Analysis Overview
SHA256
f5851138c90455555ea2f0f1e55b7447069c83f70bd40963159d9b4ccd84c68c
Threat Level: Known bad
The file 2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 18:14
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 18:14
Reported
2024-06-06 18:16
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qpixQxX.exe | N/A |
| N/A | N/A | C:\Windows\System\HUmevNu.exe | N/A |
| N/A | N/A | C:\Windows\System\yzlBTfj.exe | N/A |
| N/A | N/A | C:\Windows\System\LsvOVqL.exe | N/A |
| N/A | N/A | C:\Windows\System\KXvoIRx.exe | N/A |
| N/A | N/A | C:\Windows\System\JxVsfaC.exe | N/A |
| N/A | N/A | C:\Windows\System\OfdYZqW.exe | N/A |
| N/A | N/A | C:\Windows\System\CSXATNF.exe | N/A |
| N/A | N/A | C:\Windows\System\CNSTUKt.exe | N/A |
| N/A | N/A | C:\Windows\System\SRurGDz.exe | N/A |
| N/A | N/A | C:\Windows\System\eCNnNMX.exe | N/A |
| N/A | N/A | C:\Windows\System\DHBJBLI.exe | N/A |
| N/A | N/A | C:\Windows\System\tZgJruj.exe | N/A |
| N/A | N/A | C:\Windows\System\LRPECIp.exe | N/A |
| N/A | N/A | C:\Windows\System\WEHXHaU.exe | N/A |
| N/A | N/A | C:\Windows\System\GoQspZl.exe | N/A |
| N/A | N/A | C:\Windows\System\pWTEXyL.exe | N/A |
| N/A | N/A | C:\Windows\System\JJuBjvb.exe | N/A |
| N/A | N/A | C:\Windows\System\aqOwWKa.exe | N/A |
| N/A | N/A | C:\Windows\System\PaJOKez.exe | N/A |
| N/A | N/A | C:\Windows\System\bSqUJLZ.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qpixQxX.exe
C:\Windows\System\qpixQxX.exe
C:\Windows\System\HUmevNu.exe
C:\Windows\System\HUmevNu.exe
C:\Windows\System\yzlBTfj.exe
C:\Windows\System\yzlBTfj.exe
C:\Windows\System\LsvOVqL.exe
C:\Windows\System\LsvOVqL.exe
C:\Windows\System\KXvoIRx.exe
C:\Windows\System\KXvoIRx.exe
C:\Windows\System\JxVsfaC.exe
C:\Windows\System\JxVsfaC.exe
C:\Windows\System\OfdYZqW.exe
C:\Windows\System\OfdYZqW.exe
C:\Windows\System\CSXATNF.exe
C:\Windows\System\CSXATNF.exe
C:\Windows\System\CNSTUKt.exe
C:\Windows\System\CNSTUKt.exe
C:\Windows\System\SRurGDz.exe
C:\Windows\System\SRurGDz.exe
C:\Windows\System\eCNnNMX.exe
C:\Windows\System\eCNnNMX.exe
C:\Windows\System\DHBJBLI.exe
C:\Windows\System\DHBJBLI.exe
C:\Windows\System\tZgJruj.exe
C:\Windows\System\tZgJruj.exe
C:\Windows\System\LRPECIp.exe
C:\Windows\System\LRPECIp.exe
C:\Windows\System\WEHXHaU.exe
C:\Windows\System\WEHXHaU.exe
C:\Windows\System\GoQspZl.exe
C:\Windows\System\GoQspZl.exe
C:\Windows\System\pWTEXyL.exe
C:\Windows\System\pWTEXyL.exe
C:\Windows\System\JJuBjvb.exe
C:\Windows\System\JJuBjvb.exe
C:\Windows\System\aqOwWKa.exe
C:\Windows\System\aqOwWKa.exe
C:\Windows\System\PaJOKez.exe
C:\Windows\System\PaJOKez.exe
C:\Windows\System\bSqUJLZ.exe
C:\Windows\System\bSqUJLZ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3068-0-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/3068-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\qpixQxX.exe
| MD5 | ccaf4e90192a9858556c520c247e79eb |
| SHA1 | 69eaa98bf6d52fb62fbbfbd66a3dcd437369d7bd |
| SHA256 | c760786be003a4f612779cd1dc048b72e5055c991112957c75b111b2db7c3d13 |
| SHA512 | 7bfbe1c40d15d96b3f2c3d49aa1152b4f2403d51b5f9bcb9fde60ee4ae6cb40831c8149e7c923918f458f7a14301a71fa1f75e1cdf7bf7dd3a37c8568311aad1 |
memory/2452-9-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/3068-8-0x0000000002200000-0x0000000002554000-memory.dmp
C:\Windows\system\HUmevNu.exe
| MD5 | d2229139cd32dd4fac4953970d9d768f |
| SHA1 | 329527597e6be7dd58b8468135d28babdf0cfd64 |
| SHA256 | 5493b32b67819f729c87c3dd0c524c72e798975605404c01fea5b0db01a3849c |
| SHA512 | 42c6a7c7b0fd0aa350a97191bbb425fda4f0eebc148ef3a5be8dbf9f94fa53a46e9b271e5f5e43a99127f785c2e579655e1857a4aef2b010c941c3da88f6705f |
memory/2616-16-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/3068-14-0x0000000002200000-0x0000000002554000-memory.dmp
C:\Windows\system\yzlBTfj.exe
| MD5 | b63deba39dbd2b702753b9782070f573 |
| SHA1 | e9585ef68f5937821dee77478b0799c8c06f182e |
| SHA256 | 51bf5a8171b0f17bccc47644879824b9e69f4b5b921029a7a7854271564a99d1 |
| SHA512 | 8881cc26b1986b8218d531051cd210474bb0dbce5966417d8c6f85e937cd1050fb367ccac5dc7f0db49f5d188e92d2061bc7a00078aa83a689da258c56fcab8f |
memory/2848-23-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/3068-22-0x000000013F9C0000-0x000000013FD14000-memory.dmp
C:\Windows\system\LsvOVqL.exe
| MD5 | 6dc667d9bf240a0592c6301038a1a6ec |
| SHA1 | 0553cbeaad552ff751405dc6c66db8714ee1ef0b |
| SHA256 | f6021be748336443bf6913ab0f2ce7352b1342b12aed284e98298c5141df7c37 |
| SHA512 | 6d17b46034a41e83a8d20bcb61904608651c865a5550435d348a413165fee9d678d8b72f3a623dbf994cbaa60a976d2db0d3a7d79a1c67ecae931a75c7236f33 |
memory/3068-28-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/3068-38-0x0000000002200000-0x0000000002554000-memory.dmp
memory/3068-48-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/3068-49-0x000000013F7C0000-0x000000013FB14000-memory.dmp
C:\Windows\system\CSXATNF.exe
| MD5 | b5374ffa6569776bb6011531dfe87342 |
| SHA1 | 9552ed6ce1b15b956e67c4c3c3a90607d66571c9 |
| SHA256 | 3bbf4f35112443bc051732b77fb932a64c76cef70731dc5f24c72545222d1ae9 |
| SHA512 | 99e7e6a62c181e74d8f15e43df56a61ba99ee4c4d8975f823eca6486c1479d6e6e8ed0c715026662d4b8bdebb3f8e6bef114b7220a2f99d1e1b98e806527e6d3 |
memory/2068-55-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2800-44-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2548-69-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/3068-78-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2064-84-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2864-94-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/3068-107-0x0000000002200000-0x0000000002554000-memory.dmp
C:\Windows\system\bSqUJLZ.exe
| MD5 | b1564c52505d29223a90fb302f7c13a2 |
| SHA1 | 9101a9fa85ceb0e92e88911b4c9cfa7290604392 |
| SHA256 | 07cb90c8f64845b70f0b2366c5ca0f60c14fccdeb9d9494268384d95c529a687 |
| SHA512 | 17f7c59d27c569257c8c4315bdd5489d44e3a2332be960e4735d248d67613e82ee804b1d1e4cdede975707e69e104c359e9707d9ef53e7d99893cc0ad102a35d |
C:\Windows\system\PaJOKez.exe
| MD5 | ff2dd77b8f04008c10c2132c43408685 |
| SHA1 | d91c2e822bcee5072886765d18a0ff3f6ea2ea58 |
| SHA256 | 0c17e508b6a6a0d91e60fcbc2d36ac6b903ce5af25995077bb1e6350d3b6666a |
| SHA512 | 1323bf5d3600fe7434ea1d1afdf40276a45742c9011845e55da7851f9490a82f85a3bb866adcc992f95001d273512a40102db18e16e66bb5e2852496c0dfeb56 |
C:\Windows\system\aqOwWKa.exe
| MD5 | 9337a012ba05203d06d18075ff0c4687 |
| SHA1 | 816292621a19f9807041b20f28a27c2a5be89e23 |
| SHA256 | d03122ee592580ace32cc81b0b8f6873a85569ebda64f326e1fae04a109a78e7 |
| SHA512 | 3019842227f5d72b351d2824215bfa3b229b26334c674528ddea521d5fb86e10414075be0aba1655799f74384cd9f39fe94e10b2eeeac352c0fe797279b51e48 |
C:\Windows\system\JJuBjvb.exe
| MD5 | 68042017754a70fab8583cf47b3a8295 |
| SHA1 | 1b7c40c26d555ad71af1ed83c1ddc1e0d5bc4b02 |
| SHA256 | 3fddc7131ebd4fdaccb8f3d1a858fc9b9054ece9dbeb8629ad27908f521ca202 |
| SHA512 | c3323903ff1760ff6e50f579cb12cd5673697873afa0f07d1a892405106dbc7cb5738806649b2b20308dab0fa500daf402d8ac1a491760d6a057ec447b2604f1 |
C:\Windows\system\pWTEXyL.exe
| MD5 | b647e19ad40a6bdd2f275bf8caec5dc6 |
| SHA1 | 65418a28dfc1057768b90b3f6bd7621a381305c2 |
| SHA256 | 5b5e2b99c97018a0e23bf989745ddf6b3980d49ea9a8f12c102a1434bb3d71f0 |
| SHA512 | 2ef0e9240e58fd4e5ac5cc9b77400217181a92fa10a6d73c3706f0f45aa9cd4a10d84d913298baaeb0fcb801f781915823a480e2ed16ea5c00f35e7a3dc64a05 |
C:\Windows\system\GoQspZl.exe
| MD5 | 84fce61e7ba8f17cf2f0ec8c8240e5e2 |
| SHA1 | a47e54fb2840ba0c149a2bbf3df97bd501b241b1 |
| SHA256 | 444244ef6981af02beeef1f9eea9c0bf23912eadc8f65212fbed60b8e41405bf |
| SHA512 | 7e75d660d44b6eb7f935771da59bc33ce14f645d364e98ea42419be6d48925ca2203f91749ba2bf2dfcf08439d07c8fdc7ceeeefd1a2f3bf8c3bacd04724123e |
memory/2088-138-0x000000013F510000-0x000000013F864000-memory.dmp
C:\Windows\system\WEHXHaU.exe
| MD5 | e7c95bd4618e7a8acdcde6297005f170 |
| SHA1 | eabdad799e65c6f38df4b04ada0a1b2ebf119b2d |
| SHA256 | f9610fd2337b82b0964249f74fbc29c7557129d5866a327333c0a5e9a7ca9573 |
| SHA512 | 3bdc15439f16cd8a5a77d72e18e1ebc2a8524653b4d7d832d791fe265278c1e730f91a8063993f3fea27b820778a83da66a1787f0431368253c79ecc878ad071 |
memory/2980-102-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/3068-93-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2812-92-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2800-91-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/3068-101-0x0000000002200000-0x0000000002554000-memory.dmp
C:\Windows\system\LRPECIp.exe
| MD5 | 899b1fce7fb37a42022b8d75813b97d0 |
| SHA1 | 8e4879c9f8514226d3035b6dbc56edc79af9ea90 |
| SHA256 | d6135fc7fff4377aaabdca4b789f248b8b753e092cbd2b7bd41f5bb4828847a9 |
| SHA512 | 08eca19b4f9031fe98c6669cc4ee7167e505da402ade17b1d47f7cb0227bf39a076abed21b9cba6a9e878f6ae8a2c1c97f3ddb5baf9d0d75cc2f43557856c381 |
memory/2640-90-0x000000013FBD0000-0x000000013FF24000-memory.dmp
C:\Windows\system\tZgJruj.exe
| MD5 | 2ed99325ab13dde528d6dd1b7fb6c9be |
| SHA1 | 25f5e2ced6ce5780a1418cd852f4e9bd5a39ab07 |
| SHA256 | e7f836806d3381ff76ca3f90a96dd9da6ed13305c891003ee3dbd8e6b2852fbe |
| SHA512 | 2947b562b5b08b7400b755e85fdc9c69903680b90539660506473e6b1b16895d124359d50e5474b9aa99699856156a7c9af8f6fa5f74b986ce3d83176967fb73 |
C:\Windows\system\eCNnNMX.exe
| MD5 | 2ab8dfa292dbdd3aee4763a866c04652 |
| SHA1 | 306a48c5b524535767ddbc046fc7c513685b3506 |
| SHA256 | d551188e636b9989c2fc86185915106bbb7459426fe3dc21f039248814673173 |
| SHA512 | f2857580e8cc494cf808c7f47ffd4cad91b3927aebfa60a2ce4f03b2b9de252ec0b995133ab64fccc230bccda8a03cc455e1fde602de8212823b22095d04ff72 |
memory/3068-83-0x000000013F9C0000-0x000000013FD14000-memory.dmp
C:\Windows\system\DHBJBLI.exe
| MD5 | 4a4614a664745cb9ee93255551da96bb |
| SHA1 | accf224c060f24c7f7ca07f3cc619ba664a23496 |
| SHA256 | e9ce730e075eccea4d5d7c95f14fdffb807b76b22a53ba30d1da5d83a5daaba4 |
| SHA512 | e50d8ebc9ae816ee6ab29270f99b9df436222bf1cc667dfd896788ede046cd43d25c3c8e966cf00eff1ee473db66cb5b9e272f700032e0b9ab605540fd45c70d |
memory/2992-77-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2576-63-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/3068-68-0x0000000002200000-0x0000000002554000-memory.dmp
memory/3068-62-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
C:\Windows\system\CNSTUKt.exe
| MD5 | d937132312c5dea21fe720f2c5a9df6d |
| SHA1 | 73c327cdf9882e8515fb0a3aff08bcd014c6371d |
| SHA256 | 846a3b84dcc2a022f175b9c5fcd219c3a5018e4a1865867e1737b8136b39d3d8 |
| SHA512 | 0adeb912af242096daae513eb488a0257d73ae6c5ac01daca556be2194cb035688a01442de5318678be35185205ce9c63c9b60261c0778703a357ab6b11d4bce |
C:\Windows\system\SRurGDz.exe
| MD5 | 4f56e87d624ad22f4c4604cde1e6268f |
| SHA1 | fdd7cc82322fceb92783b5b7287edad7e5199324 |
| SHA256 | 4550037008da7afef1bb7d498e72726c7eda97140acf005e47a1822cb71f7c3a |
| SHA512 | 107646bb65c40e12b6e64418d5180be8aef0d07b2bb00329f31c475a62ac370449198a6ab1e026bfc13493b5b149f6e45a9be2b59093fc3885576693dfe926ea |
C:\Windows\system\JxVsfaC.exe
| MD5 | 77b7a2d75c0e6050d032690b38375586 |
| SHA1 | 13d92975a8aa18d6c65a6607242832ecdc04c091 |
| SHA256 | f52db8f02644663a4906f18cbe46c489b8bd1c07f4b6500a7f55fef4561798dd |
| SHA512 | 6418016e838b8e8b48d35baf0e40e0d93a82eaf3708384164dfef255f86ed266338ebea5d3e849ea4c2ab8acb3f6400f5e2cb2fcff793cfbb06bc8dcab557d49 |
\Windows\system\OfdYZqW.exe
| MD5 | f571b9ed97a788b3058d7e60d7eba399 |
| SHA1 | 4ef080c30c85f7ae8ec825eb0feb9f511407ea4f |
| SHA256 | f3f1eed909d3bc50145cc32041abc681ea75a9c940aec3cd1a52a2f4ff91e0cf |
| SHA512 | 4f775e5d8d53ed19ee899d586ff22d2fbe04f0fec4908438d8d56ae46f3f805612aeceb9fd55b8fe40839501b80074a6353355e8ae2df4da756bdd1b40f5527c |
C:\Windows\system\KXvoIRx.exe
| MD5 | 4d91ef979e52aaad2a5a988b54c2957f |
| SHA1 | 4e2b33e9738ec359bf4353349e859362ced84c1f |
| SHA256 | e8e3083edbaf868c44dc7f7e838702866f6ae731670b59c5fd530f45326f9f2b |
| SHA512 | 8c8b2e6990743c7ddeb935f69ff12a06b302b6ce39534d0dd9e6719acbfe6ede950fa0b09318b634ebb8f6509073d229d07de8186642fab652d707434b5f24ca |
memory/2088-56-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2812-47-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2640-29-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2548-139-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2992-140-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/3068-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2064-142-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/3068-143-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2864-144-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/3068-145-0x0000000002200000-0x0000000002554000-memory.dmp
memory/2452-146-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2616-147-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2848-148-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2640-149-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2800-150-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2812-151-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2068-152-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2576-153-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2548-154-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2088-155-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2992-156-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2064-157-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2864-158-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2980-159-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 18:14
Reported
2024-06-06 18:16
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qpixQxX.exe | N/A |
| N/A | N/A | C:\Windows\System\HUmevNu.exe | N/A |
| N/A | N/A | C:\Windows\System\yzlBTfj.exe | N/A |
| N/A | N/A | C:\Windows\System\LsvOVqL.exe | N/A |
| N/A | N/A | C:\Windows\System\KXvoIRx.exe | N/A |
| N/A | N/A | C:\Windows\System\JxVsfaC.exe | N/A |
| N/A | N/A | C:\Windows\System\OfdYZqW.exe | N/A |
| N/A | N/A | C:\Windows\System\CSXATNF.exe | N/A |
| N/A | N/A | C:\Windows\System\CNSTUKt.exe | N/A |
| N/A | N/A | C:\Windows\System\SRurGDz.exe | N/A |
| N/A | N/A | C:\Windows\System\eCNnNMX.exe | N/A |
| N/A | N/A | C:\Windows\System\DHBJBLI.exe | N/A |
| N/A | N/A | C:\Windows\System\tZgJruj.exe | N/A |
| N/A | N/A | C:\Windows\System\LRPECIp.exe | N/A |
| N/A | N/A | C:\Windows\System\WEHXHaU.exe | N/A |
| N/A | N/A | C:\Windows\System\GoQspZl.exe | N/A |
| N/A | N/A | C:\Windows\System\pWTEXyL.exe | N/A |
| N/A | N/A | C:\Windows\System\JJuBjvb.exe | N/A |
| N/A | N/A | C:\Windows\System\aqOwWKa.exe | N/A |
| N/A | N/A | C:\Windows\System\PaJOKez.exe | N/A |
| N/A | N/A | C:\Windows\System\bSqUJLZ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_401158d80ce612f9c18ca3a3c9a2d70d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qpixQxX.exe
C:\Windows\System\qpixQxX.exe
C:\Windows\System\HUmevNu.exe
C:\Windows\System\HUmevNu.exe
C:\Windows\System\yzlBTfj.exe
C:\Windows\System\yzlBTfj.exe
C:\Windows\System\LsvOVqL.exe
C:\Windows\System\LsvOVqL.exe
C:\Windows\System\KXvoIRx.exe
C:\Windows\System\KXvoIRx.exe
C:\Windows\System\JxVsfaC.exe
C:\Windows\System\JxVsfaC.exe
C:\Windows\System\OfdYZqW.exe
C:\Windows\System\OfdYZqW.exe
C:\Windows\System\CSXATNF.exe
C:\Windows\System\CSXATNF.exe
C:\Windows\System\CNSTUKt.exe
C:\Windows\System\CNSTUKt.exe
C:\Windows\System\SRurGDz.exe
C:\Windows\System\SRurGDz.exe
C:\Windows\System\eCNnNMX.exe
C:\Windows\System\eCNnNMX.exe
C:\Windows\System\DHBJBLI.exe
C:\Windows\System\DHBJBLI.exe
C:\Windows\System\tZgJruj.exe
C:\Windows\System\tZgJruj.exe
C:\Windows\System\LRPECIp.exe
C:\Windows\System\LRPECIp.exe
C:\Windows\System\WEHXHaU.exe
C:\Windows\System\WEHXHaU.exe
C:\Windows\System\GoQspZl.exe
C:\Windows\System\GoQspZl.exe
C:\Windows\System\pWTEXyL.exe
C:\Windows\System\pWTEXyL.exe
C:\Windows\System\JJuBjvb.exe
C:\Windows\System\JJuBjvb.exe
C:\Windows\System\aqOwWKa.exe
C:\Windows\System\aqOwWKa.exe
C:\Windows\System\PaJOKez.exe
C:\Windows\System\PaJOKez.exe
C:\Windows\System\bSqUJLZ.exe
C:\Windows\System\bSqUJLZ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
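The Network table above mixes three kinds of traffic: reverse-DNS (PTR) queries the sandbox sends to 8.8.8.8 for addresses it has seen, connections to Microsoft content hosts (www.bing.com, tse1.mm.bing.net) that a stock Windows VM generates on its own, and six direct TCP connections to 3.120.209.58:8080 with no name resolution in front of them. The script below is an added example, not part of the sandbox report: it parses rows in the table's format (tolerating the shifted empty Domain cell that some extractions produce), decodes each PTR name back into the address it asks about, and separates the three classes so the direct-IP endpoint can be pulled out for blocking or hunting. The rows are copied from the table; the benign-suffix list is an assumption for this sandbox image, and the report itself does not label 3.120.209.58:8080 as the beacon's C2, so treat it as a candidate to confirm against the dumped configuration.

```python
"""Triage a sandbox 'Network' table: split reverse-DNS and Windows background
traffic from direct-to-IP connections worth blocking. Added example; not part
of the sandbox report."""
import re
from collections import Counter

# Constructed input: the rows of the report's Network table, copied from the page.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
# Hosts a stock Windows VM contacts by itself; an assumption for this sandbox image.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_row(line):
    """Split one table row; an empty Domain cell may be missing or shifted."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    proto = next(c for c in cells[2:] if c in ("tcp", "udp"))
    domain = next((c for c in cells[2:] if c not in ("tcp", "udp")), "")
    return {"country": cells[0], "dest": cells[1], "domain": domain, "proto": proto}


def triage(rows_text, benign_suffixes=BENIGN_SUFFIXES):
    """Return the PTR-resolved IPs, benign-host counts and candidate C2 endpoints."""
    ptr_ips, benign, candidates = set(), Counter(), Counter()
    for line in rows_text.splitlines():
        if not line.startswith("|") or line.startswith("| Country"):
            continue
        row = parse_row(line)
        ip = ptr_to_ip(row["domain"])
        if ip:
            ptr_ips.add(ip)                      # sandbox reverse lookup, not malware traffic
        elif row["domain"].endswith(benign_suffixes):
            benign[row["domain"]] += 1           # Windows background noise
        elif not row["domain"]:
            candidates[row["dest"]] += 1         # direct-to-IP, no DNS in front: suspicious
        else:
            candidates[f'{row["dest"]} ({row["domain"]})'] += 1
    return {"ptr_ips": ptr_ips, "benign": benign, "candidates": candidates}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for dest, n in result["candidates"].most_common():
        print(f"candidate C2: {dest}  ({n} connections)")
```

Anything that lands in `candidates` is what goes into a block list or a network hunt; the PTR set is useful in the other direction, since it tells you which addresses the sandbox bothered to reverse-resolve.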
Files
memory/1216-0-0x00007FF76A510000-0x00007FF76A864000-memory.dmp
memory/1216-1-0x0000026A0A9F0000-0x0000026A0AA00000-memory.dmp
C:\Windows\System\qpixQxX.exe
| MD5 | ccaf4e90192a9858556c520c247e79eb |
| SHA1 | 69eaa98bf6d52fb62fbbfbd66a3dcd437369d7bd |
| SHA256 | c760786be003a4f612779cd1dc048b72e5055c991112957c75b111b2db7c3d13 |
| SHA512 | 7bfbe1c40d15d96b3f2c3d49aa1152b4f2403d51b5f9bcb9fde60ee4ae6cb40831c8149e7c923918f458f7a14301a71fa1f75e1cdf7bf7dd3a37c8568311aad1 |
memory/896-7-0x00007FF6102C0000-0x00007FF610614000-memory.dmp
C:\Windows\System\yzlBTfj.exe
| MD5 | b63deba39dbd2b702753b9782070f573 |
| SHA1 | e9585ef68f5937821dee77478b0799c8c06f182e |
| SHA256 | 51bf5a8171b0f17bccc47644879824b9e69f4b5b921029a7a7854271564a99d1 |
| SHA512 | 8881cc26b1986b8218d531051cd210474bb0dbce5966417d8c6f85e937cd1050fb367ccac5dc7f0db49f5d188e92d2061bc7a00078aa83a689da258c56fcab8f |
C:\Windows\System\HUmevNu.exe
| MD5 | d2229139cd32dd4fac4953970d9d768f |
| SHA1 | 329527597e6be7dd58b8468135d28babdf0cfd64 |
| SHA256 | 5493b32b67819f729c87c3dd0c524c72e798975605404c01fea5b0db01a3849c |
| SHA512 | 42c6a7c7b0fd0aa350a97191bbb425fda4f0eebc148ef3a5be8dbf9f94fa53a46e9b271e5f5e43a99127f785c2e579655e1857a4aef2b010c941c3da88f6705f |
C:\Windows\System\LsvOVqL.exe
| MD5 | 6dc667d9bf240a0592c6301038a1a6ec |
| SHA1 | 0553cbeaad552ff751405dc6c66db8714ee1ef0b |
| SHA256 | f6021be748336443bf6913ab0f2ce7352b1342b12aed284e98298c5141df7c37 |
| SHA512 | 6d17b46034a41e83a8d20bcb61904608651c865a5550435d348a413165fee9d678d8b72f3a623dbf994cbaa60a976d2db0d3a7d79a1c67ecae931a75c7236f33 |
memory/4552-28-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp
C:\Windows\System\KXvoIRx.exe
| MD5 | 4d91ef979e52aaad2a5a988b54c2957f |
| SHA1 | 4e2b33e9738ec359bf4353349e859362ced84c1f |
| SHA256 | e8e3083edbaf868c44dc7f7e838702866f6ae731670b59c5fd530f45326f9f2b |
| SHA512 | 8c8b2e6990743c7ddeb935f69ff12a06b302b6ce39534d0dd9e6719acbfe6ede950fa0b09318b634ebb8f6509073d229d07de8186642fab652d707434b5f24ca |
memory/4100-22-0x00007FF66B4A0000-0x00007FF66B7F4000-memory.dmp
memory/1580-14-0x00007FF78AC00000-0x00007FF78AF54000-memory.dmp
memory/2872-32-0x00007FF6BD0B0000-0x00007FF6BD404000-memory.dmp
C:\Windows\System\JxVsfaC.exe
| MD5 | 77b7a2d75c0e6050d032690b38375586 |
| SHA1 | 13d92975a8aa18d6c65a6607242832ecdc04c091 |
| SHA256 | f52db8f02644663a4906f18cbe46c489b8bd1c07f4b6500a7f55fef4561798dd |
| SHA512 | 6418016e838b8e8b48d35baf0e40e0d93a82eaf3708384164dfef255f86ed266338ebea5d3e849ea4c2ab8acb3f6400f5e2cb2fcff793cfbb06bc8dcab557d49 |
memory/3688-38-0x00007FF674D20000-0x00007FF675074000-memory.dmp
C:\Windows\System\OfdYZqW.exe
| MD5 | f571b9ed97a788b3058d7e60d7eba399 |
| SHA1 | 4ef080c30c85f7ae8ec825eb0feb9f511407ea4f |
| SHA256 | f3f1eed909d3bc50145cc32041abc681ea75a9c940aec3cd1a52a2f4ff91e0cf |
| SHA512 | 4f775e5d8d53ed19ee899d586ff22d2fbe04f0fec4908438d8d56ae46f3f805612aeceb9fd55b8fe40839501b80074a6353355e8ae2df4da756bdd1b40f5527c |
memory/2532-44-0x00007FF68F790000-0x00007FF68FAE4000-memory.dmp
C:\Windows\System\CSXATNF.exe
| MD5 | b5374ffa6569776bb6011531dfe87342 |
| SHA1 | 9552ed6ce1b15b956e67c4c3c3a90607d66571c9 |
| SHA256 | 3bbf4f35112443bc051732b77fb932a64c76cef70731dc5f24c72545222d1ae9 |
| SHA512 | 99e7e6a62c181e74d8f15e43df56a61ba99ee4c4d8975f823eca6486c1479d6e6e8ed0c715026662d4b8bdebb3f8e6bef114b7220a2f99d1e1b98e806527e6d3 |
memory/3088-48-0x00007FF633270000-0x00007FF6335C4000-memory.dmp
C:\Windows\System\CNSTUKt.exe
| MD5 | d937132312c5dea21fe720f2c5a9df6d |
| SHA1 | 73c327cdf9882e8515fb0a3aff08bcd014c6371d |
| SHA256 | 846a3b84dcc2a022f175b9c5fcd219c3a5018e4a1865867e1737b8136b39d3d8 |
| SHA512 | 0adeb912af242096daae513eb488a0257d73ae6c5ac01daca556be2194cb035688a01442de5318678be35185205ce9c63c9b60261c0778703a357ab6b11d4bce |
C:\Windows\System\SRurGDz.exe
| MD5 | 4f56e87d624ad22f4c4604cde1e6268f |
| SHA1 | fdd7cc82322fceb92783b5b7287edad7e5199324 |
| SHA256 | 4550037008da7afef1bb7d498e72726c7eda97140acf005e47a1822cb71f7c3a |
| SHA512 | 107646bb65c40e12b6e64418d5180be8aef0d07b2bb00329f31c475a62ac370449198a6ab1e026bfc13493b5b149f6e45a9be2b59093fc3885576693dfe926ea |
C:\Windows\System\eCNnNMX.exe
| MD5 | 2ab8dfa292dbdd3aee4763a866c04652 |
| SHA1 | 306a48c5b524535767ddbc046fc7c513685b3506 |
| SHA256 | d551188e636b9989c2fc86185915106bbb7459426fe3dc21f039248814673173 |
| SHA512 | f2857580e8cc494cf808c7f47ffd4cad91b3927aebfa60a2ce4f03b2b9de252ec0b995133ab64fccc230bccda8a03cc455e1fde602de8212823b22095d04ff72 |
C:\Windows\System\DHBJBLI.exe
| MD5 | 4a4614a664745cb9ee93255551da96bb |
| SHA1 | accf224c060f24c7f7ca07f3cc619ba664a23496 |
| SHA256 | e9ce730e075eccea4d5d7c95f14fdffb807b76b22a53ba30d1da5d83a5daaba4 |
| SHA512 | e50d8ebc9ae816ee6ab29270f99b9df436222bf1cc667dfd896788ede046cd43d25c3c8e966cf00eff1ee473db66cb5b9e272f700032e0b9ab605540fd45c70d |
memory/5092-71-0x00007FF716370000-0x00007FF7166C4000-memory.dmp
memory/3096-72-0x00007FF607E90000-0x00007FF6081E4000-memory.dmp
memory/5020-76-0x00007FF7C9D00000-0x00007FF7CA054000-memory.dmp
C:\Windows\System\LRPECIp.exe
| MD5 | 899b1fce7fb37a42022b8d75813b97d0 |
| SHA1 | 8e4879c9f8514226d3035b6dbc56edc79af9ea90 |
| SHA256 | d6135fc7fff4377aaabdca4b789f248b8b753e092cbd2b7bd41f5bb4828847a9 |
| SHA512 | 08eca19b4f9031fe98c6669cc4ee7167e505da402ade17b1d47f7cb0227bf39a076abed21b9cba6a9e878f6ae8a2c1c97f3ddb5baf9d0d75cc2f43557856c381 |
memory/2252-88-0x00007FF7F5D50000-0x00007FF7F60A4000-memory.dmp
memory/896-90-0x00007FF6102C0000-0x00007FF610614000-memory.dmp
C:\Windows\System\WEHXHaU.exe
| MD5 | e7c95bd4618e7a8acdcde6297005f170 |
| SHA1 | eabdad799e65c6f38df4b04ada0a1b2ebf119b2d |
| SHA256 | f9610fd2337b82b0964249f74fbc29c7557129d5866a327333c0a5e9a7ca9573 |
| SHA512 | 3bdc15439f16cd8a5a77d72e18e1ebc2a8524653b4d7d832d791fe265278c1e730f91a8063993f3fea27b820778a83da66a1787f0431368253c79ecc878ad071 |
memory/4428-91-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp
memory/4620-89-0x00007FF6E4590000-0x00007FF6E48E4000-memory.dmp
memory/548-86-0x00007FF72E780000-0x00007FF72EAD4000-memory.dmp
memory/1216-82-0x00007FF76A510000-0x00007FF76A864000-memory.dmp
C:\Windows\System\tZgJruj.exe
| MD5 | 2ed99325ab13dde528d6dd1b7fb6c9be |
| SHA1 | 25f5e2ced6ce5780a1418cd852f4e9bd5a39ab07 |
| SHA256 | e7f836806d3381ff76ca3f90a96dd9da6ed13305c891003ee3dbd8e6b2852fbe |
| SHA512 | 2947b562b5b08b7400b755e85fdc9c69903680b90539660506473e6b1b16895d124359d50e5474b9aa99699856156a7c9af8f6fa5f74b986ce3d83176967fb73 |
C:\Windows\System\GoQspZl.exe
| MD5 | 84fce61e7ba8f17cf2f0ec8c8240e5e2 |
| SHA1 | a47e54fb2840ba0c149a2bbf3df97bd501b241b1 |
| SHA256 | 444244ef6981af02beeef1f9eea9c0bf23912eadc8f65212fbed60b8e41405bf |
| SHA512 | 7e75d660d44b6eb7f935771da59bc33ce14f645d364e98ea42419be6d48925ca2203f91749ba2bf2dfcf08439d07c8fdc7ceeeefd1a2f3bf8c3bacd04724123e |
memory/544-100-0x00007FF619AC0000-0x00007FF619E14000-memory.dmp
C:\Windows\System\pWTEXyL.exe
| MD5 | b647e19ad40a6bdd2f275bf8caec5dc6 |
| SHA1 | 65418a28dfc1057768b90b3f6bd7621a381305c2 |
| SHA256 | 5b5e2b99c97018a0e23bf989745ddf6b3980d49ea9a8f12c102a1434bb3d71f0 |
| SHA512 | 2ef0e9240e58fd4e5ac5cc9b77400217181a92fa10a6d73c3706f0f45aa9cd4a10d84d913298baaeb0fcb801f781915823a480e2ed16ea5c00f35e7a3dc64a05 |
C:\Windows\System\JJuBjvb.exe
| MD5 | 68042017754a70fab8583cf47b3a8295 |
| SHA1 | 1b7c40c26d555ad71af1ed83c1ddc1e0d5bc4b02 |
| SHA256 | 3fddc7131ebd4fdaccb8f3d1a858fc9b9054ece9dbeb8629ad27908f521ca202 |
| SHA512 | c3323903ff1760ff6e50f579cb12cd5673697873afa0f07d1a892405106dbc7cb5738806649b2b20308dab0fa500daf402d8ac1a491760d6a057ec447b2604f1 |
C:\Windows\System\aqOwWKa.exe
| MD5 | 9337a012ba05203d06d18075ff0c4687 |
| SHA1 | 816292621a19f9807041b20f28a27c2a5be89e23 |
| SHA256 | d03122ee592580ace32cc81b0b8f6873a85569ebda64f326e1fae04a109a78e7 |
| SHA512 | 3019842227f5d72b351d2824215bfa3b229b26334c674528ddea521d5fb86e10414075be0aba1655799f74384cd9f39fe94e10b2eeeac352c0fe797279b51e48 |
memory/1760-114-0x00007FF68F270000-0x00007FF68F5C4000-memory.dmp
memory/4552-113-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp
memory/556-107-0x00007FF7FCE10000-0x00007FF7FD164000-memory.dmp
C:\Windows\System\PaJOKez.exe
| MD5 | ff2dd77b8f04008c10c2132c43408685 |
| SHA1 | d91c2e822bcee5072886765d18a0ff3f6ea2ea58 |
| SHA256 | 0c17e508b6a6a0d91e60fcbc2d36ac6b903ce5af25995077bb1e6350d3b6666a |
| SHA512 | 1323bf5d3600fe7434ea1d1afdf40276a45742c9011845e55da7851f9490a82f85a3bb866adcc992f95001d273512a40102db18e16e66bb5e2852496c0dfeb56 |
memory/3584-128-0x00007FF6D0360000-0x00007FF6D06B4000-memory.dmp
C:\Windows\System\bSqUJLZ.exe
| MD5 | b1564c52505d29223a90fb302f7c13a2 |
| SHA1 | 9101a9fa85ceb0e92e88911b4c9cfa7290604392 |
| SHA256 | 07cb90c8f64845b70f0b2366c5ca0f60c14fccdeb9d9494268384d95c529a687 |
| SHA512 | 17f7c59d27c569257c8c4315bdd5489d44e3a2332be960e4735d248d67613e82ee804b1d1e4cdede975707e69e104c359e9707d9ef53e7d99893cc0ad102a35d |
memory/3688-126-0x00007FF674D20000-0x00007FF675074000-memory.dmp
memory/2728-122-0x00007FF7D8750000-0x00007FF7D8AA4000-memory.dmp
memory/1580-99-0x00007FF78AC00000-0x00007FF78AF54000-memory.dmp
memory/4900-132-0x00007FF7EF240000-0x00007FF7EF594000-memory.dmp
memory/3088-133-0x00007FF633270000-0x00007FF6335C4000-memory.dmp
memory/4428-134-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp
memory/544-135-0x00007FF619AC0000-0x00007FF619E14000-memory.dmp
memory/3584-136-0x00007FF6D0360000-0x00007FF6D06B4000-memory.dmp
memory/896-137-0x00007FF6102C0000-0x00007FF610614000-memory.dmp
memory/1580-138-0x00007FF78AC00000-0x00007FF78AF54000-memory.dmp
memory/4100-139-0x00007FF66B4A0000-0x00007FF66B7F4000-memory.dmp
memory/4552-140-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp
memory/2872-141-0x00007FF6BD0B0000-0x00007FF6BD404000-memory.dmp
memory/3688-142-0x00007FF674D20000-0x00007FF675074000-memory.dmp
memory/2532-143-0x00007FF68F790000-0x00007FF68FAE4000-memory.dmp
memory/3088-145-0x00007FF633270000-0x00007FF6335C4000-memory.dmp
memory/5092-144-0x00007FF716370000-0x00007FF7166C4000-memory.dmp
memory/5020-146-0x00007FF7C9D00000-0x00007FF7CA054000-memory.dmp
memory/548-147-0x00007FF72E780000-0x00007FF72EAD4000-memory.dmp
memory/3096-148-0x00007FF607E90000-0x00007FF6081E4000-memory.dmp
memory/4620-149-0x00007FF6E4590000-0x00007FF6E48E4000-memory.dmp
memory/2252-150-0x00007FF7F5D50000-0x00007FF7F60A4000-memory.dmp
memory/4428-151-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp
memory/556-152-0x00007FF7FCE10000-0x00007FF7FD164000-memory.dmp
memory/544-153-0x00007FF619AC0000-0x00007FF619E14000-memory.dmp
memory/2728-154-0x00007FF7D8750000-0x00007FF7D8AA4000-memory.dmp
memory/1760-155-0x00007FF68F270000-0x00007FF68F5C4000-memory.dmp
memory/3584-156-0x00007FF6D0360000-0x00007FF6D06B4000-memory.dmp
memory/4900-157-0x00007FF7EF240000-0x00007FF7EF594000-memory.dmp
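The Files section lists a hash set for each of the 21 executables dropped into C:\Windows\System (a legacy directory that is normally almost empty; the seven-character mixed-case names look generated) together with the memory regions the sandbox dumped. The script below is an added example, not taken from the report: it parses an excerpt of that section, collects the SHA-256 values into an IOC set, decodes each memory-dump name into (PID, start, end), merges repeated dumps of the same region and computes region sizes. On the excerpt, as on the full listing, every PID's largest region is 0x354000 bytes, which is what you would expect if the same unpacked payload image is mapped in each dropped process. The excerpt lines are copied from the page with the SHA-512 rows omitted; `scan_directory` is a hypothetical hunt helper for a live host or mounted image and is not something the report describes.

```python
"""Turn the 'Files' section of a sandbox report into hunting material: a
SHA-256 IOC set for the dropped executables and a per-PID map of dumped memory
regions with their sizes. Added example; not part of the report."""
import hashlib
import re
from pathlib import Path

# Constructed input: an excerpt of the report's Files section, copied from the page
# (three dropped files, SHA-512 rows omitted, and a handful of memory-dump names).
FILES_SECTION = r"""
memory/1216-0-0x00007FF76A510000-0x00007FF76A864000-memory.dmp
memory/1216-1-0x0000026A0A9F0000-0x0000026A0AA00000-memory.dmp
C:\Windows\System\qpixQxX.exe
| MD5 | ccaf4e90192a9858556c520c247e79eb |
| SHA1 | 69eaa98bf6d52fb62fbbfbd66a3dcd437369d7bd |
| SHA256 | c760786be003a4f612779cd1dc048b72e5055c991112957c75b111b2db7c3d13 |
memory/896-7-0x00007FF6102C0000-0x00007FF610614000-memory.dmp
C:\Windows\System\yzlBTfj.exe
| MD5 | b63deba39dbd2b702753b9782070f573 |
| SHA1 | e9585ef68f5937821dee77478b0799c8c06f182e |
| SHA256 | 51bf5a8171b0f17bccc47644879824b9e69f4b5b921029a7a7854271564a99d1 |
C:\Windows\System\HUmevNu.exe
| MD5 | d2229139cd32dd4fac4953970d9d768f |
| SHA1 | 329527597e6be7dd58b8468135d28babdf0cfd64 |
| SHA256 | 5493b32b67819f729c87c3dd0c524c72e798975605404c01fea5b0db01a3849c |
memory/4552-28-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp
memory/896-90-0x00007FF6102C0000-0x00007FF610614000-memory.dmp
memory/1216-82-0x00007FF76A510000-0x00007FF76A864000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_files_section(text):
    """Return (files, regions): path -> {algo: hex} and (pid, start, end) -> info."""
    files, regions, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            info = regions.setdefault((pid, start, end), {"size": end - start, "dumps": []})
            info["dumps"].append(seq)            # same region dumped more than once
            current = None
            continue
        if PATH_RE.match(line):
            current = line                       # hash rows that follow belong to this path
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current:
            files[current][m[1].lower()] = m[2]
    return files, regions


def image_size_per_pid(regions):
    """Largest dumped region per PID; one identical size across every PID is
    a strong hint that the same payload image is mapped in each process."""
    best = {}
    for (pid, _start, _end), info in regions.items():
        best[pid] = max(best.get(pid, 0), info["size"])
    return best


def sha256_iocs(files):
    return {info["sha256"] for info in files.values() if "sha256" in info}


def scan_directory(directory, iocs):
    """Hypothetical hunt helper: hash every file under `directory` and return
    the paths whose SHA-256 is in the IOC set."""
    hits = []
    for p in sorted(Path(directory).rglob("*")):
        if p.is_file() and hashlib.sha256(p.read_bytes()).hexdigest() in iocs:
            hits.append(str(p))
    return hits


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    for pid, size in sorted(image_size_per_pid(regions).items()):
        print(f"PID {pid}: largest dumped region 0x{size:X} bytes")
    print("SHA-256 IOCs:", *sorted(sha256_iocs(files)), sep="\n  ")
```

Feed the full Files section instead of the excerpt and `image_size_per_pid` yields 22 PIDs (the original sample plus the 21 dropped executables), all at 0x354000; the only other region on the page is the 0x10000 block at 0x26A0A9F0000 in PID 1216.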