Analysis Overview
SHA256
d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b
Threat Level: Known bad
The file d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 03:26
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 03:26
Reported
2024-05-30 03:28
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kxpXHcp.exe | N/A |
| N/A | N/A | C:\Windows\System\avnLcNq.exe | N/A |
| N/A | N/A | C:\Windows\System\TriXBGF.exe | N/A |
| N/A | N/A | C:\Windows\System\XBkbUsc.exe | N/A |
| N/A | N/A | C:\Windows\System\UrLtSje.exe | N/A |
| N/A | N/A | C:\Windows\System\yVVPMJK.exe | N/A |
| N/A | N/A | C:\Windows\System\iMztHxR.exe | N/A |
| N/A | N/A | C:\Windows\System\mHERTJf.exe | N/A |
| N/A | N/A | C:\Windows\System\ayOhFAr.exe | N/A |
| N/A | N/A | C:\Windows\System\zDkeEVL.exe | N/A |
| N/A | N/A | C:\Windows\System\YtZsUvg.exe | N/A |
| N/A | N/A | C:\Windows\System\swjFvUj.exe | N/A |
| N/A | N/A | C:\Windows\System\GnPuriU.exe | N/A |
| N/A | N/A | C:\Windows\System\iQxlxHm.exe | N/A |
| N/A | N/A | C:\Windows\System\rjGvxSK.exe | N/A |
| N/A | N/A | C:\Windows\System\qJPxtiM.exe | N/A |
| N/A | N/A | C:\Windows\System\qMFHYGu.exe | N/A |
| N/A | N/A | C:\Windows\System\gAPvlpm.exe | N/A |
| N/A | N/A | C:\Windows\System\aEesDTf.exe | N/A |
| N/A | N/A | C:\Windows\System\azvirUP.exe | N/A |
| N/A | N/A | C:\Windows\System\QnGLZLA.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe
"C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe"
C:\Windows\System\kxpXHcp.exe
C:\Windows\System\kxpXHcp.exe
C:\Windows\System\avnLcNq.exe
C:\Windows\System\avnLcNq.exe
C:\Windows\System\TriXBGF.exe
C:\Windows\System\TriXBGF.exe
C:\Windows\System\XBkbUsc.exe
C:\Windows\System\XBkbUsc.exe
C:\Windows\System\UrLtSje.exe
C:\Windows\System\UrLtSje.exe
C:\Windows\System\yVVPMJK.exe
C:\Windows\System\yVVPMJK.exe
C:\Windows\System\mHERTJf.exe
C:\Windows\System\mHERTJf.exe
C:\Windows\System\iMztHxR.exe
C:\Windows\System\iMztHxR.exe
C:\Windows\System\ayOhFAr.exe
C:\Windows\System\ayOhFAr.exe
C:\Windows\System\zDkeEVL.exe
C:\Windows\System\zDkeEVL.exe
C:\Windows\System\YtZsUvg.exe
C:\Windows\System\YtZsUvg.exe
C:\Windows\System\swjFvUj.exe
C:\Windows\System\swjFvUj.exe
C:\Windows\System\GnPuriU.exe
C:\Windows\System\GnPuriU.exe
C:\Windows\System\iQxlxHm.exe
C:\Windows\System\iQxlxHm.exe
C:\Windows\System\rjGvxSK.exe
C:\Windows\System\rjGvxSK.exe
C:\Windows\System\qJPxtiM.exe
C:\Windows\System\qJPxtiM.exe
C:\Windows\System\qMFHYGu.exe
C:\Windows\System\qMFHYGu.exe
C:\Windows\System\gAPvlpm.exe
C:\Windows\System\gAPvlpm.exe
C:\Windows\System\aEesDTf.exe
C:\Windows\System\aEesDTf.exe
C:\Windows\System\azvirUP.exe
C:\Windows\System\azvirUP.exe
C:\Windows\System\QnGLZLA.exe
C:\Windows\System\QnGLZLA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2848-0-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2848-1-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
C:\Windows\system\kxpXHcp.exe
| MD5 | cc834d8bf83d3d4c1546163b45539011 |
| SHA1 | 4eef5af59c47e8cb5a250d64e6efb2a11c5a6341 |
| SHA256 | 22489c532a35c3aecdac4a9e2fb46415d07eb07eb5e0223a2240323eeae62dfa |
| SHA512 | bd2d2315b71015a1bb6c0e214b7edd59a84150d3690784bd201b4776d7347363ac5d0c86e123166cf8ad18033783d0498a0db15e7df4f7d56064dbe6f7194df6 |
memory/3036-9-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2848-8-0x000000013FF90000-0x00000001402E4000-memory.dmp
