Analysis Overview
SHA256
12b3dc830000aac20afd4832dd577be16bfef67e35c377823c14947f4b758d74
Threat Level: Known bad
The file 2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 11:28
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 11:28
Reported
2024-06-08 11:31
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MRDJPoS.exe | N/A |
| N/A | N/A | C:\Windows\System\YFnMeUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GrGafSY.exe | N/A |
| N/A | N/A | C:\Windows\System\XRcXfVW.exe | N/A |
| N/A | N/A | C:\Windows\System\MSteZfr.exe | N/A |
| N/A | N/A | C:\Windows\System\LcIeYhC.exe | N/A |
| N/A | N/A | C:\Windows\System\VPuhNnv.exe | N/A |
| N/A | N/A | C:\Windows\System\xavoPdy.exe | N/A |
| N/A | N/A | C:\Windows\System\LoHaSld.exe | N/A |
| N/A | N/A | C:\Windows\System\xlyWglb.exe | N/A |
| N/A | N/A | C:\Windows\System\RGMCEbf.exe | N/A |
| N/A | N/A | C:\Windows\System\saJaHgk.exe | N/A |
| N/A | N/A | C:\Windows\System\zZJDGBQ.exe | N/A |
| N/A | N/A | C:\Windows\System\pZHICls.exe | N/A |
| N/A | N/A | C:\Windows\System\HuIrgKK.exe | N/A |
| N/A | N/A | C:\Windows\System\jOklegk.exe | N/A |
| N/A | N/A | C:\Windows\System\nEpFbEy.exe | N/A |
| N/A | N/A | C:\Windows\System\essutVN.exe | N/A |
| N/A | N/A | C:\Windows\System\pLxvdGk.exe | N/A |
| N/A | N/A | C:\Windows\System\jYlRoWJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dHJURQd.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MRDJPoS.exe
C:\Windows\System\MRDJPoS.exe
C:\Windows\System\YFnMeUJ.exe
C:\Windows\System\YFnMeUJ.exe
C:\Windows\System\GrGafSY.exe
C:\Windows\System\GrGafSY.exe
C:\Windows\System\XRcXfVW.exe
C:\Windows\System\XRcXfVW.exe
C:\Windows\System\LcIeYhC.exe
C:\Windows\System\LcIeYhC.exe
C:\Windows\System\MSteZfr.exe
C:\Windows\System\MSteZfr.exe
C:\Windows\System\VPuhNnv.exe
C:\Windows\System\VPuhNnv.exe
C:\Windows\System\xavoPdy.exe
C:\Windows\System\xavoPdy.exe
C:\Windows\System\LoHaSld.exe
C:\Windows\System\LoHaSld.exe
C:\Windows\System\xlyWglb.exe
C:\Windows\System\xlyWglb.exe
C:\Windows\System\RGMCEbf.exe
C:\Windows\System\RGMCEbf.exe
C:\Windows\System\saJaHgk.exe
C:\Windows\System\saJaHgk.exe
C:\Windows\System\zZJDGBQ.exe
C:\Windows\System\zZJDGBQ.exe
C:\Windows\System\pZHICls.exe
C:\Windows\System\pZHICls.exe
C:\Windows\System\HuIrgKK.exe
C:\Windows\System\HuIrgKK.exe
C:\Windows\System\jOklegk.exe
C:\Windows\System\jOklegk.exe
C:\Windows\System\nEpFbEy.exe
C:\Windows\System\nEpFbEy.exe
C:\Windows\System\essutVN.exe
C:\Windows\System\essutVN.exe
C:\Windows\System\pLxvdGk.exe
C:\Windows\System\pLxvdGk.exe
C:\Windows\System\jYlRoWJ.exe
C:\Windows\System\jYlRoWJ.exe
C:\Windows\System\dHJURQd.exe
C:\Windows\System\dHJURQd.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2196-0-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/2196-1-0x000000013F8F0000-0x000000013FC44000-memory.dmp
\Windows\system\MRDJPoS.exe
| MD5 | ab54dd351ee493a070ccbcc0d3e98a1e |
| SHA1 | d0925027a076a54be92d56c1bd1ea7004ea9fcd5 |
