Analysis Overview
SHA256
1bf86d0802c55cafe6d5cad3e87b1cecea467c276b0d7b2d23efe5bf9f2825ac
Threat Level: Known bad
The file 2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 01:00
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 01:00
Reported
2024-05-30 01:03
Platform
win7-20240215-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DXnikAd.exe | N/A |
| N/A | N/A | C:\Windows\System\iAVafMz.exe | N/A |
| N/A | N/A | C:\Windows\System\TQulfYZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MMHrrpV.exe | N/A |
| N/A | N/A | C:\Windows\System\VsNgNCV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZjSyxYO.exe | N/A |
| N/A | N/A | C:\Windows\System\VgkJYfv.exe | N/A |
| N/A | N/A | C:\Windows\System\KPigTgD.exe | N/A |
| N/A | N/A | C:\Windows\System\HcOqWEl.exe | N/A |
| N/A | N/A | C:\Windows\System\EZnOCKq.exe | N/A |
| N/A | N/A | C:\Windows\System\tmDSLdt.exe | N/A |
| N/A | N/A | C:\Windows\System\scLjMGc.exe | N/A |
| N/A | N/A | C:\Windows\System\VwEqMfc.exe | N/A |
| N/A | N/A | C:\Windows\System\wyWNbIg.exe | N/A |
| N/A | N/A | C:\Windows\System\hgQSjJu.exe | N/A |
| N/A | N/A | C:\Windows\System\hyavcvD.exe | N/A |
| N/A | N/A | C:\Windows\System\pFyirdi.exe | N/A |
| N/A | N/A | C:\Windows\System\BtxXXhy.exe | N/A |
| N/A | N/A | C:\Windows\System\IkAykWQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HyaOYZH.exe | N/A |
| N/A | N/A | C:\Windows\System\affTxwf.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\DXnikAd.exe
C:\Windows\System\DXnikAd.exe
C:\Windows\System\iAVafMz.exe
C:\Windows\System\iAVafMz.exe
C:\Windows\System\TQulfYZ.exe
C:\Windows\System\TQulfYZ.exe
C:\Windows\System\MMHrrpV.exe
C:\Windows\System\MMHrrpV.exe
C:\Windows\System\VsNgNCV.exe
C:\Windows\System\VsNgNCV.exe
C:\Windows\System\ZjSyxYO.exe
C:\Windows\System\ZjSyxYO.exe
C:\Windows\System\VgkJYfv.exe
C:\Windows\System\VgkJYfv.exe
C:\Windows\System\KPigTgD.exe
C:\Windows\System\KPigTgD.exe
C:\Windows\System\HcOqWEl.exe
C:\Windows\System\HcOqWEl.exe
C:\Windows\System\EZnOCKq.exe
C:\Windows\System\EZnOCKq.exe
C:\Windows\System\tmDSLdt.exe
C:\Windows\System\tmDSLdt.exe
C:\Windows\System\scLjMGc.exe
C:\Windows\System\scLjMGc.exe
C:\Windows\System\VwEqMfc.exe
C:\Windows\System\VwEqMfc.exe
C:\Windows\System\wyWNbIg.exe
C:\Windows\System\wyWNbIg.exe
C:\Windows\System\hgQSjJu.exe
C:\Windows\System\hgQSjJu.exe
C:\Windows\System\hyavcvD.exe
C:\Windows\System\hyavcvD.exe
C:\Windows\System\pFyirdi.exe
C:\Windows\System\pFyirdi.exe
C:\Windows\System\BtxXXhy.exe
C:\Windows\System\BtxXXhy.exe
C:\Windows\System\IkAykWQ.exe
C:\Windows\System\IkAykWQ.exe
C:\Windows\System\HyaOYZH.exe
C:\Windows\System\HyaOYZH.exe
C:\Windows\System\affTxwf.exe
C:\Windows\System\affTxwf.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1568-0-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/1568-1-0x0000000000200000-0x0000000000210000-memory.dmp
\Windows\system\DXnikAd.exe
| MD5 | ac1730a8b5e74e41682ebc707e0a4a30 |
| SHA1 | e57d421616787c772ea3925115cb7f5dda6ee328 |
| SHA256 | 61073da936f9e4df4e8586601646d049c4622b7aea44e074479c9baebb72b771 |
| SHA512 | 2d846bc1cce348877c6304a71aed33dc0f036b46d4493534db43921622c5b11b48f8124adbfd22c6d5ffe6e19cf9eecec6636f4192ee2012cff2557ad0671cdf |
memory/2504-9-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/1568-7-0x0000000002270000-0x00000000025C1000-memory.dmp
