Analysis Overview
SHA256
9caede73510afad6241aae0f3dc3a5efe2410c845e75cc07e7227eb0330b6bc2
Threat Level: Known bad
The file 2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:12
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:12
Reported
2024-06-01 07:14
Platform
win7-20240215-en
Max time kernel
139s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SBUwRaU.exe | N/A |
| N/A | N/A | C:\Windows\System\ComUJeC.exe | N/A |
| N/A | N/A | C:\Windows\System\iZqPKfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\IXhTiEn.exe | N/A |
| N/A | N/A | C:\Windows\System\KYkPJjz.exe | N/A |
| N/A | N/A | C:\Windows\System\dMnHnKx.exe | N/A |
| N/A | N/A | C:\Windows\System\rIlHPcn.exe | N/A |
| N/A | N/A | C:\Windows\System\PDyQXol.exe | N/A |
| N/A | N/A | C:\Windows\System\quUuvYR.exe | N/A |
| N/A | N/A | C:\Windows\System\xSvpADe.exe | N/A |
| N/A | N/A | C:\Windows\System\baoqPta.exe | N/A |
| N/A | N/A | C:\Windows\System\WpCyjYb.exe | N/A |
| N/A | N/A | C:\Windows\System\qZChCKN.exe | N/A |
| N/A | N/A | C:\Windows\System\zJGqCam.exe | N/A |
| N/A | N/A | C:\Windows\System\NnyTSlW.exe | N/A |
| N/A | N/A | C:\Windows\System\fOgobdy.exe | N/A |
| N/A | N/A | C:\Windows\System\GmERsVh.exe | N/A |
| N/A | N/A | C:\Windows\System\qQOibNh.exe | N/A |
| N/A | N/A | C:\Windows\System\iliRSua.exe | N/A |
| N/A | N/A | C:\Windows\System\uwTuPUR.exe | N/A |
| N/A | N/A | C:\Windows\System\VUvALFr.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\SBUwRaU.exe | C:\Windows\System\SBUwRaU.exe |
| C:\Windows\System\ComUJeC.exe | C:\Windows\System\ComUJeC.exe |
| C:\Windows\System\iZqPKfJ.exe | C:\Windows\System\iZqPKfJ.exe |
| C:\Windows\System\KYkPJjz.exe | C:\Windows\System\KYkPJjz.exe |
| C:\Windows\System\IXhTiEn.exe | C:\Windows\System\IXhTiEn.exe |
| C:\Windows\System\dMnHnKx.exe | C:\Windows\System\dMnHnKx.exe |
| C:\Windows\System\rIlHPcn.exe | C:\Windows\System\rIlHPcn.exe |
| C:\Windows\System\PDyQXol.exe | C:\Windows\System\PDyQXol.exe |
| C:\Windows\System\quUuvYR.exe | C:\Windows\System\quUuvYR.exe |
| C:\Windows\System\xSvpADe.exe | C:\Windows\System\xSvpADe.exe |
| C:\Windows\System\baoqPta.exe | C:\Windows\System\baoqPta.exe |
| C:\Windows\System\WpCyjYb.exe | C:\Windows\System\WpCyjYb.exe |
| C:\Windows\System\qZChCKN.exe | C:\Windows\System\qZChCKN.exe |
| C:\Windows\System\zJGqCam.exe | C:\Windows\System\zJGqCam.exe |
| C:\Windows\System\NnyTSlW.exe | C:\Windows\System\NnyTSlW.exe |
| C:\Windows\System\fOgobdy.exe | C:\Windows\System\fOgobdy.exe |
| C:\Windows\System\GmERsVh.exe | C:\Windows\System\GmERsVh.exe |
| C:\Windows\System\qQOibNh.exe | C:\Windows\System\qQOibNh.exe |
| C:\Windows\System\iliRSua.exe | C:\Windows\System\iliRSua.exe |
