Analysis Overview
SHA256
27c5b09a238d49db1d1612c80027aff9bad3d5bf4d38d7e35ca81ce87db11ef8
Threat Level: Known bad
The file 2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-06 14:23
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 14:23
Reported
2024-06-06 14:25
Platform
win7-20240221-en
Max time kernel
148s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\awpdUWP.exe | N/A |
| N/A | N/A | C:\Windows\System\iZjZPWB.exe | N/A |
| N/A | N/A | C:\Windows\System\EPxTDdy.exe | N/A |
| N/A | N/A | C:\Windows\System\CevPuLX.exe | N/A |
| N/A | N/A | C:\Windows\System\MgRbedl.exe | N/A |
| N/A | N/A | C:\Windows\System\eSSfCBu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQcDmpq.exe | N/A |
| N/A | N/A | C:\Windows\System\fQJooND.exe | N/A |
| N/A | N/A | C:\Windows\System\McWIhvx.exe | N/A |
| N/A | N/A | C:\Windows\System\cDfTOfq.exe | N/A |
| N/A | N/A | C:\Windows\System\OlwnRqH.exe | N/A |
| N/A | N/A | C:\Windows\System\doTODZq.exe | N/A |
| N/A | N/A | C:\Windows\System\DSeDILC.exe | N/A |
| N/A | N/A | C:\Windows\System\jFBeZjN.exe | N/A |
| N/A | N/A | C:\Windows\System\AXZpuIG.exe | N/A |
| N/A | N/A | C:\Windows\System\uRNpgZU.exe | N/A |
| N/A | N/A | C:\Windows\System\Givcypn.exe | N/A |
| N/A | N/A | C:\Windows\System\kcINOCX.exe | N/A |
| N/A | N/A | C:\Windows\System\qwMMLQB.exe | N/A |
| N/A | N/A | C:\Windows\System\PPUPtMF.exe | N/A |
| N/A | N/A | C:\Windows\System\mLjMxxq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\awpdUWP.exe | C:\Windows\System\awpdUWP.exe |
| C:\Windows\System\iZjZPWB.exe | C:\Windows\System\iZjZPWB.exe |
| C:\Windows\System\EPxTDdy.exe | C:\Windows\System\EPxTDdy.exe |
| C:\Windows\System\CevPuLX.exe | C:\Windows\System\CevPuLX.exe |
| C:\Windows\System\eSSfCBu.exe | C:\Windows\System\eSSfCBu.exe |
| C:\Windows\System\MgRbedl.exe | C:\Windows\System\MgRbedl.exe |
| C:\Windows\System\ZQcDmpq.exe | C:\Windows\System\ZQcDmpq.exe |
| C:\Windows\System\fQJooND.exe | C:\Windows\System\fQJooND.exe |
| C:\Windows\System\McWIhvx.exe | C:\Windows\System\McWIhvx.exe |
| C:\Windows\System\cDfTOfq.exe | C:\Windows\System\cDfTOfq.exe |
| C:\Windows\System\OlwnRqH.exe | C:\Windows\System\OlwnRqH.exe |
| C:\Windows\System\doTODZq.exe | C:\Windows\System\doTODZq.exe |
| C:\Windows\System\DSeDILC.exe | C:\Windows\System\DSeDILC.exe |
| C:\Windows\System\jFBeZjN.exe | C:\Windows\System\jFBeZjN.exe |
| C:\Windows\System\AXZpuIG.exe | C:\Windows\System\AXZpuIG.exe |
| C:\Windows\System\uRNpgZU.exe | C:\Windows\System\uRNpgZU.exe |
| C:\Windows\System\Givcypn.exe | C:\Windows\System\Givcypn.exe |
| C:\Windows\System\kcINOCX.exe | C:\Windows\System\kcINOCX.exe |
| C:\Windows\System\qwMMLQB.exe | C:\Windows\System\qwMMLQB.exe |
| C:\Windows\System\PPUPtMF.exe | C:\Windows\System\PPUPtMF.exe |
| C:\Windows\System\mLjMxxq.exe | C:\Windows\System\mLjMxxq.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 14:23
Reported
2024-06-06 14:25
