Analysis Overview
SHA256
3c10e9ed7768da7db97ea1508565b94384be210794aa7fa01bb0a732fc5253f5
Threat Level: Known bad
The file 2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike
Xmrig family
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 07:32
Signatures
Cobalt Strike reflective loader
1 hit (no Description, Indicator, Process or Target captured in this export).
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit (no Description, Indicator, Process or Target captured in this export).
UPX dump on OEP (original entry point)
1 hit (no Description, Indicator, Process or Target captured in this export).
XMRig Miner payload
1 hit (no Description, Indicator, Process or Target captured in this export).
Xmrig family
UPX packed file
1 hit (no Description, Indicator, Process or Target captured in this export).
Unsigned PE
2 hits (no Description, Indicator, Process or Target captured in this export).
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 07:32
Reported
2024-05-30 07:34
Platform
win7-20240508-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (no Description, Indicator, Process or Target captured in this export).
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (no Description, Indicator, Process or Target captured in this export).
UPX dump on OEP (original entry point)
64 hits (no Description, Indicator, Process or Target captured in this export).
XMRig Miner payload
44 hits (no Description, Indicator, Process or Target captured in this export).
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zESCxDf.exe | N/A |
| N/A | N/A | C:\Windows\System\MbVmrRC.exe | N/A |
| N/A | N/A | C:\Windows\System\wMwUIqo.exe | N/A |
| N/A | N/A | C:\Windows\System\YRqeWBW.exe | N/A |
| N/A | N/A | C:\Windows\System\LcNcraQ.exe | N/A |
| N/A | N/A | C:\Windows\System\hrlgyOD.exe | N/A |
| N/A | N/A | C:\Windows\System\oNqMzKE.exe | N/A |
| N/A | N/A | C:\Windows\System\EljGcjS.exe | N/A |
| N/A | N/A | C:\Windows\System\TLZFFYu.exe | N/A |
| N/A | N/A | C:\Windows\System\nqynuTR.exe | N/A |
| N/A | N/A | C:\Windows\System\fYdEKlX.exe | N/A |
| N/A | N/A | C:\Windows\System\wMHyQXj.exe | N/A |
| N/A | N/A | C:\Windows\System\JeiCgdA.exe | N/A |
| N/A | N/A | C:\Windows\System\IXausxu.exe | N/A |
| N/A | N/A | C:\Windows\System\FmsAdfq.exe | N/A |
| N/A | N/A | C:\Windows\System\exliNCC.exe | N/A |
| N/A | N/A | C:\Windows\System\gezAjRj.exe | N/A |
| N/A | N/A | C:\Windows\System\yPGPiOO.exe | N/A |
| N/A | N/A | C:\Windows\System\GaJcnKk.exe | N/A |
| N/A | N/A | C:\Windows\System\OKTaIRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\KRAWUog.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits (no Description, Indicator, Process or Target captured in this export).
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the privilege a process needs to allocate large pages. XMRig enables it at start-up so that its RandomX dataset can be backed by large pages, so the dropper requesting this token fits the XMRig Miner payload signature above; it is not a privilege an ordinary user-mode application asks for.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\zESCxDf.exe | C:\Windows\System\zESCxDf.exe |
| C:\Windows\System\MbVmrRC.exe | C:\Windows\System\MbVmrRC.exe |
| C:\Windows\System\wMwUIqo.exe | C:\Windows\System\wMwUIqo.exe |
| C:\Windows\System\YRqeWBW.exe | C:\Windows\System\YRqeWBW.exe |
| C:\Windows\System\LcNcraQ.exe | C:\Windows\System\LcNcraQ.exe |
| C:\Windows\System\hrlgyOD.exe | C:\Windows\System\hrlgyOD.exe |
| C:\Windows\System\oNqMzKE.exe | C:\Windows\System\oNqMzKE.exe |
| C:\Windows\System\EljGcjS.exe | C:\Windows\System\EljGcjS.exe |
| C:\Windows\System\TLZFFYu.exe | C:\Windows\System\TLZFFYu.exe |
| C:\Windows\System\nqynuTR.exe | C:\Windows\System\nqynuTR.exe |
| C:\Windows\System\fYdEKlX.exe | C:\Windows\System\fYdEKlX.exe |
| C:\Windows\System\wMHyQXj.exe | C:\Windows\System\wMHyQXj.exe |
| C:\Windows\System\JeiCgdA.exe | C:\Windows\System\JeiCgdA.exe |
