Analysis Overview
SHA256
9b5733ec68fa13eedbb1f38a15baa124c7abf0980fba635d65762242e8a2d5da
Threat Level: Known bad
The file 2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
UPX packed file
Unsigned PE
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
What the signatures add up to: an unsigned, UPX-packed 64-bit executable that drops 21 further executables with random seven-letter names into the legacy C:\Windows\System directory (not System32) and runs each of them, enables SeLockMemoryPrivilege (the "Lock pages in memory" right that XMRig requests for large-page RandomX scratchpads), and repeatedly connects to 3.120.209.58:8080 over TCP. The Cobalt Strike labels rest on reflective-loader detections alone; the report extracts no beacon configuration, so treat that family attribution as unconfirmed and the miner behaviour as the reliable finding.
Analysis: static1
Detonation Overview
Reported
2024-06-11 16:13
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
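The two static1 verdicts above, UPX packed file and Unsigned PE, can be reproduced on any PE without a sandbox. The block below is an added example, not the sandbox's own logic and not derived from the sample's bytes: build_pe() fabricates minimal PE32+ headers as constructed test input, and the UPX0/UPX1 section-name and "UPX!" marker checks are the stock-UPX heuristics, which a repacked or renamed stub defeats.

```python
"""Static check for UPX packing and a missing Authenticode blob on a raw PE.
Added example, not sandbox code; build_pe() produces constructed test input."""
import struct

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}   # names used by the stock UPX stub
SECURITY_DIR = 4                           # IMAGE_DIRECTORY_ENTRY_SECURITY


def parse_pe(data):
    """Return (section names, (security_dir_file_offset, security_dir_size))."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = 112 if magic == 0x20B else 96      # data-directory offset: PE32+ vs PE32
    if opt_size < dd + 8 * (SECURITY_DIR + 1):
        raise ValueError("optional header too short for a security directory")
    sec_off, sec_size = struct.unpack_from("<II", data, opt + dd + 8 * SECURITY_DIR)
    table = opt + opt_size                   # section headers follow the optional header
    names = []
    for i in range(nsec):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names, (sec_off, sec_size)


def triage_pe(data):
    """The static1 verdicts: is it UPX-packed, does it carry a signature blob at all."""
    names, (_, sec_size) = parse_pe(data)
    # Both markers are trivially renamed by a custom stub, so a miss proves nothing.
    packed = bool(UPX_SECTIONS & set(names)) or b"UPX!" in data[:0x1000]
    return {"sections": names, "upx_packed": packed, "has_authenticode": sec_size > 0}


def build_pe(section_names, signed=False):
    """Constructed, non-runnable PE32+ headers for testing; not the sample's bytes."""
    n = len(section_names)
    opt_size = 240                                          # PE32+ optional header
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)       # e_lfanew at 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    if signed:
        # Security directory holds a file offset and size of the WIN_CERTIFICATE blob;
        # the values are placeholders, nothing dereferences them here.
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x1000, 0x800)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii")[:8], 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_pe(fh.read()))
```

has_authenticode only says a signature blob is attached; whether it chains to a trusted root needs WinVerifyTrust (Get-AuthenticodeSignature in PowerShell). The report's "UPX dump on OEP" signature is the dynamic counterpart of the section-name check: the sandbox let the stub unpack and dumped the process at the original entry point.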
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 16:13
Reported
2024-06-11 16:16
Platform
win7-20240419-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits listed; the report records no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits listed; the report records no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
63 hits listed; the report records no description, indicator, process or target for any of them.
XMRig Miner payload
64 hits listed; the report records no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jmeFhWT.exe | N/A |
| N/A | N/A | C:\Windows\System\ticTDsR.exe | N/A |
| N/A | N/A | C:\Windows\System\FLKHAfi.exe | N/A |
| N/A | N/A | C:\Windows\System\FyrAybv.exe | N/A |
| N/A | N/A | C:\Windows\System\WpnCNHL.exe | N/A |
| N/A | N/A | C:\Windows\System\MEVQcAW.exe | N/A |
| N/A | N/A | C:\Windows\System\NEVRnPk.exe | N/A |
| N/A | N/A | C:\Windows\System\VoPwbvb.exe | N/A |
| N/A | N/A | C:\Windows\System\RQSdRpK.exe | N/A |
| N/A | N/A | C:\Windows\System\ClDMtFt.exe | N/A |
| N/A | N/A | C:\Windows\System\DTUKxln.exe | N/A |
| N/A | N/A | C:\Windows\System\gnivCDS.exe | N/A |
| N/A | N/A | C:\Windows\System\IOqfvFO.exe | N/A |
| N/A | N/A | C:\Windows\System\umQHDAV.exe | N/A |
| N/A | N/A | C:\Windows\System\KCSWhBO.exe | N/A |
| N/A | N/A | C:\Windows\System\MZiXxsk.exe | N/A |
| N/A | N/A | C:\Windows\System\KqztTcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\BJHqEiA.exe | N/A |
| N/A | N/A | C:\Windows\System\meUyfWT.exe | N/A |
| N/A | N/A | C:\Windows\System\tcJoBPa.exe | N/A |
| N/A | N/A | C:\Windows\System\WFfipTN.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits listed; the report records no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\jmeFhWT.exe | C:\Windows\System\jmeFhWT.exe |
| C:\Windows\System\ticTDsR.exe | C:\Windows\System\ticTDsR.exe |
| C:\Windows\System\FLKHAfi.exe | C:\Windows\System\FLKHAfi.exe |
| C:\Windows\System\FyrAybv.exe | C:\Windows\System\FyrAybv.exe |
| C:\Windows\System\WpnCNHL.exe | C:\Windows\System\WpnCNHL.exe |
| C:\Windows\System\MEVQcAW.exe | C:\Windows\System\MEVQcAW.exe |
| C:\Windows\System\NEVRnPk.exe | C:\Windows\System\NEVRnPk.exe |
| C:\Windows\System\VoPwbvb.exe | C:\Windows\System\VoPwbvb.exe |
| C:\Windows\System\RQSdRpK.exe | C:\Windows\System\RQSdRpK.exe |
| C:\Windows\System\ClDMtFt.exe | C:\Windows\System\ClDMtFt.exe |
| C:\Windows\System\DTUKxln.exe | C:\Windows\System\DTUKxln.exe |
| C:\Windows\System\gnivCDS.exe | C:\Windows\System\gnivCDS.exe |
| C:\Windows\System\IOqfvFO.exe | C:\Windows\System\IOqfvFO.exe |
| C:\Windows\System\umQHDAV.exe | C:\Windows\System\umQHDAV.exe |
| C:\Windows\System\KCSWhBO.exe | C:\Windows\System\KCSWhBO.exe |
| C:\Windows\System\MZiXxsk.exe | C:\Windows\System\MZiXxsk.exe |
| C:\Windows\System\KqztTcZ.exe | C:\Windows\System\KqztTcZ.exe |
| C:\Windows\System\BJHqEiA.exe | C:\Windows\System\BJHqEiA.exe |
| C:\Windows\System\meUyfWT.exe | C:\Windows\System\meUyfWT.exe |
| C:\Windows\System\tcJoBPa.exe | C:\Windows\System\tcJoBPa.exe |
| C:\Windows\System\WFfipTN.exe | C:\Windows\System\WFfipTN.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to the same address and port, the only destination in this run; no DNS name was associated with it.
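The three behaviours that make this run distinctive, dropping random-named executables into C:\Windows\System and running them, enabling SeLockMemoryPrivilege, and connecting to one fixed endpoint, can be correlated from ordinary host telemetry. The block below is an added example, not sandbox output: the pipe-delimited event format and the scoring are assumptions, the PIDs, paths, privilege and C2 endpoint come from this run, and the sqlservr and svchost lines are invented benign activity that must not fire.

```python
"""Correlate dropped-EXE execution, SeLockMemoryPrivilege and C2 traffic per process.
Added example, not sandbox code; the log below is constructed."""
import re
from collections import defaultdict

C2_ENDPOINTS = {"3.120.209.58:8080"}                 # Network table, both runs
DROP_DIR = "c:\\windows\\system\\"                   # legacy dir, not System32
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.I)   # jmeFhWT.exe, ticTDsR.exe, ...
MINER_PRIVS = {"SeLockMemoryPrivilege"}              # large pages for RandomX
# Assumed allow-list: SQL Server legitimately enables "Lock pages in memory".
LOCK_PAGES_ALLOWLIST = {"sqlservr.exe"}

# Constructed telemetry in an assumed "ts|event|key=value|..." layout.
CONSTRUCTED_LOG = """\
2024-06-11T16:13:50Z|ProcessCreate|pid=1200|ppid=800|image=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe
2024-06-11T16:13:51Z|TokenAdjust|pid=1200|privilege=SeLockMemoryPrivilege
2024-06-11T16:14:02Z|ProcessCreate|pid=2940|ppid=1500|image=C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe
2024-06-11T16:14:03Z|FileCreate|pid=2940|target=C:\\Windows\\System\\jmeFhWT.exe
2024-06-11T16:14:03Z|ProcessCreate|pid=2540|ppid=2940|image=C:\\Windows\\System\\jmeFhWT.exe
2024-06-11T16:14:04Z|FileCreate|pid=2940|target=C:\\Windows\\System\\ticTDsR.exe
2024-06-11T16:14:04Z|ProcessCreate|pid=2072|ppid=2940|image=C:\\Windows\\System\\ticTDsR.exe
2024-06-11T16:14:05Z|TokenAdjust|pid=2940|privilege=SeLockMemoryPrivilege
2024-06-11T16:14:06Z|NetConnect|pid=2940|dst=3.120.209.58:8080
2024-06-11T16:14:07Z|ProcessCreate|pid=4100|ppid=800|image=C:\\Windows\\System32\\svchost.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_event(line):
    ts, event, *fields = line.split("|")
    rec = {"ts": ts, "event": event}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    return rec


def analyze(log_text):
    """Map pid -> list of suspicious behaviours observed for that process."""
    images = {}                  # pid -> image path
    dropped = set()              # lower-cased executables written under DROP_DIR
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_event(line)
        ev, pid = r["event"], r["pid"]
        if ev == "ProcessCreate":
            img = r["image"]
            images[pid] = img
            low = img.lower()
            # svchost.exe is also seven letters: the directory is what makes this odd.
            if low.startswith(DROP_DIR) and RANDOM_NAME.match(basename(low)):
                what = "executes dropped EXE" if low in dropped else "executes random-named EXE"
                findings[pid].append(f"{what} in C:\\Windows\\System ({basename(img)})")
                if r.get("ppid") in images:
                    findings[r["ppid"]].append(f"spawns {basename(img)} from C:\\Windows\\System")
        elif ev == "FileCreate":
            tgt = r["target"].lower()
            if tgt.startswith(DROP_DIR) and tgt.endswith(".exe"):
                dropped.add(tgt)
                findings[pid].append(f"drops executable into C:\\Windows\\System ({basename(r['target'])})")
        elif ev == "TokenAdjust":
            priv = r["privilege"]
            owner = basename(images.get(pid, "")).lower()
            if priv in MINER_PRIVS and owner not in LOCK_PAGES_ALLOWLIST:
                findings[pid].append(f"enables {priv} (large pages; XMRig asks for this)")
        elif ev == "NetConnect":
            if r["dst"] in C2_ENDPOINTS:
                findings[pid].append(f"connects to known C2 {r['dst']}")
    return dict(findings)


def flagged(log_text, min_findings=2):
    """PIDs showing at least min_findings distinct behaviours, most suspicious first."""
    result = analyze(log_text)
    return sorted((p for p, f in result.items() if len(f) >= min_findings),
                  key=lambda p: -len(result[p]))


if __name__ == "__main__":
    for pid, items in analyze(CONSTRUCTED_LOG).items():
        print(pid, *items, sep="\n    ")
```

On real Windows telemetry the same fields come from Sysmon event IDs 1 (process create), 11 (file create) and 3 (network connect), and from Security event 4703, whose EnabledPrivilegeList names the adjusted right. The allow-list matters: SQL Server asks for Lock pages in memory as a matter of course, so the privilege alone is only a miner indicator when the requesting image is not one you expect.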
Files (dropped files with their hashes, interleaved with memory dumps named memory/<pid>-<n>-<start>-<end>-memory.dmp). Every image-sized dumped region is 0x354000 bytes, the same size as the parent's own image at 0x13F250000, so each dropped file is a size-identical re-drop of the sample under a random name, each with a different hash. Pid 2940, whose dumps come first and which holds a copy of every other image at that child's own base address, is evidently the parent; that pattern is consistent with it mapping each dropped file as a module (the Loads dropped DLL signature) as well as executing it.
memory/2940-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2940-1-0x000000013F250000-0x000000013F5A4000-memory.dmp
\Windows\system\jmeFhWT.exe
| MD5 | 45be0acaba61b8a8003f58866b7f3b5a |
| SHA1 | 1d3c13cd16f5261e4af10e8b416f4dc21dd3a803 |
| SHA256 | 9dd8404a6e38486b3950460327c547e7ea2127526ecadd28fc458857e0121336 |
| SHA512 | d7aabb9eeb3bf35d528d52498bdcde59e1eca58e4a56f273634f9cf4891e3078d7b5e046afa72f8e727ea39691033624864c8a4577aa9a01f8296d47d75a7851 |
\Windows\system\ticTDsR.exe
| MD5 | 5a0c9d19fcab038912d5d5cc604c2f93 |
| SHA1 | 160b6701a1c860e9ee0a1d77209620cdc552895a |
| SHA256 | fffd8c7e76c0f2d17dd54c3979d90c50886aeb8cc74267d08efeb9a191af6c2b |
| SHA512 | 9539dfbeea953b279dd8a1e79fca0a669e16ed7bee6931c1e5cc23668d291d4817697eb7bf9d04ea914f176f9b1709dcc48c28e7088950e781705e8fffc4cc6c |
C:\Windows\system\FLKHAfi.exe
| MD5 | 66e8120f3cb8c8d114ef38455de2ad9e |
| SHA1 | 442c2c6b79d9226013b303feef3a57ffda9bfd4e |
| SHA256 | 30da27366cb0933b4914ea3aec56ef318cb3bdc4c0d7c0fb93e9b06c7f0f6176 |
| SHA512 | 34bdbcb5fcda895173f18231f5049d58faeefebc03ae757211ae461cfcd3634a90c87a7473afbfe496cdf26b4c1f0861e27a622ef55382af1d5879b9461da425 |
memory/2940-20-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2648-22-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2940-19-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2072-18-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2540-16-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2940-7-0x000000013F970000-0x000000013FCC4000-memory.dmp
\Windows\system\FyrAybv.exe
| MD5 | 2a4f92fea9ea48301dbde28380bb9c09 |
| SHA1 | 5f9755ee854227ead0882dc4b9ed3495db19db56 |
| SHA256 | bbb18fe8fb2448ae3c0c1f3a7956caf23d4567e83cf045d69711669d0f0c8ebf |
| SHA512 | 41b7616ff811adc88cfda5579b1c584efb5dd47f10780b694158c3797ac949bdbed77bf195268766f402bb4bd2478a17c4ddff0ae8925c2dddd7a9b4bd3b4b3f |
memory/2940-27-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2556-30-0x000000013F3E0000-0x000000013F734000-memory.dmp
\Windows\system\MEVQcAW.exe
| MD5 | e0a2bd237735720f7ca63b20524d11c7 |
| SHA1 | 74f12fa0b328a5e935312c869ae706d4b1cd367b |
| SHA256 | b1d69a1be1ccba820b278bc1f1ff29fc2602f7257ddbcb2c23a1cc86a71fc3dc |
| SHA512 | 1b8e44cfcf8e00a54630824f9af96207fbcd73fab073a0ca5b19605d9482b46e0d6f9a656caf2e3a6b1643f2bd79e9cb884ef7e350d17790bea911e5568121ca |
memory/2940-35-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2476-44-0x000000013FD20000-0x0000000140074000-memory.dmp
\Windows\system\NEVRnPk.exe
| MD5 | 4b611a561121236d9d32bc04fe31de85 |
| SHA1 | c5620b4383b40c5c54a97f45b5306e93fdf7c2cc |
| SHA256 | 8753463d6b58c881d427b5c3fa82be3eda4e4ef3e1ca93daa2d9a516904fdfd6 |
| SHA512 | fa1fbecaf3ea8c99bd6f46d3f2c3d8e1a5e22d1905575e268adc05c3664c1fb29b49f828a831c3527f898b1d1dcda7fdaa038b21098ab7ed3093de163d99f08a |
memory/2940-56-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2144-57-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2448-50-0x000000013FE20000-0x0000000140174000-memory.dmp
\Windows\system\RQSdRpK.exe
| MD5 | 3df654e99b54eb14d24afd099c73a13e |
| SHA1 | fe145a4f50f44a6af379f0c83df71782ce58ac87 |
| SHA256 | bdd3b48a3ad41d38db3ea107a49e4a9a7070a49a0ebf974a27f381be2121d073 |
| SHA512 | 64f273d4a57c647cc49b8c8fc345110e8816a4f74507756e246a605e41f417e2f54f11239cb9a689da3169aea2792f60e0bb753904acccec68563743d33bf5e9 |
memory/2676-66-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2540-65-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2940-64-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2940-49-0x000000013FE20000-0x0000000140174000-memory.dmp
C:\Windows\system\VoPwbvb.exe
| MD5 | fa5bd831c1a37ccb37b3e7067adf8cea |
| SHA1 | c293a842dcbce0add66bba7c3a03de4757d8a8bc |
| SHA256 | a6872d2be1996f82b22f65b96210093daea08d11ab5602651c2393a9f7068a45 |
| SHA512 | bdf1c1cc8d4fd5250e373d02046253c517093a177fde09e4cdc16a76e94de57d3656f353bea0127a58c1c1dab22fec18ba49d38d661ce2005f8855dcae92a3e8 |
C:\Windows\system\ClDMtFt.exe
| MD5 | 8fecd2a94a2a714a6f243b72394378f3 |
| SHA1 | dbb2cc8264cb63539f3b440f96181de18cfd4e25 |
| SHA256 | bc08e8998591dc8249d5ad241e327fa33c1ae48817eb4ab4fc701904cfdc4698 |
| SHA512 | ce0be46551116296bf5e3d6d151a0815f26d41328280fe749df1e1d14f53b304b06b2bd2655e0a50bba54bd09d5c3c451b88fd9474b8863e9695446707bae4c9 |
memory/340-73-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\DTUKxln.exe
| MD5 | 66a69153de78dd80266fcda4fa796f27 |
| SHA1 | 71ef3695a4a424ad2933dfe92c3fd6fe145157f7 |
| SHA256 | fa36626cee591167210ab8b1195a2124030c56ea458b9f1876aca9d13c4451e6 |
| SHA512 | 308bdd6dfb332dedbf6f922ae6e16b2c317a3b1c3bdca1c50b07386a412b305e4bcc8d7087aabd4e30a007da087055ad7b2d370bab1835bdc38efb0e7717454a |
memory/2548-79-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2772-89-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1424-96-0x000000013F760000-0x000000013FAB4000-memory.dmp
C:\Windows\system\BJHqEiA.exe
| MD5 | 9b6562e215610b94c9686bd24299ef63 |
| SHA1 | 63065ebe990240534f825954d5abb3fc4c505757 |
| SHA256 | 0695cd2b275bce23f2c26369aa3af14db284a9e176a2f2222e63302c3f5c1fd0 |
| SHA512 | ffbcdf90c3c3a000866eb881e43b07a9395f08957091eeb9af13910e05194a7ea85edc825efa37ac2bb330020b773b98ee8b51ca130055f9c0f6be2bbf702b56 |
\Windows\system\WFfipTN.exe
| MD5 | 36f0380ef5e47ed682f90dd6a769060c |
| SHA1 | cc70ec0e39f44c52b2100037fdd2225adae725b7 |
| SHA256 | b8f363aeb9383dfceb68f47b6e970c19b17a4e3a4ca8047c56f8a4ca2ac1bd0d |
| SHA512 | fbdf7c5e4bdf2bfebdefcb82248759c951779a2b0f28a0794f03836a46f241a6db1248c30e566d4c31721834d561652caaacc85faf999846646da7c5c9e94dcb |
C:\Windows\system\tcJoBPa.exe
| MD5 | 2ec23df39b650474516cb4dba2fd2d0f |
| SHA1 | 7329f53d15a7f43b0a0e13a48ebcbd3c819969e4 |
| SHA256 | 33a9b0ece91d727952d46b32ac57d2ba974f36716aacb1a4b93bac618058a6a5 |
| SHA512 | 4a5be516f977a52e181d9b3e577f2788554b427da041016a66d461fe36c70dcd9a81278c870c688f56e493b67a340675c55d7a962014b393cabc0ddb444d48cb |
C:\Windows\system\meUyfWT.exe
| MD5 | 8e114927ece84a081ea728721089327c |
| SHA1 | 3a226ec7b7b919c510553fea82e320e9d79c7835 |
| SHA256 | bba146331a050f1e39c8d1c7749e689936d8799421b2968a989369c86447ff88 |
| SHA512 | 7ced8b9cc95a62b13e71ebf9a6e978385e6677bbac6ca7487cc1ad8e18f0359e91c4a75736bef18138378a7d51dfbc520ec92b731f48b296671cbf324680aec2 |
C:\Windows\system\KqztTcZ.exe
| MD5 | cfa124d1efdf44e0f7782a8d6ff61ced |
| SHA1 | a92d1c7ca75d41a5202d1585d9ce43ab188d4637 |
| SHA256 | 625f0a7e41266e9fe511686ca784adfaa5f2516fbe00ba97c5ea54e4c69bc4d8 |
| SHA512 | 27c36d7939c2225efef543c666cbf9fe9f3fbfa7cd28824ffe2762b953c6f0488a5586f065f9ee97736a83fdb62afac45540bf373e1a7b6fad3b84b4cc31c1e4 |
memory/2940-111-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2476-110-0x000000013FD20000-0x0000000140074000-memory.dmp
C:\Windows\system\KCSWhBO.exe
| MD5 | 0789a09196979f0d7e03d11f72433021 |
| SHA1 | 7c097f31cfea6c5d7f438c489b675e0c46bd8c60 |
| SHA256 | e8587e8913ae29346c78d2c47cbac7d87b085db54fb36c89c57a028023ca70c6 |
| SHA512 | 4b1ceea76e97c95aaacc9f620be2cd5d1ab08fcc5035dee03b90742c5f2149880c94a00139f24a2f77030f54f31b06bff277038ebb3f676a5c164f1f09b37bf7 |
C:\Windows\system\MZiXxsk.exe
| MD5 | 3a21c4433e2315a17346af8532c2697c |
| SHA1 | 5611160de2c47574e7dbfc68301188455b2f2e47 |
| SHA256 | 94248b7017520141faf1b88b6782a9c3a9917710c1598dca8e0b4c80f15cc9c9 |
| SHA512 | 1e813c9b8fd4a9dcc90c8d9bf5d97f16a9ee0896f471802f6cf50e554917780e23625a571988b707c4b35acd899e32f0da75862ad949731579e00800eac6d162 |
memory/2448-142-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/1840-104-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\umQHDAV.exe
| MD5 | 5d080bcf74cc6b3998d2b6616ad8dc97 |
| SHA1 | d6517f75c327a6985fc08e332202b463f01cb210 |
| SHA256 | 67ec38fe19247079ae9eb3400bc0e70e4130e04e049f04cfe3f570f4621a37e2 |
| SHA512 | 176c64da572b283a4794f333a6595f67540fc31c4381e9149203c07c563a804c32cb45639e6061e2d483a4e2030f8a5ae81ebc611c1dc7017138eac46e0ef150 |
memory/2940-100-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2940-95-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2484-94-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2556-93-0x000000013F3E0000-0x000000013F734000-memory.dmp
C:\Windows\system\IOqfvFO.exe
| MD5 | a1a6002c82387a79258c6cb8609e011d |
| SHA1 | a2ca195c41be66acfa833d8602a0aa6e01b0d219 |
| SHA256 | d28d6e2e454a13fde94de54bffb96a6aaffb33ac76ffc1ba9bdd8ef0d7292d7f |
| SHA512 | 80bee9fa4fa8fabdb4077c5874d5a5d1d0142decf2cf2c992da3cd12dae1346dbe9348c9b6c275424ce9168767bb1e969002d55c3a75c59412de0c2177ef5d9e |
memory/2940-88-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2648-87-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\gnivCDS.exe
| MD5 | 8f7d2b485cf7dc0129d3b550dcbae633 |
| SHA1 | f61c764389931a9bfde2c28eff257b29e229bf09 |
| SHA256 | cccbb8edd43c64f94a181de03d09bad29b913d6864946b7b4d6da1d8afd3585b |
| SHA512 | ed60b97c036c599cfdcc9ce149f8873057ba4dc32db523ece23c05c2a5faa7f2a522172c2788f5d78e7255f202ef81ffdfccd3d096d4b41661bbf90cac4c7e80 |
memory/2940-78-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2940-72-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2072-71-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2144-143-0x000000013FEB0000-0x0000000140204000-memory.dmp
C:\Windows\system\WpnCNHL.exe
| MD5 | da16458c0908072b51f63a697102332b |
| SHA1 | 84b9506a9b3c8439574d488c68ed58fb484ed41a |
| SHA256 | 4fedfd581d940273deb03f430ab2e6edd8135fe65b1287ed33a2a6062e930884 |
| SHA512 | 4d47f69f4828e978b4fd8e639e0db249ecd28aff6ad3a21cca94776282548b78a8e87ecdf2a70fcf67a9a24317d116782210a7512e4cefafea63d0f45061957c |
memory/2940-41-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2484-37-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2940-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/340-145-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2940-146-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2548-147-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2940-148-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1424-149-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2940-150-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/1840-151-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2940-152-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2540-153-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2072-154-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2648-156-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2556-155-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2484-157-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2476-158-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2448-159-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2144-160-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2676-161-0x000000013F510000-0x000000013F864000-memory.dmp
memory/340-162-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2548-163-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2772-164-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1424-165-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1840-166-0x000000013F8F0000-0x000000013FC44000-memory.dmp
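The Files list above becomes usable for hunting once it is split into dropped-file hashes and memory-dump regions, and the region sizes make the "all the same image size" observation checkable rather than eyeballed. The following is an added example, not the sandbox's own tooling: the excerpt is copied from the entries above (two dropped files and four dumps), the record layout is inferred from them, and memory/<pid>-<n>-<start>-<end>-memory.dmp is assumed to be the dump naming scheme.

```python
"""Parse a Files section of this report into IOC lines and per-pid image regions.
Added example, not sandbox code; EXCERPT is copied from the behavioral1 Files list."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

EXCERPT = """\
memory/2940-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2940-1-0x000000013F250000-0x000000013F5A4000-memory.dmp
\\Windows\\system\\jmeFhWT.exe
| MD5 | 45be0acaba61b8a8003f58866b7f3b5a |
| SHA1 | 1d3c13cd16f5261e4af10e8b416f4dc21dd3a803 |
| SHA256 | 9dd8404a6e38486b3950460327c547e7ea2127526ecadd28fc458857e0121336 |
C:\\Windows\\system\\FLKHAfi.exe
| MD5 | 66e8120f3cb8c8d114ef38455de2ad9e |
| SHA256 | 30da27366cb0933b4914ea3aec56ef318cb3bdc4c0d7c0fb93e9b06c7f0f6176 |
memory/2940-20-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2648-22-0x000000013FC20000-0x000000013FF74000-memory.dmp
"""


def parse_files_section(text):
    """Return (files, dumps): files = [{"path", "name", "hashes"}], dumps = [{pid, index, start, end, size}]."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "index": int(idx), "start": start,
                          "end": end, "size": end - start})
            current = None           # a hash row after a dump would be an orphan
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        # Anything else is a dropped-file path; the report omits the drive letter on some.
        current = {"path": line, "name": line.rsplit("\\", 1)[-1], "hashes": {}}
        files.append(current)
    return files, dumps


def image_regions(dumps):
    """pid -> sorted (base, size) pairs, deduplicated across repeated dumps."""
    by_pid = defaultdict(set)
    for d in dumps:
        by_pid[d["pid"]].add((d["start"], d["size"]))
    return {pid: sorted(regions) for pid, regions in by_pid.items()}


def uniform_image_size(dumps, min_size=0x100000):
    """Distinct sizes of image-sized regions (ignores small heap/stack dumps)."""
    return {d["size"] for d in dumps if d["size"] >= min_size}


def ioc_lines(files, algo="SHA256"):
    """One "<hash>  <name>" line per dropped file that carries the requested hash."""
    return [f"{f['hashes'][algo]}  {f['name']}" for f in files if algo in f["hashes"]]


if __name__ == "__main__":
    files, dumps = parse_files_section(EXCERPT)
    print("\n".join(ioc_lines(files)))
    print({hex(s) for s in uniform_image_size(dumps)}, image_regions(dumps))
```

Running it on the full Files list above yields one 0x354000 size for every image region and a SHA256 per dropped file; the FLKHAfi.exe entry in the excerpt deliberately lacks a SHA1 row to show that ioc_lines() only emits files that carry the requested algorithm.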
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 16:13
Reported
2024-06-11 16:16
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits listed; the report records no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits listed; the report records no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
64 hits listed; the report records no description, indicator, process or target for any of them.
XMRig Miner payload
64 hits listed; the report records no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jmeFhWT.exe | N/A |
| N/A | N/A | C:\Windows\System\ticTDsR.exe | N/A |
| N/A | N/A | C:\Windows\System\FLKHAfi.exe | N/A |
| N/A | N/A | C:\Windows\System\FyrAybv.exe | N/A |
| N/A | N/A | C:\Windows\System\WpnCNHL.exe | N/A |
| N/A | N/A | C:\Windows\System\MEVQcAW.exe | N/A |
| N/A | N/A | C:\Windows\System\NEVRnPk.exe | N/A |
| N/A | N/A | C:\Windows\System\VoPwbvb.exe | N/A |
| N/A | N/A | C:\Windows\System\RQSdRpK.exe | N/A |
| N/A | N/A | C:\Windows\System\ClDMtFt.exe | N/A |
| N/A | N/A | C:\Windows\System\DTUKxln.exe | N/A |
| N/A | N/A | C:\Windows\System\gnivCDS.exe | N/A |
| N/A | N/A | C:\Windows\System\IOqfvFO.exe | N/A |
| N/A | N/A | C:\Windows\System\umQHDAV.exe | N/A |
| N/A | N/A | C:\Windows\System\KCSWhBO.exe | N/A |
| N/A | N/A | C:\Windows\System\KqztTcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MZiXxsk.exe | N/A |
| N/A | N/A | C:\Windows\System\BJHqEiA.exe | N/A |
| N/A | N/A | C:\Windows\System\meUyfWT.exe | N/A |
| N/A | N/A | C:\Windows\System\tcJoBPa.exe | N/A |
| N/A | N/A | C:\Windows\System\WFfipTN.exe | N/A |
UPX packed file
64 hits listed; the report records no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_d2508d5767599a1626197fd6409abe0a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\jmeFhWT.exe | C:\Windows\System\jmeFhWT.exe |
| C:\Windows\System\ticTDsR.exe | C:\Windows\System\ticTDsR.exe |
| C:\Windows\System\FLKHAfi.exe | C:\Windows\System\FLKHAfi.exe |
| C:\Windows\System\FyrAybv.exe | C:\Windows\System\FyrAybv.exe |
| C:\Windows\System\WpnCNHL.exe | C:\Windows\System\WpnCNHL.exe |
| C:\Windows\System\MEVQcAW.exe | C:\Windows\System\MEVQcAW.exe |
| C:\Windows\System\NEVRnPk.exe | C:\Windows\System\NEVRnPk.exe |
| C:\Windows\System\VoPwbvb.exe | C:\Windows\System\VoPwbvb.exe |
| C:\Windows\System\RQSdRpK.exe | C:\Windows\System\RQSdRpK.exe |
| C:\Windows\System\ClDMtFt.exe | C:\Windows\System\ClDMtFt.exe |
| C:\Windows\System\DTUKxln.exe | C:\Windows\System\DTUKxln.exe |
| C:\Windows\System\gnivCDS.exe | C:\Windows\System\gnivCDS.exe |
| C:\Windows\System\IOqfvFO.exe | C:\Windows\System\IOqfvFO.exe |
| C:\Windows\System\umQHDAV.exe | C:\Windows\System\umQHDAV.exe |
| C:\Windows\System\KCSWhBO.exe | C:\Windows\System\KCSWhBO.exe |
| C:\Windows\System\MZiXxsk.exe | C:\Windows\System\MZiXxsk.exe |
| C:\Windows\System\KqztTcZ.exe | C:\Windows\System\KqztTcZ.exe |
| C:\Windows\System\BJHqEiA.exe | C:\Windows\System\BJHqEiA.exe |
| C:\Windows\System\meUyfWT.exe | C:\Windows\System\meUyfWT.exe |
| C:\Windows\System\tcJoBPa.exe | C:\Windows\System\tcJoBPa.exe |
| C:\Windows\System\WFfipTN.exe | C:\Windows\System\WFfipTN.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.48:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4712-0-0x00007FF7C5310000-0x00007FF7C5664000-memory.dmp
memory/4712-1-0x000001F83D200000-0x000001F83D210000-memory.dmp
C:\Windows\System\jmeFhWT.exe
| MD5 | 45be0acaba61b8a8003f58866b7f3b5a |
| SHA1 | 1d3c13cd16f5261e4af10e8b416f4dc21dd3a803 |
| SHA256 | 9dd8404a6e38486b3950460327c547e7ea2127526ecadd28fc458857e0121336 |
| SHA512 | d7aabb9eeb3bf35d528d52498bdcde59e1eca58e4a56f273634f9cf4891e3078d7b5e046afa72f8e727ea39691033624864c8a4577aa9a01f8296d47d75a7851 |
C:\Windows\System\ticTDsR.exe
| MD5 | 5a0c9d19fcab038912d5d5cc604c2f93 |
| SHA1 | 160b6701a1c860e9ee0a1d77209620cdc552895a |
| SHA256 | fffd8c7e76c0f2d17dd54c3979d90c50886aeb8cc74267d08efeb9a191af6c2b |
| SHA512 | 9539dfbeea953b279dd8a1e79fca0a669e16ed7bee6931c1e5cc23668d291d4817697eb7bf9d04ea914f176f9b1709dcc48c28e7088950e781705e8fffc4cc6c |
C:\Windows\System\FyrAybv.exe
| MD5 | 2a4f92fea9ea48301dbde28380bb9c09 |
| SHA1 | 5f9755ee854227ead0882dc4b9ed3495db19db56 |
| SHA256 | bbb18fe8fb2448ae3c0c1f3a7956caf23d4567e83cf045d69711669d0f0c8ebf |
| SHA512 | 41b7616ff811adc88cfda5579b1c584efb5dd47f10780b694158c3797ac949bdbed77bf195268766f402bb4bd2478a17c4ddff0ae8925c2dddd7a9b4bd3b4b3f |
C:\Windows\System\FLKHAfi.exe
| MD5 | 66e8120f3cb8c8d114ef38455de2ad9e |
| SHA1 | 442c2c6b79d9226013b303feef3a57ffda9bfd4e |
| SHA256 | 30da27366cb0933b4914ea3aec56ef318cb3bdc4c0d7c0fb93e9b06c7f0f6176 |
| SHA512 | 34bdbcb5fcda895173f18231f5049d58faeefebc03ae757211ae461cfcd3634a90c87a7473afbfe496cdf26b4c1f0861e27a622ef55382af1d5879b9461da425 |
C:\Windows\System\MEVQcAW.exe
| MD5 | e0a2bd237735720f7ca63b20524d11c7 |
| SHA1 | 74f12fa0b328a5e935312c869ae706d4b1cd367b |
| SHA256 | b1d69a1be1ccba820b278bc1f1ff29fc2602f7257ddbcb2c23a1cc86a71fc3dc |
| SHA512 | 1b8e44cfcf8e00a54630824f9af96207fbcd73fab073a0ca5b19605d9482b46e0d6f9a656caf2e3a6b1643f2bd79e9cb884ef7e350d17790bea911e5568121ca |
C:\Windows\System\NEVRnPk.exe
| MD5 | 4b611a561121236d9d32bc04fe31de85 |
| SHA1 | c5620b4383b40c5c54a97f45b5306e93fdf7c2cc |
| SHA256 | 8753463d6b58c881d427b5c3fa82be3eda4e4ef3e1ca93daa2d9a516904fdfd6 |
| SHA512 | fa1fbecaf3ea8c99bd6f46d3f2c3d8e1a5e22d1905575e268adc05c3664c1fb29b49f828a831c3527f898b1d1dcda7fdaa038b21098ab7ed3093de163d99f08a |
C:\Windows\System\VoPwbvb.exe
| MD5 | fa5bd831c1a37ccb37b3e7067adf8cea |
| SHA1 | c293a842dcbce0add66bba7c3a03de4757d8a8bc |
| SHA256 | a6872d2be1996f82b22f65b96210093daea08d11ab5602651c2393a9f7068a45 |
| SHA512 | bdf1c1cc8d4fd5250e373d02046253c517093a177fde09e4cdc16a76e94de57d3656f353bea0127a58c1c1dab22fec18ba49d38d661ce2005f8855dcae92a3e8 |
memory/5008-44-0x00007FF762910000-0x00007FF762C64000-memory.dmp
memory/3448-37-0x00007FF7DCAD0000-0x00007FF7DCE24000-memory.dmp
C:\Windows\System\WpnCNHL.exe
| MD5 | da16458c0908072b51f63a697102332b |
| SHA1 | 84b9506a9b3c8439574d488c68ed58fb484ed41a |
| SHA256 | 4fedfd581d940273deb03f430ab2e6edd8135fe65b1287ed33a2a6062e930884 |
| SHA512 | 4d47f69f4828e978b4fd8e639e0db249ecd28aff6ad3a21cca94776282548b78a8e87ecdf2a70fcf67a9a24317d116782210a7512e4cefafea63d0f45061957c |
memory/4612-30-0x00007FF777B90000-0x00007FF777EE4000-memory.dmp
memory/5068-29-0x00007FF744230000-0x00007FF744584000-memory.dmp
memory/2672-24-0x00007FF72BB20000-0x00007FF72BE74000-memory.dmp
memory/2656-18-0x00007FF7B3140000-0x00007FF7B3494000-memory.dmp
memory/3532-14-0x00007FF6B75C0000-0x00007FF6B7914000-memory.dmp
C:\Windows\System\RQSdRpK.exe
| MD5 | 3df654e99b54eb14d24afd099c73a13e |
| SHA1 | fe145a4f50f44a6af379f0c83df71782ce58ac87 |
| SHA256 | bdd3b48a3ad41d38db3ea107a49e4a9a7070a49a0ebf974a27f381be2121d073 |
| SHA512 | 64f273d4a57c647cc49b8c8fc345110e8816a4f74507756e246a605e41f417e2f54f11239cb9a689da3169aea2792f60e0bb753904acccec68563743d33bf5e9 |
memory/4328-51-0x00007FF62E2E0000-0x00007FF62E634000-memory.dmp
memory/2844-54-0x00007FF7DB330000-0x00007FF7DB684000-memory.dmp
C:\Windows\System\ClDMtFt.exe
| MD5 | 8fecd2a94a2a714a6f243b72394378f3 |
| SHA1 | dbb2cc8264cb63539f3b440f96181de18cfd4e25 |
| SHA256 | bc08e8998591dc8249d5ad241e327fa33c1ae48817eb4ab4fc701904cfdc4698 |
| SHA512 | ce0be46551116296bf5e3d6d151a0815f26d41328280fe749df1e1d14f53b304b06b2bd2655e0a50bba54bd09d5c3c451b88fd9474b8863e9695446707bae4c9 |
C:\Windows\System\DTUKxln.exe
| MD5 | 66a69153de78dd80266fcda4fa796f27 |
| SHA1 | 71ef3695a4a424ad2933dfe92c3fd6fe145157f7 |
| SHA256 | fa36626cee591167210ab8b1195a2124030c56ea458b9f1876aca9d13c4451e6 |
| SHA512 | 308bdd6dfb332dedbf6f922ae6e16b2c317a3b1c3bdca1c50b07386a412b305e4bcc8d7087aabd4e30a007da087055ad7b2d370bab1835bdc38efb0e7717454a |
memory/4048-70-0x00007FF6CE4B0000-0x00007FF6CE804000-memory.dmp
C:\Windows\System\gnivCDS.exe
| MD5 | 8f7d2b485cf7dc0129d3b550dcbae633 |
| SHA1 | f61c764389931a9bfde2c28eff257b29e229bf09 |
| SHA256 | cccbb8edd43c64f94a181de03d09bad29b913d6864946b7b4d6da1d8afd3585b |
| SHA512 | ed60b97c036c599cfdcc9ce149f8873057ba4dc32db523ece23c05c2a5faa7f2a522172c2788f5d78e7255f202ef81ffdfccd3d096d4b41661bbf90cac4c7e80 |
memory/2212-64-0x00007FF75A650000-0x00007FF75A9A4000-memory.dmp
memory/4228-74-0x00007FF65F6A0000-0x00007FF65F9F4000-memory.dmp
C:\Windows\System\IOqfvFO.exe
| MD5 | a1a6002c82387a79258c6cb8609e011d |
| SHA1 | a2ca195c41be66acfa833d8602a0aa6e01b0d219 |
| SHA256 | d28d6e2e454a13fde94de54bffb96a6aaffb33ac76ffc1ba9bdd8ef0d7292d7f |
| SHA512 | 80bee9fa4fa8fabdb4077c5874d5a5d1d0142decf2cf2c992da3cd12dae1346dbe9348c9b6c275424ce9168767bb1e969002d55c3a75c59412de0c2177ef5d9e |
C:\Windows\System\umQHDAV.exe
| MD5 | 5d080bcf74cc6b3998d2b6616ad8dc97 |
| SHA1 | d6517f75c327a6985fc08e332202b463f01cb210 |
| SHA256 | 67ec38fe19247079ae9eb3400bc0e70e4130e04e049f04cfe3f570f4621a37e2 |
| SHA512 | 176c64da572b283a4794f333a6595f67540fc31c4381e9149203c07c563a804c32cb45639e6061e2d483a4e2030f8a5ae81ebc611c1dc7017138eac46e0ef150 |
memory/2656-90-0x00007FF7B3140000-0x00007FF7B3494000-memory.dmp
C:\Windows\System\MZiXxsk.exe
| MD5 | 3a21c4433e2315a17346af8532c2697c |
| SHA1 | 5611160de2c47574e7dbfc68301188455b2f2e47 |
| SHA256 | 94248b7017520141faf1b88b6782a9c3a9917710c1598dca8e0b4c80f15cc9c9 |
| SHA512 | 1e813c9b8fd4a9dcc90c8d9bf5d97f16a9ee0896f471802f6cf50e554917780e23625a571988b707c4b35acd899e32f0da75862ad949731579e00800eac6d162 |
C:\Windows\System\meUyfWT.exe
| MD5 | 8e114927ece84a081ea728721089327c |
| SHA1 | 3a226ec7b7b919c510553fea82e320e9d79c7835 |
| SHA256 | bba146331a050f1e39c8d1c7749e689936d8799421b2968a989369c86447ff88 |
| SHA512 | 7ced8b9cc95a62b13e71ebf9a6e978385e6677bbac6ca7487cc1ad8e18f0359e91c4a75736bef18138378a7d51dfbc520ec92b731f48b296671cbf324680aec2 |
C:\Windows\System\WFfipTN.exe
| MD5 | 36f0380ef5e47ed682f90dd6a769060c |
| SHA1 | cc70ec0e39f44c52b2100037fdd2225adae725b7 |
| SHA256 | b8f363aeb9383dfceb68f47b6e970c19b17a4e3a4ca8047c56f8a4ca2ac1bd0d |
| SHA512 | fbdf7c5e4bdf2bfebdefcb82248759c951779a2b0f28a0794f03836a46f241a6db1248c30e566d4c31721834d561652caaacc85faf999846646da7c5c9e94dcb |
C:\Windows\System\tcJoBPa.exe
| MD5 | 2ec23df39b650474516cb4dba2fd2d0f |
| SHA1 | 7329f53d15a7f43b0a0e13a48ebcbd3c819969e4 |
| SHA256 | 33a9b0ece91d727952d46b32ac57d2ba974f36716aacb1a4b93bac618058a6a5 |
| SHA512 | 4a5be516f977a52e181d9b3e577f2788554b427da041016a66d461fe36c70dcd9a81278c870c688f56e493b67a340675c55d7a962014b393cabc0ddb444d48cb |
C:\Windows\System\BJHqEiA.exe
| MD5 | 9b6562e215610b94c9686bd24299ef63 |
| SHA1 | 63065ebe990240534f825954d5abb3fc4c505757 |
| SHA256 | 0695cd2b275bce23f2c26369aa3af14db284a9e176a2f2222e63302c3f5c1fd0 |
| SHA512 | ffbcdf90c3c3a000866eb881e43b07a9395f08957091eeb9af13910e05194a7ea85edc825efa37ac2bb330020b773b98ee8b51ca130055f9c0f6be2bbf702b56 |
C:\Windows\System\KqztTcZ.exe
| MD5 | cfa124d1efdf44e0f7782a8d6ff61ced |
| SHA1 | a92d1c7ca75d41a5202d1585d9ce43ab188d4637 |
| SHA256 | 625f0a7e41266e9fe511686ca784adfaa5f2516fbe00ba97c5ea54e4c69bc4d8 |
| SHA512 | 27c36d7939c2225efef543c666cbf9fe9f3fbfa7cd28824ffe2762b953c6f0488a5586f065f9ee97736a83fdb62afac45540bf373e1a7b6fad3b84b4cc31c1e4 |
C:\Windows\System\KCSWhBO.exe
| MD5 | 0789a09196979f0d7e03d11f72433021 |
| SHA1 | 7c097f31cfea6c5d7f438c489b675e0c46bd8c60 |
| SHA256 | e8587e8913ae29346c78d2c47cbac7d87b085db54fb36c89c57a028023ca70c6 |
| SHA512 | 4b1ceea76e97c95aaacc9f620be2cd5d1ab08fcc5035dee03b90742c5f2149880c94a00139f24a2f77030f54f31b06bff277038ebb3f676a5c164f1f09b37bf7 |
memory/3304-91-0x00007FF6A0480000-0x00007FF6A07D4000-memory.dmp
memory/1668-87-0x00007FF638640000-0x00007FF638994000-memory.dmp
memory/2672-86-0x00007FF72BB20000-0x00007FF72BE74000-memory.dmp
memory/3532-85-0x00007FF6B75C0000-0x00007FF6B7914000-memory.dmp
memory/4712-80-0x00007FF7C5310000-0x00007FF7C5664000-memory.dmp
memory/976-125-0x00007FF73E140000-0x00007FF73E494000-memory.dmp
memory/2988-126-0x00007FF750460000-0x00007FF7507B4000-memory.dmp
memory/3040-127-0x00007FF63FEF0000-0x00007FF640244000-memory.dmp
memory/872-128-0x00007FF7F2290000-0x00007FF7F25E4000-memory.dmp
memory/2304-129-0x00007FF69F730000-0x00007FF69FA84000-memory.dmp
memory/4612-131-0x00007FF777B90000-0x00007FF777EE4000-memory.dmp
memory/3120-130-0x00007FF6ACFC0000-0x00007FF6AD314000-memory.dmp
memory/3448-132-0x00007FF7DCAD0000-0x00007FF7DCE24000-memory.dmp
memory/4964-133-0x00007FF7B8D10000-0x00007FF7B9064000-memory.dmp
memory/5008-134-0x00007FF762910000-0x00007FF762C64000-memory.dmp
memory/2844-135-0x00007FF7DB330000-0x00007FF7DB684000-memory.dmp
memory/2212-136-0x00007FF75A650000-0x00007FF75A9A4000-memory.dmp
memory/4048-137-0x00007FF6CE4B0000-0x00007FF6CE804000-memory.dmp
memory/1668-138-0x00007FF638640000-0x00007FF638994000-memory.dmp
memory/976-139-0x00007FF73E140000-0x00007FF73E494000-memory.dmp
memory/3304-140-0x00007FF6A0480000-0x00007FF6A07D4000-memory.dmp
memory/2656-144-0x00007FF7B3140000-0x00007FF7B3494000-memory.dmp
memory/2672-143-0x00007FF72BB20000-0x00007FF72BE74000-memory.dmp
memory/5068-142-0x00007FF744230000-0x00007FF744584000-memory.dmp
memory/3532-141-0x00007FF6B75C0000-0x00007FF6B7914000-memory.dmp
memory/5008-146-0x00007FF762910000-0x00007FF762C64000-memory.dmp
memory/4612-147-0x00007FF777B90000-0x00007FF777EE4000-memory.dmp
memory/3448-148-0x00007FF7DCAD0000-0x00007FF7DCE24000-memory.dmp
memory/4328-145-0x00007FF62E2E0000-0x00007FF62E634000-memory.dmp
memory/2844-149-0x00007FF7DB330000-0x00007FF7DB684000-memory.dmp
memory/4048-150-0x00007FF6CE4B0000-0x00007FF6CE804000-memory.dmp
memory/2212-151-0x00007FF75A650000-0x00007FF75A9A4000-memory.dmp
memory/4228-152-0x00007FF65F6A0000-0x00007FF65F9F4000-memory.dmp
memory/3304-153-0x00007FF6A0480000-0x00007FF6A07D4000-memory.dmp
memory/976-157-0x00007FF73E140000-0x00007FF73E494000-memory.dmp
memory/3040-158-0x00007FF63FEF0000-0x00007FF640244000-memory.dmp
memory/4964-156-0x00007FF7B8D10000-0x00007FF7B9064000-memory.dmp
memory/2988-155-0x00007FF750460000-0x00007FF7507B4000-memory.dmp
memory/1668-154-0x00007FF638640000-0x00007FF638994000-memory.dmp
memory/872-159-0x00007FF7F2290000-0x00007FF7F25E4000-memory.dmp
memory/3120-160-0x00007FF6ACFC0000-0x00007FF6AD314000-memory.dmp
memory/2304-161-0x00007FF69F730000-0x00007FF69FA84000-memory.dmp