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\awpdUWP.exe | N/A |
| N/A | N/A | C:\Windows\System\iZjZPWB.exe | N/A |
| N/A | N/A | C:\Windows\System\EPxTDdy.exe | N/A |
| N/A | N/A | C:\Windows\System\CevPuLX.exe | N/A |
| N/A | N/A | C:\Windows\System\eSSfCBu.exe | N/A |
| N/A | N/A | C:\Windows\System\MgRbedl.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQcDmpq.exe | N/A |
| N/A | N/A | C:\Windows\System\fQJooND.exe | N/A |
| N/A | N/A | C:\Windows\System\McWIhvx.exe | N/A |
| N/A | N/A | C:\Windows\System\cDfTOfq.exe | N/A |
| N/A | N/A | C:\Windows\System\OlwnRqH.exe | N/A |
| N/A | N/A | C:\Windows\System\doTODZq.exe | N/A |
| N/A | N/A | C:\Windows\System\DSeDILC.exe | N/A |
| N/A | N/A | C:\Windows\System\jFBeZjN.exe | N/A |
| N/A | N/A | C:\Windows\System\AXZpuIG.exe | N/A |
| N/A | N/A | C:\Windows\System\uRNpgZU.exe | N/A |
| N/A | N/A | C:\Windows\System\Givcypn.exe | N/A |
| N/A | N/A | C:\Windows\System\qwMMLQB.exe | N/A |
| N/A | N/A | C:\Windows\System\kcINOCX.exe | N/A |
| N/A | N/A | C:\Windows\System\PPUPtMF.exe | N/A |
| N/A | N/A | C:\Windows\System\mLjMxxq.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\awpdUWP.exe | C:\Windows\System\awpdUWP.exe |
| C:\Windows\System\iZjZPWB.exe | C:\Windows\System\iZjZPWB.exe |
| C:\Windows\System\EPxTDdy.exe | C:\Windows\System\EPxTDdy.exe |
| C:\Windows\System\CevPuLX.exe | C:\Windows\System\CevPuLX.exe |
| C:\Windows\System\eSSfCBu.exe | C:\Windows\System\eSSfCBu.exe |
| C:\Windows\System\MgRbedl.exe | C:\Windows\System\MgRbedl.exe |
| C:\Windows\System\ZQcDmpq.exe | C:\Windows\System\ZQcDmpq.exe |
| C:\Windows\System\fQJooND.exe | C:\Windows\System\fQJooND.exe |
| C:\Windows\System\McWIhvx.exe | C:\Windows\System\McWIhvx.exe |
| C:\Windows\System\cDfTOfq.exe | C:\Windows\System\cDfTOfq.exe |
| C:\Windows\System\OlwnRqH.exe | C:\Windows\System\OlwnRqH.exe |
| C:\Windows\System\doTODZq.exe | C:\Windows\System\doTODZq.exe |
| C:\Windows\System\DSeDILC.exe | C:\Windows\System\DSeDILC.exe |
| C:\Windows\System\jFBeZjN.exe | C:\Windows\System\jFBeZjN.exe |
| C:\Windows\System\AXZpuIG.exe | C:\Windows\System\AXZpuIG.exe |
| C:\Windows\System\uRNpgZU.exe | C:\Windows\System\uRNpgZU.exe |
| C:\Windows\System\Givcypn.exe | C:\Windows\System\Givcypn.exe |
| C:\Windows\System\kcINOCX.exe | C:\Windows\System\kcINOCX.exe |
| C:\Windows\System\qwMMLQB.exe | C:\Windows\System\qwMMLQB.exe |
| C:\Windows\System\PPUPtMF.exe | C:\Windows\System\PPUPtMF.exe |
| C:\Windows\System\mLjMxxq.exe | C:\Windows\System\mLjMxxq.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.202:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 202.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4932-0-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp
memory/4932-1-0x0000023C6D4F0000-0x0000023C6D500000-memory.dmp
C:\Windows\System\awpdUWP.exe
| MD5 | 11521a2378a3c1cb993a96ae664f0945 |
| SHA1 | ee045753e597bceef35b88b631f2ac9306209a7a |