\Windows\system\iAVafMz.exe
| MD5 | 6c41177e04a17d8cde97826ccf6ead2f |
| SHA1 | dce4b3530b7f2a60f1cddaf4b1ce6b6a77cfd7bf |
| SHA256 | 19e272d3fa7667794ef9419c5c9ceed2222e01bd610fca20d600eb6afe6336e0 |
| SHA512 | 6c2e127cc1fd2fc578edeaf7534bc5ff23237260217901a0fa6af82f716138fddbc3d24ac7d2d77d6624115dad7c9a0047bc22d87b49e050a63e2474dbc161b1 |
C:\Windows\system\TQulfYZ.exe
| MD5 | f9da6475bf31ae6e5b5a4cb55446e2bc |
| SHA1 | c0384af369186fa79fd32c2e44981ac7b93b7690 |
| SHA256 | e5122a71d640b80dfff3c8aa6fa6701db5f5c58dbd036996006fd3746a3d7968 |
| SHA512 | 3b7f07657ed4d47f54a4a4c37da6dd4b989f8ba7ac071241e947eb32d4b2339526f50cf6440863aa0a238222909204b17e99569e53ebbe0c4ac18b845d65b888 |
memory/1568-23-0x000000013FF90000-0x00000001402E1000-memory.dmp
\Windows\system\MMHrrpV.exe
| MD5 | 7eb97597b031e0345a40f0092b8866fa |
| SHA1 | 0bf1a1251db90e0da46f3c30e1e1da839528a597 |
| SHA256 | e9b1b64d958596a671a09d4f06c9f554dacc75c8c768c955a42f2d0532bee857 |
| SHA512 | 0f04bf842d5f2d6852b771075a2177f6b40ea405b655d2fa0fcb58da443c40558becbf0ed8a72b2b7c7877f935e30f929be012c8c9798711ddfabb322d6cd32e |
C:\Windows\system\VsNgNCV.exe
| MD5 | 7bf445c65c244fc2e686959222e67ad7 |
| SHA1 | e362d98643d8657437acb0d86626bbf7cd462369 |
| SHA256 | 20dcfe4f6f1edda66cfceddd567fd702e3ee141571a5860fa64949417d58aa6c |
| SHA512 | 29c563a1ad5780dd44b79669fc4b5e6d834add9e87b40c130187eeafbe0153a3ebf5bc283479b26f05244d4fce7d4b17d1a85013ff7f0b4e50987cfa5fadb8c3 |
C:\Windows\system\ZjSyxYO.exe
| MD5 | 20b8926f1410f69d239efab635599eeb |
| SHA1 | 0e7e66df1c94b76f940d6c6b4602e93972923e49 |
| SHA256 | 04ce71d8326c471d80f949053fcf393a1ae79363ff4773765e21cfd10a8e403c |
| SHA512 | 65ca5bb832be801b40bdf3bfdffe37931d6e046a616b2a1115188e3a1c196c9ca7d72f57fc8fd874e40462572efc0dc83e23649aa0e0d0c667976f500e10b9ab |
memory/1568-39-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2500-40-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2416-35-0x000000013F500000-0x000000013F851000-memory.dmp
memory/1568-33-0x000000013F500000-0x000000013F851000-memory.dmp
memory/1568-54-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2576-49-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2412-58-0x000000013FB70000-0x000000013FEC1000-memory.dmp
C:\Windows\system\VgkJYfv.exe
| MD5 | 499dd74d81c312dbed8b0436185842f8 |
| SHA1 | 18254407b82c7aa265e47e025d46cb7529d2cd01 |
| SHA256 | 75760c3d33fcdda29ba6bb845b8debdad1b99be32353fd758c1b928097d29114 |
| SHA512 | 483e71725f2817e1d329aca52962775b90e73dc78e979972567023070b264947fe19362d8a23c5c876bdd63338c9c91f27aa692cb64ab6393cccf76815b1c117 |
memory/1568-44-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/1568-55-0x0000000002270000-0x00000000025C1000-memory.dmp
C:\Windows\system\KPigTgD.exe
| MD5 | f997e1acfd051dfcb6c28aca266220c1 |
| SHA1 | 95c977a3ecda1930c2bf74704d661dd6ddc3ee85 |
| SHA256 | dfcd121a6b77687251f61ccf0fa924880152b6629fb65463e86328499870a8cc |
| SHA512 | 8dfa35cb2b57cec0de40128afdd561fcc2d55ef63b1c45420efc34226951c2ddafc084e5ebe4aa88b1e9ac7b9785029c64731f89747432d24b61082af17ecf7d |
memory/1568-32-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/2216-31-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2652-28-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2540-14-0x000000013FA90000-0x000000013FDE1000-memory.dmp