| SHA256 | a31754e617e02b31173f36adc2e9fe706742097084b3b2006f0d8a5bf6e69051 |
| SHA512 | 8419636abb931fa73a229583cd015f2a495ece8ba133804e856e5a306f045c7067ce3d50582635f4dc0b6c5e1f4793d72c9df135d98d4132609e62838597a940 |
memory/1740-8-0x000000013FF40000-0x0000000140294000-memory.dmp
\Windows\system\YFnMeUJ.exe
| MD5 | c8e646bf0ad158893b1b754cbe8743dd |
| SHA1 | 5d39f3430ca0bd5a48e27e1822978a4cca213a8f |
| SHA256 | af6a35781ca6725806b64d2736e07f480b77ac600852ba8e908bc7a3d3d81c27 |
| SHA512 | 9b40dd4e806a03495f4367fa8c5fcb7d12d846b3d651bee6d535f5e4cb90f27a9c24fb8dbdd6d427642f9e95185cfe359bf70a788f782a9f25b52ad0e4f9ac01 |
memory/2196-12-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2204-14-0x000000013F970000-0x000000013FCC4000-memory.dmp
\Windows\system\GrGafSY.exe
| MD5 | c65b0fb3ac45486fd1aab366aa7ad185 |
| SHA1 | 07640c9687d1f352fe641ec80c220d0c8cb54865 |
| SHA256 | f854f8513cd5a034994cf93c949265dc1a7da0357887677a421a682c654a083d |
| SHA512 | 432bc876a6dc08413324e23a05289e3415d36082d97b682fe25fda05f27422271cc035c8b46dccb8002c663fa6b4aa54441f82df20f93667eef06715c770f0b6 |
memory/2628-23-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\LcIeYhC.exe
| MD5 | 1e23ef7c144dda42d898b6e43b28c0f1 |
| SHA1 | 6dc37894fd7edfd930a43d8fe77dcb30c99ffc62 |
| SHA256 | 571ae1fa5a527d346df607875861bd4efbe264d63e43b7198478a684775f4f96 |
| SHA512 | f57e676dd5a7b091616f9aef0f53cdcb4fdb32518d9ef7d93e0a8ea10088c699cd70423b87cba118bfacdb4079fced461d2e534688cba2d9663298d9735d6028 |
memory/2196-30-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2760-41-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\xavoPdy.exe
| MD5 | 4eb849f56e03b664837b29168b6c1666 |
| SHA1 | abe50d6a591b17e4277bb1c0088f5ab4b283860b |
| SHA256 | 3d86268ce96eeb78bf03178e32e99bde553de14c92e2f6431a685d3832a026eb |
| SHA512 | 681d0fdbea8653685a47da7b2e3572aa422f8c7718b390eb6ff50ca28d3ce5b2b4f15e034220183f8627cb6368c7aa3747f68432696554348fb6a24854cd4bf9 |
memory/2204-55-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\LoHaSld.exe
| MD5 | e0fc82cdd0e9e7b46741dfaa237b17fa |
| SHA1 | 0a022bdec6a30a58ff325ae8d26a06ca87039c11 |
| SHA256 | 4feea3a28404144af4f3b7641295f09b96cfd5a0d8c56dee10b6846cf635fd93 |
| SHA512 | 4450f751e3e6435387230bff24bfea38ba87c62a65d9ab31f61209134dd01f4690b32ad12d60873c5f0d07ea8c5735103df49609e1ebb75fecef7c74d58ebd8d |
memory/2512-67-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2640-73-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2156-79-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2732-88-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2800-103-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\jOklegk.exe
| MD5 | bc449aa88a154ad0712cedacf19561b7 |
| SHA1 | 2967854e76154ca69b98c1555bf2e321e4bd9863 |
| SHA256 | a75d02486dd4c3680e47eb070fb26684f2f8fdbde3d8b50afb76384e056b6bba |
| SHA512 | f70e0b7215607f149abae27bda965e48e0f3639781ed704f495cb363b4bd467d94790a3e292a4c9be0b9879bde7584ac73869cc64097904d63f4caa8d20278bd |
C:\Windows\system\essutVN.exe
| MD5 | 9631edf84329d7da54ce0335dad1c6b8 |
