Analysis Overview
SHA256
e4f9ff88f4511e88e1db77fb12581dcd80993c63e613c42bc352b449eb723e1a
Threat Level: Known bad
The file 2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 13:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 13:24
Reported
2024-05-25 13:27
Platform
win7-20240220-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IDaklQX.exe | N/A |
| N/A | N/A | C:\Windows\System\EGvnXmz.exe | N/A |
| N/A | N/A | C:\Windows\System\jjJSvgM.exe | N/A |
| N/A | N/A | C:\Windows\System\UbMLMko.exe | N/A |
| N/A | N/A | C:\Windows\System\OzHOmCP.exe | N/A |
| N/A | N/A | C:\Windows\System\SZsYXaZ.exe | N/A |
| N/A | N/A | C:\Windows\System\lHfUNvT.exe | N/A |
| N/A | N/A | C:\Windows\System\plOUtHv.exe | N/A |
| N/A | N/A | C:\Windows\System\iltawKi.exe | N/A |
| N/A | N/A | C:\Windows\System\QjLpPLO.exe | N/A |
| N/A | N/A | C:\Windows\System\PdxVAfx.exe | N/A |
| N/A | N/A | C:\Windows\System\oteqolE.exe | N/A |
| N/A | N/A | C:\Windows\System\OXkVuOI.exe | N/A |
| N/A | N/A | C:\Windows\System\ULlBPmj.exe | N/A |
| N/A | N/A | C:\Windows\System\DVwVccN.exe | N/A |
| N/A | N/A | C:\Windows\System\oFfKTDD.exe | N/A |
| N/A | N/A | C:\Windows\System\RyTnkFU.exe | N/A |
| N/A | N/A | C:\Windows\System\vZJpxtu.exe | N/A |
| N/A | N/A | C:\Windows\System\SKTvQFt.exe | N/A |
| N/A | N/A | C:\Windows\System\LTbxVVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\VBDlWLK.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\EGvnXmz.exe | C:\Windows\System\EGvnXmz.exe |
| C:\Windows\System\IDaklQX.exe | C:\Windows\System\IDaklQX.exe |
| C:\Windows\System\jjJSvgM.exe | C:\Windows\System\jjJSvgM.exe |
| C:\Windows\System\UbMLMko.exe | C:\Windows\System\UbMLMko.exe |
| C:\Windows\System\SZsYXaZ.exe | C:\Windows\System\SZsYXaZ.exe |
| C:\Windows\System\OzHOmCP.exe | C:\Windows\System\OzHOmCP.exe |
| C:\Windows\System\lHfUNvT.exe | C:\Windows\System\lHfUNvT.exe |
| C:\Windows\System\plOUtHv.exe | C:\Windows\System\plOUtHv.exe |
| C:\Windows\System\iltawKi.exe | C:\Windows\System\iltawKi.exe |
| C:\Windows\System\QjLpPLO.exe | C:\Windows\System\QjLpPLO.exe |
| C:\Windows\System\PdxVAfx.exe | C:\Windows\System\PdxVAfx.exe |
| C:\Windows\System\oteqolE.exe | C:\Windows\System\oteqolE.exe |
| C:\Windows\System\OXkVuOI.exe | C:\Windows\System\OXkVuOI.exe |
| C:\Windows\System\ULlBPmj.exe | C:\Windows\System\ULlBPmj.exe |
| C:\Windows\System\DVwVccN.exe | C:\Windows\System\DVwVccN.exe |
| C:\Windows\System\oFfKTDD.exe | C:\Windows\System\oFfKTDD.exe |
| C:\Windows\System\RyTnkFU.exe | C:\Windows\System\RyTnkFU.exe |
| C:\Windows\System\vZJpxtu.exe | C:\Windows\System\vZJpxtu.exe |
| C:\Windows\System\SKTvQFt.exe | C:\Windows\System\SKTvQFt.exe |
| C:\Windows\System\LTbxVVQ.exe | C:\Windows\System\LTbxVVQ.exe |
| C:\Windows\System\VBDlWLK.exe | C:\Windows\System\VBDlWLK.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2172-0-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2172-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\EGvnXmz.exe
| MD5 | 38260f324703dafe28e42ccd644df119 |
| SHA1 | 770d77e06f999f9a997e6eebd69e98a4e44d3cb0 |
| SHA256 | f08a5adec6de8bf585b8ef0e8d60cdc91eeceeb8659ef78c9d2efa3b6eb61418 |