C:\Windows\system\avnLcNq.exe
| MD5 | 7c4dc88d455eb9b774938b4b498fcf6b |
| SHA1 | fbb60bf9b3a286507a7a504bb8fbbd78b25937c0 |
| SHA256 | 376a9aafc7c2933a4a3b412e290f15149e107aead22c74706db794380f79eacf |
| SHA512 | c34150b0a9eabff4e8a9bc3c4513b83b433dcbe146d5ff89b2622f6f1be6f7b365f7c5925bae463f19ca4bd1c2245faa2500abbba677ad2c80fd8930d6def888 |
memory/2848-15-0x000000013F3D0000-0x000000013F724000-memory.dmp
\Windows\system\XBkbUsc.exe
| MD5 | 723df4682eba6ebca3baaeceda07710a |
| SHA1 | 24a2056ff936ff1281384ec57f085b908d6a22f9 |
| SHA256 | bbfad5a016082143b15877e67b69dda84474660f21f86479bc630adf31faba48 |
| SHA512 | 66ca7ff704ee68da2d9d1a0e89054758a5cfec9ee19f2c7940fcf1500f97b908563c1f55773a929c67930cdb7e845933a84d01cadf361a0801d5d411771b1007 |
memory/2128-21-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2676-29-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2848-27-0x000000013F160000-0x000000013F4B4000-memory.dmp
C:\Windows\system\TriXBGF.exe
| MD5 | f6eb578cd1bab88bf1b8981bc447f52b |
| SHA1 | f1cf58e2e2ecf6147aa63ea993b33d9ea204c14c |
| SHA256 | ae5b6dd1487e4daa946a675e2fa5bf817954845711d835ed7aa0a447540e681e |
| SHA512 | 284770b5e737923c69811506d11425edcce58149785060e04840bc99a5d7ee8acc003b0e78fc5b068e122cc309cf8f9c3cf9503db65174b73e9629c16925abde |
memory/2144-17-0x000000013F3D0000-0x000000013F724000-memory.dmp
\Windows\system\UrLtSje.exe
| MD5 | 05125c22802d70f73df1bcbc39b1fe1b |
| SHA1 | fff0f9ed0af8772e35da9bea5671e5b5714726e3 |
| SHA256 | 901db15b2094d6462d6f60bc210a66f8e61f519c5da6c130ef2a8b34ae33a4bc |
| SHA512 | c7a7a4733f33c26103ae4181deac1bcb6534466a0d49ab726ac197ac35fb0d2846f30f31989d895e6e95f4965959351598837957f29d5d9f6f5ba4a6783057ef |
C:\Windows\system\yVVPMJK.exe
| MD5 | 81f0d9db174960863daf84232919341f |
| SHA1 | d78f8568f43df92009a7d8f76c31bec4afaa7cae |
| SHA256 | 674ad222e3dea172006d9316a123de7acabc12fdfbae056ed59b7475c0a91944 |
| SHA512 | 70e8dd74438ea5dd1132745d52a6a04d06a4115b1b6a79433d22c645d04dd7e608582886abf4162a2858e970856610ce44ae930dfa098a5832d37c6ef9b45fb5 |
memory/2848-41-0x000000013FDB0000-0x0000000140104000-memory.dmp
\Windows\system\iMztHxR.exe
| MD5 | b14473b31dc636a7d9dd15df060a2a03 |
| SHA1 | 5dc4f96036e090eb7fe858686fa076d8e403b5db |
| SHA256 | 1de1b0a49f8dc0e08a8f3418415fa88a5a9a35163acb2b6457d1e66770fb19cf |
| SHA512 | 2730babbb2270839bdff5afd734fa28646b52be546e778b97f6c68a0ade7f4c2068cbdba641d0a9a161e8477298d2d422f2646e3821f3d3f2b4bf501fc803117 |
C:\Windows\system\mHERTJf.exe
| MD5 | b1396b3a01f0635ae2b8aeb1fd804fa6 |
| SHA1 | 4b612024664a9e81d4338eb248080956b164d651 |
| SHA256 | 28fa2a829c7468396b669d1ebf861ad69da493f6d45863028d3bc95338450c2a |
| SHA512 | 8b6e60ce66eb9913543dfb429c92f2fdc0685e14f19c91ce212b049e02e6589f49a83436dc18a76933ca4496813afbcdf7445acace43ebfefd84cb7faf7456e9 |
memory/2776-53-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2500-84-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2724-97-0x000000013F470000-0x000000013F7C4000-memory.dmp
C:\Windows\system\qMFHYGu.exe
| MD5 | 0605fe87b292f50937a17d2609dae823 |
| SHA1 | 052fabac733b8c6c451b667fdbe34acf605f30cf |
| SHA256 | e1c0bdcd78b7675612107adaaee0b9d8ac2a8741584d906874ba0cfa01fa2e24 |
| SHA512 | 3e845d01dee52babe3c0a3cd4df4e7919b2a21461cac37d2843b2a9fd3eceb8c06cfbf4bfe3fb997ede0b91ae5ed718cdaf068a9d7687554dee4281032921bb8 |