| SHA1 | 9693e708161186e4f4fd0ad1da9b1619c10b8b4f |
| SHA256 | 19f75fd3914f6e4c29765e8094a016e44e338b2f0a25fb41c11e1daac79dc398 |
| SHA512 | cc970e5aef6194442a1b58ac9fc4fa8a9f9ab4f8e2f64b7460fa3fdd37501e6e3fa95ed06ede20e0bedad9684a7421770ee06cd55b11d33a2d631fdf8e9f79dc |
C:\Windows\system\jYlRoWJ.exe
| MD5 | b891a1309030a3005b54813b3d3329dc |
| SHA1 | 9375368521a975e6429e78fe24e749f5fd42c697 |
| SHA256 | b2949df328561674e0276cba1b38b1d9e338275bfbd7be960da6fa8233e80c94 |
| SHA512 | 5bf2bb12d63d5ba996a24f0c49622605890759a34d6d9a8e8b1423508599c3ca5f30d904a65a5133b45b4c133c118a0aad3b0921e8e9638cdda566c2b21aebda |
\Windows\system\dHJURQd.exe
| MD5 | 4c6880f61b531914e3e1ab7410d6bc23 |
| SHA1 | ffe7944f2f9d1f684b03512c7aed96339945808d |
| SHA256 | 46957b40fb5cb87a693e8536ada88c3e6e4e8914fd90315899749bcff7bbe8b1 |
| SHA512 | 2f1f42d4776baef4d41b03f3c442609c85afc87b521b30561c16abe2e2f635f52fe697942b4389e4090c830bf1902a3fc6fcab0e08831f60a12f7d6243e3a6e0 |
C:\Windows\system\pLxvdGk.exe
| MD5 | ec0f6bd61b4d5a1d3cabf3ba241d3e21 |
| SHA1 | 1eda5d8ae2e8a26e5beff639e1e6f416ed50469d |
| SHA256 | 95aba526d5249b74f0d67eadeca8354d1651db5a6c2b9429707f315e47fc7bad |
| SHA512 | e6e2cc07e0fc015020d610aa23f07eb0d90671a09cbb1a5f1777fa376813c912b5a1e1bcbcd7c8d9c5df32d53a7ec0c97585eb87a81f4efac0e55c984f79894f |
C:\Windows\system\nEpFbEy.exe
| MD5 | c98ab2ba7fc0cc590277ae74e729ac97 |
| SHA1 | 406c8733b3d46b217a627ab5adaddbabf80640aa |
| SHA256 | 72d9c3164e5bc5a0056f0d61e5f933dca7843fbe5cb787c60cbaea6f3c4c5eb9 |
| SHA512 | 83a7736e8e2f611d1275bdcaadddc4be6f0e926f5cea75d098251749b2a05fba571b4f21ce94ae321e82e0195eef199c13db434e58d415277f035333c48675f7 |
memory/2552-110-0x000000013FD60000-0x00000001400B4000-memory.dmp
C:\Windows\system\HuIrgKK.exe
| MD5 | 4bca5221cf37d7cfb86fad8aeea0cd8b |
| SHA1 | 4f90cfb3a92151e33a8db0dab8ddd3f91ea64e59 |
| SHA256 | 56f931fc7e31ec2720b75740701353b7d3393bb18cdf856a4f0e40b3946ca882 |
| SHA512 | efc814ea7fae6e9dd82a1e82bdd8b00c615b9783bdf2ea9e5aeb0683b566f5a9d6e1bbd81f8b79466ccda2a10e525b587b5ad87e26f2b6ade4692624b37d8fbb |
memory/696-95-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2652-94-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1668-142-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2196-141-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2196-102-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2760-101-0x000000013F800000-0x000000013FB54000-memory.dmp
C:\Windows\system\pZHICls.exe
| MD5 | f7f3b3dd553eb608ea449129c334de36 |
| SHA1 | 7b7f2ee3f5ab2c3c2f5127c83b60ea183061a423 |
| SHA256 | d5581fc5c111d32f06992c082970eac7ce921f6ddcc9185ad59b540d7e162f28 |
| SHA512 | 523e564ac62cf5a38102142feb278dc3de36d821f153bcb33a574c49444422f240af6c74448cd5d43b228997de2f2c02f5707f7bcc91bdbd91a209e3cb8544eb |
C:\Windows\system\zZJDGBQ.exe
| MD5 | 51b0736a5a843661d2a4f82b42382b8e |
| SHA1 | 5c5cf07176499ac6c6f9ed0e29f6d0b0dbca5339 |
| SHA256 | 54551f3a229436bf826974c21bc8803b961df1f19f4fb689bd10bc7611d6508c |