| SHA512 | 9311d441ef61dd87491157186f4e9fdfb39c95f6d49049112919de384451f5deeedc2a79ef4a00860747b9e8ac8e0a042f4593e42c8ac43aa9003ab3ae78d3c9 |
C:\Windows\system\IDaklQX.exe
| MD5 | 7e74a7580dbb089d35789123df4def6d |
| SHA1 | 294afcb1095ae3d6c678b3b9ab28fa053ae1cbca |
| SHA256 | 29b14fd743825476b4637a57d199f4d15149046366268c84b514bdab54817d10 |
| SHA512 | f1deeadf37c20392f0fce348cf6f36ea7affcdc4d53bc18410fb4a4e7533deb4d512975ab7dfc3b2351317fb1f14be1bd5096bdfb0f44fe5fc10159dfd47170d |
C:\Windows\system\jjJSvgM.exe
| MD5 | 621ba7aed07f633f2f3322009520dbbf |
| SHA1 | a746bc54ff2db7e93bf99c3e4977ed2f2b1bc558 |
| SHA256 | 442f8a478b7c1015685f75341b8ce3fa3bed069b9bc5601f3a55be881f67bd79 |
| SHA512 | 39955daf87b3c80147d9c350425123c8943d66b33aa0dca6fc98182c28afbe886ec02c93a993fee4959b66335def8e3e499410e61793b4c5264d42546bd4e68f |
memory/2156-16-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2172-9-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2612-22-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2976-21-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2172-20-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\UbMLMko.exe
| MD5 | a237e84881bc02f77e0ed328f038dce7 |
| SHA1 | 6285e1e083e6b858a284d5ef9e4bec22508e63b9 |
| SHA256 | 2e80ed5cc86c287616183ee22a389d07b7cae9851d45b9e43856fe66e147ecba |
| SHA512 | b01376feffce73e1ca25aa370b8c1c04317b3abe0ea1c3c3890d76118493f8617d955506a83d347bea41d7778b9447c8531d4c0b03ea37c7f08e05b1945b4b0c |
memory/2172-28-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2528-29-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
\Windows\system\SZsYXaZ.exe
| MD5 | 450d5bbf16d7d22673f3ed5960afc77c |
| SHA1 | 71696abbc4e61043feaa90a3cc28c6306cf085cd |
| SHA256 | e45d22099baa813216e1ee1008ea6c0c56befe7e3d807020be4e309711ff5621 |
| SHA512 | 53926b7022c5faf939b1a475fee5799ef78716968ad3d474992b452b2cac2fe94d40a9c9bb1f685e547af2c2c0adab5fe77a59cacce5b88d50447acf903f5317 |
C:\Windows\system\OzHOmCP.exe
| MD5 | 28e76e0c8e73cb4defd1122cf9efeaf2 |
| SHA1 | 42fd66bda31608aa6db4730a0e4d6b0af5674fb7 |
| SHA256 | bf0237287b481b20e4369cf1c54e8698b97e5ab4901930e95f686f45b33cef11 |
| SHA512 | 5bc623968be6d4cb743c70d1db7b6845b8f58a726aa5dbd5b9df815b14a27223d5290895112e336b1adac8e5f96b004c01079fe30587be60091a42fe708ac65d |
memory/2172-44-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1680-46-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2864-47-0x000000013F290000-0x000000013F5E4000-memory.dmp
C:\Windows\system\lHfUNvT.exe
| MD5 | e6adf2e3c5095714b71ab3bdc9988071 |
| SHA1 | de0b8af016e490f93c6887f47d88b375c8dd340e |
| SHA256 | 8f25f91cba5afd7d54b9f25c6a82eabb7c01a52fbadf123bd4f248b17f7b9f60 |
| SHA512 | a3f8a20865a12c4b0e5646c7866de6455fa8550eb1bb2567851f01ded8264142ac5410758920cb365563abf50ac07fa7ad3283c8251da983fc105b4689a71e8a |
memory/2172-49-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2696-48-0x000000013F3E0000-0x000000013F734000-memory.dmp
\Windows\system\plOUtHv.exe
| MD5 | 8fd821b76b768333d9045ff47fc1a82b |
| SHA1 | 0756a59ebaa6a91f87111b8c0d9b9319ec61847d |
| SHA256 | 9ad3bd4a669602e95ec68b59793b4f8efbb0026c7d20cbed7a04d334a7ca5197 |
