Analysis Overview
SHA256
5930998834b47e856ae98fdc501caccb5a2bf73d17100f5080819b140f858187
Threat Level: Known bad
The file 2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 01:33
Signatures
Cobalt Strike reflective loader
1 hit listed; no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit listed; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 hit listed; no description, indicator, process or target recorded.
XMRig Miner payload
1 hit listed; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 hit listed; no description, indicator, process or target recorded.
Unsigned PE
2 hits listed; no description, indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 01:33
Reported
2024-05-30 01:35
Platform
win7-20231129-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits listed; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits listed; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
64 hits listed; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
41 hits listed; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sdupVxP.exe | N/A |
| N/A | N/A | C:\Windows\System\NRPlBke.exe | N/A |
| N/A | N/A | C:\Windows\System\AQSqSgt.exe | N/A |
| N/A | N/A | C:\Windows\System\ApsiHHR.exe | N/A |
| N/A | N/A | C:\Windows\System\hYmWPPk.exe | N/A |
| N/A | N/A | C:\Windows\System\BWnVnks.exe | N/A |
| N/A | N/A | C:\Windows\System\wSaiXtM.exe | N/A |
| N/A | N/A | C:\Windows\System\rHdEcui.exe | N/A |
| N/A | N/A | C:\Windows\System\FcgosWu.exe | N/A |
| N/A | N/A | C:\Windows\System\hZvSsjo.exe | N/A |
| N/A | N/A | C:\Windows\System\DbjlyFR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWEJiXg.exe | N/A |
| N/A | N/A | C:\Windows\System\ImaMiLR.exe | N/A |
| N/A | N/A | C:\Windows\System\RfpBBfg.exe | N/A |
| N/A | N/A | C:\Windows\System\SiyCIRe.exe | N/A |
| N/A | N/A | C:\Windows\System\VIXHUXa.exe | N/A |
| N/A | N/A | C:\Windows\System\oIqbNQC.exe | N/A |
| N/A | N/A | C:\Windows\System\GjVXyvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GgCvjuw.exe | N/A |
| N/A | N/A | C:\Windows\System\EQiFHUQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bssActi.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits listed; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\sdupVxP.exe
C:\Windows\System\sdupVxP.exe
C:\Windows\System\NRPlBke.exe
C:\Windows\System\NRPlBke.exe
C:\Windows\System\hYmWPPk.exe
C:\Windows\System\hYmWPPk.exe
C:\Windows\System\AQSqSgt.exe
C:\Windows\System\AQSqSgt.exe
C:\Windows\System\BWnVnks.exe
C:\Windows\System\BWnVnks.exe
C:\Windows\System\ApsiHHR.exe
C:\Windows\System\ApsiHHR.exe
C:\Windows\System\wSaiXtM.exe
C:\Windows\System\wSaiXtM.exe
C:\Windows\System\rHdEcui.exe
C:\Windows\System\rHdEcui.exe
C:\Windows\System\FcgosWu.exe
C:\Windows\System\FcgosWu.exe
C:\Windows\System\hZvSsjo.exe
C:\Windows\System\hZvSsjo.exe
C:\Windows\System\DbjlyFR.exe
C:\Windows\System\DbjlyFR.exe
C:\Windows\System\ZWEJiXg.exe
C:\Windows\System\ZWEJiXg.exe
C:\Windows\System\ImaMiLR.exe
C:\Windows\System\ImaMiLR.exe
C:\Windows\System\RfpBBfg.exe
C:\Windows\System\RfpBBfg.exe
C:\Windows\System\SiyCIRe.exe
C:\Windows\System\SiyCIRe.exe
C:\Windows\System\VIXHUXa.exe
C:\Windows\System\VIXHUXa.exe
C:\Windows\System\oIqbNQC.exe
C:\Windows\System\oIqbNQC.exe
C:\Windows\System\GjVXyvZ.exe
C:\Windows\System\GjVXyvZ.exe
C:\Windows\System\GgCvjuw.exe
C:\Windows\System\GgCvjuw.exe
C:\Windows\System\EQiFHUQ.exe
C:\Windows\System\EQiFHUQ.exe
C:\Windows\System\bssActi.exe
C:\Windows\System\bssActi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
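The behaviours this detonation records reduce to three host-side rules, written out here as an added example (not part of the sandbox output): a Temp-resident parent launching a burst of C:\Windows\System\<seven letters>.exe binaries (the Executes dropped EXE and Drops file in Windows directory hits), that same parent enabling SeLockMemoryPrivilege (the large-pages privilege XMRig requests, which is the AdjustPrivilegeToken hit), and a connection to 3.120.209.58:8080, the only destination in either detonation that is neither the resolver nor a Bing endpoint. The events below are constructed in the shape of Sysmon process, token and network records, not the sandbox's real log; the Event fields, rule names and burst threshold are assumptions.

```python
"""Added example (not part of the sandbox report): rules for the three
behaviours recorded above, evaluated over constructed Sysmon-style events.
Event fields and rule names are assumptions, not the sandbox's schema."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators taken directly from the report.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
SUSPICIOUS_PRIVS = {"SeLockMemoryPrivilege"}   # large-pages privilege XMRig enables
# Every dropped binary is C:\Windows\System\<seven ASCII letters>.exe.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_IMAGE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
BURST_THRESHOLD = 3   # one System\*.exe launch may be admin tooling; the sample did 21


@dataclass
class Event:
    kind: str            # "process" (creation), "privilege" (token adjust), "network"
    image: str           # path of the acting process
    parent: str = ""     # parent image, for "process" events
    privilege: str = ""  # privilege name, for "privilege" events
    dst_ip: str = ""
    dst_port: int = 0


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def evaluate(events: Iterable[Event]) -> List[Finding]:
    """Apply the three rules; add a burst verdict when enough dropped EXEs ran."""
    findings: List[Finding] = []
    burst = 0
    for e in events:
        if e.kind == "process" and DROPPED_EXE.match(e.image) and TEMP_IMAGE.match(e.parent):
            burst += 1
            findings.append(Finding("dropped_exe_from_temp", e.image, f"parent={e.parent}"))
        elif e.kind == "privilege" and e.privilege in SUSPICIOUS_PRIVS and TEMP_IMAGE.match(e.image):
            findings.append(Finding("lock_memory_privilege", e.image, e.privilege))
        elif e.kind == "network" and (e.dst_ip, e.dst_port) in C2_ENDPOINTS:
            findings.append(Finding("known_c2", e.image, f"{e.dst_ip}:{e.dst_port}"))
    if burst >= BURST_THRESHOLD:
        findings.append(Finding("dropper_burst", "C:\\Windows\\System\\*.exe", f"{burst} launches"))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe")

# Constructed events modelled on the report above; not a captured log.
SAMPLE_EVENTS = [
    Event("process", SAMPLE, parent=r"C:\Windows\explorer.exe"),
    Event("privilege", SAMPLE, privilege="SeLockMemoryPrivilege"),
    Event("process", r"C:\Windows\System\sdupVxP.exe", parent=SAMPLE),
    Event("process", r"C:\Windows\System\NRPlBke.exe", parent=SAMPLE),
    Event("process", r"C:\Windows\System\hYmWPPk.exe", parent=SAMPLE),
    Event("network", SAMPLE, dst_ip="3.120.209.58", dst_port=8080),
    # Benign noise that must not fire: a normal launch and resolver traffic.
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
    Event("network", r"C:\Windows\System32\svchost.exe", dst_ip="8.8.8.8", dst_port=53),
]


def run_sample() -> List[Finding]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:24} {f.image}  {f.detail}")
```

The burst rule is what separates this sample from an administrator copying a tool into C:\Windows\System: a single launch only produces a low-confidence finding, while three or more from one Temp-resident parent match the 21-process pattern in the report. The 3.120.209.58:8080 endpoint sits in cloud-hosted address space, so treat it as a short-lived indicator and pair it with the host rules rather than relying on the IP alone.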
Files
memory/2232-0-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2232-1-0x0000000001B20000-0x0000000001B30000-memory.dmp
\Windows\system\sdupVxP.exe
| MD5 | d7bfc0051083004b9b8da662dbce3bcb |
| SHA1 | e5073754e47cc68176b8ff69bd50bd88e28f86fc |
| SHA256 | c4a245bcbbffc4ceb3368a81faffd8ce0998fbcf6eeeb8ee32dbfe9c096da8c9 |
| SHA512 | 952d0f2c3c706960075ab61cb8b0e9b7ff8381ccd229da3ead79d07d5083dddbf7eeed42efde3baa972fff16f5541c0b6fbb4468f5d75e1ccd37f4c508e49081 |
\Windows\system\hYmWPPk.exe
| MD5 | a73580d043cc9c502b8c538d541c7f22 |
| SHA1 | 3ba3bb1a07d7beb7f4a60642293dd753a1763e17 |
| SHA256 | 9150682c6469ed057c29fef55406c39bf00c97f174ab37b4f576a5a1d9538371 |
| SHA512 | 512e8361f0e05e9d1093fea31c752be67c73a72fb114faef49022294fe1c11691c2eb8afd87b3eb0bb91d4e9c4aa985e2c2894af58c89a844e5e9250971403e5 |
C:\Windows\system\AQSqSgt.exe
| MD5 | c1670275602ee94c88bbddaf4cf56a53 |
| SHA1 | 84300ba768eff7b9b926e8ff6b960f354629bc66 |
| SHA256 | 54967dc060922c5767f8be03de634e3be9941cd1ba639088f586033c8e93db18 |
| SHA512 | 5621d6a5d1321126e790e3be6643b12f1a4689b3b59835917de708b381330b29abe2109fb3c4e2a847c72d06aa8a75b2ec1af64ac4980d54fcfeff09ceac2a74 |
memory/2232-12-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2724-37-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2204-39-0x000000013FFB0000-0x0000000140301000-memory.dmp
\Windows\system\BWnVnks.exe
| MD5 | 40ff4899e58e9e244d7012d946ce9439 |
| SHA1 | 94d413f4f2bb91b3bd6419fcd109229d34085987 |
| SHA256 | 47872b154bc8149de05e3cbd38751b0b0ab90cb1e1da4fd7549f1d61bbb751bf |
| SHA512 | f51a62f5a462aae0c205e0fd6668262c3348b904967c3b87a4e41c326d7f401bc9c4dadb4dfc1360b2a48717846d505d630a4f07220fe331ce7cd08c55c59635 |
memory/2664-41-0x000000013F6B0000-0x000000013FA01000-memory.dmp
C:\Windows\system\NRPlBke.exe
| MD5 | 443fdb036864ce0a3d5bf3065bbe29e2 |
| SHA1 | 54b56efb1868d27f247b5bbc0225857a2aa3557b |
| SHA256 | 99de4c3034a690f6f345ce3a3ce3378b7ac2f8a8a8de87185ffc7baffbd6d21e |
| SHA512 | ddc58c2420c3a3df20b404c544ce0462cc4644a02b11e240d5a4affe32f19fb1a3bfaeb3d9a363d6b06c824d5cef3176dc3607f54d5a1d928de8608d18b18e28 |
C:\Windows\system\rHdEcui.exe
| MD5 | 78b5437539817c68e429dfed04907f65 |
| SHA1 | 689b0ff52127e4632e994a9528ddd6792ba7974b |
| SHA256 | f2540e5d57046962dd72e4ec64dcf75d3ea5e8e0b76361e2b6c0aaa577e0ebcd |
| SHA512 | 1c749ab692d8e45ae902d3af506d6437f39ce13fe1b5a6449a17b74a0dc3625408bff44ecf6a070ca843ad5db26b91a18fa86a53bf9282fd5d1dd24476a38035 |
memory/2760-55-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2500-48-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2484-69-0x000000013F9F0000-0x000000013FD41000-memory.dmp
C:\Windows\system\ZWEJiXg.exe
| MD5 | 8b811e6cb2b89361d0dedd7fe090ef96 |
| SHA1 | 75429175e05c4852bb2536aaad09ce9979f65dc0 |
| SHA256 | 726d9dc2d5d98d0da2b4aeaf841123438af3d1862cecea648525786ac69afa5e |
| SHA512 | a434958f76fb075809504e2948b785757accd076300e75c3883294c7e0cb12b639e39c5b3f38f316842af16442c83f160f1a9d27d650b4d1eff153188a788127 |
memory/2820-82-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2160-83-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/1832-90-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2532-98-0x000000013F590000-0x000000013F8E1000-memory.dmp
C:\Windows\system\GjVXyvZ.exe
| MD5 | 375d87a80c36e73a85ebf20616d82df0 |
| SHA1 | fa195f159e592f9e421d73b3b4ff246dfa6268e1 |
| SHA256 | 9c2859bdad3fcffcf93359a1ca82780d77434916bd1db143358557b75574aa63 |
| SHA512 | 9966582eb0e5febc440924a5b28333c27d37275ac31f4ecd9a94ab8b7191af64f83504c7ea2dad0ca6e831e2578f2f7a3dacdabd8bc162cb78341fd9e8adb5ef |
C:\Windows\system\GgCvjuw.exe
| MD5 | f9fb4fcaee571c0d5c97f66364485a7f |
| SHA1 | 331eb0177d0faf611e9fe86dc7e45c40a19e65df |
| SHA256 | c19044b65eeab885ccf4bede29f18974910eba4c069c510eef55c0907199c10f |
| SHA512 | b8b614ef057a5adf06f00d7d060aa58ef6db1ab53e0894fe6fb2799a2b87132c9fc583d00267e69bae1062ba5c7c1da525259441b24c7eae1ff19de7fdac7f8b |
C:\Windows\system\EQiFHUQ.exe
| MD5 | 5a00f15ad044f82d03e89685f5068640 |
| SHA1 | d101aeec2f3a378d813fdbbe41a5c13e2a3a7dce |
| SHA256 | 6b9867cdd819f4268a7c19337c37d2c60a9940fdca4c4a159c873ab9f14a82a3 |
| SHA512 | ca59fd61ac28a8adec3819290895a3c5bc8ee5403166289f3b5c56f62fbf06fd1c32f03f2d93e1f14c9493ac01a6a1541de69b81550339f6c404fa8cffcedb96 |
\Windows\system\bssActi.exe
| MD5 | 6051c7e30428fd6082e1dbfe7dc692de |
| SHA1 | 2b9ba1bf968d7e08f66baeae496d741a8c9672df |
| SHA256 | d0c452a7e67fe6ddf22f77b2a613e968cf7c8e7291ba1452cb8bbc0fb763ddce |
| SHA512 | b36d890fd83d411a014c2509edd8b980c7789d057561c38ad693f690c8ab6b723b9963dc3d6eb36a67395077fcafa7e020c2db459173013e8ca29a398024be4b |
C:\Windows\system\oIqbNQC.exe
| MD5 | 1270aa1a5c6d639a6bf3a5fa29858afb |
| SHA1 | 47f5f4612a115963afe72cd23826c97910b1d047 |
| SHA256 | 087ec4eda544eb6285b920a31d0c8388f237dc5976cd6846fb907edd86144517 |
| SHA512 | d36aee21179cd8a0a9597f73b038eb68a11b6f10e59eb76330ae2a83e8971f3b7b280db665cd50e5423b6e4faf8ed338a8ba7b3e69185bf41069f02f60b53ec0 |
memory/2232-104-0x000000013F320000-0x000000013F671000-memory.dmp
C:\Windows\system\SiyCIRe.exe
| MD5 | 23873c0308b74bc751d9b5cad5658f1b |
| SHA1 | 2a198ed3235ae2d44e1d42736f40f13cb7ea0159 |
| SHA256 | 04e9d441a7b71f512ba6258ddb197808c5ff8879f67cfeeaece951263a715893 |
| SHA512 | 1283a6833eb2c0292baef93aedc3a388f9680568c7ce4da144ae481e5d7fc16fe8e3ab3caacc1923776fcc37278b6b22bf2421454bc2991815b0626f85b69232 |
C:\Windows\system\VIXHUXa.exe
| MD5 | b4dd98b9bbe497454d183799b319c367 |
| SHA1 | f8174723aa430a0b91ea05019c97f49c4b1c8474 |
| SHA256 | 7b531faefde09289084cd2f328f9422823383e78653aa8a45071861a642a17e7 |
| SHA512 | 040bf7c5a46839f85b057b29925ad747eed720f044e08e4083edaeaa0416c5f6a095ab5742d76b0b6932b5333fff06e12fb06b1cd0b834b0b29a6910fe80d796 |
memory/2664-134-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2232-97-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2232-89-0x000000013F2D0000-0x000000013F621000-memory.dmp
C:\Windows\system\RfpBBfg.exe
| MD5 | 062acd6c0cf3f590eb8d583735d6e79a |
| SHA1 | de03c5bb841084b38f87cd08b4f04e2f323f978f |
| SHA256 | 79ce7bbe130e1cad923bf1499a2e596239b162d8f4cdd6d0ea3b7b6736197a74 |
| SHA512 | bf1d5159ab61783f79ff1cb5a4139df7e2c8b1431b8b6c1b4f9d1a5a5b3d76d142b8aa8f5766d0ba8ef49c566f03199d26a60715a27f819f1e0b16b7aed25577 |
C:\Windows\system\ImaMiLR.exe
| MD5 | 1e18d7a4e01454df2f0b3ddb0ecb2f27 |
| SHA1 | 12e91714229db18701c996d11246410c16e1ad4b |
| SHA256 | 4f37c5a9dcfae7dbca92c3b2b5498f298504e8f9b8d79e67e6f7f7cc6f21bdf2 |
| SHA512 | da9143bf2e8b7161497e0bf8988c60fcaebdaae6c8dfb18fdc62406d8712373371a14156fe4eeb8ea887dd07c777b86b4758f578b990c8104d752baa8b4cec09 |
memory/2752-76-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2232-75-0x000000013F850000-0x000000013FBA1000-memory.dmp
C:\Windows\system\DbjlyFR.exe
| MD5 | 4632c1d4437b61c1e8c8981e097a29fb |
| SHA1 | 505ba851c6fe3e9f12bc9bc15fb8cd772e29a1fb |
| SHA256 | 48e448d4c3e37d12d2821c6baa26f07903d872755709e91d6e89ec6351bc0652 |
| SHA512 | 216a533cd5c5d2656772558929bfc16d590db1e96aa5c6caede10a87990ac6cf5a57534f6c91e2f8b17f6f666964d984b9cb2a3b2559e951d0c55f4e32c2a11f |
memory/2232-68-0x0000000002290000-0x00000000025E1000-memory.dmp
C:\Windows\system\hZvSsjo.exe
| MD5 | e7d5cbef7b80762c3a75b7bab4514a3e |
| SHA1 | 23844e77be8fd11ed6562110bad386343113be0b |
| SHA256 | 55068a08461c59ab21c7ee14a81d85d981a0c5187505bb2eab9bda1e6b73b7df |
| SHA512 | 24713c2b3361dca9af84c9b027ed32c09f90034c6cbb12c2712be93e326592fe0e152d05cfd8dcda2839ecafde3a318c8586f05e6262329bb8391719e68ac78d |
memory/2576-62-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2232-61-0x000000013F3F0000-0x000000013F741000-memory.dmp
C:\Windows\system\FcgosWu.exe
| MD5 | a80768d28fd05403b6346aca26bf0dae |
| SHA1 | 43cae2ba100347b15c6113f7a2fa7b4a54d674bf |
| SHA256 | 1e1cc663ba4b5260f40897116e4ba8327cd9c08aa134c013d48c01e7fc85b075 |
| SHA512 | e0f73492f8b5b0002473f993226315dd6fd7c50c6bb321c7d1eb6af31f715571376949dbeaf758629584bccb51c4f1f74351649396b1a25f23a6579f893225f5 |
memory/2232-47-0x0000000002290000-0x00000000025E1000-memory.dmp
C:\Windows\system\wSaiXtM.exe
| MD5 | 6635d94795ca310222c104ae226b83a2 |
| SHA1 | cc3db0fcdf66a8f25840c06e35a02ad7003e5bbb |
| SHA256 | 363d37fc1a9a56b4eff7b385be9cba1f8bd75c2bd4c96be6b30dfb33e8457102 |
| SHA512 | f5bb967bc8b3780911ae4294bdaf966b7cebd186add9e99d3de034fa8c913fb051c32090b72402de0d57c8d50ebe0d83609b99c7671f7ede9e971d3819ef3ca8 |
memory/2232-54-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/1172-38-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2232-35-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2232-34-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/3056-30-0x000000013FF80000-0x00000001402D1000-memory.dmp
C:\Windows\system\ApsiHHR.exe
| MD5 | 4431b2598e6240948fecce7fe17c9921 |
| SHA1 | edb164ec837e1aa214d6b3fd7e74145ab21e02e1 |
| SHA256 | a2e21d90a6ae3148393d56ac1f762c3081aa4700ce6a69541b24ca3d6ba2768e |
| SHA512 | 356e71e2b9a8797734180d42bfffde1c7da2ae96fb6f3ac20ff45c377b358f8d350d64bc931afe9feaef7b8b7cd3f576a1f00915096bf4afdeece6336ba3e261 |
memory/2232-26-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2820-20-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2760-136-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2232-135-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/2232-137-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2752-148-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2484-147-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2576-146-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/1832-150-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2296-157-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2908-155-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/1108-154-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/1348-152-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2960-158-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2184-156-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/1892-153-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2160-149-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2232-159-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2232-160-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2232-168-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2232-183-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2820-208-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/3056-209-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2724-213-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/1172-212-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2204-215-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2500-217-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2664-219-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2760-221-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2576-223-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2484-233-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2752-240-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2160-242-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/1832-244-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2532-246-0x000000013F590000-0x000000013F8E1000-memory.dmp
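The Files section above lists a per-file hash set for each dropped binary but mixes memory-dump entries in with them and records the paths inconsistently (with and without the drive letter, "system" in lower case). The following is an added example, not part of the sandbox report, of turning that listing into an IOC set and sweeping a host file inventory against it on SHA256 rather than path. The excerpt is copied verbatim from the report; the inventory lines are constructed in sha256sum's "<digest>  <path>" form, with one made-up digest for a clean file.

```python
"""Added example (not part of the sandbox report): parse the report's
Files listing into {path: {algo: digest}} and match a host inventory
against it by SHA256.  The inventory format is an assumption."""
import re
from typing import Dict, List, Tuple

# Two entries copied verbatim from the Files section of this report.
REPORT_FILES_EXCERPT = r"""
memory/2232-0-0x000000013F850000-0x000000013FBA1000-memory.dmp
\Windows\system\sdupVxP.exe
| MD5 | d7bfc0051083004b9b8da662dbce3bcb |
| SHA1 | e5073754e47cc68176b8ff69bd50bd88e28f86fc |
| SHA256 | c4a245bcbbffc4ceb3368a81faffd8ce0998fbcf6eeeb8ee32dbfe9c096da8c9 |
| SHA512 | 952d0f2c3c706960075ab61cb8b0e9b7ff8381ccd229da3ead79d07d5083dddbf7eeed42efde3baa972fff16f5541c0b6fbb4468f5d75e1ccd37f4c508e49081 |
C:\Windows\system\AQSqSgt.exe
| MD5 | c1670275602ee94c88bbddaf4cf56a53 |
| SHA1 | 84300ba768eff7b9b926e8ff6b960f354629bc66 |
| SHA256 | 54967dc060922c5767f8be03de634e3be9941cd1ba639088f586033c8e93db18 |
| SHA512 | 5621d6a5d1321126e790e3be6643b12f1a4689b3b59835917de708b381330b29abe2109fb3c4e2a847c72d06aa8a75b2ec1af64ac4980d54fcfeff09ceac2a74 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files_section(text: str) -> Dict[str, Dict[str, str]]:
    """Return {dropped_path: {algo: hexdigest}}.

    memory/...dmp lines are memory regions, not files on disk; they reset
    the current entry so a stray hash row cannot attach to them."""
    iocs: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            iocs[current][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        elif not line.startswith("|"):
            current = line
            iocs[current] = {}
    return iocs


def sha256_index(iocs: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Invert the IOC set to {sha256: report_path} for O(1) lookups."""
    return {h["SHA256"]: path for path, h in iocs.items() if "SHA256" in h}


# Constructed host inventory (sha256sum-style); the notepad digest is a dummy value.
HOST_INVENTORY = """\
c4a245bcbbffc4ceb3368a81faffd8ce0998fbcf6eeeb8ee32dbfe9c096da8c9  C:\\Windows\\System\\sdupVxP.exe
0f5f0b1fd5ab2d0c8fdbef37a7ec5b8a5d2b5a1a9ad7fbd3d4d6d2d3a3b4c5d6  C:\\Windows\\System32\\notepad.exe
54967dc060922c5767f8be03de634e3be9941cd1ba639088f586033c8e93db18  C:\\ProgramData\\update\\svc.exe
"""


def match_inventory(inventory: str, iocs: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host_path, report_path) for each inventory line whose SHA256 is an IOC.

    Matching is on hash only: the report shows the dropper writing to
    C:\\Windows\\System, but a renamed copy elsewhere is the same binary."""
    index = sha256_index(iocs)
    hits: List[Tuple[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        digest = digest.lower()
        if digest in index:
            hits.append((path, index[digest]))
    return hits


def run_sample() -> List[Tuple[str, str]]:
    return match_inventory(HOST_INVENTORY, parse_files_section(REPORT_FILES_EXCERPT))


if __name__ == "__main__":
    for host_path, report_path in run_sample():
        print(f"HIT {host_path}  (report: {report_path})")
```

The third inventory line is the case worth keeping in mind: AQSqSgt.exe's bytes under a different name and directory still match, which a path-based sweep of C:\Windows\System would miss. Feed the function the whole Files section rather than the excerpt to get all 21 dropped binaries.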
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 01:33
Reported
2024-05-30 01:35
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits listed; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits listed; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
64 hits listed; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
46 hits listed; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sdupVxP.exe | N/A |
| N/A | N/A | C:\Windows\System\NRPlBke.exe | N/A |
| N/A | N/A | C:\Windows\System\hYmWPPk.exe | N/A |
| N/A | N/A | C:\Windows\System\BWnVnks.exe | N/A |
| N/A | N/A | C:\Windows\System\AQSqSgt.exe | N/A |
| N/A | N/A | C:\Windows\System\ApsiHHR.exe | N/A |
| N/A | N/A | C:\Windows\System\wSaiXtM.exe | N/A |
| N/A | N/A | C:\Windows\System\rHdEcui.exe | N/A |
| N/A | N/A | C:\Windows\System\FcgosWu.exe | N/A |
| N/A | N/A | C:\Windows\System\hZvSsjo.exe | N/A |
| N/A | N/A | C:\Windows\System\DbjlyFR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWEJiXg.exe | N/A |
| N/A | N/A | C:\Windows\System\ImaMiLR.exe | N/A |
| N/A | N/A | C:\Windows\System\RfpBBfg.exe | N/A |
| N/A | N/A | C:\Windows\System\SiyCIRe.exe | N/A |
| N/A | N/A | C:\Windows\System\VIXHUXa.exe | N/A |
| N/A | N/A | C:\Windows\System\oIqbNQC.exe | N/A |
| N/A | N/A | C:\Windows\System\GjVXyvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GgCvjuw.exe | N/A |
| N/A | N/A | C:\Windows\System\EQiFHUQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bssActi.exe | N/A |
UPX packed file
64 hits listed; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7c2748b0130087dde7064e58e13982c5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\sdupVxP.exe
C:\Windows\System\sdupVxP.exe
C:\Windows\System\NRPlBke.exe
C:\Windows\System\NRPlBke.exe
C:\Windows\System\hYmWPPk.exe
C:\Windows\System\hYmWPPk.exe
C:\Windows\System\AQSqSgt.exe
C:\Windows\System\AQSqSgt.exe
C:\Windows\System\BWnVnks.exe
C:\Windows\System\BWnVnks.exe
C:\Windows\System\ApsiHHR.exe
C:\Windows\System\ApsiHHR.exe
C:\Windows\System\wSaiXtM.exe
C:\Windows\System\wSaiXtM.exe
C:\Windows\System\rHdEcui.exe
C:\Windows\System\rHdEcui.exe
C:\Windows\System\FcgosWu.exe
C:\Windows\System\FcgosWu.exe
C:\Windows\System\hZvSsjo.exe
C:\Windows\System\hZvSsjo.exe
C:\Windows\System\DbjlyFR.exe
C:\Windows\System\DbjlyFR.exe
C:\Windows\System\ZWEJiXg.exe
C:\Windows\System\ZWEJiXg.exe
C:\Windows\System\ImaMiLR.exe
C:\Windows\System\ImaMiLR.exe
C:\Windows\System\RfpBBfg.exe
C:\Windows\System\RfpBBfg.exe
C:\Windows\System\SiyCIRe.exe
C:\Windows\System\SiyCIRe.exe
C:\Windows\System\VIXHUXa.exe
C:\Windows\System\VIXHUXa.exe
C:\Windows\System\oIqbNQC.exe
C:\Windows\System\oIqbNQC.exe
C:\Windows\System\GjVXyvZ.exe
C:\Windows\System\GjVXyvZ.exe
C:\Windows\System\GgCvjuw.exe
C:\Windows\System\GgCvjuw.exe
C:\Windows\System\EQiFHUQ.exe
C:\Windows\System\EQiFHUQ.exe
C:\Windows\System\bssActi.exe
C:\Windows\System\bssActi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
C:\Windows\System\sdupVxP.exe
| MD5 | d7bfc0051083004b9b8da662dbce3bcb |
| SHA1 | e5073754e47cc68176b8ff69bd50bd88e28f86fc |
| SHA256 | c4a245bcbbffc4ceb3368a81faffd8ce0998fbcf6eeeb8ee32dbfe9c096da8c9 |
| SHA512 | 952d0f2c3c706960075ab61cb8b0e9b7ff8381ccd229da3ead79d07d5083dddbf7eeed42efde3baa972fff16f5541c0b6fbb4468f5d75e1ccd37f4c508e49081 |
C:\Windows\System\hYmWPPk.exe
| MD5 | a73580d043cc9c502b8c538d541c7f22 |
| SHA1 | 3ba3bb1a07d7beb7f4a60642293dd753a1763e17 |
| SHA256 | 9150682c6469ed057c29fef55406c39bf00c97f174ab37b4f576a5a1d9538371 |
| SHA512 | 512e8361f0e05e9d1093fea31c752be67c73a72fb114faef49022294fe1c11691c2eb8afd87b3eb0bb91d4e9c4aa985e2c2894af58c89a844e5e9250971403e5 |
C:\Windows\System\NRPlBke.exe
| MD5 | 443fdb036864ce0a3d5bf3065bbe29e2 |
| SHA1 | 54b56efb1868d27f247b5bbc0225857a2aa3557b |
| SHA256 | 99de4c3034a690f6f345ce3a3ce3378b7ac2f8a8a8de87185ffc7baffbd6d21e |
| SHA512 | ddc58c2420c3a3df20b404c544ce0462cc4644a02b11e240d5a4affe32f19fb1a3bfaeb3d9a363d6b06c824d5cef3176dc3607f54d5a1d928de8608d18b18e28 |
C:\Windows\System\AQSqSgt.exe
| MD5 | c1670275602ee94c88bbddaf4cf56a53 |
| SHA1 | 84300ba768eff7b9b926e8ff6b960f354629bc66 |
| SHA256 | 54967dc060922c5767f8be03de634e3be9941cd1ba639088f586033c8e93db18 |
| SHA512 | 5621d6a5d1321126e790e3be6643b12f1a4689b3b59835917de708b381330b29abe2109fb3c4e2a847c72d06aa8a75b2ec1af64ac4980d54fcfeff09ceac2a74 |
C:\Windows\System\ApsiHHR.exe
| MD5 | 4431b2598e6240948fecce7fe17c9921 |
| SHA1 | edb164ec837e1aa214d6b3fd7e74145ab21e02e1 |
| SHA256 | a2e21d90a6ae3148393d56ac1f762c3081aa4700ce6a69541b24ca3d6ba2768e |
| SHA512 | 356e71e2b9a8797734180d42bfffde1c7da2ae96fb6f3ac20ff45c377b358f8d350d64bc931afe9feaef7b8b7cd3f576a1f00915096bf4afdeece6336ba3e261 |
C:\Windows\System\BWnVnks.exe
| MD5 | 40ff4899e58e9e244d7012d946ce9439 |
| SHA1 | 94d413f4f2bb91b3bd6419fcd109229d34085987 |
| SHA256 | 47872b154bc8149de05e3cbd38751b0b0ab90cb1e1da4fd7549f1d61bbb751bf |
| SHA512 | f51a62f5a462aae0c205e0fd6668262c3348b904967c3b87a4e41c326d7f401bc9c4dadb4dfc1360b2a48717846d505d630a4f07220fe331ce7cd08c55c59635 |
C:\Windows\System\wSaiXtM.exe
| MD5 | 6635d94795ca310222c104ae226b83a2 |
| SHA1 | cc3db0fcdf66a8f25840c06e35a02ad7003e5bbb |
| SHA256 | 363d37fc1a9a56b4eff7b385be9cba1f8bd75c2bd4c96be6b30dfb33e8457102 |
| SHA512 | f5bb967bc8b3780911ae4294bdaf966b7cebd186add9e99d3de034fa8c913fb051c32090b72402de0d57c8d50ebe0d83609b99c7671f7ede9e971d3819ef3ca8 |
C:\Windows\System\rHdEcui.exe
| MD5 | 78b5437539817c68e429dfed04907f65 |
| SHA1 | 689b0ff52127e4632e994a9528ddd6792ba7974b |
| SHA256 | f2540e5d57046962dd72e4ec64dcf75d3ea5e8e0b76361e2b6c0aaa577e0ebcd |
| SHA512 | 1c749ab692d8e45ae902d3af506d6437f39ce13fe1b5a6449a17b74a0dc3625408bff44ecf6a070ca843ad5db26b91a18fa86a53bf9282fd5d1dd24476a38035 |
C:\Windows\System\FcgosWu.exe
| MD5 | a80768d28fd05403b6346aca26bf0dae |
| SHA1 | 43cae2ba100347b15c6113f7a2fa7b4a54d674bf |
| SHA256 | 1e1cc663ba4b5260f40897116e4ba8327cd9c08aa134c013d48c01e7fc85b075 |
| SHA512 | e0f73492f8b5b0002473f993226315dd6fd7c50c6bb321c7d1eb6af31f715571376949dbeaf758629584bccb51c4f1f74351649396b1a25f23a6579f893225f5 |
C:\Windows\System\hZvSsjo.exe
| MD5 | e7d5cbef7b80762c3a75b7bab4514a3e |
| SHA1 | 23844e77be8fd11ed6562110bad386343113be0b |
| SHA256 | 55068a08461c59ab21c7ee14a81d85d981a0c5187505bb2eab9bda1e6b73b7df |
| SHA512 | 24713c2b3361dca9af84c9b027ed32c09f90034c6cbb12c2712be93e326592fe0e152d05cfd8dcda2839ecafde3a318c8586f05e6262329bb8391719e68ac78d |
C:\Windows\System\DbjlyFR.exe
| MD5 | 4632c1d4437b61c1e8c8981e097a29fb |
| SHA1 | 505ba851c6fe3e9f12bc9bc15fb8cd772e29a1fb |
| SHA256 | 48e448d4c3e37d12d2821c6baa26f07903d872755709e91d6e89ec6351bc0652 |
| SHA512 | 216a533cd5c5d2656772558929bfc16d590db1e96aa5c6caede10a87990ac6cf5a57534f6c91e2f8b17f6f666964d984b9cb2a3b2559e951d0c55f4e32c2a11f |
C:\Windows\System\SiyCIRe.exe
| MD5 | 23873c0308b74bc751d9b5cad5658f1b |
| SHA1 | 2a198ed3235ae2d44e1d42736f40f13cb7ea0159 |
| SHA256 | 04e9d441a7b71f512ba6258ddb197808c5ff8879f67cfeeaece951263a715893 |
| SHA512 | 1283a6833eb2c0292baef93aedc3a388f9680568c7ce4da144ae481e5d7fc16fe8e3ab3caacc1923776fcc37278b6b22bf2421454bc2991815b0626f85b69232 |
C:\Windows\System\RfpBBfg.exe
| MD5 | 062acd6c0cf3f590eb8d583735d6e79a |
| SHA1 | de03c5bb841084b38f87cd08b4f04e2f323f978f |
| SHA256 | 79ce7bbe130e1cad923bf1499a2e596239b162d8f4cdd6d0ea3b7b6736197a74 |
| SHA512 | bf1d5159ab61783f79ff1cb5a4139df7e2c8b1431b8b6c1b4f9d1a5a5b3d76d142b8aa8f5766d0ba8ef49c566f03199d26a60715a27f819f1e0b16b7aed25577 |
C:\Windows\System\ImaMiLR.exe
| MD5 | 1e18d7a4e01454df2f0b3ddb0ecb2f27 |
| SHA1 | 12e91714229db18701c996d11246410c16e1ad4b |
| SHA256 | 4f37c5a9dcfae7dbca92c3b2b5498f298504e8f9b8d79e67e6f7f7cc6f21bdf2 |
| SHA512 | da9143bf2e8b7161497e0bf8988c60fcaebdaae6c8dfb18fdc62406d8712373371a14156fe4eeb8ea887dd07c777b86b4758f578b990c8104d752baa8b4cec09 |
C:\Windows\System\ZWEJiXg.exe
| MD5 | 8b811e6cb2b89361d0dedd7fe090ef96 |
| SHA1 | 75429175e05c4852bb2536aaad09ce9979f65dc0 |
| SHA256 | 726d9dc2d5d98d0da2b4aeaf841123438af3d1862cecea648525786ac69afa5e |
| SHA512 | a434958f76fb075809504e2948b785757accd076300e75c3883294c7e0cb12b639e39c5b3f38f316842af16442c83f160f1a9d27d650b4d1eff153188a788127 |
C:\Windows\System\VIXHUXa.exe
| MD5 | b4dd98b9bbe497454d183799b319c367 |
| SHA1 | f8174723aa430a0b91ea05019c97f49c4b1c8474 |
| SHA256 | 7b531faefde09289084cd2f328f9422823383e78653aa8a45071861a642a17e7 |
| SHA512 | 040bf7c5a46839f85b057b29925ad747eed720f044e08e4083edaeaa0416c5f6a095ab5742d76b0b6932b5333fff06e12fb06b1cd0b834b0b29a6910fe80d796 |
C:\Windows\System\oIqbNQC.exe
| MD5 | 1270aa1a5c6d639a6bf3a5fa29858afb |
| SHA1 | 47f5f4612a115963afe72cd23826c97910b1d047 |
| SHA256 | 087ec4eda544eb6285b920a31d0c8388f237dc5976cd6846fb907edd86144517 |
| SHA512 | d36aee21179cd8a0a9597f73b038eb68a11b6f10e59eb76330ae2a83e8971f3b7b280db665cd50e5423b6e4faf8ed338a8ba7b3e69185bf41069f02f60b53ec0 |
C:\Windows\System\GgCvjuw.exe
| MD5 | f9fb4fcaee571c0d5c97f66364485a7f |
| SHA1 | 331eb0177d0faf611e9fe86dc7e45c40a19e65df |
| SHA256 | c19044b65eeab885ccf4bede29f18974910eba4c069c510eef55c0907199c10f |
| SHA512 | b8b614ef057a5adf06f00d7d060aa58ef6db1ab53e0894fe6fb2799a2b87132c9fc583d00267e69bae1062ba5c7c1da525259441b24c7eae1ff19de7fdac7f8b |
C:\Windows\System\EQiFHUQ.exe
| MD5 | 5a00f15ad044f82d03e89685f5068640 |
| SHA1 | d101aeec2f3a378d813fdbbe41a5c13e2a3a7dce |
| SHA256 | 6b9867cdd819f4268a7c19337c37d2c60a9940fdca4c4a159c873ab9f14a82a3 |
| SHA512 | ca59fd61ac28a8adec3819290895a3c5bc8ee5403166289f3b5c56f62fbf06fd1c32f03f2d93e1f14c9493ac01a6a1541de69b81550339f6c404fa8cffcedb96 |
C:\Windows\System\bssActi.exe
| MD5 | 6051c7e30428fd6082e1dbfe7dc692de |
| SHA1 | 2b9ba1bf968d7e08f66baeae496d741a8c9672df |
| SHA256 | d0c452a7e67fe6ddf22f77b2a613e968cf7c8e7291ba1452cb8bbc0fb763ddce |
| SHA512 | b36d890fd83d411a014c2509edd8b980c7789d057561c38ad693f690c8ab6b723b9963dc3d6eb36a67395077fcafa7e020c2db459173013e8ca29a398024be4b |
C:\Windows\System\GjVXyvZ.exe
| MD5 | 375d87a80c36e73a85ebf20616d82df0 |
| SHA1 | fa195f159e592f9e421d73b3b4ff246dfa6268e1 |
| SHA256 | 9c2859bdad3fcffcf93359a1ca82780d77434916bd1db143358557b75574aa63 |
| SHA512 | 9966582eb0e5febc440924a5b28333c27d37275ac31f4ecd9a94ab8b7191af64f83504c7ea2dad0ca6e831e2578f2f7a3dacdabd8bc162cb78341fd9e8adb5ef |