Analysis Overview
SHA256
27abd97ccbbf25171d9ce3571e3479f374090a014684d67382e3a26646149d3f
Threat Level: Known bad
The file 2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX packed file
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-30 09:29
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 09:29
Reported
2024-05-30 09:32
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ORUdPbP.exe | N/A |
| N/A | N/A | C:\Windows\System\CgSeHad.exe | N/A |
| N/A | N/A | C:\Windows\System\UsgcVsf.exe | N/A |
| N/A | N/A | C:\Windows\System\ezGMVpl.exe | N/A |
| N/A | N/A | C:\Windows\System\FGLNsqp.exe | N/A |
| N/A | N/A | C:\Windows\System\WdMesTv.exe | N/A |
| N/A | N/A | C:\Windows\System\eyQVIxh.exe | N/A |
| N/A | N/A | C:\Windows\System\PYXaJvt.exe | N/A |
| N/A | N/A | C:\Windows\System\rHBHaLF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZAwEZli.exe | N/A |
| N/A | N/A | C:\Windows\System\uDLNabY.exe | N/A |
| N/A | N/A | C:\Windows\System\dBeSHZd.exe | N/A |
| N/A | N/A | C:\Windows\System\HwUuAQh.exe | N/A |
| N/A | N/A | C:\Windows\System\TEIYzyi.exe | N/A |
| N/A | N/A | C:\Windows\System\kKUMwiy.exe | N/A |
| N/A | N/A | C:\Windows\System\XNLObNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qQJVOJX.exe | N/A |
| N/A | N/A | C:\Windows\System\IESXuth.exe | N/A |
| N/A | N/A | C:\Windows\System\MWewTWM.exe | N/A |
| N/A | N/A | C:\Windows\System\RhYyRol.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnQDxQB.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ORUdPbP.exe
C:\Windows\System\ORUdPbP.exe
C:\Windows\System\CgSeHad.exe
C:\Windows\System\CgSeHad.exe
C:\Windows\System\UsgcVsf.exe
C:\Windows\System\UsgcVsf.exe
C:\Windows\System\ezGMVpl.exe
C:\Windows\System\ezGMVpl.exe
C:\Windows\System\FGLNsqp.exe
C:\Windows\System\FGLNsqp.exe
C:\Windows\System\WdMesTv.exe
C:\Windows\System\WdMesTv.exe
C:\Windows\System\PYXaJvt.exe
C:\Windows\System\PYXaJvt.exe
C:\Windows\System\eyQVIxh.exe
C:\Windows\System\eyQVIxh.exe
C:\Windows\System\rHBHaLF.exe
C:\Windows\System\rHBHaLF.exe
C:\Windows\System\ZAwEZli.exe
C:\Windows\System\ZAwEZli.exe
C:\Windows\System\uDLNabY.exe
C:\Windows\System\uDLNabY.exe
C:\Windows\System\dBeSHZd.exe
C:\Windows\System\dBeSHZd.exe
C:\Windows\System\HwUuAQh.exe
C:\Windows\System\HwUuAQh.exe
C:\Windows\System\TEIYzyi.exe
C:\Windows\System\TEIYzyi.exe
C:\Windows\System\kKUMwiy.exe
C:\Windows\System\kKUMwiy.exe
C:\Windows\System\XNLObNQ.exe
C:\Windows\System\XNLObNQ.exe
C:\Windows\System\qQJVOJX.exe
C:\Windows\System\qQJVOJX.exe
C:\Windows\System\IESXuth.exe
C:\Windows\System\IESXuth.exe
C:\Windows\System\MWewTWM.exe
C:\Windows\System\MWewTWM.exe
C:\Windows\System\RhYyRol.exe
C:\Windows\System\RhYyRol.exe
C:\Windows\System\ZnQDxQB.exe
C:\Windows\System\ZnQDxQB.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 09:29
Reported
2024-05-30 09:32
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ORUdPbP.exe | N/A |
| N/A | N/A | C:\Windows\System\CgSeHad.exe | N/A |
| N/A | N/A | C:\Windows\System\UsgcVsf.exe | N/A |
| N/A | N/A | C:\Windows\System\ezGMVpl.exe | N/A |
| N/A | N/A | C:\Windows\System\FGLNsqp.exe | N/A |
| N/A | N/A | C:\Windows\System\WdMesTv.exe | N/A |
| N/A | N/A | C:\Windows\System\PYXaJvt.exe | N/A |
| N/A | N/A | C:\Windows\System\eyQVIxh.exe | N/A |
| N/A | N/A | C:\Windows\System\rHBHaLF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZAwEZli.exe | N/A |
| N/A | N/A | C:\Windows\System\uDLNabY.exe | N/A |
| N/A | N/A | C:\Windows\System\dBeSHZd.exe | N/A |
| N/A | N/A | C:\Windows\System\HwUuAQh.exe | N/A |
| N/A | N/A | C:\Windows\System\TEIYzyi.exe | N/A |
| N/A | N/A | C:\Windows\System\kKUMwiy.exe | N/A |
| N/A | N/A | C:\Windows\System\XNLObNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qQJVOJX.exe | N/A |
| N/A | N/A | C:\Windows\System\IESXuth.exe | N/A |
| N/A | N/A | C:\Windows\System\MWewTWM.exe | N/A |
| N/A | N/A | C:\Windows\System\RhYyRol.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnQDxQB.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_303556bf5e90783a9b31ebef9ff363dd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ORUdPbP.exe
C:\Windows\System\ORUdPbP.exe
C:\Windows\System\CgSeHad.exe
C:\Windows\System\CgSeHad.exe
C:\Windows\System\UsgcVsf.exe
C:\Windows\System\UsgcVsf.exe
C:\Windows\System\ezGMVpl.exe
C:\Windows\System\ezGMVpl.exe
C:\Windows\System\FGLNsqp.exe
C:\Windows\System\FGLNsqp.exe
C:\Windows\System\WdMesTv.exe
C:\Windows\System\WdMesTv.exe
C:\Windows\System\PYXaJvt.exe
C:\Windows\System\PYXaJvt.exe
C:\Windows\System\eyQVIxh.exe
C:\Windows\System\eyQVIxh.exe
C:\Windows\System\rHBHaLF.exe
C:\Windows\System\rHBHaLF.exe
C:\Windows\System\ZAwEZli.exe
C:\Windows\System\ZAwEZli.exe
C:\Windows\System\uDLNabY.exe
C:\Windows\System\uDLNabY.exe
C:\Windows\System\dBeSHZd.exe
C:\Windows\System\dBeSHZd.exe
C:\Windows\System\HwUuAQh.exe
C:\Windows\System\HwUuAQh.exe
C:\Windows\System\TEIYzyi.exe
C:\Windows\System\TEIYzyi.exe
C:\Windows\System\kKUMwiy.exe
C:\Windows\System\kKUMwiy.exe
C:\Windows\System\XNLObNQ.exe
C:\Windows\System\XNLObNQ.exe
C:\Windows\System\qQJVOJX.exe
C:\Windows\System\qQJVOJX.exe
C:\Windows\System\IESXuth.exe
C:\Windows\System\IESXuth.exe
C:\Windows\System\MWewTWM.exe
C:\Windows\System\MWewTWM.exe
C:\Windows\System\RhYyRol.exe
C:\Windows\System\RhYyRol.exe
C:\Windows\System\ZnQDxQB.exe
C:\Windows\System\ZnQDxQB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
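The Network table above contains three kinds of rows: reverse (PTR) lookups sent to 8.8.8.8 whose names end in in-addr.arpa, name lookups and HTTPS connections to Bing hosts, and six TCP connections to 3.120.209.58:8080 for which the report records no domain at all. The Python below is an added example, not output of the sandbox and not part of the report; it parses rows in the table's own format, decodes each in-addr.arpa name back into the address being looked up (the octets in a PTR name are stored in reverse order), and separates connections that carry a resolved name from connections made to a bare IP. The embedded rows are a subset copied from the table; deciding which rows are the sample's own traffic and which are sandbox background remains the analyst's job.

```python
import re
from typing import List, NamedTuple, Optional


class Flow(NamedTuple):
    country: str
    dest_ip: str
    dest_port: int
    domain: str   # empty when the report recorded no name for the destination
    proto: str


# Subset of the report's Network table, copied as-is (header included).
# The rows for 3.120.209.58:8080 have an empty Domain cell.
REPORT_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa\.?$")


def parse_rows(text: str) -> List[Flow]:
    """Parse '| CC | ip:port | domain | proto |' rows; the header row is skipped
    because its Destination cell has no ':'."""
    flows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue  # header or malformed row
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def ptr_to_ip(name: str) -> Optional[str]:
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104'; None for non-PTR names."""
    m = PTR_RE.match(name)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def triage(flows: List[Flow]) -> dict:
    """Split the table into: addresses the host reverse-resolved, non-DNS
    connections whose destination carries a name, and non-DNS connections
    to a bare IP (no name recorded, so the address came from somewhere
    other than a lookup in this capture)."""
    ptr_targets = sorted({ip for f in flows if (ip := ptr_to_ip(f.domain))})
    named, unnamed = set(), set()
    for f in flows:
        if f.dest_port == 53:
            continue
        if f.domain:
            named.add((f.dest_ip, f.dest_port, f.proto, f.domain))
        else:
            unnamed.add((f.dest_ip, f.dest_port, f.proto))
    return {
        "ptr_targets": ptr_targets,
        "named_connections": sorted(named),
        "unnamed_connections": sorted(unnamed),
    }


if __name__ == "__main__":
    for key, items in triage(parse_rows(REPORT_ROWS)).items():
        print(key)
        for item in items:
            print("   ", item)
```

A bare-IP connection on a non-standard port is the first thing to pull out of a report like this: with no lookup preceding it, the address is carried inside the sample, so it is both a network indicator and a string to search for in the unpacked binary. The PTR decoding is useful in the other direction, as a cross-check: the reverse lookup of 237.197.79.204.in-addr.arpa decodes to 204.79.197.237, the same host the table shows as the g.bing.com endpoint, which is what you expect from the VM's own background activity rather than from the sample.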
Files
memory/2884-0-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp
memory/2884-1-0x0000022D089A0000-0x0000022D089B0000-memory.dmp
C:\Windows\System\ORUdPbP.exe
| MD5 | 2e069e4ecfe2330527d5db9e37be9a33 |
| SHA1 | 94e97f60ae12705a17f1b526c828c241159e5b04 |
| SHA256 | cf5115af0dc1774e9866584656423009bf182a7236acd11bca2879308555384f |
| SHA512 | b6b0896f5985cffd85595fa7deeadbdebc6e3e836c1068b62e241ee1f146c92807bed50fc61600a0654ba8b9ade38d79566ba40650a22ae0ece54a041cb56496 |
C:\Windows\System\UsgcVsf.exe
| MD5 | 166eb795e5a74547573ecdf1ad39aa91 |
| SHA1 | b455cd4e50b090191dae0ee677b3712719f57f5f |
| SHA256 | 3b56b5dd4eef6f78289c37b0a8e72d8d5c6a54509c9b02ad2d46721cb6f8ae07 |
| SHA512 | 6b9ec155b768bd460180c48a7641d75f13984c1b4bb1e686da253bb64ff21a328745f04de866aa4bcf23ea0e67dc1005bfbf125f5462601f574cf9d175b9e61f |
C:\Windows\System\CgSeHad.exe
| MD5 | 2690b0a5a1e260a1049fad357afe1bec |
| SHA1 | e6990300803316745beb149b4bbde18dfa16d72c |
| SHA256 | 93c5bfb455a3486790772466c02ea61d62c84bcb15ae2ce76685d6cf09760c1c |
| SHA512 | 6fcf5f332542bbe78d6c2e5a6a795bb7e242b61ffbe077009f094c9ac850800c223657ae32a0a9f39a0160cc71def79a7d40e9c03561008fbc021afdfe6e784d |
memory/2568-19-0x00007FF600A80000-0x00007FF600DD1000-memory.dmp
memory/3168-16-0x00007FF6485B0000-0x00007FF648901000-memory.dmp
memory/2176-8-0x00007FF7971D0000-0x00007FF797521000-memory.dmp
C:\Windows\System\ezGMVpl.exe
| MD5 | bd9d25e63eeabdbfd80d5ad3d8eb9179 |
| SHA1 | a93bfb68a29f9b88991d9af9dc47bfca0daed647 |
| SHA256 | 50b6179d6f735618eaca96501c88e7c954dad44032052e03b4521e4d7969142a |
| SHA512 | e8a7615df804204184b29d03bedce9a1d8342865cf7453fb8b5db365dad60285a8e23d55dd84806a226b0ffe59500648d4da22229a6a6212f58d9d7f5184b00f |
C:\Windows\System\FGLNsqp.exe
| MD5 | f4bfcc68312a4313d337662759f81a09 |
| SHA1 | 65ce6b6ca59f5ce93e8eb84ae19b88921e67a792 |
| SHA256 | d8d5aac0466172c2815e3258b17e0483fbd7932d609e583aa82f84dad4dfe1ed |
| SHA512 | 744ed116d5addcaddff698da9d343b8d031317359a8233744299abd1e35458ffa43280337222a10c79dd798ca66c62f1b8722897e18cc2c35eaf9e698a896b97 |
memory/1148-33-0x00007FF65A2C0000-0x00007FF65A611000-memory.dmp
C:\Windows\System\PYXaJvt.exe
| MD5 | d9777b9d5039427c75014287bbca666a |
| SHA1 | 56411d708db41018cb96a55c993bf327cc8179bb |
| SHA256 | 895d3fb580bc88d44f8a8671e1fb4890414445d951b03ecd64eb94cfb6ae7792 |
| SHA512 | fdb7504faef691361b91699803e2e41de568fb1a26c03ba70c7d9369659648a677a225918239178f00a138f10b91cbe077e7d5d9f02e71de7fa35b2a678fa845 |
C:\Windows\System\ZAwEZli.exe
| MD5 | 6b43ed97183ebabffc9e6a7f7f60850e |
| SHA1 | eea2e814453e4f62c08b152e0585e4d95d628c65 |
| SHA256 | 1c80f120665a66d99dfab533978045b2685b1c796d5c6dd2e963cc120b63a643 |
| SHA512 | a1f2c304987173c8ecaf7acef92291a88c0f42ff6ac1faf5f4fb4200c44adc133c3bba94461961ef2ed8506c0754626559294321544a36b670c6b692273314a6 |
memory/4944-53-0x00007FF78F3D0000-0x00007FF78F721000-memory.dmp
memory/3212-63-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp
memory/3640-64-0x00007FF6A9A20000-0x00007FF6A9D71000-memory.dmp
C:\Windows\System\uDLNabY.exe
| MD5 | 075811b969720459dc583380fa18bc6a |
| SHA1 | 5765bde375fd85dfd18992269c92f13b0229a69e |
| SHA256 | 4c54705a1221e1cf9928d3a79913d7f9bbc0a10fee6ab12f4979c84422378563 |
| SHA512 | ec736584b2fb67cdb46eac2a20da1cf397bd128001d0f58f505e643f64c48b4264c4977b991dfe8bb7577f281033b280e85238694ce89e443e87db4a9c096d55 |
memory/1060-66-0x00007FF694620000-0x00007FF694971000-memory.dmp
memory/3208-65-0x00007FF7260C0000-0x00007FF726411000-memory.dmp
C:\Windows\System\rHBHaLF.exe
| MD5 | 4ca386c7af534abc1afbf95e00f6a40a |
| SHA1 | 5cbb5c95d6364270997143c9031bf58d552e031f |
| SHA256 | 3dea0deebccbd223c407a3cc56355e9181c67a2538584640b26e2f219a773280 |
| SHA512 | 8e47aa2595ed6fd5bef8255b88ab8c4eca505b671ddeef1fcda7e7cdde0d9c189a10a583c1dcf27b8209b7874a9a52e43826af280b1f61f1af031b798c38667e |
C:\Windows\System\eyQVIxh.exe
| MD5 | ab4b98b5f67b57b845e664de1c66654c |
| SHA1 | abd009aaa6c4726b97c27ffcb9b123b1d8e6c8f1 |
| SHA256 | 80182c3d151608d54e804d29861daeeff7d0f069b53d75adcd0c50844fd1b067 |
| SHA512 | 8144c57f8af1272f3abcb3163698ad6de5d61cabaa85048198019563e1643df5daac92392d326ba8eb6c8e5d9be18678caf25a6b1cda1b67b694f2344a8c2fa3 |
memory/3268-47-0x00007FF690C20000-0x00007FF690F71000-memory.dmp
memory/5072-45-0x00007FF6512A0000-0x00007FF6515F1000-memory.dmp
C:\Windows\System\WdMesTv.exe
| MD5 | c935a99f067e0767fb6bc6adc48613e2 |
| SHA1 | ad64c5d0608b7e8658b7fb3a438d8c4b448a27d8 |
| SHA256 | f83bc1f379cf541324f04f1a57e82c903957ec23c68a9948d3d18401502c6be1 |
| SHA512 | ed427c6a11c83d71a2f045ea4d2e075b30074717abf441b485b7493c1999e250c5169860b8ab46ce9406b9f5b202040ed395b719a0c7416a9d45403b5a2b9a4c |
C:\Windows\System\dBeSHZd.exe
| MD5 | 3934e699ea4e5937f759eb740d7f5af3 |
| SHA1 | 9332da24793d2e4f0e51f15f1f91119fed980496 |
| SHA256 | 807e8dc86d694cf88933dea2ac9664ba35c06cba57d90ee7611f03a2eec51656 |
| SHA512 | d5c18be3d89fd7b89cdb5118f5c895ac8da8a7880d709e80bcab01178abef6ffa40552f28aaa6c22dd80b7ea0fd42f7ac0d2b53b757a94116e364a14c3c620f9 |
C:\Windows\System\HwUuAQh.exe
| MD5 | 191010e5b9cb69e485a0d3939f668c8d |
| SHA1 | 035489933f6b3969b5562e4687e7607ba4cd91d3 |
| SHA256 | bc12f0ad7898f67a17ae7449dcd7a318b3201f8e492c42c4574b989407330852 |
| SHA512 | e1335e3ccd4fb16cfafbdcdab9a1ed551f067c9a9cb010e700eb5378dd5a33acc61237d43a314a0a2a82067a54a3515b96652223ec40139d4440232c609720e5 |
memory/2236-79-0x00007FF69A5A0000-0x00007FF69A8F1000-memory.dmp
memory/2884-80-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp
C:\Windows\System\TEIYzyi.exe
| MD5 | f2c30ddbb3e252682d7205887d75af74 |
| SHA1 | 66939215d136aaa1967092ee2a348040dd8a7b47 |
| SHA256 | 7ec13a0302f97f5178c44b3f3455d2999ff188f78ba2abdc7253d5f636ca7b76 |
| SHA512 | d35ac1ce6cf2f443de7e4dd5fae6060ce0ab608563ad475a32aab66c2459af4a435d0c40e9664a39699bc088e193c57e62b5c294917987cd1bfc0969ee173b8b |
C:\Windows\System\kKUMwiy.exe
| MD5 | 05ebb1380b118cb5c3a7cd95f2c1bdc6 |
| SHA1 | 1f6bd59c96b318636e445c17cf32e5eb8319481d |
| SHA256 | a4f231097b8413e2b9fb9da28c7630c07268a0301c52788f70fdda3a28a41eb5 |
| SHA512 | badf95d8f2a45cfd0b707dde11f563be17aa8d38d7444b05e291d0e8eda8d3cbf0f417ae97c18242d3f81a2ec660d009ec9642133567c21db40a5e1fa04b9c3c |
C:\Windows\System\XNLObNQ.exe
| MD5 | c0297ed1157a60b7f52a0ed69e693484 |
| SHA1 | 5a8f4d94ccb902b695e4bc9637a96bd39497345d |
| SHA256 | e0b82dae56692856cd78c6dbe85a1d7e736889d474b6b1988aa2f182a0bf21e7 |
| SHA512 | 99b4c485bc95c5b42ee1147641e2065a3b5025947eaebb2319ff126bb2925b8c773595f013d04548eeae55662244b65e7199b45ea928672d5ae8bac3bf071dfe |
memory/3164-100-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp
memory/520-104-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp
C:\Windows\System\IESXuth.exe
| MD5 | 62ff1bb59015bd6450026ac01e97e7cc |
| SHA1 | 518fb4ac44eadd7f71c1d1da0a8886dcde279ca6 |
| SHA256 | 1d653c65d589c3ee44d8f74643ced883c297a47796a04292c0ca26cae4fb81b8 |
| SHA512 | d9dddf6c69c32f7413e37e9bd94c64e9266be1bf00af295886a3e2f01e188082ba94f05f478c033fa91d95a0b69843bf7cea3b3e717b6d7da69240b80fba3b20 |
C:\Windows\System\MWewTWM.exe
| MD5 | 90d604217abd728ec7eddf7e88afa7f3 |
| SHA1 | b9c41752bf745c43b4d1ae0c44fac368a446e50d |
| SHA256 | d9777d60dd2d87257b5cf5c42722d48820108b2c9e30c0edb6605ecbc76277db |
| SHA512 | 5b044034e454f693eb19652c1ab9f9a1e1e4ed6d2900c08c69221de252e90338cb1158d47dcb0a6c7d4564ee304c3f3eaee98908367d6c07690cc756e980360d |
memory/4796-115-0x00007FF7298B0000-0x00007FF729C01000-memory.dmp
memory/4740-118-0x00007FF766520000-0x00007FF766871000-memory.dmp
C:\Windows\System\RhYyRol.exe
| MD5 | d404a97933cba32de07ab0fb09e1fe37 |
| SHA1 | 2e5ed5d278433911c6c090d06a70c8e0a6bd8a8a |
| SHA256 | dffb6a20a7e5a0c89dce2cc45445bd52bc861ba1b3597a35b979d096ab9f3a93 |
| SHA512 | 1d350bc71f9324d4d79afa2b5c5efc52dd2e254d4b1fd2ed695bc35eb68515c8427eca3a33f3affcc2889e2374df2bb57f7e4293a14b325ded0cf78cfd38e2e4 |
memory/2176-113-0x00007FF7971D0000-0x00007FF797521000-memory.dmp
memory/944-112-0x00007FF7B9D70000-0x00007FF7BA0C1000-memory.dmp
C:\Windows\System\qQJVOJX.exe
| MD5 | 772eadcc57e4063b5c34dc476fafb046 |
| SHA1 | 43e869856cfa8aa29b19382f3dafa13561d959cb |
| SHA256 | b4b7afc666b81cf9477de831f0bfb946c45e41a6a494f483934e4e506c539dfc |
| SHA512 | 7093c39a1fab7f85037f8f90984440c2fa6b855a123b110f121adbcac023918515cf6f43664c19e4d7379298ee30c2d0a9eff9787d05ac5b9291a2e24a2e8781 |
memory/1380-94-0x00007FF6A4720000-0x00007FF6A4A71000-memory.dmp
memory/3752-83-0x00007FF79EE90000-0x00007FF79F1E1000-memory.dmp
memory/2568-129-0x00007FF600A80000-0x00007FF600DD1000-memory.dmp
C:\Windows\System\ZnQDxQB.exe
| MD5 | d3bc95394c7c3ad0c392e5e1d302120c |
| SHA1 | d5f310edc70232fd6912a452d9b3378dbf4d551b |
| SHA256 | fbeb7eb8d59efd0d36b9902e6e213fd5fe89fa37b4645b4b73913da246d52466 |
| SHA512 | b2e3c4b2b5a7ddba525c9feaa8ae09a7f8654626a1ded118a007c38e5af8de11b3e50e93120d2493c6f3ce402594804e5d9c4c6aba362af9507136a10e8da163 |
memory/2976-131-0x00007FF767FA0000-0x00007FF7682F1000-memory.dmp
memory/5072-136-0x00007FF6512A0000-0x00007FF6515F1000-memory.dmp
memory/3212-140-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp
memory/1060-142-0x00007FF694620000-0x00007FF694971000-memory.dmp
memory/900-144-0x00007FF6A27C0000-0x00007FF6A2B11000-memory.dmp
memory/4740-151-0x00007FF766520000-0x00007FF766871000-memory.dmp
memory/944-150-0x00007FF7B9D70000-0x00007FF7BA0C1000-memory.dmp
memory/2884-154-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp
memory/2176-207-0x00007FF7971D0000-0x00007FF797521000-memory.dmp
memory/3168-209-0x00007FF6485B0000-0x00007FF648901000-memory.dmp
memory/2568-211-0x00007FF600A80000-0x00007FF600DD1000-memory.dmp
memory/1148-213-0x00007FF65A2C0000-0x00007FF65A611000-memory.dmp
memory/5072-215-0x00007FF6512A0000-0x00007FF6515F1000-memory.dmp
memory/3268-218-0x00007FF690C20000-0x00007FF690F71000-memory.dmp
memory/4944-219-0x00007FF78F3D0000-0x00007FF78F721000-memory.dmp
memory/3208-221-0x00007FF7260C0000-0x00007FF726411000-memory.dmp
memory/3212-225-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp
memory/3640-224-0x00007FF6A9A20000-0x00007FF6A9D71000-memory.dmp
memory/1060-227-0x00007FF694620000-0x00007FF694971000-memory.dmp
memory/2236-235-0x00007FF69A5A0000-0x00007FF69A8F1000-memory.dmp
memory/3752-237-0x00007FF79EE90000-0x00007FF79F1E1000-memory.dmp
memory/1380-239-0x00007FF6A4720000-0x00007FF6A4A71000-memory.dmp
memory/3164-241-0x00007FF7AD780000-0x00007FF7ADAD1000-memory.dmp
memory/520-243-0x00007FF6B0FE0000-0x00007FF6B1331000-memory.dmp
memory/4796-245-0x00007FF7298B0000-0x00007FF729C01000-memory.dmp
memory/944-247-0x00007FF7B9D70000-0x00007FF7BA0C1000-memory.dmp
memory/4740-249-0x00007FF766520000-0x00007FF766871000-memory.dmp
memory/2976-251-0x00007FF767FA0000-0x00007FF7682F1000-memory.dmp
memory/900-255-0x00007FF6A27C0000-0x00007FF6A2B11000-memory.dmp
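The Files list above is the part of this report that turns into detections: 21 executables dropped into C:\Windows\System\ (the legacy directory, not System32) under seven-letter random names, each with its own MD5/SHA1/SHA256/SHA512, interleaved with the memory regions dumped from each process. The Python below is an added example, not the report's own data or tooling: it parses the flattened format of that list into IOC records, checks that each hash has the right length for its algorithm (a truncated digest silently matches nothing), matches a file's digests against the set, hashes a directory tree, and flags drop paths that fit the naming pattern seen here. Only an excerpt of the list is embedded (three dump lines and two of the dropped files, copied from above); the path rule is a heuristic drawn from this one sample and is labelled as such in the code, not a general signature.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Excerpt of the report's Files section exactly as it appears on the page: a
# dropped executable's path, then one hash row per algorithm, with memory-dump
# lines in between. Raw string because the paths contain backslashes.
FILES_SECTION = r"""
memory/2884-0-0x00007FF67BCE0000-0x00007FF67C031000-memory.dmp
memory/2884-1-0x0000022D089A0000-0x0000022D089B0000-memory.dmp
C:\Windows\System\ORUdPbP.exe
| MD5 | 2e069e4ecfe2330527d5db9e37be9a33 |
| SHA1 | 94e97f60ae12705a17f1b526c828c241159e5b04 |
| SHA256 | cf5115af0dc1774e9866584656423009bf182a7236acd11bca2879308555384f |
| SHA512 | b6b0896f5985cffd85595fa7deeadbdebc6e3e836c1068b62e241ee1f146c92807bed50fc61600a0654ba8b9ade38d79566ba40650a22ae0ece54a041cb56496 |
C:\Windows\System\UsgcVsf.exe
| MD5 | 166eb795e5a74547573ecdf1ad39aa91 |
| SHA1 | b455cd4e50b090191dae0ee677b3712719f57f5f |
| SHA256 | 3b56b5dd4eef6f78289c37b0a8e72d8d5c6a54509c9b02ad2d46721cb6f8ae07 |
| SHA512 | 6b9ec155b768bd460180c48a7641d75f13984c1b4bb1e686da253bb64ff21a328745f04de866aa4bcf23ea0e67dc1005bfbf125f5462601f574cf9d175b9e61f |
memory/2568-19-0x00007FF600A80000-0x00007FF600DD1000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\\S.*$")
DUMP_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Heuristic taken from this sample only: seven ASCII letters + .exe dropped
# directly into the legacy C:\Windows\System\ directory.
ODD_DROP = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_files_section(text: str):
    """Return ({path: {algo: hexdigest}}, [(pid, start, end), ...])."""
    iocs: Dict[str, Dict[str, str]] = {}
    dumps: List[Tuple[int, int, int]] = []
    current: Optional[str] = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := DUMP_LINE.match(line):
            dumps.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
        elif WIN_PATH.match(line):
            current = line
            iocs.setdefault(current, {})
        elif (m := HASH_ROW.match(line)) and current:
            iocs[current][m.group(1).lower()] = m.group(2).lower()
    return iocs, dumps


def malformed_hashes(iocs) -> List[Tuple[str, str]]:
    """(path, algo) pairs whose hex length is wrong for the algorithm."""
    return [(p, a) for p, hs in iocs.items() for a, h in hs.items()
            if len(h) != HEX_LEN[a]]


def match_digests(digests: Dict[str, str], iocs) -> Optional[str]:
    """IOC path whose hashes agree with `digests` (lower-case algo keys) on
    every algorithm both sides have, or None."""
    for path, known in iocs.items():
        shared = set(known) & set(digests)
        if shared and all(known[a] == digests[a].lower() for a in shared):
            return path
    return None


def hash_file(path) -> Dict[str, str]:
    hs = {a: hashlib.new(a) for a in HEX_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def scan_tree(root, iocs) -> List[Tuple[str, str]]:
    """Hash every regular file under root; return (file, matching IOC path)."""
    hits = []
    for f in Path(root).rglob("*"):
        if f.is_file() and (ioc := match_digests(hash_file(f), iocs)):
            hits.append((str(f), ioc))
    return hits


def region_sizes(dumps) -> List[int]:
    """Distinct sizes of the dumped regions, smallest first."""
    return sorted({end - start for _, start, end in dumps})


def is_odd_drop(path: str) -> bool:
    return ODD_DROP.match(path) is not None


if __name__ == "__main__":
    iocs, dumps = parse_files_section(FILES_SECTION)
    print(len(iocs), "IOC files;", "bad hashes:", malformed_hashes(iocs))
    print("dump region sizes:", [hex(s) for s in region_sizes(dumps)])
    print("odd drop paths:", [p for p in iocs if is_odd_drop(p)])
```

region_sizes() is there because every image-sized dump in the list (the 0x00007FF6... ranges) spans exactly 0x351000 bytes regardless of process, while the 0x0000022D... region is a 0x10000-byte heap allocation; identical image size across 21 differently-hashed files is a hint that they share one PE image, which is the thing to confirm next by diffing two of the dumps. Different hashes per drop also mean the hash set only catches this particular run; the drop directory and name pattern will travel further than any single digest.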