| C:\Windows\System\IXausxu.exe | C:\Windows\System\IXausxu.exe |
| C:\Windows\System\exliNCC.exe | C:\Windows\System\exliNCC.exe |
| C:\Windows\System\FmsAdfq.exe | C:\Windows\System\FmsAdfq.exe |
| C:\Windows\System\GaJcnKk.exe | C:\Windows\System\GaJcnKk.exe |
| C:\Windows\System\gezAjRj.exe | C:\Windows\System\gezAjRj.exe |
| C:\Windows\System\OKTaIRZ.exe | C:\Windows\System\OKTaIRZ.exe |
| C:\Windows\System\yPGPiOO.exe | C:\Windows\System\yPGPiOO.exe |
| C:\Windows\System\KRAWUog.exe | C:\Windows\System\KRAWUog.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1660-0-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/1660-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\zESCxDf.exe
| MD5 | b5f33c9e71b289396cf772da880461fe |
| SHA1 | 5766db873b35475b14d23b63bba3f61ccef42ee2 |
| SHA256 | 4184e3a86c5749a3bdf4291fa6944f069ffab2400f1685be0a95e1d537c50129 |
| SHA512 | 4f5a1fb0acc42fab86e96948d6ac1a2265502869192b4a3a983373d2ea09c866f62c9bb7632a18c25acf6bc96ae0b1f07d2d64a4ed4e2cab5a8b5f0dc0774ec7 |
memory/1660-6-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2932-8-0x000000013F3E0000-0x000000013F731000-memory.dmp
C:\Windows\system\MbVmrRC.exe
| MD5 | d880010cd17d2f4d6f06cb91c863a511 |
| SHA1 | f1c63766a8fa2375380d038bbc950f4d4e3393ad |
| SHA256 | 52e743a225baecdb569ad4577158c8f455625e1944e356bb63dc979f0574816c |
| SHA512 | 3eddc390794b1a72dfca5b572552f30992878a46eaca6bebc0bca0ccd5447682f4571adc2af903417629e15b811b2540d6e35d831d1156bc09905accb81fd5dd |
memory/2368-14-0x000000013F240000-0x000000013F591000-memory.dmp
C:\Windows\system\wMwUIqo.exe
| MD5 | a596ee33515c1f708048f0f39699edc4 |
| SHA1 | 3d23c5ccff71a89f814134f8040783153d7ce8eb |
| SHA256 | 60e46e520a20fa459db183747242746966b329d484539758620684d9c55c2f6b |
| SHA512 | 859a3efd7fb7b3f605fd2ff3e3473e02bd897270e92e0b03850d23e84a7c95b00aee487e18e1b1e1ec2dba8e1c3f1638e4aa878770b154bc9095e8cb37630907 |
C:\Windows\system\YRqeWBW.exe
| MD5 | 401df8fcded4f6042983de6a1cfa8eae |
| SHA1 | 4bfc29ec2740a1c723a977bb3cdf08591206221f |
| SHA256 | 40caee777c5818b3a404b6dbf75934b94a96f647c875b2665e26e7e68367f311 |
| SHA512 | 92873df79fff68c6a789ccbc10cdb8df183f131a25a255ef565ecb96c48879ee87ea2bdac18b2549bcd070e0b6f8b0c69813765d06d0a1e32686a6ed3a16b38d |
memory/2872-28-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
C:\Windows\system\hrlgyOD.exe
| MD5 | d2ce23754f8d3efe766f608136158109 |
| SHA1 | 368b2c404c71810730f23411f32edd0d5a8bc677 |
| SHA256 | e3f7793cba46637d393a6c4e723e2990ffe40294c45ac461232e8805afae1b54 |
| SHA512 | 470f0277b735f9961a54dc7bda4f17b3129a091755a4df5c863cefe198f8a664e95b2b8d9eca7ea6d54a7ba76b6bec89a4f8ce9c069f7086a083535b802220fb |
\Windows\system\LcNcraQ.exe
| MD5 | 90a2d0223da10a0cec14adf32dbf9427 |
| SHA1 | 78b458c60e374acb77bbc6a9ae498f4afd7c7bba |
| SHA256 | 6bbe4ba27d2a3c5d9c3375161f4cdeebc0d1683e9421baac3f94e6ebd01f0ada |
| SHA512 | a5596470ca77d7e06f19b914170b0ad175222eaa676bb50ff9ba3f87c84712504058967cfe8624ea85714ad6b7331991ff8277a8b7d4ec830460d76295a05aed |
C:\Windows\system\oNqMzKE.exe
| MD5 | 8578e6d507c22c333e5601aba08f6530 |
| SHA1 | a3bcf41a03a71653a1bff130a159d72cf921a8a1 |
| SHA256 | 98cf42eb78775a3375474a26b8293f896b4da6d97ebc6b7bfea08b6f66f1bd57 |
| SHA512 | 41c90fb3ff9c13990a4b480354529685ab111dacad8a1e36d8505e6e3808cbe62572c98c6ff1a4e1fbb29091b84cab07a15a7d2ebe5b9260f3602967930ef595 |
\Windows\system\EljGcjS.exe
| MD5 | a148d32882d31d2fc96e011b8f6552dd |
| SHA1 | 1535e66fd66075cb74f8cfcb8b8c45e08fff5c8e |
| SHA256 | 6cb50d757ba816af5c42466317fa3a2ffe215c13b3141aaab0207fbd5cc15a71 |
| SHA512 | e6b64160a7d87e6deb2264d13548350b79e6dd3c3477d45ece9d927872c426dc8f97dcf8d319640ff2d7c9488e3e563aa910bda7e52be24b3fb72c9aff1d7546 |