C:\Windows\system\azvirUP.exe
| MD5 | b26ae9c84ec5add2732c9b472f8536b1 |
| SHA1 | c136a0e257d1f51eccc3d9ea3f7645ccd11fadf3 |
| SHA256 | d54aaee7cf186e85a07b4c038a1176272406e6092e9cbd1924a10b88ab1459c8 |
| SHA512 | e5603020204f9fd9a253818bf7a41ca29bfae5f69fc39ea36845a9eed2236f5925919d8aca7988647f187fda0064f90f8de74b12ed431edb12e0761eedb2a1b7 |
\Windows\system\QnGLZLA.exe
| MD5 | 20c18de86239b00f17bb62fa31de5dc9 |
| SHA1 | 4b5fa1785b9c842e29f44465381d7cf0ca369a4c |
| SHA256 | 618932a4ae3e2fa252a342f954d0bf8b0c0e89c6f124c7e1a02f3c058c4c5773 |
| SHA512 | 187499253a7be2cfb77abfa422c0f8b841528db99864091b7e605665c83443e8f47e84f12c6c39bd83b1559721ffeacd4bee1f8220a98938c846dbc479a552b7 |
C:\Windows\system\aEesDTf.exe
| MD5 | ad1c2a5d7306a4578fb6fc1035d6fbc8 |
| SHA1 | 7be382b44e82e416e769608a9c049cd23758a777 |
| SHA256 | a1c3970fa8e0ac13add1a0c20bc82d834688013734593a4b5e3a820c1a760732 |
| SHA512 | 3a45c546a3d0370e54b5a53b47c6deeea48c31fcd29ebf6205fb5030b8af37cb74a1c88692896953d6916c3a577f42d3ad83ae92aa249a8a5c7e6a83b24d5079 |
C:\Windows\system\gAPvlpm.exe
| MD5 | 70d12ed216c8ef9fd51bb2dbdd804504 |
| SHA1 | f2c1ad6555b33839b7f9951a8d6d2a684890d147 |
| SHA256 | d0452378f5ab232f58df00caf6a07db0628fc0509de67b025b05186c34af0a4e |
| SHA512 | f202ae4ede55175ce21d6ca6cf9b6330993090140abae3e5a177f74973f878a8ab70faaf9799079c693b9a309c61950e2473ed9dc7567bd2f58a0df4d89cc3d2 |
C:\Windows\system\qJPxtiM.exe
| MD5 | b11831aa883ab9169087cb61050fa1d5 |
| SHA1 | 5bbf42faae209f4336536555f3ce58bc3ddbf652 |
| SHA256 | 2f587aa79f2d043ac8de72d3015493ddcc6ae228ca668d3ec5b0c392dc3c562c |
| SHA512 | 934fd29307eb023ab8520d36d56d7f733a64d3b722d94680b3be39c1dd9b83b94bc96c7ca9ac5d4b8d8eb56fdb76017593ab2235630ccb896f5b44512f1f94a2 |
memory/2848-106-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2808-105-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\rjGvxSK.exe
| MD5 | 9468e3709cda46249cd031e02403083b |
| SHA1 | 4118fb9428fbe6b3a4d437576357cb24fd942878 |
| SHA256 | a6640055da13e0e39e86dfdf757e27b1ad68ef896ea59888afc29cf781bb83cb |
| SHA512 | d97b9a9ef294d744538edc4bd81ebc84895ae41a274a66066553ebed9fe2696e063ed7308c2459d954a52f4ca59909cf26ae2b06d6bbfad6aa6d456a38cee876 |
memory/2564-99-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2848-98-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\iQxlxHm.exe
| MD5 | 317c4b5aebd99091a7d08661d2b6f099 |
| SHA1 | f41b5cf9657c56216bdf317d781e8c83ba832632 |
| SHA256 | 782a9ab96ecc3d4e2075c0b3a421caaeac26818289ca30237b76840ee46456ab |
| SHA512 | 685e224946856353f79c497f80e30b67fa4218aa9369fe9ff677e1a8745db3fd440947573652cccf21dd735ddbe2a040e6fcd145ddc738f98d4f3f3d337574d8 |
memory/2772-90-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2848-89-0x0000000002210000-0x0000000002564000-memory.dmp
C:\Windows\system\GnPuriU.exe
| MD5 | 85ab2033837b5c0e1f0327a065b44057 |
| SHA1 | 3920f6dbde1868469e45c9158b3cbcf258be8aaa |
| SHA256 | 700162547adf86390d86e124cd05e384708ba7f5436f092dd077ddea4a5d2d29 |
| SHA512 | 575ee7d51c6f37fbd3726f489b43a5913a121f002f003fe847a3af89c795869f5a17c2d388179159d115478ede34542a3d12aaf2cd8222629ef9ede0d663b4c5 |
memory/2116-76-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2848-75-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2848-83-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2128-82-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\YtZsUvg.exe
