Analysis Overview
SHA256
2e5ede3a0a1efd26cea95a269008368ad9d376e80f3cbcab01f5665d32cc4074
Threat Level: Known bad
The file 2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 01:15
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 01:15
Reported
2024-06-10 01:18
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TlALFKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\REKwFnY.exe | N/A |
| N/A | N/A | C:\Windows\System\UJubOTj.exe | N/A |
| N/A | N/A | C:\Windows\System\YLBCZiv.exe | N/A |
| N/A | N/A | C:\Windows\System\zFJRhcI.exe | N/A |
| N/A | N/A | C:\Windows\System\wmphibY.exe | N/A |
| N/A | N/A | C:\Windows\System\SbgSoBh.exe | N/A |
| N/A | N/A | C:\Windows\System\LpfcxJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YEboFkx.exe | N/A |
| N/A | N/A | C:\Windows\System\anQhADE.exe | N/A |
| N/A | N/A | C:\Windows\System\TViSjzh.exe | N/A |
| N/A | N/A | C:\Windows\System\XrdKsoo.exe | N/A |
| N/A | N/A | C:\Windows\System\crygtgs.exe | N/A |
| N/A | N/A | C:\Windows\System\XhTBwEP.exe | N/A |
| N/A | N/A | C:\Windows\System\UPVxJBu.exe | N/A |
| N/A | N/A | C:\Windows\System\pNKfEkU.exe | N/A |
| N/A | N/A | C:\Windows\System\peQmdVk.exe | N/A |
| N/A | N/A | C:\Windows\System\iWglrnh.exe | N/A |
| N/A | N/A | C:\Windows\System\cwXmtVN.exe | N/A |
| N/A | N/A | C:\Windows\System\qEdLikS.exe | N/A |
| N/A | N/A | C:\Windows\System\yCLwzFU.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\TlALFKQ.exe
C:\Windows\System\TlALFKQ.exe
C:\Windows\System\REKwFnY.exe
C:\Windows\System\REKwFnY.exe
C:\Windows\System\UJubOTj.exe
C:\Windows\System\UJubOTj.exe
C:\Windows\System\YLBCZiv.exe
C:\Windows\System\YLBCZiv.exe
C:\Windows\System\zFJRhcI.exe
C:\Windows\System\zFJRhcI.exe
C:\Windows\System\wmphibY.exe
C:\Windows\System\wmphibY.exe
C:\Windows\System\SbgSoBh.exe
C:\Windows\System\SbgSoBh.exe
C:\Windows\System\LpfcxJZ.exe
C:\Windows\System\LpfcxJZ.exe
C:\Windows\System\YEboFkx.exe
C:\Windows\System\YEboFkx.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
C:\Windows\System\anQhADE.exe
C:\Windows\System\anQhADE.exe
C:\Windows\System\TViSjzh.exe
C:\Windows\System\TViSjzh.exe
C:\Windows\System\XrdKsoo.exe
C:\Windows\System\XrdKsoo.exe
C:\Windows\System\crygtgs.exe
C:\Windows\System\crygtgs.exe
C:\Windows\System\XhTBwEP.exe
C:\Windows\System\XhTBwEP.exe
C:\Windows\System\UPVxJBu.exe
C:\Windows\System\UPVxJBu.exe
C:\Windows\System\pNKfEkU.exe
C:\Windows\System\pNKfEkU.exe
C:\Windows\System\peQmdVk.exe
C:\Windows\System\peQmdVk.exe
C:\Windows\System\iWglrnh.exe
C:\Windows\System\iWglrnh.exe
C:\Windows\System\cwXmtVN.exe
C:\Windows\System\cwXmtVN.exe
C:\Windows\System\qEdLikS.exe
C:\Windows\System\qEdLikS.exe
C:\Windows\System\yCLwzFU.exe
C:\Windows\System\yCLwzFU.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 01:15
Reported
2024-06-10 01:18
Platform
win7-20240215-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NQEscJn.exe | N/A |
| N/A | N/A | C:\Windows\System\kmXwBVu.exe | N/A |
| N/A | N/A | C:\Windows\System\KikRgyd.exe | N/A |
| N/A | N/A | C:\Windows\System\LvXbqUT.exe | N/A |
| N/A | N/A | C:\Windows\System\QMlZjfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\rLgFyUz.exe | N/A |
| N/A | N/A | C:\Windows\System\yNtyEeX.exe | N/A |
| N/A | N/A | C:\Windows\System\aTJkvxa.exe | N/A |
| N/A | N/A | C:\Windows\System\UjjKtsB.exe | N/A |
| N/A | N/A | C:\Windows\System\umiIquy.exe | N/A |
| N/A | N/A | C:\Windows\System\bpWcBRr.exe | N/A |
| N/A | N/A | C:\Windows\System\XrudYYP.exe | N/A |
| N/A | N/A | C:\Windows\System\PjSIxVU.exe | N/A |
| N/A | N/A | C:\Windows\System\SXIskue.exe | N/A |
| N/A | N/A | C:\Windows\System\XJhXiZO.exe | N/A |
| N/A | N/A | C:\Windows\System\fdXeTyO.exe | N/A |
| N/A | N/A | C:\Windows\System\eKIKLgj.exe | N/A |
| N/A | N/A | C:\Windows\System\IdxLmXR.exe | N/A |
| N/A | N/A | C:\Windows\System\ygWMEjf.exe | N/A |
| N/A | N/A | C:\Windows\System\MbNDprI.exe | N/A |
| N/A | N/A | C:\Windows\System\bPEKjre.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9f176d5050a214bd78ff026da96be5e3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NQEscJn.exe
C:\Windows\System\NQEscJn.exe
C:\Windows\System\kmXwBVu.exe
C:\Windows\System\kmXwBVu.exe
C:\Windows\System\KikRgyd.exe
C:\Windows\System\KikRgyd.exe
C:\Windows\System\QMlZjfQ.exe
C:\Windows\System\QMlZjfQ.exe
C:\Windows\System\LvXbqUT.exe
C:\Windows\System\LvXbqUT.exe
C:\Windows\System\rLgFyUz.exe
C:\Windows\System\rLgFyUz.exe
C:\Windows\System\yNtyEeX.exe
C:\Windows\System\yNtyEeX.exe
C:\Windows\System\aTJkvxa.exe
C:\Windows\System\aTJkvxa.exe
C:\Windows\System\UjjKtsB.exe
C:\Windows\System\UjjKtsB.exe
C:\Windows\System\umiIquy.exe
C:\Windows\System\umiIquy.exe
C:\Windows\System\bpWcBRr.exe
C:\Windows\System\bpWcBRr.exe
C:\Windows\System\XrudYYP.exe
C:\Windows\System\XrudYYP.exe
C:\Windows\System\PjSIxVU.exe
C:\Windows\System\PjSIxVU.exe
C:\Windows\System\SXIskue.exe
C:\Windows\System\SXIskue.exe
C:\Windows\System\eKIKLgj.exe
C:\Windows\System\eKIKLgj.exe
C:\Windows\System\XJhXiZO.exe
C:\Windows\System\XJhXiZO.exe
C:\Windows\System\IdxLmXR.exe
C:\Windows\System\IdxLmXR.exe
C:\Windows\System\fdXeTyO.exe
C:\Windows\System\fdXeTyO.exe
C:\Windows\System\ygWMEjf.exe
C:\Windows\System\ygWMEjf.exe
C:\Windows\System\MbNDprI.exe
C:\Windows\System\MbNDprI.exe
C:\Windows\System\bPEKjre.exe
C:\Windows\System\bPEKjre.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files