| C:\Windows\System\uwTuPUR.exe | C:\Windows\System\uwTuPUR.exe |
| C:\Windows\System\VUvALFr.exe | C:\Windows\System\VUvALFr.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:12
Reported
2024-06-01 07:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PRzJzzc.exe | N/A |
| N/A | N/A | C:\Windows\System\pFtUHvF.exe | N/A |
| N/A | N/A | C:\Windows\System\HhHkBUG.exe | N/A |
| N/A | N/A | C:\Windows\System\cQGwoHN.exe | N/A |
| N/A | N/A | C:\Windows\System\swkYNWs.exe | N/A |
| N/A | N/A | C:\Windows\System\avITRck.exe | N/A |
| N/A | N/A | C:\Windows\System\hfoWXne.exe | N/A |
| N/A | N/A | C:\Windows\System\ooNUalQ.exe | N/A |
| N/A | N/A | C:\Windows\System\oJdfOyP.exe | N/A |
| N/A | N/A | C:\Windows\System\lreYrzB.exe | N/A |
| N/A | N/A | C:\Windows\System\xGIRcGf.exe | N/A |
| N/A | N/A | C:\Windows\System\ePHIvqt.exe | N/A |
| N/A | N/A | C:\Windows\System\jQmVZEb.exe | N/A |
| N/A | N/A | C:\Windows\System\XDATwDQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PGNVXfm.exe | N/A |
| N/A | N/A | C:\Windows\System\WjskUtv.exe | N/A |
| N/A | N/A | C:\Windows\System\qdzaWAB.exe | N/A |
| N/A | N/A | C:\Windows\System\tUjaLob.exe | N/A |
| N/A | N/A | C:\Windows\System\xMhFTbJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fMmQTYU.exe | N/A |
| N/A | N/A | C:\Windows\System\KSvdLCa.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_22a6a9f4c6bd639f0c369388adeb16a7_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\PRzJzzc.exe | C:\Windows\System\PRzJzzc.exe |
| C:\Windows\System\pFtUHvF.exe | C:\Windows\System\pFtUHvF.exe |
| C:\Windows\System\HhHkBUG.exe | C:\Windows\System\HhHkBUG.exe |
| C:\Windows\System\cQGwoHN.exe | C:\Windows\System\cQGwoHN.exe |
| C:\Windows\System\swkYNWs.exe | C:\Windows\System\swkYNWs.exe |
| C:\Windows\System\avITRck.exe | C:\Windows\System\avITRck.exe |
| C:\Windows\System\hfoWXne.exe | C:\Windows\System\hfoWXne.exe |
| C:\Windows\System\ooNUalQ.exe | C:\Windows\System\ooNUalQ.exe |
| C:\Windows\System\oJdfOyP.exe | C:\Windows\System\oJdfOyP.exe |
| C:\Windows\System\lreYrzB.exe | C:\Windows\System\lreYrzB.exe |
| C:\Windows\System\xGIRcGf.exe | C:\Windows\System\xGIRcGf.exe |
| C:\Windows\System\ePHIvqt.exe | C:\Windows\System\ePHIvqt.exe |
| C:\Windows\System\jQmVZEb.exe | C:\Windows\System\jQmVZEb.exe |
| C:\Windows\System\XDATwDQ.exe | C:\Windows\System\XDATwDQ.exe |
| C:\Windows\System\PGNVXfm.exe | C:\Windows\System\PGNVXfm.exe |
| C:\Windows\System\WjskUtv.exe | C:\Windows\System\WjskUtv.exe |
| C:\Windows\System\qdzaWAB.exe | C:\Windows\System\qdzaWAB.exe |
| C:\Windows\System\tUjaLob.exe | C:\Windows\System\tUjaLob.exe |
| C:\Windows\System\xMhFTbJ.exe | C:\Windows\System\xMhFTbJ.exe |
| C:\Windows\System\fMmQTYU.exe | C:\Windows\System\fMmQTYU.exe |
