Analysis Overview
SHA256
19bbbabaca818038443d32fd552ce2d3f523fd9cae3c8d06606e679b40843301
Threat Level: Known bad
The file 2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike was found to be: Known bad. Signatures for both a Cobalt Strike reflective loader and XMRig fire on the file; the behaviour recorded in the two detonations below is the miner's: the sample requests SeLockMemoryPrivilege (large-page allocation, which XMRig uses for its RandomX scratchpad), drops 21 executables with random seven-letter names into C:\Windows\System and launches each of them, and repeatedly connects to a single peer, 3.120.209.58:8080, with no preceding DNS lookup in either run. The report does not identify whether that peer is a mining pool or a beacon server, so treat it as the one network IOC without assigning it a role.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 21:53
Signatures
Cobalt Strike reflective loader
1 hit; description, indicator, process and target were not captured in this export.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
1 hit; description, indicator, process and target were not captured in this export.
XMRig Miner payload
1 hit; description, indicator, process and target were not captured in this export.
Xmrig family
UPX packed file
1 hit; description, indicator, process and target were not captured in this export.
Unsigned PE
2 hits; description, indicator, process and target were not captured in this export.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 21:53
Reported
2024-05-29 21:56
Platform
win7-20240221-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
64 hits; description, indicator, process and target were not captured in this export.
XMRig Miner payload
39 hits; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dcZdrnX.exe | N/A |
| N/A | N/A | C:\Windows\System\LAkoLNa.exe | N/A |
| N/A | N/A | C:\Windows\System\sKCOsQq.exe | N/A |
| N/A | N/A | C:\Windows\System\LzseMhO.exe | N/A |
| N/A | N/A | C:\Windows\System\IyDCpQn.exe | N/A |
| N/A | N/A | C:\Windows\System\DxgvBxl.exe | N/A |
| N/A | N/A | C:\Windows\System\ZyApJlx.exe | N/A |
| N/A | N/A | C:\Windows\System\NGgsJJD.exe | N/A |
| N/A | N/A | C:\Windows\System\pcPMPfo.exe | N/A |
| N/A | N/A | C:\Windows\System\WuatAju.exe | N/A |
| N/A | N/A | C:\Windows\System\AmdsSOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\aaMaadW.exe | N/A |
| N/A | N/A | C:\Windows\System\lbMMGca.exe | N/A |
| N/A | N/A | C:\Windows\System\LynZrPp.exe | N/A |
| N/A | N/A | C:\Windows\System\SpEdBNy.exe | N/A |
| N/A | N/A | C:\Windows\System\utphlxh.exe | N/A |
| N/A | N/A | C:\Windows\System\emtJVnX.exe | N/A |
| N/A | N/A | C:\Windows\System\rAIqXsj.exe | N/A |
| N/A | N/A | C:\Windows\System\LHOcPDx.exe | N/A |
| N/A | N/A | C:\Windows\System\mixpxmv.exe | N/A |
| N/A | N/A | C:\Windows\System\LislqQR.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the privilege needed to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it to back its RandomX scratchpad with huge pages, so a freshly started user-mode process adjusting this token is a miner tell and the strongest behavioural corroboration of the XMRig classification in this run. By default no account, Administrators included, holds this privilege (it is granted through the "Lock pages in memory" user-rights policy), so the adjustment most likely failed and the miner fell back to normal pages; the signature fires on the attempt.
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dcZdrnX.exe | C:\Windows\System\dcZdrnX.exe |
| C:\Windows\System\LAkoLNa.exe | C:\Windows\System\LAkoLNa.exe |
| C:\Windows\System\sKCOsQq.exe | C:\Windows\System\sKCOsQq.exe |
| C:\Windows\System\DxgvBxl.exe | C:\Windows\System\DxgvBxl.exe |
| C:\Windows\System\LzseMhO.exe | C:\Windows\System\LzseMhO.exe |
| C:\Windows\System\ZyApJlx.exe | C:\Windows\System\ZyApJlx.exe |
| C:\Windows\System\IyDCpQn.exe | C:\Windows\System\IyDCpQn.exe |
| C:\Windows\System\NGgsJJD.exe | C:\Windows\System\NGgsJJD.exe |
| C:\Windows\System\pcPMPfo.exe | C:\Windows\System\pcPMPfo.exe |
| C:\Windows\System\lbMMGca.exe | C:\Windows\System\lbMMGca.exe |
| C:\Windows\System\WuatAju.exe | C:\Windows\System\WuatAju.exe |
| C:\Windows\System\LynZrPp.exe | C:\Windows\System\LynZrPp.exe |
| C:\Windows\System\AmdsSOQ.exe | C:\Windows\System\AmdsSOQ.exe |
| C:\Windows\System\SpEdBNy.exe | C:\Windows\System\SpEdBNy.exe |
| C:\Windows\System\aaMaadW.exe | C:\Windows\System\aaMaadW.exe |
| C:\Windows\System\rAIqXsj.exe | C:\Windows\System\rAIqXsj.exe |
| C:\Windows\System\utphlxh.exe | C:\Windows\System\utphlxh.exe |
| C:\Windows\System\LHOcPDx.exe | C:\Windows\System\LHOcPDx.exe |
| C:\Windows\System\emtJVnX.exe | C:\Windows\System\emtJVnX.exe |
| C:\Windows\System\mixpxmv.exe | C:\Windows\System\mixpxmv.exe |
| C:\Windows\System\LislqQR.exe | C:\Windows\System\LislqQR.exe |
Every dropped copy is launched with its bare path as the command line, from the same parent. All 21 names are exactly seven ASCII letters, so the path pattern C:\Windows\System\[A-Za-z]{7}.exe is a more durable indicator than any of the individual file hashes listed under Files.
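The process list above is a textbook drop-then-execute chain: one parent in %TEMP% writes a seven-letter .exe into C:\Windows\System and immediately launches it, 21 times. The following is an added example of detection logic for that chain; it is the editor's code, not part of the sandbox report and not the sample's code. The events are constructed to mirror what the report shows, using Sysmon's FileCreate (EventID 11) and ProcessCreate (EventID 1) field names; the process IDs and the benign control event are assumptions, not data from the report.

```python
"""Detect the drop-then-execute chain recorded in this report.

Added example; it is not part of the sandbox report and not the sample's code.
The event list is constructed to mirror what the report shows (a sample running
from %TEMP% writing seven-letter .exe files into C:\\Windows\\System and then
launching them).  Field names follow Sysmon's FileCreate (EventID 11) and
ProcessCreate (EventID 1) events; the process IDs and the benign control event
are assumptions, not data from the report.
"""
import re

# Every dropped name in the report is exactly seven ASCII letters plus ".exe".
DROPPED_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
WINDOWS_SYSTEM = "c:\\windows\\system"

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80"
          r"_cobalt-strike_cobaltstrike.exe")

# Constructed Sysmon-style events in chronological order (PIDs are made up).
EVENTS = [
    {"EventID": 11, "ProcessId": 2020, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\System\dcZdrnX.exe"},
    {"EventID": 1, "ProcessId": 2968, "ParentProcessId": 2020,
     "Image": r"C:\Windows\System\dcZdrnX.exe",
     "CommandLine": r"C:\Windows\System\dcZdrnX.exe"},
    {"EventID": 11, "ProcessId": 2020, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\System\LAkoLNa.exe"},
    {"EventID": 1, "ProcessId": 2492, "ParentProcessId": 2020,
     "Image": r"C:\Windows\System\LAkoLNa.exe",
     "CommandLine": r"C:\Windows\System\LAkoLNa.exe"},
    # Benign control (assumed): an installer writing a driver under System32.
    {"EventID": 11, "ProcessId": 3100, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\acme.sys"},
    # A drop that is never executed: reported separately, not as a chain.
    {"EventID": 11, "ProcessId": 2020, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\System\sKCOsQq.exe"},
]


def is_suspicious_drop(event):
    """True for a FileCreate of a seven-letter .exe directly inside C:\\Windows\\System."""
    if event.get("EventID") != 11:
        return False
    folder, _, name = event["TargetFilename"].rpartition("\\")
    return folder.lower() == WINDOWS_SYSTEM and bool(DROPPED_NAME.match(name))


def find_drop_exec_chains(events):
    """Pair each suspicious drop with a later ProcessCreate of that file whose
    parent is the dropping process.  Returns (chains, orphan_drops): a chain is
    (dropper_pid, image, child_pid), an orphan is (dropper_pid, path)."""
    pending = {}          # lowercased dropped path -> [(dropper_pid, original path), ...]
    chains = []
    for ev in events:
        if is_suspicious_drop(ev):
            path = ev["TargetFilename"]
            pending.setdefault(path.lower(), []).append((ev["ProcessId"], path))
        elif ev.get("EventID") == 1:
            waiting = pending.get(ev["Image"].lower(), [])
            parent = ev.get("ParentProcessId")
            hit = next((w for w in waiting if w[0] == parent), None)
            if hit is not None:
                waiting.remove(hit)
                chains.append((parent, ev["Image"], ev["ProcessId"]))
    orphans = [w for waiting in pending.values() for w in waiting]
    return chains, orphans


if __name__ == "__main__":
    chains, orphans = find_drop_exec_chains(EVENTS)
    for dropper, image, child in chains:
        print(f"drop+exec: pid {dropper} wrote and launched {image} (child pid {child})")
    for dropper, path in orphans:
        print(f"drop only: pid {dropper} wrote {path}")
```

The parent-PID check is what keeps this from firing on ordinary installers: a file written by one process and later run by another (an installer staging an executable that the user launches) is reported as a plain drop, while the self-propagating pattern in this report, where the writer is also the launcher, becomes a chain. A match on the seven-letter name alone would be too loose to alert on; it is the combination of that name shape, the C:\Windows\System location and the write-then-exec by the same process that is specific to this sample.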
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six connections to the same peer and nothing else; no DNS query was observed for the address in this run, so it is not derived from a name the sandbox could see.
Files
memory/2020-0-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2020-1-0x0000000000300000-0x0000000000310000-memory.dmp
\Windows\system\dcZdrnX.exe
| MD5 | ffb6e414dadd3c8197c0b7978f2ea7bc |
| SHA1 | 93e09fc5532418dfab3b7a678f94e17e79cbe388 |
| SHA256 | f14c2345d845d4b1df6dc2baf458fa1fd40e630a2ea00b23353651d88f20fbef |
| SHA512 | 875eca41a8351d25de4b4d938d6c94f3c5e307e2625c1111e6b29924fd31bff024bf9b2cc6339dab89ca6d384a5b1ddad8bd48107894787e5f5e27653e3c5f7e |
\Windows\system\LAkoLNa.exe
| MD5 | 41ca104450ea4c38209e872307c88561 |
| SHA1 | 84d0d2a25ca0a220c8ac04f72909131e5166fafb |
| SHA256 | 3ef9b087a0bbfb4d61cd948998f174404a1fe482d8b58e3a81d702c07cf60407 |
| SHA512 | 210f6dbe37c43e3194a6fd53480527d92584d8b12a43d90d83c6e092bd0a25b326ab7a6618fbf3e0d72fbaccc60a2237c33627d024e5188179cc609a1eb6f5eb |
C:\Windows\system\sKCOsQq.exe
| MD5 | 3dfdc5a7e462db30d23631fdccf14864 |
| SHA1 | cc3aaf8152aa1a374202e95279f6eafc5dc8021b |
| SHA256 | 4c3ba97dea576840fb3c9eceecc0edba504d9f18b4f2458c27a404c6dd5e3cac |
| SHA512 | 274533d8e2961356746ee133262badeddb1bb4d0b5455dff42bf29e52d86b5546a473c671cf26f0a8fd50fee2337802be71adb7b84bcd6178f7aafe2c023b5a5 |
memory/2020-37-0x00000000021D0000-0x0000000002521000-memory.dmp
\Windows\system\IyDCpQn.exe
| MD5 | 825a485ee547c880fb266f1e8db529d9 |
| SHA1 | 82ada232c9cdf9371a69fd0562fb31827607abef |
| SHA256 | 6cee684e1a6e6116b9214a0d02c4e0cf79fe9a64f599b4002d1cc460f60e5912 |
| SHA512 | bd039d88de81dafab418b864dee856fdf84807ba00d7e3e0c3130fd7b2d5252d7d64fe28e038f29f7bbdf2f884e94b57d8bf3f19a3cf478cb9a40547ef820e16 |
memory/2716-45-0x000000013FA60000-0x000000013FDB1000-memory.dmp
C:\Windows\system\LzseMhO.exe
| MD5 | d0ee6c008a6314427d6279eb807755af |
| SHA1 | 6da7d4278152060a4007ceb03139445db71123fa |
| SHA256 | 3db1542e9d5df9a5800e923379f8f11c76bf133638dd2907023e4d29ca9849cf |
| SHA512 | 325311a0ee682009329aa9d7a341308e3ead2b9e446faba2838a7bb7b4c4ccf7d8e977a90e0aa310f17a8b42971943e32b68edf587244e3fce4653db3a1efd07 |
memory/2020-30-0x00000000021D0000-0x0000000002521000-memory.dmp
memory/2536-53-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2020-60-0x000000013F160000-0x000000013F4B1000-memory.dmp
C:\Windows\system\SpEdBNy.exe
| MD5 | 9845cf41adf3f017dbab7eb3042422c1 |
| SHA1 | fe364ebafaab03933626443271c5e0f9ee5323d2 |
| SHA256 | 604f677596e99a0135c2c4d66dc33eb3d24d86d792cd5df096384d6ede8cafb9 |
| SHA512 | 1a5d0341aa0544b15490e9eec41c94257e7930f13c4294d9a8f86f0864abd11517331af58608014cd62f53593b256f3f6e3bc21d6d1d7323174aa824e43cde75 |
C:\Windows\system\mixpxmv.exe
| MD5 | 919a62ebe77fb56bdd6ae7978434677c |
| SHA1 | b476ba903d9874e8be49cb3bf69d8cf1cb95ef48 |
| SHA256 | 5b1aa7fcae8a38e4971383498b814e225678eba54eeaf21b05fcf22363f45530 |
| SHA512 | a5d56344b4dac06c9db975f9a9cf2dcc6ae81f7f8b36c030800aeb7b2dbcb583dc9c51e02ff6df32c702c46757743c6cc6cb043cc7d63f5ebaaea7fc6d45d9ff |
memory/1688-108-0x000000013F150000-0x000000013F4A1000-memory.dmp
\Windows\system\LHOcPDx.exe
| MD5 | 5d5ea7283175a77e7216d019eb154b2b |
| SHA1 | e8700da9524a3e4cf718f7392fbff96eb82475fd |
| SHA256 | f3b21c3958ce2fbfed4a40cd3f5c2f22f61bf3566086146b1ef35151ac90959e |
| SHA512 | a5f9f57a8cf09de4ebe9036ad142f79581e8463992f9813535523767bb96a001e41b7e8775baeddb3f1302e120ef4c778d02f5632eddc1712dfb34094c2690dc |
\Windows\system\rAIqXsj.exe
| MD5 | 0d28829a77ff3f8be1d7ffb5b7d517b5 |
| SHA1 | c1ae8a1e570c06ac60b78e9fd3a9cebaf6dd273e |
| SHA256 | 413828ec3ff24f397f3e7e64db62b852d236bf660ff20a336ebfa6be162ed101 |
| SHA512 | f1f097508797bf6e86cfb2b47d525f455cc5a7a03bcbd2bdc77ebe4431dd75a96cee93b64f3453a59f7138e22ce0cecea4f0e7fccee4fbccc407c3fda48db411 |
C:\Windows\system\LislqQR.exe
| MD5 | 0714a5edfdc9ee3fa1540cb669e92b34 |
| SHA1 | b7f6de57854de10ff48e9b6884a812c57193a2cd |
| SHA256 | 2735411c7d43c4eb2f53a18dcecfa6eaede97287078dd8ab0950d4b3a647477d |
| SHA512 | 4816f62365c5632785bfa5208a637654a26eb154625614413ab8851bf91f91486c3f8589412957d13d6c8ce90f8a0ceee03767fdaa185fb00ba5d216758298c8 |
memory/2872-114-0x000000013F650000-0x000000013F9A1000-memory.dmp
C:\Windows\system\emtJVnX.exe
| MD5 | e5f131fadb6d60435d05652b68547287 |
| SHA1 | 3da3f397bec27e8b7fe0cdd474f31202c443aba5 |
| SHA256 | db30b9634378816a5c9b19abdc7a69cc5d0723276e3032f934230b1c7cea0039 |
| SHA512 | f20eccf3114fbb56707a1a0185844c5a3012b64e091f8806204ccccc30447dd33906de4397ffe6ab126dc0cb7e811cf7610fa9345bdb37806164f8496f744183 |
memory/2396-112-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2020-78-0x000000013F880000-0x000000013FBD1000-memory.dmp
C:\Windows\system\AmdsSOQ.exe
| MD5 | a1add0e8fbb3d6676af6c8b6951b67aa |
| SHA1 | 64edcc71ffa5926a3aadf36d82993c481267a70b |
| SHA256 | ef5b5df95edba5486ecdde905cd6aea11c4d947313276c86435a6985f95bfdf6 |
| SHA512 | e948d8d0938921ab38ddec39eea923abfada8803e0d392407509bfa18979535d81e2a0432d4b5093c5098bf1e399db22f687dfc9edf47460b154a072bb9f024b |
\Windows\system\LynZrPp.exe
| MD5 | 94e7f43f08ce3e46111d48d905f97936 |
| SHA1 | ccc9a29d0535a57947e68b66aee1dd8da67b82d6 |
| SHA256 | b3153d8c6dbcaab5dbfad8f7e1f5f7c8def275e8c51c5d4f5e936cce81748b0c |
| SHA512 | 87f0ec9b0110c94e27ce53f0e0902b980613593bf2a90c2b4170bb19cbdcca51d44337580bb7d86467c77b4974edbdb2a89feb98084d802e25b5fec65b0aa494 |
memory/2448-62-0x000000013F160000-0x000000013F4B1000-memory.dmp
\Windows\system\lbMMGca.exe
| MD5 | 95c7e1009185f3e0e810b4b2a95345bb |
| SHA1 | 2536d4f65bbf6c6270b30401e32e98a83b0f5d2a |
| SHA256 | 2994a3800cba18431794ed75c1ff21f219ca4dcf34a99c4bb44a3f19a57b28b4 |
| SHA512 | a174554521e98b15a51699a981ae8ef55a291cf57dcf49445b3951a874def4ed7683d53a7bd2600ca3ff7ac2d7357b0657e435f2a38215adde7a271bf5a2de2b |
C:\Windows\system\utphlxh.exe
| MD5 | 769c93988a5faba80ed4baf0c90104bd |
| SHA1 | f7ac26fab0b1c42a096e3397a29df6ffacd4f95d |
| SHA256 | 9833b242c0219d588ea1b8978b1a383b9dd051885afc0e1f03756ae1c7234389 |
| SHA512 | 493479aeb60694569b33481e6ec3a9769cb7536b66e1bd18bb5e851fda3d0561865fdb988b697dd52d03ace5fa370901a7acdb44fd8b47f1833c5e67be0f0ead |
C:\Windows\system\aaMaadW.exe
| MD5 | d8954bf97d650914265be9c018124d65 |
| SHA1 | 754bc6620cc3ba55fff421964fb55826124de9de |
| SHA256 | 072f0852a10cb2b493304c4ab4b00e5a76167b742312b4bb26d1108a3348cc0e |
| SHA512 | 4cdbdc07408c88588506f41dc265d0d6ed87f4e6f64cc345399bdae7497da3d11b1d017b9b5897232bba0cd6fb5486eba14a4f4e90930ff4b308a78555c53ec8 |
memory/2020-91-0x000000013F760000-0x000000013FAB1000-memory.dmp
C:\Windows\system\NGgsJJD.exe
| MD5 | 661a6d51135cbd35fd6486be7cba098a |
| SHA1 | cc8550d718147504193885a5bc72d2b606fcfdbc |
| SHA256 | 54294b67ac0cc6635eed56f01c1c3bc0fa2af0f14b8f8b3a6450246e869e0065 |
| SHA512 | 193a16fd86cbdc9399286514da458dd88a7ff948f56ec6af5335ca150e9daec3273a172b1dcad272ac6d5732506af3959f40ec635339af9571e724c51765eafc |
memory/2020-88-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2492-87-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2068-86-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2020-85-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2020-84-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2020-73-0x000000013FE90000-0x00000001401E1000-memory.dmp
C:\Windows\system\WuatAju.exe
| MD5 | e46828658a7feec7ec645062340b5974 |
| SHA1 | cdf81e8b22895b76dca177696dcc04a169ac76ac |
| SHA256 | b05a86756a78c273e23a57d418a7ef83e884ca194231b0cf9aa895724c3dd36a |
| SHA512 | 67a472a0932a7ed121c5f841b4b5a6c3f93073b619551e29ed11c05e3d89ebf36cb56d71706c0df9c98f0d8cb08cf13985f76b61be9e81c05f0fe0f783c8cb0d |
C:\Windows\system\pcPMPfo.exe
| MD5 | cbfc8d09a0ab8aa54312b32786231afd |
| SHA1 | 2f89ebd800dbe77ac227a819dc8bd9f8cbec1f4a |
| SHA256 | 2a4f44ee23085b1ef6f4d3239e817449a836d55ed64d1f68e97a60b8573e293d |
| SHA512 | 8ee0b4b4b658cc8a1e1c7a31375104864c7fb2dfe9cff0f8545890aeee3597d9f605621f91b42071289d937de45b00c50fb496eecb9fd2397e6791d8ffea3cf4 |
\Windows\system\ZyApJlx.exe
| MD5 | bc9b358c32324e8fd2445a6a0fdf23fc |
| SHA1 | 3f582b0343596519d1bd48f91cb4361667cb4844 |
| SHA256 | 3454f8e132960511c8a71827bd5b7c9c7470043ebf9205bd1267987849ea0d4e |
| SHA512 | 847d0f3e7ae3bb54153190fb2f27799df6d043a43d9554809dc8b9f946790bdc9115b0e59097fbc8c91fec4695d25aae8823b739e093788360354c5115fb8da1 |
memory/2968-23-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2532-48-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2632-46-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2532-136-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2632-135-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2020-133-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2020-44-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2020-20-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2556-43-0x000000013F580000-0x000000013F8D1000-memory.dmp
C:\Windows\system\DxgvBxl.exe
| MD5 | 5fd0b61f1792a7d0a13a4cfe7fca4374 |
| SHA1 | 7123d5f9d0e12ef12c994ef204808ab2482fde0f |
| SHA256 | 41675bb863a70a31d717107f777e45b467706a476179d1b9de51a76bfcb3365a |
| SHA512 | 2472fd8f43cdc305d673aa89697b6d39f170f9e24c5b217278e195cd4db80dab0d9cf015b819e57559e276a74f6f1b7eca1c6e9eac75a0cb6cd9a79dc3421241 |
memory/2020-40-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2020-39-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/1540-27-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2492-17-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2472-147-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/1688-151-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/944-152-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/2016-150-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/788-157-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/1100-156-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2764-155-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/2488-154-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/2696-153-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2872-148-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2396-146-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2448-145-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2536-144-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2020-158-0x00000000021D0000-0x0000000002521000-memory.dmp
memory/2020-159-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2020-181-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/1540-214-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2968-218-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2492-217-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2556-220-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2716-222-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2448-230-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2068-229-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2632-228-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2532-225-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2472-233-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2536-234-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/1688-238-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2872-242-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2396-248-0x000000013F880000-0x000000013FBD1000-memory.dmp
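The Files list above mixes memory dumps with dropped-file hashes, and two facts are buried in it. First, a dumped region of exactly 0x351000 bytes (about 3.3 MiB) recurs for the parent PID 2020 and for every child PID, so every process ends up with the same-size unpacked image in memory regardless of where ASLR put it. Second, all 21 dropped files carry different hashes even though they behave identically, so per-file hashes will not generalise as IOCs. The following added example (editor's code, not part of the report or the sandbox) parses a subset of the dump names and hashes copied from the list; the name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the names themselves, not documented on the page.

```python
"""Pull structure out of the behavioral1 Files list: dumped-region sizes per PID
and whether dropped-file hashes repeat.

Added example; it is not part of the sandbox report.  The dump names and MD5s
below are a subset copied from the list above.  The name layout
memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the names, not
documented on the page.
"""
import re
from collections import Counter

DUMP_NAME = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Subset of dump names copied from the report (parent PID 2020 and five children).
DUMPS = [
    "memory/2020-0-0x000000013FE90000-0x00000001401E1000-memory.dmp",
    "memory/2020-1-0x0000000000300000-0x0000000000310000-memory.dmp",
    "memory/2020-37-0x00000000021D0000-0x0000000002521000-memory.dmp",
    "memory/2968-23-0x000000013F0D0000-0x000000013F421000-memory.dmp",
    "memory/2716-45-0x000000013FA60000-0x000000013FDB1000-memory.dmp",
    "memory/2536-53-0x000000013FEC0000-0x0000000140211000-memory.dmp",
    "memory/1688-108-0x000000013F150000-0x000000013F4A1000-memory.dmp",
    "memory/2872-114-0x000000013F650000-0x000000013F9A1000-memory.dmp",
]

# MD5 of four of the dropped files, copied from the report.
DROPPED_MD5 = {
    r"C:\Windows\System\dcZdrnX.exe": "ffb6e414dadd3c8197c0b7978f2ea7bc",
    r"C:\Windows\System\LAkoLNa.exe": "41ca104450ea4c38209e872307c88561",
    r"C:\Windows\System\sKCOsQq.exe": "3dfdc5a7e462db30d23631fdccf14864",
    r"C:\Windows\System\IyDCpQn.exe": "825a485ee547c880fb266f1e8db529d9",
}


def parse_dump(name):
    """(pid, seq, start, end, size) for one dump name, or None if it does not match."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    return pid, seq, start, end, end - start


def region_size_histogram(names):
    """How many dumped regions share each size (bytes)."""
    return Counter(p[4] for p in map(parse_dump, names) if p)


def pids_with_region_size(names, size):
    """Sorted PIDs that had a region of exactly `size` bytes dumped."""
    return sorted({p[0] for p in map(parse_dump, names) if p and p[4] == size})


def hashes_are_unique(md5_by_path):
    """True when no two dropped files share an MD5, i.e. per-file hashes will
    not generalise as IOCs and the path pattern plus region size should be used."""
    return len(set(md5_by_path.values())) == len(md5_by_path)


if __name__ == "__main__":
    for size, n in region_size_histogram(DUMPS).most_common():
        print(f"{n} region(s) of 0x{size:X} bytes in PIDs {pids_with_region_size(DUMPS, size)}")
    print("dropped-file hashes unique:", hashes_are_unique(DROPPED_MD5))
```

Run against the full list, the histogram is dominated by the 0x351000 size: PID 2020 holds it twice, at its image base and again at 0x21D0000, which is the in-memory copy the "UPX dump on OEP" and reflective-loader signatures are firing on. For hunting, the constant unpacked size plus the seven-letter path pattern are the indicators worth keeping; the 21 MD5/SHA values are useful only to match this exact detonation.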
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 21:53
Reported
2024-05-29 21:56
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
64 hits; description, indicator, process and target were not captured in this export.
XMRig Miner payload
48 hits; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NKMUSKR.exe | N/A |
| N/A | N/A | C:\Windows\System\dhQgAJV.exe | N/A |
| N/A | N/A | C:\Windows\System\hIyPTPS.exe | N/A |
| N/A | N/A | C:\Windows\System\MqneBPp.exe | N/A |
| N/A | N/A | C:\Windows\System\bEPLJlY.exe | N/A |
| N/A | N/A | C:\Windows\System\FfDyjZg.exe | N/A |
| N/A | N/A | C:\Windows\System\KlZtdXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\XGuEQik.exe | N/A |
| N/A | N/A | C:\Windows\System\nSxgCdm.exe | N/A |
| N/A | N/A | C:\Windows\System\OilOVHm.exe | N/A |
| N/A | N/A | C:\Windows\System\HWWpxgU.exe | N/A |
| N/A | N/A | C:\Windows\System\LgJdXII.exe | N/A |
| N/A | N/A | C:\Windows\System\cwsmGeS.exe | N/A |
| N/A | N/A | C:\Windows\System\oydfXNO.exe | N/A |
| N/A | N/A | C:\Windows\System\olsvaQO.exe | N/A |
| N/A | N/A | C:\Windows\System\yWVOWnl.exe | N/A |
| N/A | N/A | C:\Windows\System\PaFyYmZ.exe | N/A |
| N/A | N/A | C:\Windows\System\JZgVbrE.exe | N/A |
| N/A | N/A | C:\Windows\System\kqAyAqh.exe | N/A |
| N/A | N/A | C:\Windows\System\XskEfEe.exe | N/A |
| N/A | N/A | C:\Windows\System\GONqUVV.exe | N/A |
UPX packed file
64 hits; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ed14aa33be29e505773e2372d9ccd80_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\NKMUSKR.exe | C:\Windows\System\NKMUSKR.exe |
| C:\Windows\System\dhQgAJV.exe | C:\Windows\System\dhQgAJV.exe |
| C:\Windows\System\hIyPTPS.exe | C:\Windows\System\hIyPTPS.exe |
| C:\Windows\System\MqneBPp.exe | C:\Windows\System\MqneBPp.exe |
| C:\Windows\System\bEPLJlY.exe | C:\Windows\System\bEPLJlY.exe |
| C:\Windows\System\FfDyjZg.exe | C:\Windows\System\FfDyjZg.exe |
| C:\Windows\System\KlZtdXJ.exe | C:\Windows\System\KlZtdXJ.exe |
| C:\Windows\System\XGuEQik.exe | C:\Windows\System\XGuEQik.exe |
| C:\Windows\System\nSxgCdm.exe | C:\Windows\System\nSxgCdm.exe |
| C:\Windows\System\OilOVHm.exe | C:\Windows\System\OilOVHm.exe |
| C:\Windows\System\HWWpxgU.exe | C:\Windows\System\HWWpxgU.exe |
| C:\Windows\System\LgJdXII.exe | C:\Windows\System\LgJdXII.exe |
| C:\Windows\System\cwsmGeS.exe | C:\Windows\System\cwsmGeS.exe |
| C:\Windows\System\oydfXNO.exe | C:\Windows\System\oydfXNO.exe |
| C:\Windows\System\olsvaQO.exe | C:\Windows\System\olsvaQO.exe |
| C:\Windows\System\yWVOWnl.exe | C:\Windows\System\yWVOWnl.exe |
| C:\Windows\System\PaFyYmZ.exe | C:\Windows\System\PaFyYmZ.exe |
| C:\Windows\System\JZgVbrE.exe | C:\Windows\System\JZgVbrE.exe |
| C:\Windows\System\kqAyAqh.exe | C:\Windows\System\kqAyAqh.exe |
| C:\Windows\System\XskEfEe.exe | C:\Windows\System\XskEfEe.exe |
| C:\Windows\System\GONqUVV.exe | C:\Windows\System\GONqUVV.exe |
Same behaviour as on Windows 7: 21 seven-letter names, all new (none of the Windows 7 names recur), each launched with its bare path as the command line.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 88.221.83.216:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 216.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/60-0-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp
memory/60-1-0x00000255FBC60000-0x00000255FBC70000-memory.dmp
C:\Windows\System\NKMUSKR.exe
| MD5 | 9b14219226907e53abe84d4ad6a3788b |
| SHA1 | 4e890d5f24f751e471aeb4e694ca814a5b3a8314 |
| SHA256 | 33ed1d71c382ad9d81ae9c3db5f9a7ce9ca2093f3211e6c33785cf4c0a9fef14 |
| SHA512 | 7b63455902b738c7b1be8acd977c2aa0c4eb3fb7fda4bd6c3772cafeea3f7223d4bb1b483f91d0cea8b9ca2fd8e87ae3faa783648a5243aae69221caa8108118 |
C:\Windows\System\hIyPTPS.exe
| MD5 | f2af9d12d21138eda68c3a9a39656254 |
| SHA1 | 56c76f6d213257a048aa3720aa53ecdd76a53331 |
| SHA256 | 7c836ab66a4a03750ff6566a4c840fd18dae4f3be3738e094ce2c4616f170de3 |
| SHA512 | 860737255b7f9d970b79262a37cf83fa5b27a0aa7b7e977ec26655d1a42a051e74a7960c33ed11914a259a5374ff4f509b40572dbc219fac8384baf2e2b4d1d8 |
C:\Windows\System\dhQgAJV.exe
| MD5 | b5da2192c3e3fd0e8c707de4fd8b794b |
| SHA1 | 6ce7ba19e32c4df627997788c47c6881b581e383 |
| SHA256 | c901b42680a5f68e0177eb2efeba332f9c5477474b1f861a0d9955ff61807524 |
| SHA512 | 0eb2bb8ab4f0dc7614c9b902cb57c77a72f6d1a1593a662d06a8810b68218cfb176b066added4f1efbf7d05566f07348accc66c5e678f07a2608f5ce38fa7682 |
memory/404-14-0x00007FF666D20000-0x00007FF667071000-memory.dmp
C:\Windows\System\MqneBPp.exe
| MD5 | 32d3a9da77e52b10137d85ebb6cd813c |
| SHA1 | ade0b2b6d52a5e97458cf3017ea8c510a9255fd7 |
| SHA256 | 880df22c3176b1121746a6b46a70c95b513db622aba21faddbde71021804511c |
| SHA512 | e6e38a802da15a0fc02b67f97c75c4042dcaccb5a0ed594f741ea751733c4179c0ce9565c4b8588733c56c1667ef8a9014de2909dab3cb18f00a333d860a17e1 |
memory/2688-26-0x00007FF660DC0000-0x00007FF661111000-memory.dmp
memory/3932-21-0x00007FF63ACC0000-0x00007FF63B011000-memory.dmp
memory/1000-8-0x00007FF70C0E0000-0x00007FF70C431000-memory.dmp
C:\Windows\System\bEPLJlY.exe
| MD5 | de108bf1c50d7b9780d8204aa249bad6 |
| SHA1 | 9a510695993feb9eb5e598bf8ba7f44563f5fa8f |
| SHA256 | 62aa8ac62e03b7f1bcbc827fb86f3aebffc2d492e60c2a27a23f8702b7131555 |
| SHA512 | eb7415cbf378e461e635d753d23c96cdcd40a7d7f1d70680a13ad72a54772b46b11a3b7496c82ffc488b47e4e4b68e7290e451cec719c76b0fe73eb7b108c565 |
memory/3040-32-0x00007FF745310000-0x00007FF745661000-memory.dmp
C:\Windows\System\FfDyjZg.exe
| MD5 | 991cb4380e96d5e3a2db7a281ed2ac59 |
| SHA1 | cac68e097f41bb1003dc75b2155da6b4b987a2a4 |
| SHA256 | d1ff06cfabe403d5ad7c1f0a45ff4f2734a17e7970a255417a7612af23c44a1d |
| SHA512 | 2350bc36b0689be4ac36a20fd5fb69acf2ed6106f89f08b107f600007bec8f7b62f60a041157832aa55ef4e58e8f96f250e00b095ad4d78126a81226feee78eb |
memory/3928-38-0x00007FF685B80000-0x00007FF685ED1000-memory.dmp
C:\Windows\System\KlZtdXJ.exe
| MD5 | 72958c9c4305a8a1fac28fb766ae46d2 |
| SHA1 | 25872ae05594d283299904067da0cb1b9151439c |
| SHA256 | c38947899786c840074edb731e25f580caf2d9572a8a3f6d6e5b4ac7a74f571a |
| SHA512 | 1443017f229f0909c04b56cd609e10cd0d261f3f7763348699c9027b9bf431c3864d966d8b84e128b38e0c72825b7b91fe4c6543565d63aa9456ffe3d4aff3cb |
memory/4388-44-0x00007FF717D60000-0x00007FF7180B1000-memory.dmp
C:\Windows\System\XGuEQik.exe
| MD5 | 3b52bdf6792a0720a7c8159d1fc78fcf |
| SHA1 | c94d78cd0bf7a45a86fedb426cc76bdd111d81e4 |
| SHA256 | 9affbff4c254ad4ebe75ad5b958d4a9242622e06aecff9325357facd41f792b4 |
| SHA512 | 785818dd16007ae1bf1f6e29af934e5de3968c01456bedaab865b52fd1686b3fcc1cb040b2cf59babb4946cabe37d99151fac35fdee4d289cdecac748a81b2d9 |
C:\Windows\System\nSxgCdm.exe
| MD5 | ad1581a7317543390b7e778488a1de5e |
| SHA1 | 943c0f8ccc70aab8b16ab0e501f0fbd05411f4e0 |
| SHA256 | 518fc1cbec49c22b1a4d07bc1176852f0473983fba86e24bbdc9e5c5bef2dca3 |
| SHA512 | 9d778f9a484ee00ce9d96c470aa0a92579d2e0e76e839de4baa5bb00bff5c7a62c655a5e4fa37750c3e3568c32850a6621d26a00ff7526029185bdb4adc6369d |
memory/3516-49-0x00007FF7A8510000-0x00007FF7A8861000-memory.dmp
C:\Windows\System\HWWpxgU.exe
| MD5 | 5b78d9eb67ebf4cf497c1985a81568ee |
| SHA1 | b084c23d2685a6d822d9a388ad4270928b3b454c |
| SHA256 | cd5aab9d1b6cf3bfa71d00b89ea00faa5e232bb52d7e181efd210ef85025410b |
| SHA512 | 64edb5e2e2d8f2f4b80bd90b62e09e254b2f11b357994ac9b03b313f0c1ca6d75cf3a976007e19bb54fde8d3328c126ce6cb30d6ac3d62d026b19bc15dfd6b9c |
C:\Windows\System\OilOVHm.exe
| MD5 | 6345fec7acd13220d21cacc4ea34bdd7 |
| SHA1 | 5bb5c808504cc59d5060dae1f8290cbbea7c3e55 |
| SHA256 | 37b50e7adc120b3890f53bbbd68302c8e68b5ac5a3def1ce8511de95e602a3bb |
| SHA512 | 2359701835230332b9a609881d48342a788a3da2c0345dc7b6305722694cccfda61c3aa3196e8ad86ea03500297b12a19c349c0717fef16452c79ecf5b9e5c06 |
C:\Windows\System\cwsmGeS.exe
| MD5 | c177c2324a722597e34e7053090ec860 |
| SHA1 | e876106c3f374c7855d76b0ebad1104ee46835a3 |
| SHA256 | 4b9d2d4d57b9d7a4a3de87e2055217ed5bc2a0832cc3937e3d08b5b4e1672ed9 |
| SHA512 | 18d3450a9a26b433c4eb5ab30bd5cd820669904ad86473c25820d30e34e9eb48bc33ec7e46617513a78932926f42b00bb192fd7462291521cee3ef7fc11fba84 |
C:\Windows\System\olsvaQO.exe
| MD5 | b7e4131d637e46535e89e89cdb7c96cd |
| SHA1 | 11fc38701696cbfbc6ea29b7fda096ef88c53051 |
| SHA256 | 3a86d0790310ca1b85acfddd6d0f5fd1bb63903b26494cc308865d97abce379b |
| SHA512 | d637d899a099248cbf40f38e02187cc56c9eb0f6c6b7c362cd15b7b6e1fbb644a9504be1a1139cdc18a221822304d6c5910d5718168513794c55dfd118e4b2c1 |
C:\Windows\System\yWVOWnl.exe
| MD5 | 7149a240048443f1a84b1a1d1a14f4c0 |
| SHA1 | 39e44ec6e73cc1f4a9e1958a934ebc5d7eff77fb |
| SHA256 | 0801093b0c81b6ff2038ee9863d6b144f9e77c855c3e7a73d4bc1e3152f4ff9a |
| SHA512 | 230e48694b5c5a057bd82888d555c623c922dc7d7dedc40d351692aab607c347dd7396a7739d9322069abe09e6237e67fe3b6df42ea016ee31ad81891d221b94 |
C:\Windows\System\PaFyYmZ.exe
| MD5 | 97cfde77a05c20f7663bcaf6730d37aa |
| SHA1 | c1f26c333e57018f730f44dafd7370fc96f52eea |
| SHA256 | 9a6eb5ccac28de7a814ec39244b779100a6c1afd79413f197320b964d578cc05 |
| SHA512 | 43beabfc4bde9429e8b83fcfa66bd5a4789e53c1105402c46aa7bddcb835d88ce728302ad0bb9da3466842413ba9975bf375ad09548b0091e85b179138ad4606 |
C:\Windows\System\kqAyAqh.exe
| MD5 | 600d3c55201becb3d98ba0cea4cb36a3 |
| SHA1 | 0595b87bc40fb624a7f1af4e6306a6ac309ecc69 |
| SHA256 | 927c03cdaa38ccdeee589c79ae368650de5a4c39bd864d1ef5d54f2c88770ab5 |
| SHA512 | f93e6e4754d7496f715b0391416252ed934160ea5aa0302f8bc796f5539d4264e2630b02d40df6a57efe61e6dce8dfce55364b49908d4b96f418a7882c959358 |
C:\Windows\System\GONqUVV.exe
| MD5 | ac8224f710d2e3dd602766b144c9f75b |
| SHA1 | 714e51b6d18fe996832d03928917d9accca0d872 |
| SHA256 | 2a5ccb68af1b165123fe8a75c41ad810b861f38141958c219891d5a55d2af341 |
| SHA512 | 146aae6d0b2fab4426d0740e12508cb0ac6e816d38fe0459715c2ac4e4425b4369c4435cb7d000a231b952a529c728050e1173ef1a4b0c97a3169c356dbf9801 |
C:\Windows\System\XskEfEe.exe
| MD5 | a7238f9c93f17d72d7dc5af6204f4558 |
| SHA1 | 7efdefd6a4f032c7976ce5a27a9e3d50ee3b2eb9 |
| SHA256 | e211ad941b1190cd4657875237342afb29c09334e6733ee34b00fd99202df13a |
| SHA512 | a5dc6fd11046f5e8fe4e590bd22664ec0db371dadb352f0cb89e2221c3cc395dbf064885ab6484df8f3d37165cbbbb79dd647c4aee8921e115fc6e1940b17735 |
C:\Windows\System\JZgVbrE.exe
| MD5 | b5e23ae3aecafef664196e61795f3137 |
| SHA1 | f47e86ab57b049223f2bc4aa7b888e400936d77f |
| SHA256 | cfc32e9580b024b04cfb8a8db275e75375b5bb9b901e7f7a7b466ea1d60abe2c |
| SHA512 | 5d9f59242522ccd06aeb1342c8851102434097dd8703ac18236052d23d2385096f06479564515da5434c3bb13a8188b267ba7bf9f83bd91a3ab9d6ec41b44c3b |
C:\Windows\System\oydfXNO.exe
| MD5 | d3454536b29e150d5f8bcfc095c462f7 |
| SHA1 | 1ebf0466b048a7f31c02119a51e5ffaa8226bab9 |
| SHA256 | b45a02443c0c66f011131bfb9d927e2bb90b88c09585f53b54defdc2bde026b5 |
| SHA512 | 3801d435903faee1272cac55594b1f26bf72ac5c017d17c485f00067163defe51672182726ad839a960ea5334c365e4545d81286353cf1804a336ed3afdd701d |
C:\Windows\System\LgJdXII.exe
| MD5 | 8caf65d3d25a01cee8670480b575e406 |
| SHA1 | dd87728d138142cdb67b5f4ac4f5a692573f1148 |
| SHA256 | e2202db27441039d1012ff7e90365773f9fa6191a250ffe86f79c0c261803ba6 |
| SHA512 | 146f19bcbc1d01874dd4c323455260a5a88854340d592609a8a972600e1ca91897be2fdde4b5e64fc9164d281fb2f3e95bc66e217396869816fd7c10a113d95d |
memory/432-71-0x00007FF77A1A0000-0x00007FF77A4F1000-memory.dmp
memory/3748-65-0x00007FF601CD0000-0x00007FF602021000-memory.dmp
memory/60-62-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp
memory/2776-53-0x00007FF7CEF80000-0x00007FF7CF2D1000-memory.dmp
memory/60-119-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp
memory/3516-127-0x00007FF7A8510000-0x00007FF7A8861000-memory.dmp
memory/2776-128-0x00007FF7CEF80000-0x00007FF7CF2D1000-memory.dmp
memory/1000-120-0x00007FF70C0E0000-0x00007FF70C431000-memory.dmp
memory/3928-125-0x00007FF685B80000-0x00007FF685ED1000-memory.dmp
memory/3932-122-0x00007FF63ACC0000-0x00007FF63B011000-memory.dmp
memory/3748-130-0x00007FF601CD0000-0x00007FF602021000-memory.dmp
memory/432-132-0x00007FF77A1A0000-0x00007FF77A4F1000-memory.dmp
memory/4516-133-0x00007FF740BB0000-0x00007FF740F01000-memory.dmp
memory/4976-134-0x00007FF7DC3D0000-0x00007FF7DC721000-memory.dmp
memory/2316-135-0x00007FF6C7290000-0x00007FF6C75E1000-memory.dmp
memory/2128-137-0x00007FF6B04A0000-0x00007FF6B07F1000-memory.dmp
memory/724-131-0x00007FF6401E0000-0x00007FF640531000-memory.dmp
memory/3380-129-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp
memory/428-138-0x00007FF770F90000-0x00007FF7712E1000-memory.dmp
memory/452-148-0x00007FF666330000-0x00007FF666681000-memory.dmp
memory/4912-146-0x00007FF776470000-0x00007FF7767C1000-memory.dmp
memory/1556-147-0x00007FF75C8B0000-0x00007FF75CC01000-memory.dmp
memory/60-149-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp
memory/1000-194-0x00007FF70C0E0000-0x00007FF70C431000-memory.dmp
memory/404-196-0x00007FF666D20000-0x00007FF667071000-memory.dmp
memory/2688-198-0x00007FF660DC0000-0x00007FF661111000-memory.dmp
memory/3932-203-0x00007FF63ACC0000-0x00007FF63B011000-memory.dmp
memory/3040-205-0x00007FF745310000-0x00007FF745661000-memory.dmp
memory/3928-214-0x00007FF685B80000-0x00007FF685ED1000-memory.dmp
memory/4388-216-0x00007FF717D60000-0x00007FF7180B1000-memory.dmp
memory/3516-218-0x00007FF7A8510000-0x00007FF7A8861000-memory.dmp
memory/2776-220-0x00007FF7CEF80000-0x00007FF7CF2D1000-memory.dmp
memory/3748-222-0x00007FF601CD0000-0x00007FF602021000-memory.dmp
memory/432-224-0x00007FF77A1A0000-0x00007FF77A4F1000-memory.dmp
memory/3380-226-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp
memory/4976-229-0x00007FF7DC3D0000-0x00007FF7DC721000-memory.dmp
memory/4516-230-0x00007FF740BB0000-0x00007FF740F01000-memory.dmp
memory/724-234-0x00007FF6401E0000-0x00007FF640531000-memory.dmp
memory/2316-233-0x00007FF6C7290000-0x00007FF6C75E1000-memory.dmp
memory/2128-236-0x00007FF6B04A0000-0x00007FF6B07F1000-memory.dmp
memory/1556-238-0x00007FF75C8B0000-0x00007FF75CC01000-memory.dmp
memory/452-242-0x00007FF666330000-0x00007FF666681000-memory.dmp
memory/428-241-0x00007FF770F90000-0x00007FF7712E1000-memory.dmp
memory/4912-244-0x00007FF776470000-0x00007FF7767C1000-memory.dmp
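Added example, not part of this report or of the sandbox's own tooling: a Python script that turns the Network table and the per-file hash blocks in the Files section above into a hunt-ready indicator set. It parses the markdown rows (tolerating exports that shift the protocol into the empty Domain column), separates sandbox background traffic from the one destination the sample keeps returning to, and collects the hashes of every dropped file while skipping the memory-dump entries, which carry no hashes. The background-traffic rules (queries to the 8.8.8.8 resolver, reverse lookups, Microsoft content hosts) are the example's assumption; the report lists 3.120.209.58:8080 but does not itself label it, so the script reports it as a candidate, not a confirmed C2. The embedded input is a subset of rows copied from the tables above.

```python
"""Extract indicators from a sandbox report rendered as markdown tables.

Added example, not the report's own code. Noise rules are assumptions.
"""
import re
from collections import Counter

# Constructed input: a subset of rows copied from the Network table above.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.216:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
""".strip().splitlines()

# Constructed input: two entries copied from the Files section above plus a
# memory-dump line, which has no hash rows and must not be treated as a file.
FILE_LINES = r"""
memory/60-0-0x00007FF7AAE10000-0x00007FF7AB161000-memory.dmp
C:\Windows\System\NKMUSKR.exe
| MD5 | 9b14219226907e53abe84d4ad6a3788b |
| SHA1 | 4e890d5f24f751e471aeb4e694ca814a5b3a8314 |
| SHA256 | 33ed1d71c382ad9d81ae9c3db5f9a7ce9ca2093f3211e6c33785cf4c0a9fef14 |
C:\Windows\System\hIyPTPS.exe
| MD5 | f2af9d12d21138eda68c3a9a39656254 |
| SHA256 | 7c836ab66a4a03750ff6566a4c840fd18dae4f3be3738e094ce2c4616f170de3 |
""".strip().splitlines()

PROTOS = {"tcp", "udp"}
# Assumption: these are sandbox/OS background traffic, not the sample's own.
BENIGN_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
RESOLVERS = {"8.8.8.8:53"}


def parse_network(lines):
    """Parse '| country | dest | domain | proto |' rows into dicts.

    Some exports shift the proto into the Domain column when no domain was
    observed, so the proto is located by value rather than by position.
    """
    rows = []
    for line in lines:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":  # skip header/short rows
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        proto = next((c for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_background(row):
    """True for resolver queries, reverse lookups and Microsoft content hosts."""
    domain = row["domain"].lower()
    return row["dest"] in RESOLVERS or domain.endswith(BENIGN_DOMAIN_SUFFIXES)


def c2_candidates(rows):
    """Count non-background connections per destination, most frequent first."""
    counts = Counter(r["dest"] for r in rows if not is_background(r))
    return counts.most_common()


HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_file_hashes(lines):
    """Map each dropped-file path to its hash rows; memory dumps are skipped."""
    files, current = {}, None
    for line in lines:
        line = line.strip()
        m = HASH_ROW.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None  # a dump line ends the current file's hash block
        elif line and not line.startswith("|"):
            current = line
            files[current] = {}
    return files


def build_iocs(network_lines=NETWORK_ROWS, file_lines=FILE_LINES):
    """Combine both parsers into one indicator set for hunting/blocking."""
    files = parse_file_hashes(file_lines)
    return {
        "c2_candidates": c2_candidates(parse_network(network_lines)),
        "dropped_paths": sorted(files),
        "sha256": sorted(h["SHA256"] for h in files.values() if "SHA256" in h),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(), indent=2))
```

On the full table above the same logic leaves exactly one destination standing, 3.120.209.58:8080 over TCP, seen six times across the run; the repetition with no associated domain is what makes it worth a firewall lookup and a retro-hunt, while the bing.com / bing.net and in-addr.arpa rows are the kind of traffic a Windows sandbox image generates on its own and should not be blocked on the strength of this report.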