memory/2368-53-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2880-56-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/1876-47-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2932-49-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/1660-45-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2768-44-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1660-43-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2676-41-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/1008-25-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/1660-18-0x0000000002140000-0x0000000002491000-memory.dmp
memory/2704-62-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/1660-61-0x0000000002140000-0x0000000002491000-memory.dmp
C:\Windows\system\TLZFFYu.exe
| MD5 | c4dcbf7adb2416ef5c1d3de833c28b7d |
| SHA1 | 0bf4a0830ff2a67663914ae6f929da70183cbb5f |
| SHA256 | 8ff7af4632a95454c6d7191e1f59915cbf1ebf5333c7c7bd85c47a472345f167 |
| SHA512 | c6b26273a260f68283eb864dadc88d0be31d50f67abb7e6bd9d55a417101f9dd941ac83902304971f4724289e939e136c9cda00e1fb36fc973b009e2da3ac7a1 |
C:\Windows\system\nqynuTR.exe
| MD5 | 415e3586a1984464cc3e2175ba00bfd2 |
| SHA1 | 0c21185752d4097ff2f0ec80ddde7202da41cdf7 |
| SHA256 | 1afab5cbd59e7a7eb6cbad26158a6acadd3ff69050063d8424ca00c9ae2b69c9 |
| SHA512 | 369644539ba66a597106ef0afdc3a0a96972ef72c2978cdbad659f227e937a23545d00edd9a7aecbd15728c9bddd9e913f1389704d3b9e1b5e3c3d358cfa5eb3 |
memory/1660-68-0x0000000002140000-0x0000000002491000-memory.dmp
memory/2636-69-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/1008-67-0x000000013FA70000-0x000000013FDC1000-memory.dmp
\Windows\system\fYdEKlX.exe
| MD5 | 0989856c3b33c9ac073d85eed6ba142f |
| SHA1 | 7c0a33be8b5c8def2586eaf3b50251b3b2d1ed5a |
| SHA256 | 7eaa7372b9abdd6979bbf6f550e8dbb4e4cb25068c190682f27f296e1e582b68 |
| SHA512 | 1dfde838077677776d835aa86b016d0e4d5990e60b3496cdd3c57ae427420c4832ebac08a31463cc5af0f80ddffef2c61063504aa02ab538745a568870e20cfe |
C:\Windows\system\wMHyQXj.exe
| MD5 | fff1659d37d062c0c390242036e2211b |
| SHA1 | 210024c3b421142e0a777428d7b5fd9c74019f51 |
| SHA256 | b76b2c00376c69c767c396ea5a2ceb155fbe92a7dbf9782324028ee474733b29 |
| SHA512 | af1d32a463db3bc3d51d141d04238f0b7bf1c42128da0496df8abe4bc1ab88fb7c6c5966bd56130eec4ca6bf6f0d6bfc2b218adfa7e295ff56a352a0dc9f2f85 |
memory/2480-84-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2872-85-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/1660-82-0x0000000002140000-0x0000000002491000-memory.dmp
C:\Windows\system\JeiCgdA.exe
| MD5 | 85b4ed2027575298e534afbeab859567 |
| SHA1 | 429bbbc7940a3986ab9f989487b8e090d8a05743 |
| SHA256 | c27331a7aaf8e5e2b89949e255022159a13e81552355ccb384a22b0b1c4ba151 |
| SHA512 | 556720ababb0691db99c884ba6e8de36c2d7d715b71b4de78f372d8ff0158565a650ad22c14b73723952c58f1554f41e6f0d5b8ccfd761493adb4ba4dcd342f3 |
memory/1668-93-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1660-91-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2676-90-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2540-87-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/1660-80-0x0000000002140000-0x0000000002491000-memory.dmp
\Windows\system\IXausxu.exe
| MD5 | 56d57ad9f6fecd66b17c196a7807369d |
| SHA1 | c0348141a002fd1b03cbeed2b2bfb5a63fa4121a |
| SHA256 | 40981b3836df5d40dcb328beaead701d461e02e93ba3de0ec9c344c251b8cdca |
| SHA512 | e5af7cea0007a382220cbe4260fa662fa96775e7153ec5d5810039d17374ff041f4c5360ab772f63286fd4131b76d715a3e5718c7a961fb0e49de8b40b06e329 |
\Windows\system\FmsAdfq.exe
| MD5 | 80ce054d6a8547b199072c687bcb5fa5 |
| SHA1 | 0855dbdac5b983b5f6ef28822ab2811efac133e0 |
| SHA256 | fbe75033f23ab0bf9fa06d53ebca2ff801df0c42f2072f5dc7276bd6d6208866 |
| SHA512 | 17de690c42573781ade4800b04e3116d6400097b468e2d4ce8a0d1b59baa20d87e3c52ee848c6b51ca5f7b215f830844e2197b2ede6d0ac1cb8f931e3f918331 |
memory/2268-121-0x000000013F090000-0x000000013F3E1000-memory.dmp
C:\Windows\system\yPGPiOO.exe
| MD5 | fde00e7213f8937e9571a35fa63f5ccb |
| SHA1 | 1efb33d4d252c9289169440973b8f3457a50b962 |
| SHA256 | 78fcfa8432d7acb4208f70513ab6e4a60cb3c63a560435f9b0a9617071243df0 |
| SHA512 | f80a331b498db52fd0b2e58f9fa26334ec296e8eb89a7de9aa123aa28d92a0bf8a81eb1be16cd7d992a265a6ece6b66b6c618791510c34f20e56b5e104cc103d |