| SHA256 | dcb6fa4a7fe16c367b1a3462d90c2e270d06d890aa433001b0851c42ced9c8f5 |
| SHA512 | 738d205041fb7382b7656b51536c57dad4294aa53bc242937423157ed7c6fad33c0dced1ad931bdf1e7f341e0b49e90f603042980825e0813ac7a9482e305fcf |
memory/3340-8-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp
C:\Windows\System\iZjZPWB.exe
| MD5 | d2de1753d58caf0569e778b6e2a95fe4 |
| SHA1 | 38578a7da06b35c7788e1683cd04d55401e3c6f3 |
| SHA256 | 4771550e308dc222293ae78fdd76e0b9d20f9561c36615f1ea3f51369f19f828 |
| SHA512 | f59380ea3699f65862138124ab8e13c62bdf561727aa50f56bd553a7973d92fdbf63b558b83baa6fa7bf93e68d7cc4480d3dce017f65a12ef74f051f4047fd95 |
C:\Windows\System\EPxTDdy.exe
| MD5 | ebb6cc2952d86061967e33bc2aa029c1 |
| SHA1 | ed0e37f3e46b6fef2ee0086695ed93d759244b99 |
| SHA256 | c1710cc4e4cf1dd2ce0e92fe90424657fc4a983983e9ce8bee84746575e63590 |
| SHA512 | 48c99f33f7e3a781b6065e1427cd40343dc17628874dfaa5f47c6944920b7973e760fd6a7381ba9c9a31bcb2217f92e9dc8e631c1ac595f2de7a83594f3d222e |
C:\Windows\System\eSSfCBu.exe
| MD5 | ca1250e1474d8883bf982f93e2a813fb |
| SHA1 | a56c246d0cb61361580fde6eafea948aa64a2abe |
| SHA256 | e02b22b5cc2c333a5a98277f6370bc1b414527d9426befd416b08405da8654e5 |
| SHA512 | 24d507e58af8542eb9ae74b3df455f70f35ef202317dcdcd09037f0b404b7d6e7e3fdb85e266f4e40ee989172fe91fcf5732da5f8553076cdb67b67d8532b90a |
C:\Windows\System\ZQcDmpq.exe
| MD5 | 98790673bbcb5694cd557d022f1ecb58 |
| SHA1 | d89cb51a6e3d89d31626f75e2cd281ed11f1ee39 |
| SHA256 | d39a1433e9998326e2a4a16ab81805610e775fb19c052cc6e343c2f0671af888 |
| SHA512 | 108f9f88d85bb33ac0c9d260fe615fb8e5744ea3fbc3c278273b975130338d7baa54030caa054e3e9ff37fe2014b76fd4e211906f07d1ddc6d13597651a2d1ec |
C:\Windows\System\MgRbedl.exe
| MD5 | 27824af6f67c38eb5062127c8920c81c |
| SHA1 | e791bbb8177f132ef17a15a4f3cdeaca468dbf36 |
| SHA256 | 86c2367db8cf61f2f4ee525c93d63c05b55553db57bb79d8ed11bf0042f21640 |
| SHA512 | 681ec05b963558c59ab543620bbd0b2634c9372b455e35fcb00f7dd6ad88dfb42a5014a874415bc784b2868d29f9df9f1a1bda02fcbb555d9651f148c8f38fe9 |
C:\Windows\System\fQJooND.exe
| MD5 | a57c0b3f5d4852dc983210a57bd9f447 |
| SHA1 | 6d892d7d19e16edddd4c6414861ca952cebf4ddc |
| SHA256 | a43c58dddbd3a1c09b7c1b114a8c7b8865dab385c1ad08d5518555523cf3858b |
| SHA512 | e1b54d524fe5d4bd59e515e88a7665166023a6b1e45959e14752851d82a029c92ca30f25f804546592dbf07ba1d85f40afbea046b1ca291fbb9523ba31ff29b0 |
C:\Windows\System\McWIhvx.exe
| MD5 | cb34830d4cfa21400df70d08ddded230 |
| SHA1 | aef22432f472dee55375a4ed930a9a96caa716d7 |
| SHA256 | ca6c5bb4038efe23b2a17efaec93b7ba2e2926d320685db5c9e8df135eb64b63 |
| SHA512 | be1480a44f1f765a9b6118ad4b798c80a6f1bf8300ff77f11b33fdbf1eed72af89e8a49e45faf6776bdc4cd0c4f82ea676d689131baaa5fcb04af28266de772e |
memory/1728-50-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp
memory/4412-63-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp
memory/836-68-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp
C:\Windows\System\doTODZq.exe