| C:\Windows\System\KSvdLCa.exe | C:\Windows\System\KSvdLCa.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3856-0-0x00007FF6D8BF0000-0x00007FF6D8F44000-memory.dmp
memory/3856-1-0x0000028D5CC80000-0x0000028D5CC90000-memory.dmp
C:\Windows\System\PRzJzzc.exe
| MD5 | 2ee5bb22fe47e13a4128df61b13bc426 |
| SHA1 | 831dc8f125d636f79aae9a426c48dde6468fb466 |
| SHA256 | 758c74b54b383e8551cbb009eb299faf5a44b90142b5f5d77d0ba44a28551480 |
| SHA512 | 7c32d69bea123b8fb5b26b21373f6dd7708560f52f286a2a4bad9bdcd1a57a87d03fe465f37ba74967348f76c44777bb4bbb387991edcf18faa362c822c87af0 |
memory/220-8-0x00007FF746210000-0x00007FF746564000-memory.dmp
C:\Windows\System\pFtUHvF.exe
| MD5 | 69b530448a2ba0da1623124170e21abd |
| SHA1 | 77ec57652abfe1aed99fbb32a80b7e447436b5cc |
| SHA256 | 2c94dffdee072f1415849e2f6cd3e8c1b76e749fe8a44f1802bbdd549d3d019c |
| SHA512 | 5769f9a454447d7a522172a29b559c7ef55c28feb17f133b1056651e256feeb349e1c10083e8e9745e519e1b8311c4dc8961ec5f0909322572bd3ccebfb124ba |
C:\Windows\System\HhHkBUG.exe
| MD5 | 822b4356e94cb60a74174b9b2619400e |
| SHA1 | 84fc376de46612637b2a7f92242fe3ccea0eda36 |
| SHA256 | 6a5e2d886905a9ea960a79eaa638d3c858236f6bfdf44023f0c3547a9b0ec602 |
| SHA512 | 29b53d17cbc3fc4ebc90b4963a8d507fb1d965d60ed2253bfdd67946340e960cfe69bdd22eddd7673d3058d2668334741b0f5fcccd49b02c4fb7c1ec12566443 |
memory/2556-25-0x00007FF72CE00000-0x00007FF72D154000-memory.dmp
C:\Windows\System\swkYNWs.exe
| MD5 | fd00f3df9076ceab7aa3713feafe5845 |
| SHA1 | 8b218bb0ff7f73f170ff8202451c0a4b5df95b07 |
| SHA256 | 6d14bdbcd8c0d2ac5028450253947c6ad169d48c7926efbc789c4b43fb347ae3 |
| SHA512 | d3a506badbc33b16652a7f4bffbf736370416aaeb45e1919099e77269cec0dc728ea0eeb7ce0f24edcedd2e53800346550bcd4aadcdd06d6893433567a9be32d |
C:\Windows\System\avITRck.exe
| MD5 | fd5a9e805e6580333b9b50e8f160bd89 |
| SHA1 | c10d4e4829a4de974e0325845fa72e0dfd73cdc1 |
| SHA256 | f8b4d481451860e28dfcc309a9b682f1f33c021cac89d2d5ed737ecafa3541e9 |
| SHA512 | 8ee08e4fc0dbf0730ca97eedb3590ce47f97374639c5f3a27c6aaf441fc823469d0dadd0030181f3ab58cc1e5029b8cb651bfb4269e956d48a429db8daac2dec |
C:\Windows\System\hfoWXne.exe
| MD5 | c14083cc5cf8113026362fb02a842cac |
| SHA1 | 3e02e481fec33f59f902bea5872e4c4198b68b40 |
| SHA256 | 912696ff98a3e6fdb7cbbccc531119f5660a3eb5690bb72c0bfc811825345a24 |
| SHA512 | 667657fb0e6e13b8400f25415e78ea6efc10529cfca27f8a2996b71a6d60cc54901703fc5c62a576ae567ee4740fb2d441e8082dbf1c905b64c58987b46fa6e1 |
memory/2680-46-0x00007FF62E920000-0x00007FF62EC74000-memory.dmp
C:\Windows\System\oJdfOyP.exe
| MD5 | 424506fc5ae3f9364fd0db058a9172d5 |
| SHA1 | 73ee2845dc18b82db75cac105b9b169d13770721 |
| SHA256 | 994b9e41061ee1fc86adcf962901ef523d2495b2564a109ae37e6b8f0b7e1772 |