C:\Windows\system\gezAjRj.exe
| MD5 | 4becaa68f917685a7190d6d1536b5460 |
| SHA1 | cb4545e99e51b5e67e37afafa630e232cbd09a63 |
| SHA256 | 494d6f09f00346c5838b1aacb059646ba10644dd4843baa9ba57cbbdabb486d1 |
| SHA512 | 444aab61fc89e63b942dd9f013df8fdde0649cb231ef0977a8a0f9d52535a6c688ba008c0cf37030c236352be58e771a52ebe8172c0eaae04a15c59731241b63 |
C:\Windows\system\OKTaIRZ.exe
| MD5 | b535f88dbf0ac3a6456ad09f33311639 |
| SHA1 | d192d57c425794d4eec8675f9efdaef256233086 |
| SHA256 | 58e4f86f20a25fa34c4c667e3bafb486341c25dc03979a58045acca6724c5602 |
| SHA512 | a64daeabd677bd8c9cab58ca5a51f37e5c560c2fe4c203d4138b352501dd9d2e40f409811fef10a787b202f26ba2e1c4524cfb3bfab6a43621634a523f87770c |
C:\Windows\system\KRAWUog.exe
| MD5 | aaade16a808b6de3e97f54c669b5dde3 |
| SHA1 | 6bb21dd00184e214f97ca2082ecc63584fbb43c5 |
| SHA256 | dc50adaf84c62428bdf5921b633a6486743bb6eeefb3152c09446373746985a1 |
| SHA512 | 140cf4a137f174b18d1fc0e166561c245fcb2f44f81a9e839da1f4193c5834d7640c409494fe1abfee926e8562a3d4468ce141dc5650983884ad171ad7680fae |
\Windows\system\GaJcnKk.exe
| MD5 | bc63dab8c2e805fb21bdd318843a625d |
| SHA1 | 9fe67d818be0989449ef2a7cbf898eef918a6026 |
| SHA256 | 108035f9a1640eb64b7ba7ccfd335667b6cae89168db136b40e50e20fb96a6a1 |
| SHA512 | c77daeb16f8f301d307ce31e3edfa9f99db43a4122b877ccee5f0a2fa0fdf5d432b2ea280e945f21314a7c0e2091b88492e0237e7925f9d6ed0948b7b017e30d |
C:\Windows\system\exliNCC.exe
| MD5 | e932317d67915f2cfb6913b3998e3a04 |
| SHA1 | 233388dbedb3d2cb8ecd62332de88ba5c08024f0 |
| SHA256 | 30d21fe39b4cfff0b9b37474748147c73f027187ddedb18aab9c226a197a43fc |
| SHA512 | d701eef2a4a69850e877085113e1f0fcab43690842ac870ac602c0ebe9e1a7acb59424bd34251cb9863e0a6abc685ef59e32e6c9c0be13bf0f4d1f73151f53d0 |
memory/1876-99-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/1660-136-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2704-145-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/1660-146-0x0000000002140000-0x0000000002491000-memory.dmp
memory/2636-147-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/1668-150-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1660-151-0x0000000002140000-0x0000000002491000-memory.dmp
memory/2268-152-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/1616-154-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2104-153-0x000000013F310000-0x000000013F661000-memory.dmp
memory/1828-156-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2152-155-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/1660-157-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/1424-160-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/1656-159-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2128-161-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/1660-170-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1660-175-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2932-206-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2368-216-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2872-220-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/1008-219-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2768-222-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2676-224-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2880-227-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/1876-228-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2704-230-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2636-233-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2540-237-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2480-236-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/1668-239-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2268-249-0x000000013F090000-0x000000013F3E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 07:32
Reported
2024-05-30 07:34
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (no Description, Indicator, Process or Target captured in this export).
