Analysis Overview
SHA256
3aad0af3bf85b006f9b859e3ccdfb7ff233b3fbfd95fb1227d8eeb46cb57df99
Threat Level: Known bad
The file 2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX dump on OEP (original entry point)
xmrig
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 14:32
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 14:32
Reported
2024-06-06 14:35
Platform
win7-20240220-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits reported for this signature, all with every field N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits reported for this signature, all with every field N/A)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(60 hits reported for this signature, all with every field N/A)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(62 hits reported for this signature, all with every field N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AQxHoYR.exe | N/A |
| N/A | N/A | C:\Windows\System\fQQJFtm.exe | N/A |
| N/A | N/A | C:\Windows\System\rMAFwHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\riZTMEp.exe | N/A |
| N/A | N/A | C:\Windows\System\tHTeaqT.exe | N/A |
| N/A | N/A | C:\Windows\System\WBoUYvR.exe | N/A |
| N/A | N/A | C:\Windows\System\YcwrfBK.exe | N/A |
| N/A | N/A | C:\Windows\System\euEXSVI.exe | N/A |
| N/A | N/A | C:\Windows\System\lHeMGvb.exe | N/A |
| N/A | N/A | C:\Windows\System\bjywSbF.exe | N/A |
| N/A | N/A | C:\Windows\System\qETdfOk.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQSWJWM.exe | N/A |
| N/A | N/A | C:\Windows\System\LnnKxkw.exe | N/A |
| N/A | N/A | C:\Windows\System\THsfzmp.exe | N/A |
| N/A | N/A | C:\Windows\System\ULnIwZq.exe | N/A |
| N/A | N/A | C:\Windows\System\eWlKuUw.exe | N/A |
| N/A | N/A | C:\Windows\System\tCuEaLa.exe | N/A |
| N/A | N/A | C:\Windows\System\GohwhZx.exe | N/A |
| N/A | N/A | C:\Windows\System\gqlyPNC.exe | N/A |
| N/A | N/A | C:\Windows\System\qcbliwa.exe | N/A |
| N/A | N/A | C:\Windows\System\KwhzLOi.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(60 hits reported for this signature, all with every field N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AQxHoYR.exe
C:\Windows\System\AQxHoYR.exe
C:\Windows\System\rMAFwHQ.exe
C:\Windows\System\rMAFwHQ.exe
C:\Windows\System\fQQJFtm.exe
C:\Windows\System\fQQJFtm.exe
C:\Windows\System\riZTMEp.exe
C:\Windows\System\riZTMEp.exe
C:\Windows\System\tHTeaqT.exe
C:\Windows\System\tHTeaqT.exe
C:\Windows\System\WBoUYvR.exe
C:\Windows\System\WBoUYvR.exe
C:\Windows\System\YcwrfBK.exe
C:\Windows\System\YcwrfBK.exe
C:\Windows\System\euEXSVI.exe
C:\Windows\System\euEXSVI.exe
C:\Windows\System\lHeMGvb.exe
C:\Windows\System\lHeMGvb.exe
C:\Windows\System\bjywSbF.exe
C:\Windows\System\bjywSbF.exe
C:\Windows\System\qETdfOk.exe
C:\Windows\System\qETdfOk.exe
C:\Windows\System\ZQSWJWM.exe
C:\Windows\System\ZQSWJWM.exe
C:\Windows\System\LnnKxkw.exe
C:\Windows\System\LnnKxkw.exe
C:\Windows\System\THsfzmp.exe
C:\Windows\System\THsfzmp.exe
C:\Windows\System\ULnIwZq.exe
C:\Windows\System\ULnIwZq.exe
C:\Windows\System\eWlKuUw.exe
C:\Windows\System\eWlKuUw.exe
C:\Windows\System\tCuEaLa.exe
C:\Windows\System\tCuEaLa.exe
C:\Windows\System\GohwhZx.exe
C:\Windows\System\GohwhZx.exe
C:\Windows\System\gqlyPNC.exe
C:\Windows\System\gqlyPNC.exe
C:\Windows\System\qcbliwa.exe
C:\Windows\System\qcbliwa.exe
C:\Windows\System\KwhzLOi.exe
C:\Windows\System\KwhzLOi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2192-0-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/2192-1-0x000000013F150000-0x000000013F4A4000-memory.dmp
\Windows\system\AQxHoYR.exe