| SHA512 | e5bc7939ea6c99bf0f943bd30e7f7536c798696d36f0a5ba2500fe3f9ccf4f512ddd3583683028eb4bf2543474b8ba78dcf454f009a24c9dab26892503822212 |
memory/2496-53-0x00007FF69EC10000-0x00007FF69EF64000-memory.dmp
memory/3696-51-0x00007FF7D0DE0000-0x00007FF7D1134000-memory.dmp
memory/3528-50-0x00007FF6F3200000-0x00007FF6F3554000-memory.dmp
C:\Windows\System\ooNUalQ.exe
| MD5 | 467581ee690c122f0427b657649cfff6 |
| SHA1 | 64942b512d9be14e90f8ec14681e83f953bb692b |
| SHA256 | c020c53632dab3b82bfad134fb4023c2d8986879fbe68e0ef1e9db6d9be44c08 |
| SHA512 | aa34cfda582e05c1bbb6d4a76d48fcfdad3f2470bef5715915a351c6e934789b7c98b91f5823f799c3b01d5e584738564c11eb3841e8f7f091c24b131cfd358b |
memory/2968-35-0x00007FF6F18A0000-0x00007FF6F1BF4000-memory.dmp
C:\Windows\System\cQGwoHN.exe
| MD5 | 83987e642f826b169c250039c649a583 |
| SHA1 | bde35e71c62dd1e371c8c3244a5e1c5e2bf6f03f |
| SHA256 | dd50e955bd304f6ae9505442bb5db73cea8c899e6f4d91761126cd567634ade2 |
| SHA512 | a0cb823f993cd5a7cdc119f2df40ab3384b6c890f3082d24bb3cb1761c23456be5ad1f17f00380225f06fe54e9cee7effa585f2ba110137ce99ee46af3c13e3c |
memory/1708-28-0x00007FF7D3AC0000-0x00007FF7D3E14000-memory.dmp
memory/3940-16-0x00007FF7E1E90000-0x00007FF7E21E4000-memory.dmp
C:\Windows\System\lreYrzB.exe
| MD5 | 5085b197ccd7795fba7a80fcbde7beda |
| SHA1 | 54c675db5c012035677978c5605580f5777abe22 |
| SHA256 | 3c98488c4d10b24ae869cd2534006ec950fef99cf3d0f89bc422962336940ced |
| SHA512 | fb9f7aeb78110e2381053d62d80e64607fa1cb26449daee80f2a4940c6a25a8f4c5426f758198c415f1ca7167ae06142ca69a2ba93b0a8b88d79b79ff4b7f672 |
memory/2116-61-0x00007FF750630000-0x00007FF750984000-memory.dmp
C:\Windows\System\xGIRcGf.exe
| MD5 | e01395fe8c35dc3060dc05be3eae4d34 |
| SHA1 | 34528f3950a150805c1f4a27e9609a9a1782f264 |
| SHA256 | 7c28a1166ee5f00a89536c573529f8421dc703302dc57a9e9fe38ae6bd941b17 |
| SHA512 | 630bb2de44368b9d9ff1d1db52f8d97d231057d861caf2580528fe5d9664e90f3bfc189928a3713b4ad556726f0f6c38dccbd163eff11c681bbcd6cda791cb3c |
memory/5096-68-0x00007FF6412A0000-0x00007FF6415F4000-memory.dmp
C:\Windows\System\ePHIvqt.exe
| MD5 | f66f272af9a7014fdcaee7e0c48eca95 |
| SHA1 | fd7dc63595875f0f540c57e43dab4d22d3c59149 |
| SHA256 | 6ead512b4d0c26ce3f58954b98d6ef135731b77955d201ffbe85ac481525a9fd |
| SHA512 | feaa3e54a6082007a72af017b34edcecf4f1ef3ad39cabcb6de3a4fbcf8b4f9e237416a4492d04b8cee2afa9e08a18eac94473661bcdb3065ac600443452cc33 |
memory/220-77-0x00007FF746210000-0x00007FF746564000-memory.dmp
C:\Windows\System\XDATwDQ.exe
| MD5 | 8fa685b4fb52392585ac3e16d03e2b46 |
| SHA1 | 11f3d392434031e0791320ede19897a8bb0acd87 |
| SHA256 | 8be3aa1197c54539fa39adf0c0f397295581616ecfd5539985c0ab1fb51bb279 |
| SHA512 | 924133e24451ff36f44fc74042daaa5d6657d877dedca8c1c0b105c6d39b63a59f57d7081ebb86f632b756797b399025fd4cce951ef4eacbb44115de0c38a4a8 |