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (no Description, Indicator, Process or Target captured in this export).
UPX dump on OEP (original entry point)
64 hits (no Description, Indicator, Process or Target captured in this export).
XMRig Miner payload
46 hits (no Description, Indicator, Process or Target captured in this export).
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DgmiQeX.exe | N/A |
| N/A | N/A | C:\Windows\System\hKOmtAr.exe | N/A |
| N/A | N/A | C:\Windows\System\fDXzRAr.exe | N/A |
| N/A | N/A | C:\Windows\System\GRUxrcH.exe | N/A |
| N/A | N/A | C:\Windows\System\bDKXNzS.exe | N/A |
| N/A | N/A | C:\Windows\System\rIQUMwP.exe | N/A |
| N/A | N/A | C:\Windows\System\yqnwrAN.exe | N/A |
| N/A | N/A | C:\Windows\System\XsVKhln.exe | N/A |
| N/A | N/A | C:\Windows\System\WwZctqw.exe | N/A |
| N/A | N/A | C:\Windows\System\GRPwDXu.exe | N/A |
| N/A | N/A | C:\Windows\System\BsJdxgS.exe | N/A |
| N/A | N/A | C:\Windows\System\wmCgwxZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PmGNAjm.exe | N/A |
| N/A | N/A | C:\Windows\System\dlgZycI.exe | N/A |
| N/A | N/A | C:\Windows\System\UWWfJRm.exe | N/A |
| N/A | N/A | C:\Windows\System\OSgEkPt.exe | N/A |
| N/A | N/A | C:\Windows\System\WiOLIfP.exe | N/A |
| N/A | N/A | C:\Windows\System\laeAzpo.exe | N/A |
| N/A | N/A | C:\Windows\System\HjTnHkq.exe | N/A |
| N/A | N/A | C:\Windows\System\NAoteLL.exe | N/A |
| N/A | N/A | C:\Windows\System\WLAlczF.exe | N/A |
UPX packed file
64 hits (no Description, Indicator, Process or Target captured in this export).
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_854ea7d5fb2a0205ab89028ef51101f7_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\DgmiQeX.exe | C:\Windows\System\DgmiQeX.exe |
| C:\Windows\System\hKOmtAr.exe | C:\Windows\System\hKOmtAr.exe |
| C:\Windows\System\fDXzRAr.exe | C:\Windows\System\fDXzRAr.exe |
| C:\Windows\System\GRUxrcH.exe | C:\Windows\System\GRUxrcH.exe |
| C:\Windows\System\bDKXNzS.exe | C:\Windows\System\bDKXNzS.exe |
| C:\Windows\System\rIQUMwP.exe | C:\Windows\System\rIQUMwP.exe |
| C:\Windows\System\yqnwrAN.exe | C:\Windows\System\yqnwrAN.exe |
| C:\Windows\System\XsVKhln.exe | C:\Windows\System\XsVKhln.exe |
| C:\Windows\System\WwZctqw.exe | C:\Windows\System\WwZctqw.exe |
| C:\Windows\System\GRPwDXu.exe | C:\Windows\System\GRPwDXu.exe |
| C:\Windows\System\BsJdxgS.exe | C:\Windows\System\BsJdxgS.exe |
| C:\Windows\System\wmCgwxZ.exe | C:\Windows\System\wmCgwxZ.exe |
| C:\Windows\System\PmGNAjm.exe | C:\Windows\System\PmGNAjm.exe |
| C:\Windows\System\dlgZycI.exe | C:\Windows\System\dlgZycI.exe |
| C:\Windows\System\UWWfJRm.exe | C:\Windows\System\UWWfJRm.exe |
| C:\Windows\System\OSgEkPt.exe | C:\Windows\System\OSgEkPt.exe |
| C:\Windows\System\WiOLIfP.exe | C:\Windows\System\WiOLIfP.exe |
| C:\Windows\System\laeAzpo.exe | C:\Windows\System\laeAzpo.exe |