| SHA512 | 10ef22162329ae8eb352fbab86fd521168535acfec06f23be5f619eb41b7f7f09560af01df5abbd93c1bcddedf1ef81b3fae3acec268c8304d99e12897a9ac93 |
memory/2156-54-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2452-56-0x000000013F330000-0x000000013F684000-memory.dmp
\Windows\system\iltawKi.exe
| MD5 | 51cf04361ec6113f199982c7461321bf |
| SHA1 | ef45a48d224200b96347d2c9da30ff11d3c03c6a |
| SHA256 | 85fd0fa38511502332e207b02cda28c4aafbbbebed8b4aea0a7cf8ff138befc3 |
| SHA512 | 25c9ba76d18a62a50ec7d1886771a379ef147613ecc4b93ae3256b18e642d62eca47d8aef41b3a8d9a0ec16358fcf8d43a5eeff478ffe2b12ac62ea4825429c1 |
memory/2172-62-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2172-63-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2456-64-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
\Windows\system\QjLpPLO.exe
| MD5 | 3c1e75f4c78e0b9d19cfe87bc64161f0 |
| SHA1 | 250384b11e2d86e3fd510baba2825d36d0a0e06d |
| SHA256 | c0c8b0b66acffc81fffe2eee4ddbae764760c18fab15994e0e6676e732464db4 |
| SHA512 | af5dceef604ef1b9a2b888f2818b5bae6a18a10926267a3fba540a60f6fd03e680e608dff4aa1dcd1e27e226b7b31de8a2f74247ee3bc9fb47421e8601dfeada |
\Windows\system\PdxVAfx.exe
| MD5 | 4bae0993e2f3ae9563a7ad4331e101ab |
| SHA1 | 2274de7c4e74b8bf242fff374686f40cff2ea7d4 |
| SHA256 | 1aabcd0b643ba6e7a14b41db2876ec79fff37ecf6ab34de40ccbb2143c11b22b |
| SHA512 | 8ac23d691f841ce35cfdbb08a6cfb9f1400903d007d460b840e099a636b22a060518f906369d58514e788d858334d96d209ab36db11af5302b8cb891b095748b |
memory/2172-72-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2296-75-0x000000013F200000-0x000000013F554000-memory.dmp
memory/1664-78-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2172-77-0x000000013F840000-0x000000013FB94000-memory.dmp
C:\Windows\system\oteqolE.exe
| MD5 | c894b02103b674a2c8cbabcf44fc78cb |
| SHA1 | b800c4e687ba387c645fe5a658e44fceb5d367e9 |
| SHA256 | 82443216599a91998801f9dfaad97f0450c794fc2692f787e9c4267adba7111f |
| SHA512 | dae517fa6dbc7b0cd8f74ea541d206481cc39b444be84601b1a0c7d5688fde87e863a493e5db418440d9861503dc06b34a4ab395696e6c48081a01f9ae2f9bc6 |
memory/1504-85-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2172-84-0x000000013FB60000-0x000000013FEB4000-memory.dmp
C:\Windows\system\ULlBPmj.exe
| MD5 | a8934f4bf4f9bc4cc723c3c03f869be2 |
| SHA1 | 44e702bddd4ca12fd6cfb034a01ab133fec42db4 |
| SHA256 | f5432ec6b5724bf886d5f55f6fbd0689546ada329dbe708b58d7243cc26beff8 |
| SHA512 | 00f5d9af27869f7f8ad945e11e82e16809552f7bc6f41cd52b1ef7337f92765bc15cfe271e75190495a5088d999232604f052aff380cb368f7f2375014225498 |
memory/2172-98-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/776-99-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2372-93-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2172-92-0x000000013FAE0000-0x000000013FE34000-memory.dmp
C:\Windows\system\OXkVuOI.exe
| MD5 | 367492cdd7bcd9ab6d78242d3ccee469 |
| SHA1 | f63a5ed829ac1da7ba96bd9c22181f7115364d53 |
| SHA256 | a39c0b2f8c3db7ee8d7bcbd2e548303807f0ffb5b58186b49cf6552f74758a79 |
| SHA512 | 8e8637b9e49c44b5e0a2641e3f47094cf91c7a07d70f77d3d33b7bcf46b5d84ad5f03ca6ba73846c4474ff1fdfc44d616d3f2e35e97f14988bd6d00611d7e112 |
memory/2172-88-0x000000013FCD0000-0x0000000140024000-memory.dmp
C:\Windows\system\DVwVccN.exe