| MD5 | 6e866f380fa41dc76616efafff8e235a |
| SHA1 | 3090f34486bc41de8dc7cd457f522a6a915d8f70 |
| SHA256 | 1a04c59793c81e611d41909a8079cd018ed7a320f46e8ba28cb3aa9b3daef2db |
| SHA512 | ab0e053eb00742fc9f5ede60fb840b8116256e334436deed5d0e920558043c94c00b3eb64758083035914511d229748a609478ad34b8181083af7d00ab4d0333 |
memory/1788-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp
\Windows\system\rMAFwHQ.exe
| MD5 | 0991882a009703c19fbd00959f5fdd2a |
| SHA1 | a2f7b01f9c6bc629051241635c92378c60e5fdeb |
| SHA256 | 4599a819dd1a64e05780135151954760f0cd7da72ceff494cdaa23626dd1ace0 |
| SHA512 | 29663f7e5e300c2488ab17a96cc3242ecb1ba824263694f387fc96c2789560f867cb215b72a8ffd177e14284db0861c4965eab0f849df0d19993ae8d496f2cb2 |
\Windows\system\fQQJFtm.exe
| MD5 | c5a2cb7a1c3f5988ad32fcb84b0e940a |
| SHA1 | 78bc9244c2ea8f621b129551d838e215f0be3c1f |
| SHA256 | 5866f9028ea038c55bcbd41355f8623082aa00df275166175a1bf4d70ec30566 |
| SHA512 | dddf68a081b145016e78e9421fcb83eb2c8c7c9d7f0992dd4d27c3faf0beab9ee95278984e0b7f822dc2bbf8ccc57927e540a5e21ff3624e72335f17c0f99672 |
memory/2984-18-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2192-12-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2476-20-0x000000013FB50000-0x000000013FEA4000-memory.dmp
C:\Windows\system\riZTMEp.exe
| MD5 | 53c98b2869214f870dc48cd2d8fe5f76 |
| SHA1 | 6d16cccbee3d841d3f68f4d26d118c53d3ceed09 |
| SHA256 | b0686a3b685aeb6208f14657d9d20d8be6242362ebdb5b892a2b15171b339cb8 |
| SHA512 | ca1bfbec3eb10ddd9b1f90c45c1a7df66fbf5c78b2cf8794efe62af5aaead66a375bde49faf96738b8f9f4713c831eb752a6b2bac2b1e6ec91d167f2ff6fa6b0 |
memory/2600-28-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2192-25-0x000000013F5B0000-0x000000013F904000-memory.dmp
\Windows\system\WBoUYvR.exe
| MD5 | 02511534d1f0c68052e07b24e7e0d538 |
| SHA1 | f7b0bef0ad0fe35592fcd94cb119d4dff4bcaeb9 |
| SHA256 | eb8283cfc743899b0baf8b9ee5fe9dc490426f09e1a3d2ae01f1de6ee48c967d |
| SHA512 | 4565e6db2374e3ae7718ede79da3042940c683c00652260b3afc5692163ef77fbd9db663e86f946007f8afedd87d45b67e15154519d2056d9923ebace3d53776 |
C:\Windows\system\tHTeaqT.exe
| MD5 | ce07c93c75dff7a92ec1296bfb3fdabd |
| SHA1 | 7d79d978a1e1a2fcfee7922f7ca93abfb5259c01 |
| SHA256 | b6c2323f9926d0e8d92594de77797dda75d7229f98b944662940412cf44e7432 |
| SHA512 | 910fca4eb18c46cd8ba02b44499684f56d887c84601f3bee5e23f479ad588491f9703083a50a0f935dfed6fc030d6775ecb97d775453290f86c1e48f2c5bd005 |
memory/2192-39-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2192-37-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2660-40-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2512-35-0x000000013F0B0000-0x000000013F404000-memory.dmp
\Windows\system\YcwrfBK.exe
| MD5 | 02e80e2e087b178ca9bf391459eef256 |
| SHA1 | de1e3b71e8cb5a70d7cde96f1de3c2e8fb5f81e5 |
| SHA256 | 76258342d3c22a839e22e77c5d593876da62d055dd41a0b4a08e056b394777b5 |
| SHA512 | 9e257cea5412fab8d385974a20cdbca0e4fd46310c8f54a4713524ed3f2036830012a869a07908a5af89ed2d00038e2bd8220cc5e46f323fc3c15a3ce1946ca9 |
C:\Windows\system\euEXSVI.exe
| MD5 | 3ed58b0a0865f64926b19ad4363dafcc |
| SHA1 | e196d688500431bdd5b9f1db24682529da3593b2 |
| SHA256 | 312f81ab7612d84fe05158d73807ce6e09a496fa1ffce4a54145ffe4babaecab |
| SHA512 | dbef5632b4960a0417c7d545415572cbd402d2ce708b088a0f526d6a479d67da3d157e719a1a2e7e48b09db0b2ca682676c25ca6116d12bd7896b0a0f086b4e7 |
memory/2448-47-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2404-56-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2192-46-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2192-54-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2864-70-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2192-69-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\ZQSWJWM.exe