| MD5 | ceb6dcee7dbb7fd0106e73b891b86593 |
| SHA1 | e0c05e70e23088fae66f586879717387b5df2bc4 |
| SHA256 | 59ec97dfe353c39a160e4290c3410ee089da948902afe0cce47487ec9527feaa |
| SHA512 | e7ee4db8cfba4c4b0c6e3fd4bec8081ea66855e1c96a9c37c32acfaecd75700bfb96803b35110b66ae47071c87b9c49c5f43f5f7427d16b197f9cd0e19177751 |
memory/2536-61-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2548-60-0x000000013F320000-0x000000013F674000-memory.dmp
C:\Windows\system\swjFvUj.exe
| MD5 | c0b73709c7e8469787759b9d2d95947a |
| SHA1 | 5da957e407bfe0527033c3578c31c5babd7aa70f |
| SHA256 | f1fc9969e21fa2d315f17668bada6705043ec71cd2280f53a7d545f040e7d05e |
| SHA512 | de3bb82a1eef4afef3deb9df2eb9d8035d88f8f8591882b56cdf3d0b27b5f8722a44e8bedc2385cc0ff8c49ff7aaebbbcd1c4efed152c4f793af903773ebdc2e |
memory/2640-67-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2848-66-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\ayOhFAr.exe
| MD5 | 2e6b09bf4214d4bd127894e43ae9ee0e |
| SHA1 | 741ec8d2a74bbcece762749e75006d390990a769 |
| SHA256 | 9a9a4540947ca8e84078abf1e5e357cd85d3f82ff4a5fc30ace86b8cdfa64686 |
| SHA512 | 09b357d51232ec682635f702f22b90e89b7cd3bb49c12ee469f4e4a706f0ae7fa16bb17786c397bc765b07e322124c22b2e50401244f8bc22dbe43f32f6298be |
C:\Windows\system\zDkeEVL.exe
| MD5 | a03381e1b2b7306f8196ba31d140aa0f |
| SHA1 | ece6db9ed5539d73b5c40111c371bb15ccc81e6b |
| SHA256 | a5040bae0db4f4a8b98556a609b8499ec34e4dfe2478155c8d65dac059c59dcf |
| SHA512 | 2ad3a947b28880cacf335ff4c5505038bc230de4564f550df818eb7d631d0d4a78aceea703791aec27834376d3d09fd733014dbc2726af7427b015e556727f1b |
memory/2848-52-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2848-48-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2808-42-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2724-35-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2848-34-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2776-137-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2848-139-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2536-140-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2548-138-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2848-141-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2640-142-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2848-143-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2116-144-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2500-145-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2772-146-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2848-147-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2564-148-0x000000013F230000-0x000000013F584000-memory.dmp
memory/3036-149-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2144-150-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2676-151-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2128-152-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2724-153-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2808-154-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2776-155-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2536-156-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2640-157-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2548-158-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2500-160-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2116-159-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2772-161-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2564-162-0x000000013F230000-0x000000013F584000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 03:26