| MD5 | 165abdf2a2841c234742851e4d36940b |
| SHA1 | 3a3088b9bbd07ac319dbaa9f5622a32834ead234 |
| SHA256 | 0d4bb4e48fff1a64ee5b3b7fd4076fb24795535b44518b4e9559f1c51c7358a6 |
| SHA512 | 6127320aab089bbd354a354aca3163f1183a52437751ff917df8f89364543ebb73a4fd43a6c08ecebdc444edafe07f3c64a434c8340148bb3594c4ebd7d22d35 |
memory/2172-105-0x00000000022F0000-0x0000000002644000-memory.dmp
\Windows\system\oFfKTDD.exe
| MD5 | a80fb21dad208d04f18e9de98b237e61 |
| SHA1 | 8f077540cc36cab8d17e146753d9821540196f70 |
| SHA256 | 757a4861be45725d1caabeab87c77e54b52784118d977a1b7bd9bd5c7dff6a19 |
| SHA512 | 858b8c2faaac6646dbddd52c0d027ca9786c632750652a867c8fbed8ae38fb2acd44986a0d875ea3ef3166eb121697cd90d22de960115c50e9e9ce2fae06c65b |
\Windows\system\RyTnkFU.exe
| MD5 | 617104b8855960abb4117f5acdab4ee2 |
| SHA1 | 024f4635b59533822558e9cc4d0b26ca8b74321e |
| SHA256 | dbc8c594020cf6e123726845e9d7b4c9681977b3dc2ddcc5b792a03e63b23cdb |
| SHA512 | faa723ad726bd8390ff38e271a936438cfa62e66d30f85f27ad6c8e46286c79ad5ad8d4ef53b3ec4814a112ef20dd9545fd83491b8c3468149848a9ba7881491 |
C:\Windows\system\vZJpxtu.exe
| MD5 | d312734b9b5e0883747172775499af99 |
| SHA1 | 2a5de475fb6318ac2ec52a18811e01f18cb37a90 |
| SHA256 | f6714bf0ffa1ded93884524ed8c41faaa10bf240efa7eb8fb53f9534a7b23e14 |
| SHA512 | 0cc99055d333a3239d1647bd499a8059bd6cb6e14e9416af001b597ce32cfbaa0bb33d56813087c64c437773babfa0e8a647746906c11a8ea5099c2215c26d82 |
C:\Windows\system\SKTvQFt.exe
| MD5 | 7070b23d1eda84bac00fc22e84a981dd |
| SHA1 | 3e6fcc6328c93ddfdacaf2bcce311d0c6b3ce9b1 |
| SHA256 | d80fdae989097c0984e2e528cd859c9dd01cc97ae95b0dd476683a854dee958c |
| SHA512 | 5d2ff173a718f4f99b3f0946f37048310b05509f3aee189c9d407a6ae209cbe90ebf0d8acb62a48d70d5e39c495564e7792b90acd3b5b4c976e1f90d3812234f |
C:\Windows\system\LTbxVVQ.exe
| MD5 | 4ca3ee1a8e00ce3134f9cb58f0b7f468 |
| SHA1 | ef5f459bf14b20efff26b83646ed2de2aec847de |
| SHA256 | a793d8b10c18f3f3cde10c1d6b377d0a60c9668e1616cacd6f3bce750d64d2fe |
| SHA512 | b05ce7b2ae12d62c585dc01611e700cad4e72ac338afe473d0fa8666e170478024f32e82304c6773cb5896bf129504627103a1a3a4c01a117c3598267a8f4fe6 |
\Windows\system\VBDlWLK.exe
| MD5 | 1baf544e3e45c58a36bb5594f562cd17 |
| SHA1 | 572b308334e3cf2920adbe6af2e6e9752cb2a9f6 |
| SHA256 | 737eeb3b8041588d510726ef0d893d5a97518675b1b5b8800d0ddc1460809846 |
| SHA512 | eb33c2f4c1e868408d1171b68c065f5ee6cce6f1a6c6fa0e1b9f9130c946a734d0d50aef1cf0f4e064977d07c2728661fe262ad7ce402d87ff1b2094d6a901a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 13:24
Reported
2024-05-25 13:27
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EGvnXmz.exe | N/A |
| N/A | N/A | C:\Windows\System\IDaklQX.exe | N/A |
| N/A | N/A | C:\Windows\System\jjJSvgM.exe | N/A |
| N/A | N/A | C:\Windows\System\UbMLMko.exe | N/A |
| N/A | N/A | C:\Windows\System\SZsYXaZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OzHOmCP.exe | N/A |
| N/A | N/A | C:\Windows\System\lHfUNvT.exe | N/A |
| N/A | N/A | C:\Windows\System\plOUtHv.exe | N/A |
| N/A | N/A | C:\Windows\System\iltawKi.exe | N/A |
| N/A | N/A | C:\Windows\System\QjLpPLO.exe | N/A |
| N/A | N/A | C:\Windows\System\PdxVAfx.exe | N/A |
| N/A | N/A | C:\Windows\System\oteqolE.exe | N/A |