| SHA512 | 1d6dda3165e5d580dac65c9cb6111b980de6930e76f8a52c672ae110916c90ae6e53a949b4887e5562cc1f52d4fade8bac38bed1be9cadb84563f1089ff080d2 |
memory/2196-91-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/1644-89-0x000000013FFF0000-0x0000000140344000-memory.dmp
C:\Windows\system\saJaHgk.exe
| MD5 | 5ac4060bad10d6bc3ba12b2e873f9a7a |
| SHA1 | c087dedba0ed092cd7dee31fc5faaa24428b7416 |
| SHA256 | d6ca176addd87ce541c671398b40ffbf8a0b02fe2c489f0f526eace5681a293e |
| SHA512 | 10085ab542c705ae5f9c2c386c35904579d35c83e04c8a488879b548ab4303cabea3f3dd2d96c85f695cec21b07613263fd833e0579112b3d45a69bb684f0fc7 |
memory/2196-84-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2196-78-0x000000013F110000-0x000000013F464000-memory.dmp
C:\Windows\system\RGMCEbf.exe
| MD5 | c5130c45fd6a72fefa8c87ffac0520c7 |
| SHA1 | d648b5b9a1b4fc1193f773298679887e94a068f1 |
| SHA256 | f986a3904732395deed6af3e9413d0dcc081312cb7bb4ac2529ac564522ef51f |
| SHA512 | 05a4c6a1b7c897f998ef3c287bfb93cd925f53240f3034a9737902804a2d4178725c6a220c47bf5e959f27ba49ab374386e037887c1c41eb4cc3ff4fd04d1e2d |
memory/2196-72-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2196-143-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2196-66-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2628-65-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\xlyWglb.exe
| MD5 | 877605930e52169d74f1cd81dea5fade |
| SHA1 | 222cdc1738ba0063a1578b0f1c1504be546e8c07 |
| SHA256 | ac030bbf6391c0c92b24e081f814239eaab875d3f576bf43b42c2b66022a109e |
| SHA512 | 680ffcefcc03ee9171114af60998949ab8986cf4feee0e879e5de0c3c9b820a62d9aa996f56a42ec0e268ade49263fe9dea0b65ceb9c63ae55ac3250b4c485d4 |
memory/2552-50-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/1740-49-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\VPuhNnv.exe
| MD5 | 180bae2512e5272758ec4b140e59d08e |
| SHA1 | 478f08f611f1571b4253d6395d35e606286e0d49 |
| SHA256 | f101b31c2026d98a2f467ed8ae2d179b4efed4f40002dfa6569931167d94ce16 |
| SHA512 | a3fd7887ed89538f2d40787e09546b45db2217415ac799af78a9005aa12dc4744002652ea06d1139fd2df9c3be10c99b078f639be5e85c9ae2a5df9e37cec5b4 |
memory/1668-56-0x000000013FA50000-0x000000013FDA4000-memory.dmp
C:\Windows\system\XRcXfVW.exe
| MD5 | b874d39af76a40ac8818ecca24eb120d |
| SHA1 | ea7ea790cfba7c72556587394e3d6357c96c0c07 |
| SHA256 | 9041d319dfe32d9ac2f4616fdbf85c47977992ff6663441661a03d49b97bd10c |
| SHA512 | cdba7cedd378ff6a647449e7d9403ed3ff754e74ef4365392854bc0a7d3e54e999827fd52d028d36a292c3fe44446dffe7b4ce76bca725d1f9fd0098a0ebc1a0 |
memory/2196-28-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2196-19-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2652-38-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2196-37-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2196-36-0x000000013F8F0000-0x000000013FC44000-memory.dmp
C:\Windows\system\MSteZfr.exe
| MD5 | 9e3b142fec52847cd19a1d1a8d7f771e |
| SHA1 | d2bb66aa63c102ad88eab77ef2e8d833478027d7 |
| SHA256 | e1365f0bf7a7ecd4c71d9f2b7cdc79725059005d6ca437bf2a36fa01b0f07567 |