| C:\Windows\System\HjTnHkq.exe | C:\Windows\System\HjTnHkq.exe |
| C:\Windows\System\NAoteLL.exe | C:\Windows\System\NAoteLL.exe |
| C:\Windows\System\WLAlczF.exe | C:\Windows\System\WLAlczF.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/4252-0-0x00007FF669F90000-0x00007FF66A2E1000-memory.dmp
memory/4252-1-0x00000218714B0000-0x00000218714C0000-memory.dmp
C:\Windows\System\DgmiQeX.exe
| MD5 | a1c634d0e709e8cdd5f5e3a8c891e349 |
| SHA1 | d2470da4854b6c7fc9b9f220523e3096c5a01894 |
| SHA256 | 44258ee1d23012742473f3d7d8736a7a742f25c078d08d678ce9ff784ae08fbf |
| SHA512 | 8463ed1a8be01913c899fcb47a8cd64240f30ce15c416fe9628b9273cedfdc8efcb66cdd57a42eab3a8c35540ee133c110107c21d68c37b62005bfeb5b374ba5 |
C:\Windows\System\fDXzRAr.exe
| MD5 | 569738d331e700a4de5ce15dc2053fc2 |
| SHA1 | e788e50a8819046c569eedc492969b5187b877f7 |
| SHA256 | 15c2c712805946926c8cd4a294817f23f0669d90d764d37eb03bebc6dd6df6b2 |
| SHA512 | dc336ea0657039fd2eed49627a7c44ce22499df93964449c27d3054e48c11d6e00fa4db6747a3234f301d854423b2d181042b7b2ad53f91a51b0e3be1225feef |
C:\Windows\System\hKOmtAr.exe
| MD5 | e144982a65f695ae35ce02300ba1785d |
| SHA1 | cb6148361eeb076a7a2e244ad4625cdfbbb6df81 |
| SHA256 | f2decb6965ccb74dc8a3498c6f9393a77e9841132258259d5a8179a2013e0190 |
| SHA512 | f87e01b4acb111f3377b8c794479a8323f3c6aabec006b33e0f8f60345ed79aad1c4a2e1d6f51f98d2314582773fb75c2e81588943e49968d854986d51ef0a2c |
memory/1780-10-0x00007FF7E8370000-0x00007FF7E86C1000-memory.dmp
memory/3988-19-0x00007FF767850000-0x00007FF767BA1000-memory.dmp
C:\Windows\System\GRUxrcH.exe
| MD5 | ab799ad920b1cbfbece4ba29dc92b1d3 |
| SHA1 | 5f1f776478caee9f21f835dc19ed159b5bb7edca |
| SHA256 | 09100d4cca42d1f21ce815969ee6f4ed3fd700d87de96d2097a0df5d3b58a03c |
| SHA512 | b962af400243a52504f4eddd1c76ee5b5e75151a4cf2c7f15e873971b00b4f7309d5f14ef67b3fd8eb1663337aa171f283ad37e30712d7b883234c2f92c2f0c3 |
memory/876-28-0x00007FF787F70000-0x00007FF7882C1000-memory.dmp
C:\Windows\System\bDKXNzS.exe
| MD5 | f75adab880445b9a375a2a26a1eddd1c |
| SHA1 | 61af8d1692fac9d763ed152d4cc2434233edd087 |
| SHA256 | 1c05fd2004bfd0cc726ea3b15eed790b964003b6a831d292e8ddfd29b3a2b51a |
| SHA512 | b5d96f5b28c4da9af8d1f93ce6961c861e40b8e562a0c7ec398edee5d8039b5dd2e18ea1475b45b11dd42e5cfad0d0ee9cbf03af0b5508327b3ed7f007a94736 |
memory/4660-15-0x00007FF7E2720000-0x00007FF7E2A71000-memory.dmp
C:\Windows\System\rIQUMwP.exe
| MD5 | 59119d65d8a47299723199fcec0cfe3c |
| SHA1 | e64fb5ecef78a4740e073ac9a0e8462f189e908c |
| SHA256 | f895d01eb8d0d7f505e4e807e58d5f9021a678ed03c435d4eb632940243ab70d |
| SHA512 | 861d39e12b0f90de2d416b7d2fd211403d3b979a827f618a92a8f80dde4d5f73e95cd6b7685000b8cd0c3430d195ff3acb68dbcd1e4374682dc0b2744ec610ea |
memory/3696-36-0x00007FF7D7040000-0x00007FF7D7391000-memory.dmp
C:\Windows\System\yqnwrAN.exe
| MD5 | f78c7b6cf32ac5db6400d1247d915cf0 |