memory/3932-86-0x00007FF7A7E00000-0x00007FF7A8154000-memory.dmp
C:\Windows\System\PGNVXfm.exe
| MD5 | 822ed14194a7bed851664cc707c4a060 |
| SHA1 | bf8b35ebfc4795605c2996fca199a46e058a9900 |
| SHA256 | 34747f439701644a7b3487fec498d9be4aace3f9902d77785206ca57fd748ed7 |
| SHA512 | f7c4e075b657dc470fd1a343fd54c44c2f79dc43a353cb6370f03840c802bf8fc74b3ec7ec049d16b7a600523fb8712907eddb77d335ccfb568e2466014c1a3e |
memory/4468-89-0x00007FF60FEB0000-0x00007FF610204000-memory.dmp
memory/1580-85-0x00007FF70BAA0000-0x00007FF70BDF4000-memory.dmp
C:\Windows\System\jQmVZEb.exe
| MD5 | 1c02f3bb9b18c9f6ae6c7c1600defe23 |
| SHA1 | 347a533eb059bcab1ea4f546e116d97aabc25c98 |
| SHA256 | ed5f56a98397e2dc3e59fffda62e3fc942ff3d2a57eba170fbee21ed46212b46 |
| SHA512 | 3650c68416b550bfa4acfd96cf40cc74af5dccd0fc0cb810905c5764a317d01ad5f6b209a729248098d95439c1579a61cae572546ef35558a5863e9228450905 |
memory/3856-76-0x00007FF6D8BF0000-0x00007FF6D8F44000-memory.dmp
C:\Windows\System\WjskUtv.exe
| MD5 | 7ee1a20b433ca5172f7c4a115138551e |
| SHA1 | 572bdbdfc5e0126468c1824237b0b23eb1522100 |
| SHA256 | d2f475b0c5e4ae20f1232879303f252261ab7753197a80c695cd05e590b79690 |
| SHA512 | 19305e9f80ed4dac7a923a37f02c6b6ff86809683671d7504f8df689e3051f566c42c5e4120307b37a203ec38c9f93de9a724d9ffba12a3d2f9cfbc60b670621 |
memory/1668-97-0x00007FF73CE80000-0x00007FF73D1D4000-memory.dmp
memory/3940-94-0x00007FF7E1E90000-0x00007FF7E21E4000-memory.dmp
memory/1708-101-0x00007FF7D3AC0000-0x00007FF7D3E14000-memory.dmp
memory/1672-103-0x00007FF747050000-0x00007FF7473A4000-memory.dmp
C:\Windows\System\qdzaWAB.exe
| MD5 | f708e432f7d4b2e00653ca5db4fc8006 |
| SHA1 | ce67c5f1a2aa660306f297903c549273b1f9c1cb |
| SHA256 | 768ba7318060eadee9459f553ca3110bd2aa000e95830b6b68e36c08614fbcbd |
| SHA512 | 93ee12a20e4834b18b9211c2cf61b2fefaadcd04dd75e66f298039e28e2a74889cb42b4c705b12300796b167decea236e7edfdcb216b1811d71ec958e53f3e3d |
memory/2968-108-0x00007FF6F18A0000-0x00007FF6F1BF4000-memory.dmp
memory/2084-109-0x00007FF733730000-0x00007FF733A84000-memory.dmp
C:\Windows\System\tUjaLob.exe
| MD5 | 5291840bc143d134d2e5ca851e3b60a0 |
| SHA1 | 3b95d36fb9b6658c4d6ec8f06559cdc40057b01e |
| SHA256 | 6f636cbfd7d0bb607202756807967c1af799d231dd53ee3b5f84939f7e6fead5 |
| SHA512 | 173228aa36b419529dc0b623a609f6a636013be1aab0531e70f7dabecb1030332c0218d98001c14c119ee8e91bd253490b20d848605b42dcfa3728d15e36dc14 |
C:\Windows\System\xMhFTbJ.exe
| MD5 | a0d6963ba8eec3fc4013f72f451ee45d |
| SHA1 | 9bb361863bed24b5b65ed799a7d7d3e17b0dc262 |
| SHA256 | d8a5183a22006edc0ddef682d0dd683b5542d7ffea048f57a8364a0b39708ce0 |
| SHA512 | 61d868e2ef67c64fdf3579101b24d4aa8fab5bd077b931c64e0f8752af6b2206cc6bd38f8d7927ca8bc17f823966dd9e38d49b598a27421f93613897bb65f6f8 |