Reported
2024-05-30 03:28
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xfiAVfD.exe | N/A |
| N/A | N/A | C:\Windows\System\wnOTlqy.exe | N/A |
| N/A | N/A | C:\Windows\System\nKvrJwS.exe | N/A |
| N/A | N/A | C:\Windows\System\gJHZzzm.exe | N/A |
| N/A | N/A | C:\Windows\System\hDrZzxR.exe | N/A |
| N/A | N/A | C:\Windows\System\QXnTggO.exe | N/A |
| N/A | N/A | C:\Windows\System\ZjtynMI.exe | N/A |
| N/A | N/A | C:\Windows\System\FFAlDeP.exe | N/A |
| N/A | N/A | C:\Windows\System\aXpymkq.exe | N/A |
| N/A | N/A | C:\Windows\System\LOtUomW.exe | N/A |
| N/A | N/A | C:\Windows\System\REGYcLM.exe | N/A |
| N/A | N/A | C:\Windows\System\joSDjtZ.exe | N/A |
| N/A | N/A | C:\Windows\System\XVkxbEg.exe | N/A |
| N/A | N/A | C:\Windows\System\jCTEdUH.exe | N/A |
| N/A | N/A | C:\Windows\System\espeuQi.exe | N/A |
| N/A | N/A | C:\Windows\System\iIFWeUP.exe | N/A |
| N/A | N/A | C:\Windows\System\FXkIPvX.exe | N/A |
| N/A | N/A | C:\Windows\System\dlaCZcR.exe | N/A |
| N/A | N/A | C:\Windows\System\aSXjZyE.exe | N/A |
| N/A | N/A | C:\Windows\System\iEaxVFa.exe | N/A |
| N/A | N/A | C:\Windows\System\BOlrvvY.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe
"C:\Users\Admin\AppData\Local\Temp\d4a3f28b56d0751d4883f9a20899507ead4010860e097f63245baae1031f6c7b.exe"
C:\Windows\System\xfiAVfD.exe
C:\Windows\System\xfiAVfD.exe
C:\Windows\System\wnOTlqy.exe
C:\Windows\System\wnOTlqy.exe
C:\Windows\System\nKvrJwS.exe
C:\Windows\System\nKvrJwS.exe
C:\Windows\System\gJHZzzm.exe
C:\Windows\System\gJHZzzm.exe
C:\Windows\System\hDrZzxR.exe
C:\Windows\System\hDrZzxR.exe
C:\Windows\System\QXnTggO.exe
C:\Windows\System\QXnTggO.exe
C:\Windows\System\ZjtynMI.exe
C:\Windows\System\ZjtynMI.exe
C:\Windows\System\FFAlDeP.exe
C:\Windows\System\FFAlDeP.exe
C:\Windows\System\aXpymkq.exe
C:\Windows\System\aXpymkq.exe
C:\Windows\System\LOtUomW.exe
C:\Windows\System\LOtUomW.exe
C:\Windows\System\REGYcLM.exe
C:\Windows\System\REGYcLM.exe
C:\Windows\System\joSDjtZ.exe
C:\Windows\System\joSDjtZ.exe
C:\Windows\System\XVkxbEg.exe
C:\Windows\System\XVkxbEg.exe
C:\Windows\System\jCTEdUH.exe
C:\Windows\System\jCTEdUH.exe
C:\Windows\System\espeuQi.exe
C:\Windows\System\espeuQi.exe
C:\Windows\System\iIFWeUP.exe
C:\Windows\System\iIFWeUP.exe
C:\Windows\System\FXkIPvX.exe
C:\Windows\System\FXkIPvX.exe
C:\Windows\System\dlaCZcR.exe
C:\Windows\System\dlaCZcR.exe
C:\Windows\System\aSXjZyE.exe
C:\Windows\System\aSXjZyE.exe
C:\Windows\System\iEaxVFa.exe
C:\Windows\System\iEaxVFa.exe
C:\Windows\System\BOlrvvY.exe
C:\Windows\System\BOlrvvY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 226.238.32.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1068-0-0x00007FF6F2550000-0x00007FF6F28A4000-memory.dmp
memory/1068-1-0x000001D2B0D90000-0x000001D2B0DA0000-memory.dmp
C:\Windows\System\xfiAVfD.exe
| MD5 | d3efd4f2b0e5777e58fb32ae56175bd5 |
| SHA1 | 2016ba511318e43ca5c70c1b61fd0906f525efd9 |
| SHA256 | fb0bed6b388e018a298771c1b59ded7aef85cb8dd7eec92113653f4c83110412 |
| SHA512 | dfa3b3434775d277cdc944e87f2500a40851a6e1cd0f63c9b9243a00350932278271add581102e6b1d2f2c3344f732ac2ff8411c13cb766c8009cb7ef4416842 |