| MD5 | 36554a5531c2e607e54a2fcf43882d7e |
| SHA1 | b0516fdb88e7396b38de55bb2fbba28329bd9bce |
| SHA256 | ebfffe1dddf41b84d0829c453c045152c101871502570ed940f35057f3fa613f |
| SHA512 | cc20eab739dd40961d83fd8ceb4c44f5ea1d0fd499e68589c584b8417718b6af41527f319a5472395303186e7ed4572916dae4df095ab85c3028202650a8b64d |
memory/2132-71-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp
C:\Windows\System\OlwnRqH.exe
| MD5 | 394c05f825c15c9856a4c8626d017d06 |
| SHA1 | 6329cc88e8a52ba202a808f8daf06376a6899707 |
| SHA256 | bc5f0019e9dbd831a6acab0d4dd4348d1fcc38803cfae873b335708db8ac131e |
| SHA512 | 283b63871690e9d0c2ef787468bc0e0743f3811f18c96db0099e76a1a782c2d9aa634d5e300d7af1d5013cde7aa3a688b5a862c206744dc3ade1f36c77f9e8a9 |
C:\Windows\System\cDfTOfq.exe
| MD5 | 516b0dcfc870b2286b3f235a13bb09ce |
| SHA1 | 6f91cbd75d4795cd90285221b6a98a564691c53c |
| SHA256 | 7108384c34c4ec4df5d0af83184c0260419d1e3047e847c4f989b971c66b1c3b |
| SHA512 | 57ee5e2d4e9da586937f2db8a857b197bb4501cb7ba5fedbf8c624014092c31a2ce85cab04bea0c431fdace44820cee957ad304fe86c19889e20221e316558d0 |
memory/5068-64-0x00007FF695990000-0x00007FF695CE4000-memory.dmp
memory/1688-55-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp
memory/2092-47-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp
memory/1624-42-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp
memory/5116-37-0x00007FF758640000-0x00007FF758994000-memory.dmp
memory/2016-33-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp
C:\Windows\System\CevPuLX.exe
| MD5 | 107f6bfb56bf42e910eb6a9ed3cf1986 |
| SHA1 | 3e800f966dd64e3cf9da8d71d85ec8894a9f54ac |
| SHA256 | 3f5fd63772dc8954264111154bad42b059ab660c5c343ed6918d4dc3f98057e3 |
| SHA512 | 196e9d8257be18150ec351c26fa589338a1cb1d81b1241b842202815e818961209da9ad85e6e374149d425bffd2e85efc431629e2aeb9397975f935f3211d8c6 |
memory/4380-18-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp
C:\Windows\System\DSeDILC.exe
| MD5 | 528066938a5b3bd6c01825518fb53517 |
| SHA1 | f5cd630d652efa88fb0a064b7e7fa6428bdc2b1f |
| SHA256 | ead8e59c2832fb1a9ba47badb7bdca0008fae1179807b76838d7d00b33ad97d6 |
| SHA512 | 9bb51a1752af495eb139cf3912aa0d9ad5a82c9d82652a9cdd27694822790234212606a91b2194bab54a0dbc1907d2bcb69f0d342c4343410734f2e23281b80b |
C:\Windows\System\jFBeZjN.exe
| MD5 | 772c11b53c3ce6570264c88d8bae8700 |
| SHA1 | 4fe4fd76c370ad133c6d78b9d137c4c59cef9bc8 |
| SHA256 | 357fd7231be2e1957b8cba8bbb53296308fe2a8a86cbf7a370f1f8776144f2e5 |
| SHA512 | cc5f491b56e0d6f702955a85ca79859320ced3f7e2d4bf74d3bc5d661cfd0edd5d420973f71ab25e9129f4769b94c5813e6d84bac5e04c5cfee801ec35e0fec1 |
memory/516-82-0x00007FF62FD30000-0x00007FF630084000-memory.dmp
memory/4932-93-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp
memory/1608-95-0x00007FF6FB560000-0x00007FF6FB8B4000-memory.dmp
C:\Windows\System\uRNpgZU.exe
| MD5 | 5a3cc804b8e2a4f796023ac59b1bd64c |
| SHA1 | 7de85f894fd3f0a319b5c6b203838f79bab7ecdb |
| SHA256 | 7e1b702b7cb9c8f605b7a3bad27f5400298fc6831beb42b51f878800ced1a177 |