C:\Windows\System\fMmQTYU.exe
| MD5 | e4d8666a318f4ad79a668038861e41e6 |
| SHA1 | 8a54f4c3f1d241cfd13c34b01a1db53e5c48bb88 |
| SHA256 | 2db3f9f9460b68de517c69661e277982e961827593f433d5a786eb9b49cf2e31 |
| SHA512 | 8cd7d00e16a0c871ffbe3332189fc44f54b9e62cb6c723ff2e849689455ea5affdb169ab1f2e685b603d8a1ab32bed8c32ffb3827fda00e98f8b34f1d8e95d76 |
C:\Windows\System\KSvdLCa.exe
| MD5 | d269153e6211587e534448b7a13704f5 |
| SHA1 | dccd944bff3ec425f8ff1283d0fdf4ed36077aba |
| SHA256 | 7ac3555e3f0cfbbbb95d0f235913e66b5b543728f8b6cd7f1f74594179b72218 |
| SHA512 | 61a352a0b5188ed8137c54847703e93730d811e3dce0d60c5b18df3902194adaa28e07d622eaf56690dc70cf3001ce5e54554cbd8062c52b7aab98b53fc2a6ee |
memory/2496-129-0x00007FF69EC10000-0x00007FF69EF64000-memory.dmp
memory/4788-131-0x00007FF67B8D0000-0x00007FF67BC24000-memory.dmp
memory/3728-128-0x00007FF6889F0000-0x00007FF688D44000-memory.dmp
memory/4296-123-0x00007FF661130000-0x00007FF661484000-memory.dmp
memory/1968-116-0x00007FF655750000-0x00007FF655AA4000-memory.dmp
memory/2116-134-0x00007FF750630000-0x00007FF750984000-memory.dmp
memory/1968-135-0x00007FF655750000-0x00007FF655AA4000-memory.dmp
memory/3728-136-0x00007FF6889F0000-0x00007FF688D44000-memory.dmp
memory/4296-137-0x00007FF661130000-0x00007FF661484000-memory.dmp
memory/4788-138-0x00007FF67B8D0000-0x00007FF67BC24000-memory.dmp
memory/220-139-0x00007FF746210000-0x00007FF746564000-memory.dmp
memory/3940-140-0x00007FF7E1E90000-0x00007FF7E21E4000-memory.dmp
memory/2556-141-0x00007FF72CE00000-0x00007FF72D154000-memory.dmp
memory/1708-142-0x00007FF7D3AC0000-0x00007FF7D3E14000-memory.dmp
memory/2680-144-0x00007FF62E920000-0x00007FF62EC74000-memory.dmp
memory/2968-143-0x00007FF6F18A0000-0x00007FF6F1BF4000-memory.dmp
memory/3528-145-0x00007FF6F3200000-0x00007FF6F3554000-memory.dmp
memory/3696-147-0x00007FF7D0DE0000-0x00007FF7D1134000-memory.dmp
memory/2496-146-0x00007FF69EC10000-0x00007FF69EF64000-memory.dmp
memory/2116-148-0x00007FF750630000-0x00007FF750984000-memory.dmp
memory/5096-149-0x00007FF6412A0000-0x00007FF6415F4000-memory.dmp
memory/1580-150-0x00007FF70BAA0000-0x00007FF70BDF4000-memory.dmp
memory/4468-151-0x00007FF60FEB0000-0x00007FF610204000-memory.dmp
memory/3932-152-0x00007FF7A7E00000-0x00007FF7A8154000-memory.dmp
memory/1668-153-0x00007FF73CE80000-0x00007FF73D1D4000-memory.dmp
memory/1672-154-0x00007FF747050000-0x00007FF7473A4000-memory.dmp
memory/2084-155-0x00007FF733730000-0x00007FF733A84000-memory.dmp
memory/1968-156-0x00007FF655750000-0x00007FF655AA4000-memory.dmp
memory/3728-157-0x00007FF6889F0000-0x00007FF688D44000-memory.dmp
memory/4788-158-0x00007FF67B8D0000-0x00007FF67BC24000-memory.dmp
memory/4296-159-0x00007FF661130000-0x00007FF661484000-memory.dmp