C:\Windows\system\HcOqWEl.exe
| MD5 | 6de9ef86bae2bb9ef6a7ed3f015d5970 |
| SHA1 | c8c7ecf63b55bf4fb533655fb6469178c81e9c36 |
| SHA256 | ec1c2493edfff89a8b0027d042c12f85cc0abf63c9b8fa55be1928354b5b493e |
| SHA512 | 361d26e4d18596534e1428f392f60acacfa80797d5fd18e6fc1750000c9cd9d81e51c9b082b8708ccc440bb84795a4949695b31608b344a30f9a3f20b12e7356 |
C:\Windows\system\EZnOCKq.exe
| MD5 | c2a4d076d65c39b1f5d7069297d5a30f |
| SHA1 | cc5c88184884cf968e87263c6044dea3c6447b36 |
| SHA256 | de29c6dbc6baa14b47534d43c4c566fad1d97dcc81c383d806da9a89ab718738 |
| SHA512 | 99bf359c3065f70ce7fc629fdb40b6b499df5dfb0f687154ffee25cccc4850b3d8447c0b2f4f3e0a2c4daaa7b69b430b5a94ce5547c1f63f7b1c60ada2fc87e1 |
memory/2504-68-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/1376-71-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/1568-63-0x0000000002270000-0x00000000025C1000-memory.dmp
\Windows\system\scLjMGc.exe
| MD5 | 873f145c3d603128c262f24972f5bf49 |
| SHA1 | 07cf5cfd914dff07189cda8936ce03d8b6f15b1e |
| SHA256 | 02aa86838ef962bb9c18c77b98aa136ef50db0f9f565aa45fd039ee686b5d59f |
| SHA512 | 9789f72a82a462d8aaecc5ae7229e7201d24c87c7381cabfe99c614c5ad826493e35bc8b9930983cdceccb74c3427c7f379fe639e026aefcaf459f989c5a5861 |
memory/2540-77-0x000000013FA90000-0x000000013FDE1000-memory.dmp
\Windows\system\VwEqMfc.exe
| MD5 | c03ec88eb6bf245fbdfa4b5050498441 |
| SHA1 | bf4892615806e1e574a7fc17f9f94295d8683ae2 |
| SHA256 | 053bd1e9571bd0aca944ec0844fd6dce7505bc5096dd846093babc2083244029 |
| SHA512 | 61ef6f45268db1b9cac5a7146099cfb4b7010f3bd84ac19bf6135a452e5cba4b791cf5e255ec8c882e751156987e2fe7ca20b1a7e2af2aa39d58d395ff8e4209 |
memory/2712-97-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2708-99-0x000000013FB50000-0x000000013FEA1000-memory.dmp
C:\Windows\system\wyWNbIg.exe
| MD5 | 1aee32065fb6e68267759a5a3de2f925 |
| SHA1 | 62ba50d2c2a09e3184a98dcd67fc46291647b2b0 |
| SHA256 | a592ce7e7eebec8d87f8cd6f48d077ec96198a7e181ea1c544a88d69b1369e40 |
| SHA512 | 6499afa28d900d08f2f03af1defd5bfd652f81f386763b0097c5b38dcbfe62a44c7b5515ab2865192f3c4898b7f232c5d1adabebb438c149963e53fcd7432fe1 |
memory/2416-103-0x000000013F500000-0x000000013F851000-memory.dmp
memory/1652-106-0x000000013FA20000-0x000000013FD71000-memory.dmp
C:\Windows\system\pFyirdi.exe
| MD5 | a60f2d3ccef5c1174b57450d88e68fd0 |
| SHA1 | af3fe2080577cac3d18128622ca10c58b15e38df |
| SHA256 | 86e89d3f04f2e0b67b60605be63ba7e8b10b3502a27e74a83c5463d08da5bc91 |
| SHA512 | 6f6e6581baed1c25854ca550ad28ff810b1067c641178670af0d8040be34980f1c73c507c4b1e79aa8aae4b948b98e9a87a24affa7931c82a6e5d1906da09f40 |
C:\Windows\system\HyaOYZH.exe
| MD5 | dd60081daaa0637c3111b09864166b6e |
| SHA1 | d8a8d21c1453e8b0ab42be613b04b2ad12ff5366 |
| SHA256 | 983b3f1967f55dddbd335e77632173644c77e16e88d1b0e730924561bb20bdd3 |
| SHA512 | 656b4859e97205c6376961108e68b0d8979bffe904bd5506a61b74717085cd42525b9811d02f7e9a082a3d891fa4f4530538760ad83fcef66055edcbb42c11c8 |
\Windows\system\affTxwf.exe
| MD5 | 2f6bf98d797b73d074260d10084e1db1 |
| SHA1 | 1248a34d54a50e45c70c8b4717e7792c16ed8b51 |
| SHA256 | ba92ac4af9fcaf641c4224ea93a4c7e47ae4abcfdc5e55a5bf1a3b8a1a92edf6 |
| SHA512 | 4dd833f2cf2f5702c3e961f9dc6eb7bad1407629e30f76c3f9f21d25ed54cbbd348e8977cd6fad0f305eec646a45e3644b19fd0ac1d6895c22f6280c93fdb0ff |
C:\Windows\system\IkAykWQ.exe
| MD5 | 995d291b9a1662ad69e9b3629a9c8821 |