| N/A | N/A | C:\Windows\System\OXkVuOI.exe | N/A |
| N/A | N/A | C:\Windows\System\ULlBPmj.exe | N/A |
| N/A | N/A | C:\Windows\System\DVwVccN.exe | N/A |
| N/A | N/A | C:\Windows\System\oFfKTDD.exe | N/A |
| N/A | N/A | C:\Windows\System\RyTnkFU.exe | N/A |
| N/A | N/A | C:\Windows\System\vZJpxtu.exe | N/A |
| N/A | N/A | C:\Windows\System\SKTvQFt.exe | N/A |
| N/A | N/A | C:\Windows\System\LTbxVVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\VBDlWLK.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-25_bfad8857d2186b5cb1dd6039864be94a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\EGvnXmz.exe | C:\Windows\System\EGvnXmz.exe |
| C:\Windows\System\IDaklQX.exe | C:\Windows\System\IDaklQX.exe |
| C:\Windows\System\jjJSvgM.exe | C:\Windows\System\jjJSvgM.exe |
| C:\Windows\System\UbMLMko.exe | C:\Windows\System\UbMLMko.exe |
| C:\Windows\System\SZsYXaZ.exe | C:\Windows\System\SZsYXaZ.exe |
| C:\Windows\System\OzHOmCP.exe | C:\Windows\System\OzHOmCP.exe |
| C:\Windows\System\lHfUNvT.exe | C:\Windows\System\lHfUNvT.exe |
| C:\Windows\System\plOUtHv.exe | C:\Windows\System\plOUtHv.exe |
| C:\Windows\System\iltawKi.exe | C:\Windows\System\iltawKi.exe |
| C:\Windows\System\QjLpPLO.exe | C:\Windows\System\QjLpPLO.exe |
| C:\Windows\System\PdxVAfx.exe | C:\Windows\System\PdxVAfx.exe |
| C:\Windows\System\oteqolE.exe | C:\Windows\System\oteqolE.exe |
| C:\Windows\System\OXkVuOI.exe | C:\Windows\System\OXkVuOI.exe |
| C:\Windows\System\ULlBPmj.exe | C:\Windows\System\ULlBPmj.exe |
| C:\Windows\System\DVwVccN.exe | C:\Windows\System\DVwVccN.exe |
| C:\Windows\System\oFfKTDD.exe | C:\Windows\System\oFfKTDD.exe |
| C:\Windows\System\RyTnkFU.exe | C:\Windows\System\RyTnkFU.exe |
| C:\Windows\System\vZJpxtu.exe | C:\Windows\System\vZJpxtu.exe |
| C:\Windows\System\SKTvQFt.exe | C:\Windows\System\SKTvQFt.exe |
| C:\Windows\System\LTbxVVQ.exe | C:\Windows\System\LTbxVVQ.exe |
| C:\Windows\System\VBDlWLK.exe | C:\Windows\System\VBDlWLK.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/220-0-0x00007FF65A1F0000-0x00007FF65A544000-memory.dmp
memory/220-1-0x000001995D5D0000-0x000001995D5E0000-memory.dmp
C:\Windows\System\EGvnXmz.exe
| MD5 | 38260f324703dafe28e42ccd644df119 |
| SHA1 | 770d77e06f999f9a997e6eebd69e98a4e44d3cb0 |
| SHA256 | f08a5adec6de8bf585b8ef0e8d60cdc91eeceeb8659ef78c9d2efa3b6eb61418 |
| SHA512 | 9311d441ef61dd87491157186f4e9fdfb39c95f6d49049112919de384451f5deeedc2a79ef4a00860747b9e8ac8e0a042f4593e42c8ac43aa9003ab3ae78d3c9 |
memory/4720-8-0x00007FF6E7DF0000-0x00007FF6E8144000-memory.dmp
C:\Windows\System\IDaklQX.exe
| MD5 | 7e74a7580dbb089d35789123df4def6d |
| SHA1 | 294afcb1095ae3d6c678b3b9ab28fa053ae1cbca |
| SHA256 | 29b14fd743825476b4637a57d199f4d15149046366268c84b514bdab54817d10 |
| SHA512 | f1deeadf37c20392f0fce348cf6f36ea7affcdc4d53bc18410fb4a4e7533deb4d512975ab7dfc3b2351317fb1f14be1bd5096bdfb0f44fe5fc10159dfd47170d |
memory/3644-14-0x00007FF704CA0000-0x00007FF704FF4000-memory.dmp
C:\Windows\System\jjJSvgM.exe
| MD5 | 621ba7aed07f633f2f3322009520dbbf |
| SHA1 | a746bc54ff2db7e93bf99c3e4977ed2f2b1bc558 |
| SHA256 | 442f8a478b7c1015685f75341b8ce3fa3bed069b9bc5601f3a55be881f67bd79 |
