Analysis Overview
SHA256: 34c7c70ec2dd176df22551f6928b4c23ea1b324d20d95ade3d5a3e6a4e1a964c
Threat Level: Known bad
The file 2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-05-30 01:01 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-30 01:01 |
| Reported | 2024-05-30 01:03 |
| Platform | win7-20240419-en |
| Max time kernel | 145s |
| Max time network | 150s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PbeFDtr.exe | N/A |
| N/A | N/A | C:\Windows\System\bJxFmKq.exe | N/A |
| N/A | N/A | C:\Windows\System\EdIeRIC.exe | N/A |
| N/A | N/A | C:\Windows\System\TqbqKqv.exe | N/A |
| N/A | N/A | C:\Windows\System\hycMwqq.exe | N/A |
| N/A | N/A | C:\Windows\System\jFkhEik.exe | N/A |
| N/A | N/A | C:\Windows\System\FdpJPYm.exe | N/A |
| N/A | N/A | C:\Windows\System\rxnRUdF.exe | N/A |
| N/A | N/A | C:\Windows\System\XLCtvZp.exe | N/A |
| N/A | N/A | C:\Windows\System\hHJZfov.exe | N/A |
| N/A | N/A | C:\Windows\System\zMVJpeT.exe | N/A |
| N/A | N/A | C:\Windows\System\VZcpHvV.exe | N/A |
| N/A | N/A | C:\Windows\System\xtYByjm.exe | N/A |
| N/A | N/A | C:\Windows\System\ecKetds.exe | N/A |
| N/A | N/A | C:\Windows\System\YSMpmPy.exe | N/A |
| N/A | N/A | C:\Windows\System\GmiiXOC.exe | N/A |
| N/A | N/A | C:\Windows\System\qAHFXgN.exe | N/A |
| N/A | N/A | C:\Windows\System\vyKcXnW.exe | N/A |
| N/A | N/A | C:\Windows\System\fkgDDWv.exe | N/A |
| N/A | N/A | C:\Windows\System\uRXbgIo.exe | N/A |
| N/A | N/A | C:\Windows\System\qNyWYsC.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\bJxFmKq.exe | C:\Windows\System\bJxFmKq.exe |
| C:\Windows\System\PbeFDtr.exe | C:\Windows\System\PbeFDtr.exe |
| C:\Windows\System\TqbqKqv.exe | C:\Windows\System\TqbqKqv.exe |
| C:\Windows\System\EdIeRIC.exe | C:\Windows\System\EdIeRIC.exe |
| C:\Windows\System\jFkhEik.exe | C:\Windows\System\jFkhEik.exe |
| C:\Windows\System\hycMwqq.exe | C:\Windows\System\hycMwqq.exe |
| C:\Windows\System\FdpJPYm.exe | C:\Windows\System\FdpJPYm.exe |
| C:\Windows\System\rxnRUdF.exe | C:\Windows\System\rxnRUdF.exe |
| C:\Windows\System\XLCtvZp.exe | C:\Windows\System\XLCtvZp.exe |
| C:\Windows\System\hHJZfov.exe | C:\Windows\System\hHJZfov.exe |
| C:\Windows\System\zMVJpeT.exe | C:\Windows\System\zMVJpeT.exe |
| C:\Windows\System\VZcpHvV.exe | C:\Windows\System\VZcpHvV.exe |
| C:\Windows\System\xtYByjm.exe | C:\Windows\System\xtYByjm.exe |
| C:\Windows\System\ecKetds.exe | C:\Windows\System\ecKetds.exe |
| C:\Windows\System\YSMpmPy.exe | C:\Windows\System\YSMpmPy.exe |
| C:\Windows\System\GmiiXOC.exe | C:\Windows\System\GmiiXOC.exe |
| C:\Windows\System\qAHFXgN.exe | C:\Windows\System\qAHFXgN.exe |
| C:\Windows\System\vyKcXnW.exe | C:\Windows\System\vyKcXnW.exe |
| C:\Windows\System\fkgDDWv.exe | C:\Windows\System\fkgDDWv.exe |
| C:\Windows\System\uRXbgIo.exe | C:\Windows\System\uRXbgIo.exe |