memory/4472-8-0x00007FF7D0900000-0x00007FF7D0C54000-memory.dmp
C:\Windows\System\wnOTlqy.exe
| MD5 | d576f4489321a3c5472ddebaa345b328 |
| SHA1 | 88a579bd7a0c55d7e214143926c791717c80460c |
| SHA256 | c64577731daff8e23bb0bdb8151dfe701b8f4df0e324a1bb0b191f09216dd42e |
| SHA512 | 095cc91fefa3605b6f48d3288214f630a2acfd4b963b076d3be6fdd10e71c723540b24606b11f11b97f09d1a46e75debcef478accc78f9cc91011b4aeb273e1d |
memory/3384-14-0x00007FF61E070000-0x00007FF61E3C4000-memory.dmp
C:\Windows\System\gJHZzzm.exe
| MD5 | 562b68a2a0cc96a22efe36e94f13db99 |
| SHA1 | 5cb6463e9f4a4ae2646c3cafe4509e77be178211 |
| SHA256 | c45d46952de246cde852149e7cc50411ee9207c1350cf4c05fc926a6e6b2bf08 |
| SHA512 | 47d9ab087d18236e4620cd047f2e9077fc22bc9d85a87dc959076c9efc9db6e8422215ac3d0cd6ee2b7faec4a746b5c38f64f880d057b6d61482dbc05fe8491b |
C:\Windows\System\hDrZzxR.exe
| MD5 | 3ae64c0219a77d3dce4fb30ba5eb930f |
| SHA1 | 5577549c559404a2171648aded50704658b5e4cc |
| SHA256 | 90a0af902531860a093cd969d4274c2cc239feb35be3738d78f4371271910b1f |
| SHA512 | c1ab16f4b95b6fae96861ab28c06b9cb6254a8a7e09f8531b70d99743c37d5f1917feecb5d43c8c07a4b30c9ade5cae0122bbbe79dceb9a6e782bfb3b6d7a297 |
memory/4952-29-0x00007FF7225A0000-0x00007FF7228F4000-memory.dmp
memory/1460-34-0x00007FF7A5F30000-0x00007FF7A6284000-memory.dmp
C:\Windows\System\ZjtynMI.exe
| MD5 | 63881b488e90325061b6cf126633a193 |
| SHA1 | 61b60d53b4945ffb42b90c5090a49eea900b34dd |
| SHA256 | ed42c420df1f006acb9359a25ff18212ce514a693b35741e2367affe0c1f0643 |
| SHA512 | 33d07ebd83aa6a7aafa63672aee646ef0a22169ef4bb11b10ef89bf30a2863ebd751ab7ec26afa38a110c2ae66190e35bc522eefe222d535640479193394d3b8 |
C:\Windows\System\QXnTggO.exe
| MD5 | 87d14058da5bda1f73e6f4a652e361aa |
| SHA1 | 73414b25af0940aa6395a0416dba7fb832c1e024 |
| SHA256 | 8bda4887a7f2da1ac5b4a0e110b1b9034d9c6081234f7c4cda38c8d36095f5db |
| SHA512 | 99c4e02fc20195875fcf36a76e8ad2f086b9ec331d9d5448ed29239f74819e35a8c20fc1a63ca5770de54c4d725529b7ab11bbcd7858440d96ec616d12ea0c52 |
memory/60-38-0x00007FF62EBA0000-0x00007FF62EEF4000-memory.dmp
C:\Windows\System\FFAlDeP.exe
| MD5 | 6f6d6722ac79b9cd5c351bca2a88f1f3 |
| SHA1 | 518fb80c032235c17f8c2be3ed7a1e767d4b4583 |
| SHA256 | a595707284719510608abdec16820559097bc8c7484053f31686340fb6672fbb |
| SHA512 | 4b5182ca81089e1a9b9074dedd1fbe0fe1fb055c29cc0413f75fed2ca25ded1485489927a669ddab2b50e218210ae6c69ac8df5fcddf3a04f2c1cf65b7d6426b |
C:\Windows\System\aXpymkq.exe
| MD5 | 6ddce8e58a50d0c64b9351e9a309684b |
| SHA1 | b70b957272aaa89ab8cbb9c47072db3bd8b465e0 |
| SHA256 | 6f040c61438486afaaf753803467fa2876da8372de83ff68b173402a27d41774 |
| SHA512 | 53c65d0ff16470f6aea352ea6952b25fa764f835fa94bb7121995dbeeb8dab6aa0a650522eeef90902da6aff5070eeac800163c88ac0246631170afc870e542b |
C:\Windows\System\LOtUomW.exe
| MD5 | 8b98174e7946fda389f262b08c0891ee |
| SHA1 | 6e16de810fc3ea980ba7764f65156e44728d371d |
| SHA256 | b489f65356b9e2bc5cfca704e273271c489b5a98834676708f19a2c4b4cdb120 |
| SHA512 | f264f0ddbef633407239f4dff42cba3b12452635e96a6dd8a11d747d2b4a0ab11188ae9c37d44a6c676dbab16dffc6594af693f317a8968b8452f28efd577c6b |
memory/4844-67-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp
C:\Windows\System\joSDjtZ.exe
| MD5 | 179d0c7be4b396b9bfe28fed9c2c1f3d |
| SHA1 | 1c0015f3a239fdd071f45b64021973b17aff0c0e |
| SHA256 | 0c45de09135d33aac916a1a0ae3086598145702939c3eba23d75dbf288309850 |