| SHA512 | 5848d16dbf1da20ae6a126804c0ccc137a8a3420e28f6a43f98930698cc40faaaf4e4d6a48f968515e3f726ae1b4498c9b1578600aedfc576c08a5c81bc628f8 |
C:\Windows\System\AXZpuIG.exe
| MD5 | da81daed24206ca7354ef198077ed05a |
| SHA1 | 94b4ef3a8624c7759791d23c8a44d8d316963f32 |
| SHA256 | 720927d16922d49f23ccdc8a225c5ca4a099751dfc919b6c18496efc821be165 |
| SHA512 | 4bb304f45d615f119da7d4aeaf4fb4e907d7bf0b797dbc6f39695b69b51dec1060e11ee5fe4de5a6526692bc4e6e35ca5e341ef80bf88873dcf111d2de1eae27 |
memory/3576-89-0x00007FF7E6B10000-0x00007FF7E6E64000-memory.dmp
C:\Windows\System\Givcypn.exe
| MD5 | c5210d357c3f795831427510344dd633 |
| SHA1 | 64e6932f62cb4da36b73b059ba7c03521ca39009 |
| SHA256 | 3eb77e15884965a5854a78b33a323fce16fdefcbe900a828e44278f52cd41ec6 |
| SHA512 | e8b3b43582b011a995097f7be993884ee80815656e683b63b1ae837346aa2bd244a84e25e6789989495321b426fb248f8a3a8eb056a6de9eaa1b40401024af91 |
memory/3948-102-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp
memory/3340-101-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp
memory/4380-108-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp
C:\Windows\System\PPUPtMF.exe
| MD5 | 509c1a22b62ea2b517379f6e6441c276 |
| SHA1 | d5d89b44166715ac7fccd2673e0d21c373b26351 |
| SHA256 | 685a288baf9260c53148494dd5e849011cc1af694d2b098b69a179ec3f12c29a |
| SHA512 | 2158cd46b1a676e65d860d07f980f1d9f72101484f2161d6bf9bbeb4e0d60cbb1906230a4ebe60d7d15ded0cd6b30c015246b2c94096fa5d2927f13f1b745b6f |
memory/1624-118-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp
C:\Windows\System\mLjMxxq.exe
| MD5 | 43cbcb0214802aaaf026520b7340a0d4 |
| SHA1 | ede0983916a6b005b72b1c27066489908e9796fb |
| SHA256 | 2344541e0a023c240fc87ccbae6b92fc6f542e7d1b52470639e5f97acacf27d3 |
| SHA512 | 1197c753e079b1c6d8d9e4d733ebf9b91f4124d8a930789e94b701ccaa8341531235c866da015b0a58b47926f36d6950b3fa6eda8bcb7cc0efb05fea82d8eb46 |
memory/1688-131-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp
memory/3616-133-0x00007FF686600000-0x00007FF686954000-memory.dmp
memory/4412-132-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp
memory/1480-124-0x00007FF717110000-0x00007FF717464000-memory.dmp
memory/1508-123-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp
C:\Windows\System\kcINOCX.exe
| MD5 | 51da0b9059dee55183346e6effaeb7dc |
| SHA1 | ec6a9468ce8776876b1250ce2b593101cc9eebcd |
| SHA256 | 31ce5d558266365ea207707bda05549e5336998d4526ba4d99ed9c0da0bed13d |
| SHA512 | 63caca26553cf0346e56fdf9ba577cd7c444bbad39ccc60fb5634f08d082557d32a14a6a650995b4a84e46d158d3d5a05499c928f637e8d8b7d325f36dad7b67 |
C:\Windows\System\qwMMLQB.exe
| MD5 | 72688b0c0e95323579ce5d70e727162c |
| SHA1 | eb3ac39599b74b2ab1e0054b87169dd2a8657857 |
| SHA256 | 1e4227e4617fe89b36f53d709420fbef51aff828ddfa5383fa48c0467d11aca2 |
| SHA512 | a85d6ebff0840a32b420f39f9343e428ddab8293a09f53bbda4121c9e7aecd9b92223f2731abae85c48042d59740bd65bcbf6d40fe6e3f39dbb49f392616df91 |