| SHA1 | 7d56de99c7ca5943c3068bde7dfc7a8891204dd0 |
| SHA256 | 34887a59ac43c7cd5f9b1cb1846aeed208809998e70d06baed4de88ffad041eb |
| SHA512 | a596890dd950c9794806de5b4d3afd86a9e5b29b7c5a6d44bc26c4787f957dd9e14deb7a74ea7900e3b92da157551c41bfadd377a2617bcc8fed94c2f3c5f6f9 |
C:\Windows\system\BtxXXhy.exe
| MD5 | e0fbad318a2ae3716d48c07201bf991a |
| SHA1 | 2edbadefdc2ec88b62090db01bacc3837b678cf8 |
| SHA256 | e0b2c6bc26ba6e5333c42e579696b4bf7bd02d6950019dd0c56aac5b097a6883 |
| SHA512 | 745a9f4908382944de43c326bb2f71efaebb22cd6d97d680447cc0ebd914e14bd4f20fa50389053632fc7c1967838020d0d4eabb72851d407c512c13ceb10bad |
memory/1568-111-0x0000000002270000-0x00000000025C1000-memory.dmp
C:\Windows\system\hgQSjJu.exe
| MD5 | 486a80ea801068dee204c6fe157aaa34 |
| SHA1 | f0e3306501c0d522e7b33fa2d7992165f6497d5b |
| SHA256 | 1111d992e1dd8d155496d1aaf4462e2284a9684cf60de09a72ea0477876d832f |
| SHA512 | c1487e8d4a963265e4d47ed0fac31ff29bf213766fdff1136ac4b81a50f809a8902eb179aa040dd35d9cd642fd2283f4d0ccf4bcc449ecb4c172c51e1367845f |
C:\Windows\system\hyavcvD.exe
| MD5 | 20ad42227a9ceaf1c4a6ad6b1d11a5fb |
| SHA1 | fd259c95294be6a9c32ad322beb0e9aed5a871b7 |
| SHA256 | 50402857709c9f3b79f4b3a0641f10deb232582c83c634ffa2791d22e3f6db60 |
| SHA512 | 048b40bca82080fa74839112e17501abc6b7dc53ccf1d84940ff89c2b9ac16a482cbd0a9d270085c8c00f99bcd36dfe3a694fa782f0c713f311ca240720834ab |
memory/2500-104-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/1568-95-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/2216-94-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1568-93-0x000000013F640000-0x000000013F991000-memory.dmp
memory/1288-92-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/1568-90-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/1568-89-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/1568-76-0x0000000002270000-0x00000000025C1000-memory.dmp
C:\Windows\system\tmDSLdt.exe
| MD5 | 1ba38b9f8942ab8015fed06c216b25b3 |
| SHA1 | adbddc2befc0f1414da65dbe590c9eeb289e54e9 |
| SHA256 | f7b2d0dc79e0dab92a87fce0a4f022932a21ec1a5deb5fb4e6417731ab3bc352 |
| SHA512 | b3b25d2a9e247374ef1aaa053cd15b78a5125304b06a9866302659ce7e587518080a1460be9730d056de4bd47b1072165a381a42d7e893e513000a7c26d5ee2a |
memory/2652-82-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/1568-79-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2412-142-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/1568-143-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/1652-157-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2532-159-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1568-158-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/1432-163-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/1268-165-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/1968-166-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/932-162-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2320-164-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2172-161-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/1600-160-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1568-167-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2504-221-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2540-223-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2216-226-