| SHA512 | 963f62aa65952b3732a9d4bbb2a06992d7b814944e6aab1261c392e6d86360cd059b1e0631e157ed7e3575ab229d9237820aeddc7811fc9852d7a65c4241c4b5 |
memory/4564-79-0x00007FF655220000-0x00007FF655574000-memory.dmp
C:\Windows\System\jCTEdUH.exe
| MD5 | 8bd9f653e9d68321a77ee829e1affedc |
| SHA1 | 4955bee16c610ce5ebe708720b1b6f0691a619db |
| SHA256 | fc55b9bcca73667bd2a828f3b741b7f5163c46809134017321cac1adfe2aaaac |
| SHA512 | b2357cd095b476a7be44b588addc5eb00e76595ef420cf45905c2068820fadcf4e73b21e3974c1356b8fbe288b2abccdd7779304ca00cff2b67d42938bb26398 |
memory/2944-85-0x00007FF7539B0000-0x00007FF753D04000-memory.dmp
memory/1068-89-0x00007FF6F2550000-0x00007FF6F28A4000-memory.dmp
C:\Windows\System\espeuQi.exe
| MD5 | 1ce641669b7f904077da5623eda0d04b |
| SHA1 | 5cd7f863a051d3a416010dd0ac71ba25bbbd383b |
| SHA256 | f26df6d0e8efee1deeb4dada7cd7de8797b100a5ab05387f096fbb9a43b47702 |
| SHA512 | b09accee17d434c9d372e40d7318a69020214e997cad2c9ad3776791147274082e9e4e0e82f3a820e8cc38721535f828f4908ea26a10b237425320e2f15da804 |
memory/2168-91-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp
memory/2992-90-0x00007FF7C7200000-0x00007FF7C7554000-memory.dmp
C:\Windows\System\aSXjZyE.exe
| MD5 | c395c60cc7a86436664fdc899d6b1d0f |
| SHA1 | abd1b501d223c628a6ec7edcff94f6eb1577fe63 |
| SHA256 | 1e4748e7bead775d039d652b8e33064eb4f0c107d993f5c1d589297af077ce12 |
| SHA512 | 82ab6757db518810ac6e9d33a1c032f1b208654ceae638c46597a7385eeb4ab00ccfef60d09895fac442e535ada17032e9b49c4318588ffadd20c3d91b11688f |
C:\Windows\System\iEaxVFa.exe
| MD5 | ce596d8f38f314ad6106fadab438603c |
| SHA1 | 53e5b180aeb2d6de82a64d2009c9db87676ceb17 |
| SHA256 | 962a31b894d2d461e90e3831ed1318a533c72a5c4e227caf25c2e12d29f5bd03 |
| SHA512 | 715baca6cc3e2e1924394bb2e0d21542e2ceb37cfe5478a2deb5c9ced4a8f0ba9fa93c337ce7db5dcddebbc6a217abd2f9dfff8675cbe03a75190a1ff9aa309c |
C:\Windows\System\BOlrvvY.exe
| MD5 | 0f170349df60481a87f1fe3393443c87 |
| SHA1 | 1fb2cc19451e671a12f347e037d5f32b0a32889f |
| SHA256 | 0cd4a12c00da11f863ca3b12f6b1b8570adff747a61787e1627d9267e67dfb09 |
| SHA512 | e0c0d79df04e774b522a179655ca9f529df573019e1f5ef51e35a56b25ac96d16b24c2826b13b3b07ccdcc0e7f687b02fb2360a9ebba6c6a0d305641db778ee0 |
C:\Windows\System\dlaCZcR.exe
| MD5 | 350194d80ab97c31679d2382d7da2200 |
| SHA1 | 8869adf464bee5c8fcfe6a39331de3d6bda16cbb |
| SHA256 | d5a3ca9dc0f231398c4a837c6eb7c948b78766630174390426cfe13d90f17ccc |
| SHA512 | 71858afdc5f875dd35dc6766f0531d89df70935b4ebddc78877a39a8e95bcea2120dd4f471c94726fc45ea95e66c2f77734bb36115424892a923eb0b65c24ee4 |
C:\Windows\System\FXkIPvX.exe
| MD5 | dcef448ccdf8a8e1b81d42c700a2919a |
| SHA1 | 3596c64dbbcff03d7d7b11f85b9608101ae032c5 |
| SHA256 | a9d01ba9cdfffb4f0a6850144b31532aba507e2617ca46832f96a7d930003f1b |
| SHA512 | 9f330572dcccbb507cb52a536773dd367bc5d3cda164ce36a80b5f77ab511b2c466b19da9ac8d3ba269f8301326b04af21432d7f7f2bfb70dadf638621bb0fe5 |
C:\Windows\System\iIFWeUP.exe
| MD5 | 3e75489ca1ced1979576060cc4699fcd |
| SHA1 | bfe96d56ad83184caf1e9e174bc6b450de12c31e |
| SHA256 | 665a232de3c9fb5aef8c5ee890f60d03fc07a83d1897e2cc172ac3deeeb26c1d |
| SHA512 | 4f839fee1b7cd1831a38fd76990ea6268a48a3954c3cf983d5bb6e09bbe71509328af745aa24dcac93980f199f2dd98a519a00bf1d610b84f3c0457b2db196a1 |
C:\Windows\System\XVkxbEg.exe
| MD5 | 52984192391bef3e8750343e9e0321f1 |
| SHA1 | ad31520c88493cc6c4ce9b4e355c900796576e71 |