| SHA1 | a902e2fe42329e22657f4b1da31186bb81e9ac8d |
| SHA256 | 4449fa6015fd50b0184d6d10620e7141bfa44c1b0f9e6e9f9a45150565e886fb |
| SHA512 | 6ebf9826a0ad148ca83aa761ca52e3d16b4c30925b98dbf3b255c546a4f6d7d961c0871f4552473d30faf1af6b8735acc64195d2c25fd470463c3ce4c06fd6ef |
memory/3296-44-0x00007FF665DD0000-0x00007FF666121000-memory.dmp
memory/4648-40-0x00007FF752940000-0x00007FF752C91000-memory.dmp
C:\Windows\System\XsVKhln.exe
| MD5 | 4d964e3717fed2e8cb31061f1442c91a |
| SHA1 | c001e966f52d3c3de79141322178a410f5d42698 |
| SHA256 | afe7f46dee00950df2caa5b1bb98f09d42ee5f487750633a67d51ea92fe3f1ae |
| SHA512 | 2586e027473e1aba557f51f76ff3322ffd1844f8d8218a8c61e81f2b6a8c36a8de22b5763b5edeeef62604117331cabd19c593a190332fbe7ddaed303337a9a8 |
memory/4852-49-0x00007FF77C100000-0x00007FF77C451000-memory.dmp
C:\Windows\System\WwZctqw.exe
| MD5 | abde53094d7de32fca994028dc63ada9 |
| SHA1 | 7801d525d5bcfee440981bc3948e77b968aaf3ae |
| SHA256 | b1687f823ddf9605bb7e767e45307a075672f7d7b076e0279e2670ac97f5f823 |
| SHA512 | 9a13dc892fb08a62d62abce8c26d1ec157502da861f4e5d2946052d83386f0e93d58ff62c5e27f0f15f132079adf16b6ddafb285752f8e8d1d79c0e75f04659b |
memory/752-55-0x00007FF74F060000-0x00007FF74F3B1000-memory.dmp
C:\Windows\System\GRPwDXu.exe
| MD5 | 7878eb2c91f4a75b4f70162d1ef3d2ee |
| SHA1 | 7cb64c60e211ba7b2a0bee4d7c2d9209dbf0fea5 |
| SHA256 | bec36b41d3bd376142260632f5d203361cc42b87938a5d64c257d22dfff91652 |
| SHA512 | a2e39c97961cbe689fd1e91c9d18f57606562054607547df046df6badfd6b69c6d9b7a68898c432d6af86dc42ac440ee96de432434bf5a99efe22406a4b6927d |
memory/1548-69-0x00007FF67B9D0000-0x00007FF67BD21000-memory.dmp
memory/1464-73-0x00007FF76FC40000-0x00007FF76FF91000-memory.dmp
C:\Windows\System\PmGNAjm.exe
| MD5 | ab4b9043f9b3487b8eab0283d463e46c |
| SHA1 | e209279695a28fa00e6219dc1b8acd00208c439e |
| SHA256 | 32cdea892804b4b72faa1d4218f230cbe060a939fdb86742bb8a929fdce50997 |
| SHA512 | e0b478713e8f4d50a82d9a43d46d888c6177125270e6d7c1b8d9880fe7a12b3de98bcaf5299c62c8500efba103f1b80f021113d65dda4839f19692497a20a11a |
C:\Windows\System\dlgZycI.exe
| MD5 | 618b44b55f60d8c852208890c75906b4 |
| SHA1 | 57d33364a3ccf9b26d0173c93ecac761cd76a071 |
| SHA256 | 0258128ab871d1444b15938aa8705bb6c9b0bbd7775333f6d31f384c7b21bad1 |
| SHA512 | 1388fff41d9815115663fc18e5176de1e7ec2497abbe2db6ed7e2458b864f05b3b39a1129a836e1f97b2fc0f1eb33fa4375a9f3c86a62884bf17dce4333c85a1 |
memory/4164-85-0x00007FF79F970000-0x00007FF79FCC1000-memory.dmp
C:\Windows\System\laeAzpo.exe
| MD5 | a4b86861d13ec4168910f00570f312eb |
| SHA1 | a33e6d6e80b6af0c2885dca5f99f4e5f01b90e85 |
| SHA256 | c95f23c1cc8bbc61f71df7d151e6fa50ecf140eae78c8bef45eb29bd6ebb8922 |
| SHA512 | d6763f01f2b297bf995dddd19cdfd8f40c7cf48cf48cb237ffef5d1d5dae73311692df95479bb949f63511cb7536b8303eeec72fa02aa6432489fbe42df181f5 |
C:\Windows\System\HjTnHkq.exe
| MD5 | c9554a93d2d2452961856b5c01399bc2 |