| MD5 | b525b5a6463fd1688eb4aef1a6581ba6 |
| SHA1 | ab4f3b8b2cbdf486a31e0bdbf9337cf0e9136658 |
| SHA256 | f3b4241db761fb0e04e1ca09d1c73b919c02ffcfeb6ded98173779abbc0b46ef |
| SHA512 | 37dfd45d327bc34cc76611df04574b1cdb01a4bdd840aa19683a5ec8ebaa29e3472fba2c24bfa6d8993371f102ddaf378b82b5d3d3cfac6f144d8db9ae6fc26e |
memory/2640-86-0x000000013FED0000-0x0000000140224000-memory.dmp
C:\Windows\system\THsfzmp.exe
| MD5 | 632af46332d3a819c99267ce065ef96e |
| SHA1 | 06e8cb68c24043f801dfdda21814709d8a1ed1a8 |
| SHA256 | 5bf77b946069bedaca18fd4055310ba733607af0c8bfa0cd5d40ea8bc1b081f2 |
| SHA512 | aee7b4f421a7a5b9e72ed4511ca033f366343390d82afb18b1f54b8d8cb90eef716a0dbd999ea840689cf2937e3426cba7e9572afca4de2402a4600333634b59 |
C:\Windows\system\qcbliwa.exe
| MD5 | e3860b7f5f3f291b57c51dbf1f6ac746 |
| SHA1 | 5de754ee16ad12f40b463b810c57881e4f449ff8 |
| SHA256 | 155d9c8abb5b00c1dc89ae360f01b1d1d2ddee9ede71f46c532511f8f85eec4d |
| SHA512 | 9d88302643034a82ee5f115732f06d7e3ce05b154b402d6157ed42eca50cc6f99d2073faaeb9adfc6c085f3b8ccdd217e92effdcf34fb95ee940817db6cc008e |
\Windows\system\KwhzLOi.exe
| MD5 | b00dd81c5b8dbcbda1ec3c34b6c1380b |
| SHA1 | 1fc54012c433a1a66d7df76c220c1f825f5428af |
| SHA256 | 8b530a6adb03610bc3ba10d469c72d4f6a00bf67d6c027d7fb55561f578e5694 |
| SHA512 | 5e35491dfba712dcf50b5af4182a3aa3e136a162270dc7fa536911457dde49ba33fe1fc722afea9c4f52ba73b7d916ab5be7cd2c4d017a812ba39f4a5517a807 |
C:\Windows\system\gqlyPNC.exe
| MD5 | 4c6dc55ac1a1afb29b8afda37e174388 |
| SHA1 | 1481d9c830d9784850c8e4f1be760221482c3985 |
| SHA256 | 9182a335b50d042524e4533a72f56bdb51e0feb5a92cb1d79413fdc3f2ba5f98 |
| SHA512 | 0640e6fbea85d79723bc0b113dcd209245ff147b6f05ed372490768cf7df37561862cccd40f2102ac589cf9e6aeab4ba38206f1e8b7d53c548bd68139b5c2fcf |
C:\Windows\system\GohwhZx.exe
| MD5 | 8201f60366b58ca5e3c27de050db4107 |
| SHA1 | fb4537af0c04c496ac85ec335686115fe54efd90 |
| SHA256 | 553262e2f1c913571b3189da05122c87349e6f12d059a79e4fab873345a264e8 |
| SHA512 | 80e7af1ba118a71d684c83ac7121f0f0645a6ce030274970605a7209cdac1a316285758ef3de10c0e5842bea17df2bf8fbfddf4d4945bd494444b11fb9220843 |
C:\Windows\system\tCuEaLa.exe
| MD5 | 575bc57cf00b28e5fc86ef00a96b54a9 |
| SHA1 | 9d7f87a40da32a42040df9e881afc468a581e9d2 |
| SHA256 | 49ceb941cd965f9ac8a5e463bd198702bc9a6b8a18fecd104f2b8d0376e4e9ff |
| SHA512 | 95caf032c30c027ca6cde123947bebe0ba00b48ac07c0cc5e73705f0ceac2f8d09a8250a1199b4782bebbf52a26d498b497ceb7c3362926dd3f5a9bdbc728115 |
C:\Windows\system\eWlKuUw.exe
| MD5 | 84695b42b75ace417fa6b5fcddc8eca9 |
| SHA1 | 72ddaf9d9d590b3343c7b3a69adfbf17a0977c37 |
| SHA256 | 037fb13da6460e3cddf732c5c62fc30efc126511199b9035426575c71df36d5c |
| SHA512 | 41a1f0e50422fb5fbf1ec17e0e00667c754b4937e57c388e84a855f22bd9f0c13976bafdcc0382ae5e90d4d1125839f4df232daeec65e9013e48a1bdfe5c5146 |
memory/2192-104-0x0000000002460000-0x00000000027B4000-memory.dmp
C:\Windows\system\ULnIwZq.exe
| MD5 | 36f695a3f4d33d9b5b7a2510393c6c65 |
| SHA1 | f13e01e88926f3f63ce3964a22d254628eaa4e26 |
| SHA256 | 010c6762a347d80e1d6af530578be22a8f3985f38ccbd1ab0b1e2609c81bc68e |
| SHA512 | 7cdad55b95fa57b8c08ecd539c681dde1c4994cf21d4381537fd2382524fa67ab92b1ecdfd77aa43e1c4773735c450483253396a415ed93e8a9763a141e496f6 |
memory/2844-99-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2820-93-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2192-92-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2600-91-0x000000013F5B0000-0x000000013F904000-memory.dmp