| SHA256 | 1cfe5be8216b4a557b719b20191547d7e448db722ce8d116aff88226e63357ad |
| SHA512 | 4f0250c85d18ecd49d9576d5a25f5a0aa6ba9eb96035cff3ed72798967a2187530ee6d164865197ef69ad8cf7a543f18d83df009a82715bc506e6d0e6e2d7b1b |
memory/2088-76-0x00007FF718680000-0x00007FF7189D4000-memory.dmp
memory/3536-73-0x00007FF6BAFC0000-0x00007FF6BB314000-memory.dmp
memory/1256-69-0x00007FF765F40000-0x00007FF766294000-memory.dmp
memory/2764-64-0x00007FF7BAE20000-0x00007FF7BB174000-memory.dmp
C:\Windows\System\REGYcLM.exe
| MD5 | c123296e795e73df7fb89ef8ea1a013c |
| SHA1 | 7bf3c5bc6892aafafc90768d86c91ae7b4e7d3c7 |
| SHA256 | f95d2c3ee2beade243b0ff2ee42b9eff48b17916043776173b075ae400de6ebc |
| SHA512 | ea086309dc1882bf556209af9ebdfed4082b63dbef613d6c4ca8888271c6b47af7540965ae10eaf95f5be44533b35dcddb1106cc184e9c4073d1a418d289bc42 |
memory/4880-22-0x00007FF762B50000-0x00007FF762EA4000-memory.dmp
C:\Windows\System\nKvrJwS.exe
| MD5 | a930b825c30f0d72ca768bba6a09e0ff |
| SHA1 | 4fded3b18346f2dff065b68d49a840be02f274f8 |
| SHA256 | 0a6993d667c0e71a9e69aa278a61b2b69e168cc804cb2abf166973774dec85b8 |
| SHA512 | 0f44b08f1be770e272f9adefe0ad819ac7163936262df2de113a62122c53bee3bf54c649da69ce534e0b2bb893d5b512ac359bc9cbdda5d701ca2f42b8075bf0 |
memory/5080-126-0x00007FF6D3040000-0x00007FF6D3394000-memory.dmp
memory/3796-125-0x00007FF7B3890000-0x00007FF7B3BE4000-memory.dmp
memory/3700-124-0x00007FF6C81F0000-0x00007FF6C8544000-memory.dmp
memory/3384-123-0x00007FF61E070000-0x00007FF61E3C4000-memory.dmp
memory/2540-127-0x00007FF61D6C0000-0x00007FF61DA14000-memory.dmp
memory/3368-129-0x00007FF6040E0000-0x00007FF604434000-memory.dmp
memory/4904-128-0x00007FF7D38C0000-0x00007FF7D3C14000-memory.dmp
memory/4952-130-0x00007FF7225A0000-0x00007FF7228F4000-memory.dmp
memory/1460-131-0x00007FF7A5F30000-0x00007FF7A6284000-memory.dmp
memory/60-132-0x00007FF62EBA0000-0x00007FF62EEF4000-memory.dmp
memory/2168-133-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp
memory/4472-134-0x00007FF7D0900000-0x00007FF7D0C54000-memory.dmp
memory/3384-135-0x00007FF61E070000-0x00007FF61E3C4000-memory.dmp
memory/4880-136-0x00007FF762B50000-0x00007FF762EA4000-memory.dmp
memory/4952-137-0x00007FF7225A0000-0x00007FF7228F4000-memory.dmp
memory/1460-138-0x00007FF7A5F30000-0x00007FF7A6284000-memory.dmp
memory/60-140-0x00007FF62EBA0000-0x00007FF62EEF4000-memory.dmp
memory/2764-139-0x00007FF7BAE20000-0x00007FF7BB174000-memory.dmp
memory/2088-141-0x00007FF718680000-0x00007FF7189D4000-memory.dmp
memory/4844-142-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp
memory/1256-143-0x00007FF765F40000-0x00007FF766294000-memory.dmp
memory/3536-144-0x00007FF6BAFC0000-0x00007FF6BB314000-memory.dmp
memory/4564-145-0x00007FF655220000-0x00007FF655574000-memory.dmp
memory/2944-146-0x00007FF7539B0000-0x00007FF753D04000-memory.dmp
memory/2992-147-0x00007FF7C7200000-0x00007FF7C7554000-memory.dmp
memory/2168-148-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp
memory/3700-149-0x00007FF6C81F0000-0x00007FF6C8544000-memory.dmp
memory/3796-150-0x00007FF7B3890000-0x00007FF7B3BE4000-memory.dmp
memory/5080-151-0x00007FF6D3040000-0x00007FF6D3394000-memory.dmp
memory/2540-152-0x00007FF61D6C0000-0x00007FF61DA14000-memory.dmp
memory/4904-153-0x00007FF7D38C0000-0x00007FF7D3C14000-memory.dmp
memory/3368-154-0x00007FF6040E0000-0x00007FF604434000-memory.dmp