
| SHA256 | 21d91b280e6776dede0dfe0c1596dd85caeebd8f5dff1f5880b4982867e1daae |
| SHA512 | 78cf2803b9d0610a151b76fcc89fb6bbfc104dee45c456e5751b0c26daecb983094eddba6aa9e8924e2c42b6b5e2d56884d647787762962a8225c80169d9f737 |
C:\Windows\System\UXXRXmx.exe
| MD5 | 6fd0798da2ea827eded5793002fe3d8f |
| SHA1 | 670c31a83c7ce99272768ca14320f9db72f4f3ef |
| SHA256 | 88ef09fb6e336cbf58593c3971dad103f1812fc238bb4d2b7a1f7fa48c70b060 |
| SHA512 | 4ac6fa0af9ebca0301e5f258fe28327019b201f313bcbb21c5592228d1e206efcc25d42484e02c522eb4169da3dbea7511e4580c386ce2e92285627b596518f0 |
C:\Windows\System\swITtbZ.exe
| MD5 | 72520cc0fb33b91a0ef25eb6b4c5bd0d |
| SHA1 | 7a4de38777a0b6c2c547f2da56e779fa388db23b |
| SHA256 | d15e02caa1d3885a1a0272e4b4c55267f470fb157c9fcd61289a2022395e3fb6 |
| SHA512 | b65695e519a381a2288d6c18d5e2d65be5ec361aa63a556bf7942e9a3c1bea330a07bdf8566caefd5539ede33ba9252b233fa0661101ca0d29de70dca6d5200f |
memory/4408-75-0x00007FF7F96D0000-0x00007FF7F9A21000-memory.dmp
C:\Windows\System\JJZIUfo.exe
| MD5 | fef65b2eb805492208f68c9b24990d76 |
| SHA1 | ece2d89f2f7abb36d27e22c152b9a3c422ee41b3 |
| SHA256 | 332b66915219831e885acf713674d978773f0935af30e2fd9e99d533a77e021d |
| SHA512 | 4a4037a2f7507513290563b9ae4287f7d2eee6a61e5146185bbe200c22318be95509d14a08612405ec4cf459130fc6e91a89e05759298eec25d4c0195283e95a |