| C:\Windows\System\qNyWYsC.exe | C:\Windows\System\qNyWYsC.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-05-30 01:01 |
| Reported | 2024-05-30 01:04 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 149s |
| Max time network | 154s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lGNDimT.exe | N/A |
| N/A | N/A | C:\Windows\System\QcLMJnK.exe | N/A |
| N/A | N/A | C:\Windows\System\MRNfCeN.exe | N/A |
| N/A | N/A | C:\Windows\System\vlBScoT.exe | N/A |
| N/A | N/A | C:\Windows\System\nqTSQXc.exe | N/A |
| N/A | N/A | C:\Windows\System\oiPbuma.exe | N/A |
| N/A | N/A | C:\Windows\System\jcYGjmG.exe | N/A |
| N/A | N/A | C:\Windows\System\vivNLAa.exe | N/A |
| N/A | N/A | C:\Windows\System\dIluwjn.exe | N/A |
| N/A | N/A | C:\Windows\System\grBHHAe.exe | N/A |
| N/A | N/A | C:\Windows\System\WDNPKHE.exe | N/A |
| N/A | N/A | C:\Windows\System\NAPEHmd.exe | N/A |
| N/A | N/A | C:\Windows\System\IKckOAD.exe | N/A |
| N/A | N/A | C:\Windows\System\DAjSMTr.exe | N/A |
| N/A | N/A | C:\Windows\System\NuTagyu.exe | N/A |
| N/A | N/A | C:\Windows\System\pNruAIC.exe | N/A |
| N/A | N/A | C:\Windows\System\oCgPtrD.exe | N/A |
| N/A | N/A | C:\Windows\System\nnykvCw.exe | N/A |
| N/A | N/A | C:\Windows\System\mQZpjaC.exe | N/A |
| N/A | N/A | C:\Windows\System\neUMNxu.exe | N/A |
| N/A | N/A | C:\Windows\System\YtVfnRI.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_bcbc227d67f3d73034341a973dd731d8_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\lGNDimT.exe | C:\Windows\System\lGNDimT.exe |
| C:\Windows\System\QcLMJnK.exe | C:\Windows\System\QcLMJnK.exe |
| C:\Windows\System\MRNfCeN.exe | C:\Windows\System\MRNfCeN.exe |
| C:\Windows\System\vlBScoT.exe | C:\Windows\System\vlBScoT.exe |
| C:\Windows\System\nqTSQXc.exe | C:\Windows\System\nqTSQXc.exe |
| C:\Windows\System\oiPbuma.exe | C:\Windows\System\oiPbuma.exe |
| C:\Windows\System\jcYGjmG.exe | C:\Windows\System\jcYGjmG.exe |
| C:\Windows\System\vivNLAa.exe | C:\Windows\System\vivNLAa.exe |
| C:\Windows\System\dIluwjn.exe | C:\Windows\System\dIluwjn.exe |
| C:\Windows\System\grBHHAe.exe | C:\Windows\System\grBHHAe.exe |
| C:\Windows\System\WDNPKHE.exe | C:\Windows\System\WDNPKHE.exe |
| C:\Windows\System\NAPEHmd.exe | C:\Windows\System\NAPEHmd.exe |
| C:\Windows\System\IKckOAD.exe | C:\Windows\System\IKckOAD.exe |
| C:\Windows\System\DAjSMTr.exe | C:\Windows\System\DAjSMTr.exe |
| C:\Windows\System\NuTagyu.exe | C:\Windows\System\NuTagyu.exe |
| C:\Windows\System\pNruAIC.exe | C:\Windows\System\pNruAIC.exe |
| C:\Windows\System\oCgPtrD.exe | C:\Windows\System\oCgPtrD.exe |
| C:\Windows\System\nnykvCw.exe | C:\Windows\System\nnykvCw.exe |
| C:\Windows\System\mQZpjaC.exe | C:\Windows\System\mQZpjaC.exe |
| C:\Windows\System\neUMNxu.exe | C:\Windows\System\neUMNxu.exe |
| C:\Windows\System\YtVfnRI.exe | C:\Windows\System\YtVfnRI.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.201.50.20.in-addr.arpa | udp |
Files