| SHA512 | 39955daf87b3c80147d9c350425123c8943d66b33aa0dca6fc98182c28afbe886ec02c93a993fee4959b66335def8e3e499410e61793b4c5264d42546bd4e68f |
memory/4624-20-0x00007FF62BE40000-0x00007FF62C194000-memory.dmp
C:\Windows\System\UbMLMko.exe
| MD5 | a237e84881bc02f77e0ed328f038dce7 |
| SHA1 | 6285e1e083e6b858a284d5ef9e4bec22508e63b9 |
| SHA256 | 2e80ed5cc86c287616183ee22a389d07b7cae9851d45b9e43856fe66e147ecba |
| SHA512 | b01376feffce73e1ca25aa370b8c1c04317b3abe0ea1c3c3890d76118493f8617d955506a83d347bea41d7778b9447c8531d4c0b03ea37c7f08e05b1945b4b0c |
memory/4124-26-0x00007FF6B3360000-0x00007FF6B36B4000-memory.dmp
C:\Windows\System\SZsYXaZ.exe
| MD5 | 450d5bbf16d7d22673f3ed5960afc77c |
| SHA1 | 71696abbc4e61043feaa90a3cc28c6306cf085cd |
| SHA256 | e45d22099baa813216e1ee1008ea6c0c56befe7e3d807020be4e309711ff5621 |
| SHA512 | 53926b7022c5faf939b1a475fee5799ef78716968ad3d474992b452b2cac2fe94d40a9c9bb1f685e547af2c2c0adab5fe77a59cacce5b88d50447acf903f5317 |
memory/4028-32-0x00007FF667C80000-0x00007FF667FD4000-memory.dmp
C:\Windows\System\OzHOmCP.exe
| MD5 | 28e76e0c8e73cb4defd1122cf9efeaf2 |
| SHA1 | 42fd66bda31608aa6db4730a0e4d6b0af5674fb7 |
| SHA256 | bf0237287b481b20e4369cf1c54e8698b97e5ab4901930e95f686f45b33cef11 |
| SHA512 | 5bc623968be6d4cb743c70d1db7b6845b8f58a726aa5dbd5b9df815b14a27223d5290895112e336b1adac8e5f96b004c01079fe30587be60091a42fe708ac65d |
C:\Windows\System\lHfUNvT.exe
| MD5 | e6adf2e3c5095714b71ab3bdc9988071 |
| SHA1 | de0b8af016e490f93c6887f47d88b375c8dd340e |
| SHA256 | 8f25f91cba5afd7d54b9f25c6a82eabb7c01a52fbadf123bd4f248b17f7b9f60 |
| SHA512 | a3f8a20865a12c4b0e5646c7866de6455fa8550eb1bb2567851f01ded8264142ac5410758920cb365563abf50ac07fa7ad3283c8251da983fc105b4689a71e8a |
memory/3376-44-0x00007FF7A0D00000-0x00007FF7A1054000-memory.dmp
memory/1180-36-0x00007FF61D520000-0x00007FF61D874000-memory.dmp
C:\Windows\System\plOUtHv.exe
| MD5 | 8fd821b76b768333d9045ff47fc1a82b |
| SHA1 | 0756a59ebaa6a91f87111b8c0d9b9319ec61847d |
| SHA256 | 9ad3bd4a669602e95ec68b59793b4f8efbb0026c7d20cbed7a04d334a7ca5197 |
| SHA512 | 10ef22162329ae8eb352fbab86fd521168535acfec06f23be5f619eb41b7f7f09560af01df5abbd93c1bcddedf1ef81b3fae3acec268c8304d99e12897a9ac93 |
memory/2252-47-0x00007FF7D2ED0000-0x00007FF7D3224000-memory.dmp
C:\Windows\System\iltawKi.exe
| MD5 | 51cf04361ec6113f199982c7461321bf |
| SHA1 | ef45a48d224200b96347d2c9da30ff11d3c03c6a |
| SHA256 | 85fd0fa38511502332e207b02cda28c4aafbbbebed8b4aea0a7cf8ff138befc3 |
| SHA512 | 25c9ba76d18a62a50ec7d1886771a379ef147613ecc4b93ae3256b18e642d62eca47d8aef41b3a8d9a0ec16358fcf8d43a5eeff478ffe2b12ac62ea4825429c1 |
memory/3412-56-0x00007FF6BC4C0000-0x00007FF6BC814000-memory.dmp
C:\Windows\System\QjLpPLO.exe
| MD5 | 3c1e75f4c78e0b9d19cfe87bc64161f0 |
| SHA1 | 250384b11e2d86e3fd510baba2825d36d0a0e06d |
| SHA256 | c0c8b0b66acffc81fffe2eee4ddbae764760c18fab15994e0e6676e732464db4 |
| SHA512 | af5dceef604ef1b9a2b888f2818b5bae6a18a10926267a3fba540a60f6fd03e680e608dff4aa1dcd1e27e226b7b31de8a2f74247ee3bc9fb47421e8601dfeada |
memory/220-62-0x00007FF65A1F0000-0x00007FF65A544000-memory.dmp
memory/1572-63-0x00007FF6FCF10000-0x00007FF6FD264000-memory.dmp
memory/4720-67-0x00007FF6E7DF0000-0x00007FF6E8144000-memory.dmp
C:\Windows\System\PdxVAfx.exe
