Analysis Overview
SHA256
80e709b4318afc6b0ca242dfecc3c3f66f07e8d914aa735190721da31f080762
Threat Level: Known bad
The file 2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:32
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:32
Reported
2024-06-01 15:35
Platform
win7-20240419-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zVHSqqX.exe | N/A |
| N/A | N/A | C:\Windows\System\KRbGAAU.exe | N/A |
| N/A | N/A | C:\Windows\System\QJNvgQL.exe | N/A |
| N/A | N/A | C:\Windows\System\rfSDpjK.exe | N/A |
| N/A | N/A | C:\Windows\System\Bvbefiu.exe | N/A |
| N/A | N/A | C:\Windows\System\nRBEIxO.exe | N/A |
| N/A | N/A | C:\Windows\System\uZhzauc.exe | N/A |
| N/A | N/A | C:\Windows\System\JkHtGQT.exe | N/A |
| N/A | N/A | C:\Windows\System\XxvXbbC.exe | N/A |
| N/A | N/A | C:\Windows\System\fvfucdC.exe | N/A |
| N/A | N/A | C:\Windows\System\aLexKiE.exe | N/A |
| N/A | N/A | C:\Windows\System\VnZcCnG.exe | N/A |
| N/A | N/A | C:\Windows\System\rxGmciP.exe | N/A |
| N/A | N/A | C:\Windows\System\WfUMnzy.exe | N/A |
| N/A | N/A | C:\Windows\System\zqfwnJi.exe | N/A |
| N/A | N/A | C:\Windows\System\OOocGlp.exe | N/A |
| N/A | N/A | C:\Windows\System\rNLXeXC.exe | N/A |
| N/A | N/A | C:\Windows\System\hVwNcuE.exe | N/A |
| N/A | N/A | C:\Windows\System\YcgVupJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jyYblqv.exe | N/A |
| N/A | N/A | C:\Windows\System\xwIzOVF.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KRbGAAU.exe
C:\Windows\System\zVHSqqX.exe
C:\Windows\System\QJNvgQL.exe
C:\Windows\System\rfSDpjK.exe
C:\Windows\System\Bvbefiu.exe
C:\Windows\System\nRBEIxO.exe
C:\Windows\System\uZhzauc.exe
C:\Windows\System\JkHtGQT.exe
C:\Windows\System\XxvXbbC.exe
C:\Windows\System\fvfucdC.exe
C:\Windows\System\aLexKiE.exe
C:\Windows\System\VnZcCnG.exe
C:\Windows\System\rxGmciP.exe
C:\Windows\System\WfUMnzy.exe
C:\Windows\System\zqfwnJi.exe
C:\Windows\System\OOocGlp.exe
C:\Windows\System\rNLXeXC.exe
C:\Windows\System\hVwNcuE.exe
C:\Windows\System\YcgVupJ.exe
C:\Windows\System\jyYblqv.exe
C:\Windows\System\xwIzOVF.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:32
Reported
2024-06-01 15:35
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KRbGAAU.exe | N/A |
| N/A | N/A | C:\Windows\System\zVHSqqX.exe | N/A |
| N/A | N/A | C:\Windows\System\QJNvgQL.exe | N/A |
| N/A | N/A | C:\Windows\System\rfSDpjK.exe | N/A |
| N/A | N/A | C:\Windows\System\Bvbefiu.exe | N/A |
| N/A | N/A | C:\Windows\System\nRBEIxO.exe | N/A |
| N/A | N/A | C:\Windows\System\uZhzauc.exe | N/A |
| N/A | N/A | C:\Windows\System\JkHtGQT.exe | N/A |
| N/A | N/A | C:\Windows\System\XxvXbbC.exe | N/A |
| N/A | N/A | C:\Windows\System\fvfucdC.exe | N/A |
| N/A | N/A | C:\Windows\System\aLexKiE.exe | N/A |
| N/A | N/A | C:\Windows\System\VnZcCnG.exe | N/A |
| N/A | N/A | C:\Windows\System\rxGmciP.exe | N/A |
| N/A | N/A | C:\Windows\System\WfUMnzy.exe | N/A |
| N/A | N/A | C:\Windows\System\zqfwnJi.exe | N/A |
| N/A | N/A | C:\Windows\System\OOocGlp.exe | N/A |
| N/A | N/A | C:\Windows\System\rNLXeXC.exe | N/A |
| N/A | N/A | C:\Windows\System\hVwNcuE.exe | N/A |
| N/A | N/A | C:\Windows\System\YcgVupJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jyYblqv.exe | N/A |
| N/A | N/A | C:\Windows\System\xwIzOVF.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KRbGAAU.exe
C:\Windows\System\zVHSqqX.exe
C:\Windows\System\QJNvgQL.exe
C:\Windows\System\rfSDpjK.exe
C:\Windows\System\Bvbefiu.exe
C:\Windows\System\nRBEIxO.exe
C:\Windows\System\uZhzauc.exe
C:\Windows\System\JkHtGQT.exe
C:\Windows\System\XxvXbbC.exe
C:\Windows\System\fvfucdC.exe
C:\Windows\System\aLexKiE.exe
C:\Windows\System\VnZcCnG.exe
C:\Windows\System\rxGmciP.exe
C:\Windows\System\WfUMnzy.exe
C:\Windows\System\zqfwnJi.exe
C:\Windows\System\OOocGlp.exe
C:\Windows\System\rNLXeXC.exe
C:\Windows\System\hVwNcuE.exe
C:\Windows\System\YcgVupJ.exe
C:\Windows\System\jyYblqv.exe
C:\Windows\System\xwIzOVF.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\Windows\System\KRbGAAU.exe
C:\Windows\System\QJNvgQL.exe
C:\Windows\System\zVHSqqX.exe
C:\Windows\System\rfSDpjK.exe
C:\Windows\System\Bvbefiu.exe
C:\Windows\System\nRBEIxO.exe
C:\Windows\System\uZhzauc.exe
C:\Windows\System\JkHtGQT.exe
C:\Windows\System\XxvXbbC.exe
C:\Windows\System\aLexKiE.exe
C:\Windows\System\VnZcCnG.exe
C:\Windows\System\fvfucdC.exe
C:\Windows\System\rxGmciP.exe
C:\Windows\System\WfUMnzy.exe
C:\Windows\System\zqfwnJi.exe
C:\Windows\System\rNLXeXC.exe
C:\Windows\System\OOocGlp.exe
C:\Windows\System\hVwNcuE.exe
C:\Windows\System\jyYblqv.exe
C:\Windows\System\YcgVupJ.exe
C:\Windows\System\xwIzOVF.exe