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2652-227-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2500-229-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2576-231-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2416-233-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2412-235-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2532-237-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1376-239-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/1288-241-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2712-243-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2708-245-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/1652-247-0x000000013FA20000-0x000000013FD71000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 01:00
Reported
2024-05-30 01:03
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NUEggcG.exe | N/A |
| N/A | N/A | C:\Windows\System\cJBilFS.exe | N/A |
| N/A | N/A | C:\Windows\System\LrgaWEr.exe | N/A |
| N/A | N/A | C:\Windows\System\vUAfBUm.exe | N/A |
| N/A | N/A | C:\Windows\System\RdEIajN.exe | N/A |
| N/A | N/A | C:\Windows\System\ocGOvVz.exe | N/A |
| N/A | N/A | C:\Windows\System\rXTGAsO.exe | N/A |
| N/A | N/A | C:\Windows\System\WAybSDX.exe | N/A |
| N/A | N/A | C:\Windows\System\DJnweWR.exe | N/A |
| N/A | N/A | C:\Windows\System\FZxrOOj.exe | N/A |
| N/A | N/A | C:\Windows\System\IeDhgGe.exe | N/A |
| N/A | N/A | C:\Windows\System\suyyMxk.exe | N/A |
| N/A | N/A | C:\Windows\System\gWIZcEu.exe | N/A |
| N/A | N/A | C:\Windows\System\VWnBtqn.exe | N/A |
| N/A | N/A | C:\Windows\System\VRODktp.exe | N/A |
| N/A | N/A | C:\Windows\System\IajHGpD.exe | N/A |
| N/A | N/A | C:\Windows\System\nPXrFwf.exe | N/A |
| N/A | N/A | C:\Windows\System\AieeDwP.exe | N/A |
| N/A | N/A | C:\Windows\System\YYBkQiX.exe | N/A |
| N/A | N/A | C:\Windows\System\ALXzNOO.exe | N/A |
| N/A | N/A | C:\Windows\System\ILDUMVm.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8e93b3c763d72c05f5a29898eb320caf_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NUEggcG.exe
C:\Windows\System\NUEggcG.exe
C:\Windows\System\cJBilFS.exe
C:\Windows\System\cJBilFS.exe
C:\Windows\System\LrgaWEr.exe
C:\Windows\System\LrgaWEr.exe
C:\Windows\System\vUAfBUm.exe
C:\Windows\System\vUAfBUm.exe
C:\Windows\System\RdEIajN.exe
C:\Windows\System\RdEIajN.exe
C:\Windows\System\ocGOvVz.exe
C:\Windows\System\ocGOvVz.exe
C:\Windows\System\rXTGAsO.exe
C:\Windows\System\rXTGAsO.exe
C:\Windows\System\WAybSDX.exe
C:\Windows\System\WAybSDX.exe
C:\Windows\System\FZxrOOj.exe
C:\Windows\System\FZxrOOj.exe
C:\Windows\System\DJnweWR.exe
C:\Windows\System\DJnweWR.exe
C:\Windows\System\IeDhgGe.exe
C:\Windows\System\IeDhgGe.exe
C:\Windows\System\suyyMxk.exe
C:\Windows\System\suyyMxk.exe
C:\Windows\System\gWIZcEu.exe
C:\Windows\System\gWIZcEu.exe
C:\Windows\System\VWnBtqn.exe
C:\Windows\System\VWnBtqn.exe
C:\Windows\System\VRODktp.exe
C:\Windows\System\VRODktp.exe
C:\Windows\System\IajHGpD.exe
C:\Windows\System\IajHGpD.exe
C:\Windows\System\nPXrFwf.exe
C:\Windows\System\nPXrFwf.exe
C:\Windows\System\AieeDwP.exe
C:\Windows\System\AieeDwP.exe
C:\Windows\System\YYBkQiX.exe
C:\Windows\System\YYBkQiX.exe
C:\Windows\System\ALXzNOO.exe
C:\Windows\System\ALXzNOO.exe
C:\Windows\System\ILDUMVm.exe
C:\Windows\System\ILDUMVm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files