| MD5 | 4bae0993e2f3ae9563a7ad4331e101ab |
| SHA1 | 2274de7c4e74b8bf242fff374686f40cff2ea7d4 |
| SHA256 | 1aabcd0b643ba6e7a14b41db2876ec79fff37ecf6ab34de40ccbb2143c11b22b |
| SHA512 | 8ac23d691f841ce35cfdbb08a6cfb9f1400903d007d460b840e099a636b22a060518f906369d58514e788d858334d96d209ab36db11af5302b8cb891b095748b |
memory/2808-70-0x00007FF7C34B0000-0x00007FF7C3804000-memory.dmp
C:\Windows\System\oteqolE.exe
| MD5 | c894b02103b674a2c8cbabcf44fc78cb |
| SHA1 | b800c4e687ba387c645fe5a658e44fceb5d367e9 |
| SHA256 | 82443216599a91998801f9dfaad97f0450c794fc2692f787e9c4267adba7111f |
| SHA512 | dae517fa6dbc7b0cd8f74ea541d206481cc39b444be84601b1a0c7d5688fde87e863a493e5db418440d9861503dc06b34a4ab395696e6c48081a01f9ae2f9bc6 |
memory/3644-74-0x00007FF704CA0000-0x00007FF704FF4000-memory.dmp
memory/2020-75-0x00007FF7E5140000-0x00007FF7E5494000-memory.dmp
C:\Windows\System\OXkVuOI.exe
| MD5 | 367492cdd7bcd9ab6d78242d3ccee469 |
| SHA1 | f63a5ed829ac1da7ba96bd9c22181f7115364d53 |
| SHA256 | a39c0b2f8c3db7ee8d7bcbd2e548303807f0ffb5b58186b49cf6552f74758a79 |
| SHA512 | 8e8637b9e49c44b5e0a2641e3f47094cf91c7a07d70f77d3d33b7bcf46b5d84ad5f03ca6ba73846c4474ff1fdfc44d616d3f2e35e97f14988bd6d00611d7e112 |
C:\Windows\System\ULlBPmj.exe
| MD5 | a8934f4bf4f9bc4cc723c3c03f869be2 |
| SHA1 | 44e702bddd4ca12fd6cfb034a01ab133fec42db4 |
| SHA256 | f5432ec6b5724bf886d5f55f6fbd0689546ada329dbe708b58d7243cc26beff8 |
| SHA512 | 00f5d9af27869f7f8ad945e11e82e16809552f7bc6f41cd52b1ef7337f92765bc15cfe271e75190495a5088d999232604f052aff380cb368f7f2375014225498 |
memory/1804-92-0x00007FF7E62E0000-0x00007FF7E6634000-memory.dmp
memory/2288-94-0x00007FF67C950000-0x00007FF67CCA4000-memory.dmp
memory/4028-95-0x00007FF667C80000-0x00007FF667FD4000-memory.dmp
C:\Windows\System\oFfKTDD.exe
| MD5 | a80fb21dad208d04f18e9de98b237e61 |
| SHA1 | 8f077540cc36cab8d17e146753d9821540196f70 |
| SHA256 | 757a4861be45725d1caabeab87c77e54b52784118d977a1b7bd9bd5c7dff6a19 |
| SHA512 | 858b8c2faaac6646dbddd52c0d027ca9786c632750652a867c8fbed8ae38fb2acd44986a0d875ea3ef3166eb121697cd90d22de960115c50e9e9ce2fae06c65b |
C:\Windows\System\RyTnkFU.exe
| MD5 | 617104b8855960abb4117f5acdab4ee2 |
| SHA1 | 024f4635b59533822558e9cc4d0b26ca8b74321e |
| SHA256 | dbc8c594020cf6e123726845e9d7b4c9681977b3dc2ddcc5b792a03e63b23cdb |
| SHA512 | faa723ad726bd8390ff38e271a936438cfa62e66d30f85f27ad6c8e46286c79ad5ad8d4ef53b3ec4814a112ef20dd9545fd83491b8c3468149848a9ba7881491 |
C:\Windows\System\vZJpxtu.exe
| MD5 | d312734b9b5e0883747172775499af99 |
| SHA1 | 2a5de475fb6318ac2ec52a18811e01f18cb37a90 |
| SHA256 | f6714bf0ffa1ded93884524ed8c41faaa10bf240efa7eb8fb53f9534a7b23e14 |
| SHA512 | 0cc99055d333a3239d1647bd499a8059bd6cb6e14e9416af001b597ce32cfbaa0bb33d56813087c64c437773babfa0e8a647746906c11a8ea5099c2215c26d82 |
C:\Windows\System\SKTvQFt.exe
| MD5 | 7070b23d1eda84bac00fc22e84a981dd |
| SHA1 | 3e6fcc6328c93ddfdacaf2bcce311d0c6b3ce9b1 |
| SHA256 | d80fdae989097c0984e2e528cd859c9dd01cc97ae95b0dd476683a854dee958c |
| SHA512 | 5d2ff173a718f4f99b3f0946f37048310b05509f3aee189c9d407a6ae209cbe90ebf0d8acb62a48d70d5e39c495564e7792b90acd3b5b4c976e1f90d3812234f |
C:\Windows\System\VBDlWLK.exe
| MD5 | 1baf544e3e45c58a36bb5594f562cd17 |