| SHA512 | c2ba4216cfd94c33d3519d127f50bcf9b0a1c40a64c70e41c18e90a8ee7fcab192f786dbc9b78813c9c24c9e8d117e6cbe56785abf10840f0c8d6b7a3eb92705 |
memory/2196-34-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2732-33-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2640-145-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2196-144-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2196-146-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2156-147-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2196-148-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/696-149-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2196-150-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2800-151-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2196-152-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1740-153-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2628-154-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2652-156-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2732-155-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2760-159-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2512-161-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2552-160-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2204-158-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/1668-157-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2640-162-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2156-163-0x000000013F110000-0x000000013F464000-memory.dmp
memory/1644-164-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/696-165-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2800-166-0x000000013FAF0000-0x000000013FE44000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 11:28
Reported
2024-06-08 11:31
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TezUshD.exe | N/A |
| N/A | N/A | C:\Windows\System\NXaTinn.exe | N/A |
| N/A | N/A | C:\Windows\System\QTJkFne.exe | N/A |
| N/A | N/A | C:\Windows\System\fRkAVZB.exe | N/A |
| N/A | N/A | C:\Windows\System\rmCUPwz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZtCGJmP.exe | N/A |
| N/A | N/A | C:\Windows\System\odoBxKF.exe | N/A |
| N/A | N/A | C:\Windows\System\qpRgJqx.exe | N/A |
| N/A | N/A | C:\Windows\System\PBqEfdh.exe | N/A |
| N/A | N/A | C:\Windows\System\duhnyuh.exe | N/A |
| N/A | N/A | C:\Windows\System\JmgrmJV.exe | N/A |
| N/A | N/A | C:\Windows\System\kTAGbwB.exe | N/A |
| N/A | N/A | C:\Windows\System\MhxavUv.exe | N/A |
| N/A | N/A | C:\Windows\System\tsSSOvd.exe | N/A |
| N/A | N/A | C:\Windows\System\xyemenW.exe | N/A |
| N/A | N/A | C:\Windows\System\BRECBri.exe | N/A |
| N/A | N/A | C:\Windows\System\UFJfavQ.exe | N/A |
| N/A | N/A | C:\Windows\System\YsttKSY.exe | N/A |
| N/A | N/A | C:\Windows\System\TSxVSrS.exe | N/A |
| N/A | N/A | C:\Windows\System\NBBZZPT.exe | N/A |
| N/A | N/A | C:\Windows\System\AuZOZmT.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_7be062e05b3c591d4d7fc80903c42aab_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\TezUshD.exe | C:\Windows\System\TezUshD.exe |