C:\Windows\system\LnnKxkw.exe
| MD5 | f300f4ec2c3c3149846e79a45b9aa607 |
| SHA1 | 77796be619439d28e40bb9ed54e5098296e8c743 |
| SHA256 | 0fb3034731e7c7a9fed7ef0ad0f344c847e0c783276b982a0d28018ec8bae975 |
| SHA512 | a9aa2c8473b98d44aa86f312df889f9c01495984cd758d37283805ed9d6b49578fd89e11f510eb791aa8bfa4cfe60d1700ced4be0a3d8141b80018cd7938f1d1 |
memory/2192-85-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2476-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2044-77-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2192-76-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2984-75-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\qETdfOk.exe
| MD5 | 868b2e8b4453c3bed6d30d9bc91b7a2b |
| SHA1 | 3101e7ef6e640a7c44fc9953715e72bfbb27bbd6 |
| SHA256 | 600892c2ee1c53976b53096b1d0521065a3d04b07746b9396aca0a5f5eac676a |
| SHA512 | d10a4093e1e62b6eb643c33bbee655ee370798dc9e605d9edf59916290851736dc4701448ba5af8866f0b7796505bda48020738c51efd85ad8ec75308a6256e6 |
memory/2660-136-0x000000013FFD0000-0x0000000140324000-memory.dmp
C:\Windows\system\bjywSbF.exe
| MD5 | 42227e40c23b12fefe00607a5c21861f |
| SHA1 | 7f1e35b0aac5fbc2628bf4ce125c8d9ec13ac64d |
| SHA256 | b117345dd357ad728950579464e913754c8a61f361c4fbc032b419a257285f55 |
| SHA512 | 04e520ca40342f9a152069c9bea110b575a043aad1625b13c0d12ceded82657d98a9e8e17eaa22aab213a396b4b82eb815f8986898b3e9206a791ed08eb0e7ab |
memory/2856-62-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2192-61-0x000000013FF30000-0x0000000140284000-memory.dmp
C:\Windows\system\lHeMGvb.exe
| MD5 | fd758c80ca265ba8f9d2fd0144aa6b0f |
| SHA1 | 895b1e1e9a93e3e913171721b2c9ff891adf7c9a |
| SHA256 | f604756d2e40cfd0b3d712355b43993c1f422b78c9047adbb2016a2d6c618b07 |
| SHA512 | b5a10f8bcf8826388f91c22a268a76d2d8d49384056278789e61ec9c8ca95b7ca0c56c4bfefe089f64fa3d4546def5f9686c7317405a0d23cbf48653d14bc69f |
memory/2448-137-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2192-138-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2856-139-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2192-140-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2044-141-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2192-142-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2192-143-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2820-144-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2844-145-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/1788-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2984-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2476-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2600-149-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2512-150-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2660-151-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2404-152-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2448-153-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2856-154-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2864-155-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2044-156-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2640-157-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2820-158-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2844-159-0x000000013F250000-0x000000013F5A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 14:32
Reported
2024-06-06 14:35