| SHA1 | 572b308334e3cf2920adbe6af2e6e9752cb2a9f6 |
| SHA256 | 737eeb3b8041588d510726ef0d893d5a97518675b1b5b8800d0ddc1460809846 |
| SHA512 | eb33c2f4c1e868408d1171b68c065f5ee6cce6f1a6c6fa0e1b9f9130c946a734d0d50aef1cf0f4e064977d07c2728661fe262ad7ce402d87ff1b2094d6a901a4 |
C:\Windows\System\LTbxVVQ.exe
| MD5 | 4ca3ee1a8e00ce3134f9cb58f0b7f468 |
| SHA1 | ef5f459bf14b20efff26b83646ed2de2aec847de |
| SHA256 | a793d8b10c18f3f3cde10c1d6b377d0a60c9668e1616cacd6f3bce750d64d2fe |
| SHA512 | b05ce7b2ae12d62c585dc01611e700cad4e72ac338afe473d0fa8666e170478024f32e82304c6773cb5896bf129504627103a1a3a4c01a117c3598267a8f4fe6 |
C:\Windows\System\DVwVccN.exe
| MD5 | 165abdf2a2841c234742851e4d36940b |
| SHA1 | 3a3088b9bbd07ac319dbaa9f5622a32834ead234 |
| SHA256 | 0d4bb4e48fff1a64ee5b3b7fd4076fb24795535b44518b4e9559f1c51c7358a6 |
| SHA512 | 6127320aab089bbd354a354aca3163f1183a52437751ff917df8f89364543ebb73a4fd43a6c08ecebdc444edafe07f3c64a434c8340148bb3594c4ebd7d22d35 |
memory/4124-93-0x00007FF6B3360000-0x00007FF6B36B4000-memory.dmp
memory/1052-90-0x00007FF79A380000-0x00007FF79A6D4000-memory.dmp
memory/3788-127-0x00007FF799FD0000-0x00007FF79A324000-memory.dmp
memory/3836-128-0x00007FF653CB0000-0x00007FF654004000-memory.dmp
memory/2804-129-0x00007FF694C20000-0x00007FF694F74000-memory.dmp
memory/1236-130-0x00007FF7C3EB0000-0x00007FF7C4204000-memory.dmp
memory/5096-131-0x00007FF789EA0000-0x00007FF78A1F4000-memory.dmp
memory/1180-132-0x00007FF61D520000-0x00007FF61D874000-memory.dmp
memory/2724-133-0x00007FF6346A0000-0x00007FF6349F4000-memory.dmp
memory/2252-134-0x00007FF7D2ED0000-0x00007FF7D3224000-memory.dmp
memory/4720-135-0x00007FF6E7DF0000-0x00007FF6E8144000-memory.dmp
memory/2808-136-0x00007FF7C34B0000-0x00007FF7C3804000-memory.dmp
memory/3644-137-0x00007FF704CA0000-0x00007FF704FF4000-memory.dmp
memory/4624-138-0x00007FF62BE40000-0x00007FF62C194000-memory.dmp
memory/2020-139-0x00007FF7E5140000-0x00007FF7E5494000-memory.dmp
memory/4124-140-0x00007FF6B3360000-0x00007FF6B36B4000-memory.dmp
memory/4028-141-0x00007FF667C80000-0x00007FF667FD4000-memory.dmp
memory/3376-142-0x00007FF7A0D00000-0x00007FF7A1054000-memory.dmp
memory/1180-143-0x00007FF61D520000-0x00007FF61D874000-memory.dmp
memory/2252-144-0x00007FF7D2ED0000-0x00007FF7D3224000-memory.dmp
memory/3412-145-0x00007FF6BC4C0000-0x00007FF6BC814000-memory.dmp
memory/1572-146-0x00007FF6FCF10000-0x00007FF6FD264000-memory.dmp
memory/2288-147-0x00007FF67C950000-0x00007FF67CCA4000-memory.dmp
memory/2808-148-0x00007FF7C34B0000-0x00007FF7C3804000-memory.dmp
memory/2020-149-0x00007FF7E5140000-0x00007FF7E5494000-memory.dmp
memory/1052-150-0x00007FF79A380000-0x00007FF79A6D4000-memory.dmp
memory/1804-151-0x00007FF7E62E0000-0x00007FF7E6634000-memory.dmp
memory/2288-152-0x00007FF67C950000-0x00007FF67CCA4000-memory.dmp
memory/2724-153-0x00007FF6346A0000-0x00007FF6349F4000-memory.dmp
memory/3788-154-0x00007FF799FD0000-0x00007FF79A324000-memory.dmp
memory/3836-155-0x00007FF653CB0000-0x00007FF654004000-memory.dmp
memory/2804-156-0x00007FF694C20000-0x00007FF694F74000-memory.dmp
memory/1236-158-0x00007FF7C3EB0000-0x00007FF7C4204000-memory.dmp
memory/5096-157-0x00007FF789EA0000-0x00007FF78A1F4000-memory.dmp