| C:\Windows\System\NXaTinn.exe | C:\Windows\System\NXaTinn.exe |
| C:\Windows\System\QTJkFne.exe | C:\Windows\System\QTJkFne.exe |
| C:\Windows\System\fRkAVZB.exe | C:\Windows\System\fRkAVZB.exe |
| C:\Windows\System\rmCUPwz.exe | C:\Windows\System\rmCUPwz.exe |
| C:\Windows\System\ZtCGJmP.exe | C:\Windows\System\ZtCGJmP.exe |
| C:\Windows\System\odoBxKF.exe | C:\Windows\System\odoBxKF.exe |
| C:\Windows\System\qpRgJqx.exe | C:\Windows\System\qpRgJqx.exe |
| C:\Windows\System\PBqEfdh.exe | C:\Windows\System\PBqEfdh.exe |
| C:\Windows\System\duhnyuh.exe | C:\Windows\System\duhnyuh.exe |
| C:\Windows\System\JmgrmJV.exe | C:\Windows\System\JmgrmJV.exe |
| C:\Windows\System\kTAGbwB.exe | C:\Windows\System\kTAGbwB.exe |
| C:\Windows\System\MhxavUv.exe | C:\Windows\System\MhxavUv.exe |
| C:\Windows\System\tsSSOvd.exe | C:\Windows\System\tsSSOvd.exe |
| C:\Windows\System\xyemenW.exe | C:\Windows\System\xyemenW.exe |
| C:\Windows\System\BRECBri.exe | C:\Windows\System\BRECBri.exe |
| C:\Windows\System\UFJfavQ.exe | C:\Windows\System\UFJfavQ.exe |
| C:\Windows\System\YsttKSY.exe | C:\Windows\System\YsttKSY.exe |
| C:\Windows\System\TSxVSrS.exe | C:\Windows\System\TSxVSrS.exe |
| C:\Windows\System\NBBZZPT.exe | C:\Windows\System\NBBZZPT.exe |
| C:\Windows\System\AuZOZmT.exe | C:\Windows\System\AuZOZmT.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\TezUshD.exe
| MD5 | bc17c836fbac43905d9d63579ed18e91 |
| SHA1 | fe0b426a35657688bb568a0c1dd1efdc8996a2f4 |
| SHA256 | a57303458aaa9355b483ce09901b2730568944da6fd364f9bc2e0d63b2aa9f75 |
| SHA512 | b98d3920faccf83de372283ee4917f3be23dcc53229d8b3f0fcaec688e6829776423caf5c5f210db40175791bae7afb3b846555f93f9988e26ec075944e7312f |
C:\Windows\System\NXaTinn.exe
| MD5 | 785e3be72285c544ed756e627cfcf341 |
| SHA1 | 624988ad52b24dbe1ccdb7b4b2bba4d37333dffe |
| SHA256 | e80f3b53012760993f1d3fb4bbc101d1e533462209fd603295ddd5e9d4b469b2 |
| SHA512 | 87eee5bf6fd73766e8de3e9a8a2c654fb4f59ee019e74c5a8c760c60dab07ee6d9a49f7963b94a0d083193023a355b898d2e437e6e089d2e6aa2bd10bb20ff69 |
C:\Windows\System\QTJkFne.exe
| MD5 | d89ef6c33112983727fc6aa4b9e546e3 |
| SHA1 | 7c9def8c22796486895d383ed915d4bf58f8139f |
| SHA256 | fd306811a82db58e946b9ee35833b2b814374e432dcc221f5be01bda219a91ec |
| SHA512 | 250a2a809517eb20263e843fd53a67caa06c378a54db56d4ef835a7adac6531886d9d5f03cc8ff92298938e0ce745c1d4144db1edeb53b20e8b83268f2db2421 |
C:\Windows\System\fRkAVZB.exe
| MD5 | 2f30356ac72b98bd869ce37818c2cb1e |
| SHA1 | c7be445ff794916ce2bfc63583b7f5ae0ecf32d5 |
| SHA256 | 09520e8dbd78a5fe5e95aa6a790dd4c048d13b8d0fe42dabc8821d58013cdb38 |
| SHA512 | f27824699392084c72133baccf06c41c9d38415ee44eccbc7249293afb93a74de87713206520cd77e3968407293cbef54211b8f66d808475d17c2c7123b81c18 |
C:\Windows\System\rmCUPwz.exe
| MD5 | 1a4af04782475b7110abd271b6118263 |
| SHA1 | 37cccc7f3f7c45371022a85e39c96c9763344679 |
| SHA256 | 90bafaa8122bfafa76269638f0e0b6e41e04294aa6d4b52d0ee39c0241e770f7 |