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits reported for this signature, all with every field N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 hits reported for this signature, all with every field N/A)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 hits reported for this signature, all with every field N/A)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 hits reported for this signature, all with every field N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DBRmGrK.exe | N/A |
| N/A | N/A | C:\Windows\System\DvuFyiF.exe | N/A |
| N/A | N/A | C:\Windows\System\OIroWEp.exe | N/A |
| N/A | N/A | C:\Windows\System\RiDdZoi.exe | N/A |
| N/A | N/A | C:\Windows\System\JiQRnYN.exe | N/A |
| N/A | N/A | C:\Windows\System\YTSIudd.exe | N/A |
| N/A | N/A | C:\Windows\System\aFtbXjT.exe | N/A |
| N/A | N/A | C:\Windows\System\FJpbPfe.exe | N/A |
| N/A | N/A | C:\Windows\System\nsecmVd.exe | N/A |
| N/A | N/A | C:\Windows\System\nSPNcgi.exe | N/A |
| N/A | N/A | C:\Windows\System\MQzCSBf.exe | N/A |
| N/A | N/A | C:\Windows\System\RqOFpEC.exe | N/A |
| N/A | N/A | C:\Windows\System\RvDWRqi.exe | N/A |
| N/A | N/A | C:\Windows\System\wUxKFRM.exe | N/A |
| N/A | N/A | C:\Windows\System\TsYFzga.exe | N/A |
| N/A | N/A | C:\Windows\System\nuROKDz.exe | N/A |
| N/A | N/A | C:\Windows\System\JDAvwoF.exe | N/A |
| N/A | N/A | C:\Windows\System\DkMvpyD.exe | N/A |
| N/A | N/A | C:\Windows\System\RYlKGgT.exe | N/A |
| N/A | N/A | C:\Windows\System\xNJPeAf.exe | N/A |
| N/A | N/A | C:\Windows\System\VppWLZz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 hits reported for this signature, all with every field N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\DBRmGrK.exe
C:\Windows\System\DBRmGrK.exe
C:\Windows\System\DvuFyiF.exe
C:\Windows\System\DvuFyiF.exe
C:\Windows\System\OIroWEp.exe
C:\Windows\System\OIroWEp.exe
C:\Windows\System\RiDdZoi.exe
C:\Windows\System\RiDdZoi.exe
C:\Windows\System\JiQRnYN.exe
C:\Windows\System\JiQRnYN.exe
C:\Windows\System\YTSIudd.exe
C:\Windows\System\YTSIudd.exe
C:\Windows\System\aFtbXjT.exe
C:\Windows\System\aFtbXjT.exe
C:\Windows\System\FJpbPfe.exe
C:\Windows\System\FJpbPfe.exe
C:\Windows\System\nsecmVd.exe
C:\Windows\System\nsecmVd.exe
C:\Windows\System\nSPNcgi.exe
C:\Windows\System\nSPNcgi.exe
C:\Windows\System\MQzCSBf.exe
C:\Windows\System\MQzCSBf.exe
C:\Windows\System\RqOFpEC.exe
C:\Windows\System\RqOFpEC.exe
C:\Windows\System\RvDWRqi.exe
C:\Windows\System\RvDWRqi.exe
C:\Windows\System\wUxKFRM.exe
C:\Windows\System\wUxKFRM.exe
C:\Windows\System\TsYFzga.exe
C:\Windows\System\TsYFzga.exe
C:\Windows\System\nuROKDz.exe
C:\Windows\System\nuROKDz.exe
C:\Windows\System\JDAvwoF.exe
C:\Windows\System\JDAvwoF.exe
C:\Windows\System\DkMvpyD.exe
C:\Windows\System\DkMvpyD.exe
C:\Windows\System\RYlKGgT.exe
C:\Windows\System\RYlKGgT.exe
C:\Windows\System\xNJPeAf.exe
C:\Windows\System\xNJPeAf.exe
C:\Windows\System\VppWLZz.exe
C:\Windows\System\VppWLZz.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 23.62.61.73:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.61.62.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\DBRmGrK.exe
C:\Windows\System\DvuFyiF.exe
C:\Windows\System\OIroWEp.exe
C:\Windows\System\RiDdZoi.exe
C:\Windows\System\JiQRnYN.exe
C:\Windows\System\YTSIudd.exe
C:\Windows\System\aFtbXjT.exe
C:\Windows\System\FJpbPfe.exe
C:\Windows\System\nsecmVd.exe
C:\Windows\System\nSPNcgi.exe
C:\Windows\System\MQzCSBf.exe
C:\Windows\System\RqOFpEC.exe
C:\Windows\System\RvDWRqi.exe
C:\Windows\System\wUxKFRM.exe
C:\Windows\System\TsYFzga.exe
C:\Windows\System\nuROKDz.exe
C:\Windows\System\JDAvwoF.exe
C:\Windows\System\DkMvpyD.exe
C:\Windows\System\xNJPeAf.exe
C:\Windows\System\RYlKGgT.exe
C:\Windows\System\VppWLZz.exe