| SHA1 | 8fae89cd8826a2e16ab000b2663ae850f6951944 |
| SHA256 | af8afd66cf05ef285c4fe9aafc207c67323ea698c4aa22ea9844ba89c85ea768 |
| SHA512 | 033410571867e3b9ed7412b5419a1779a80ad08d705edded7e529bbf6fd847cb0c126b24c7daed4d5b08f0e5cb241ebde2b5a0b4eb5144364c515d89b4214c2f |
C:\Windows\System\NAoteLL.exe
| MD5 | 2eaa67974c006e58daa7eeee7e4f4cdb |
| SHA1 | 3e4dc5dce5ce0e0b998444778bd750dd04c18458 |
| SHA256 | 34c3370c6c4eaa07815e49c937e6668d0ed2f808fc889bbecfb258167d87d5e7 |
| SHA512 | 393c98760339a81d93c6ac1e3e507e8e9264493e68d565ca363e3ab55398250b6cf9f9362c957efc64c0a17fcebe184c82cfd3d46a61df4e7e3cb10e0eda3e34 |
C:\Windows\System\WLAlczF.exe
| MD5 | 5e568dbcfbfef1bbf86002a79d051f1e |
| SHA1 | 12e2f8e3a99a9d8b4da073df8f38f534a6c240d8 |
| SHA256 | b579621a428718ec3aadcd67cbcc54bddcde162762054a9c18827727620d6fff |
| SHA512 | b144cf7a8ad9685fd1c955026db63eef440dbc151b8ddf5aca1e012fa89d586e4cd8c9e36fbaf777f7627992b2a4f32b711c5bff4d44027037bf650a71854279 |
C:\Windows\System\WiOLIfP.exe
| MD5 | 23e788dffb1a2a02213e8c4658ea14f6 |
| SHA1 | b83bfcec22280640709d64afe7a6fce210a01c88 |
| SHA256 | 5672e28ecd6ec990b5e516c147364787347b64561de60b59b896a8e1bd8a42a2 |
| SHA512 | b99c36f7eb7fd04276701aa707db2b6a3c1898d6103e28e0352c219d4c91d985f4cce575050e2a0983370adc92eaffddda6ad79a5e1d71184d3a3b72755831e9 |
C:\Windows\System\OSgEkPt.exe
| MD5 | 28a3baacbe98b42cd5248cb0f6db78af |
| SHA1 | da148cd15f533ac132912147e00361fef8069fc4 |
| SHA256 | 4c4774319ba49ed5d9738293f74d5c545ad21efc46f10c0b9cb9d172a45a5226 |
| SHA512 | 0ed734f8b793660c32328f97260074767a08e23bf2a0aabf3ec1918145ce61d902fff07ae1e186d116e8d4e2096757f9a70193b7a15ce2aaa9fc8ff0f2260f42 |
C:\Windows\System\UWWfJRm.exe
| MD5 | eb4c7ce2e39b58c2f99903eac057f489 |
| SHA1 | 238334656c270164ee0066298abf065c1a687a7e |
| SHA256 | b3c1834b5086bb1266ac47424bb628250dd5cea3130100fb955b60a6ebeb6d9c |
| SHA512 | 474f85a9df1cfb0c90517cc2667db80681123fc8b359b3ed79c8e1c4a66798d96e04126fa600892285b29057004eaf973fc0e6f000ebec2484796e6bca71312f |
memory/412-84-0x00007FF696570000-0x00007FF6968C1000-memory.dmp
C:\Windows\System\wmCgwxZ.exe
| MD5 | 237f3b0ac88f9ece6bbe0d5f995c61c1 |
| SHA1 | 1f4df300a374d52826bcf64e6c3ff989f1731fe6 |
| SHA256 | ff422ed340aa9b24f6a4bb457ee085b168bf5d24a40130ae0675d6dbecd22efb |
| SHA512 | b21abb3be5ebe70fbd89e4d87a5ca2c2f78bd2dee9596783f51aa90dd5b30afd4593196285001fc0be517844e3d2fe6908ff8fec938a88b073c54c9405d81c8d |
memory/3988-82-0x00007FF767850000-0x00007FF767BA1000-memory.dmp
memory/3624-77-0x00007FF6779F0000-0x00007FF677D41000-memory.dmp
C:\Windows\System\BsJdxgS.exe
| MD5 | 95a618c0586e47b0da75a589aa1b2fc6 |
| SHA1 | a11b6b96439dbc376b106bdcb5bb422c1c5b0020 |
| SHA256 | c8d56ce3cf37e9ad9818769fff2f8c95d3218bf7ff5054a89ae1ddfc8be803ea |
| SHA512 | 4ddfb76995ae2b7ad052ca6b8ef257fd0d0c0c52022f0d0c5f0208a73f566d8a8e3218f90d331ac22772a100445b7b0b635251f308fe8f71ea54f5eb27945376 |