| SHA512 | 0771c2d118d3ed572f4b5b4cd99612ecd15dcbe4f0ed7e16c13e8a12dd2a6bf2c3695a8e43b56d69e0e0c3fd635c6cde0f188b24add3453be0b2ed670cbc7f05 |
C:\Windows\System\ZtCGJmP.exe
| MD5 | f2edc0a68d4b1cc6583e0c34a690df74 |
| SHA1 | 357ef20897dda627dda6d067bb3e5a786337a8fb |
| SHA256 | 7eec406203df9cd73fe0fa3b8ec9dd483417d61ccb391890302ada6d60a7a618 |
| SHA512 | be430676c477bd4a53eb56e28af70b98d51f1e761a0f68a702105f493773dd4b67812dc08ad970d0f1985af5bc88354a3e84094fff64a2e73758866b140eda48 |
C:\Windows\System\qpRgJqx.exe
| MD5 | 74105f2e056d7b2a47ee472e2ace000f |
| SHA1 | 10dee70e35b8edc74eca7629feca7751f61ad2ba |
| SHA256 | e7250ad3595c5094bfc511c4ed5414ff664e8df67790ec6b3f053709667f5e72 |
| SHA512 | 4d97ffdc908a7db0afcdce0b482c68096a08caf94481de067181694a7ad2d95e7a6a62231a7224111b9e3732d1461b82758e9d5fa9fe314c85161c12258a19bf |
C:\Windows\System\odoBxKF.exe
| MD5 | 9bb6efc7e322918274c7f6029602ac69 |
| SHA1 | 358e6161a36775d5884f53f2a8b9c41ad05ee480 |
| SHA256 | 67aef6ca8b76fd4e89638982129951f67facbab23021978f458bd3ab74de6c9c |
| SHA512 | d7b317a0f671e16f7c3da13eabad3ceb33ab901d4d7bcb6cb86e8e0c817ecf479e2c459bacf177dd3207f02ff6ac58b163b8fecc7c3bb2316b0a0eda740cc5c1 |
C:\Windows\System\PBqEfdh.exe
| MD5 | ebc505b68200f9b01f6c45788f9fe278 |
| SHA1 | 697d0566993df8dace666b9713e1cdfcff59898c |
| SHA256 | 77f0c6aded1ab2952d15e1deb95e4a0bf1af75aca76f62a484ed1e829ebd9470 |
| SHA512 | 92230d349a137ad96f402bb422a14204d5f08eb5dc9f1861234bf52bf19c3bc49716f7a3ea2a30ef69ce010056e6211343f339efae948d3ad071ae3bb69b56a2 |
C:\Windows\System\JmgrmJV.exe
| MD5 | e7eaf028bb03a4be577dac8a5a4fc059 |
| SHA1 | 5b8c77a4f48ab0f95e4c5bd30d6f02dd1751a51a |
| SHA256 | 49a5bda298d43d76e02e9fa2dae3fb31bc4cc3bbf190e864aee56826959c49e3 |
| SHA512 | 54921d893f91df82d265ad8d372e51fa7214de61398102b6ffdf0d7dfbd395eacfd53b72666c3f7fbba5e5a31728614f12d1e74c44051370c250234c59fc4758 |
C:\Windows\System\kTAGbwB.exe
| MD5 | 0b577663aa29ee8beacb7937264b8f29 |
| SHA1 | 447f9bbbb11e5de6030dbf41a8f16808872a358a |
| SHA256 | ef4ff7314380604d34386bc2aaa394333753bd0d970a131615621cda31eef828 |
| SHA512 | fedf1217567b4fc25f19e083c455eeb27a78a3813431c8dc7b46dd71b40cc8ba23109a16ac1de85c2b6f464e2437ab305671b10a25fcd91c3b6fe294567fc456 |
C:\Windows\System\tsSSOvd.exe
| MD5 | 17ace7dc0962d384ae8bf8f78800fee3 |
| SHA1 | c76c5ef183e07caa10f8f50fa557477268a1abc5 |
| SHA256 | 9c3bd597b0858b3ce991e7698d44ddfa7a309aec2208feec25f18f452619229f |
| SHA512 | 8be7522a2e7893488e6c6fcfb6c07c5644e0611ae2dd2c5e148e5fa4216d3a9920f7624db7b70b260a2d6132dd3886ac8164df9ecd2557710be05790ab893948 |
C:\Windows\System\YsttKSY.exe
| MD5 | 0505b79bf68734e2bcc321938a459238 |
| SHA1 | 2fccccdf9f6ce0cf3b52b56fb2a78184a52fd7b4 |
| SHA256 | 90b259da75146df081ba481caf93f88a29438300a1f5d861b76ca5709a138f35 |
| SHA512 | f260a94a353a9e5addc1ef79a0c67f8a0be36c2058d78333e1f65ad458d91fe317ad0955fcfda7b5b95253a1a78dc117b8f590fe3aa2936292273af0d3035795 |
C:\Windows\System\NBBZZPT.exe
| MD5 | bd9947533b628e2948de10cca737a34c |
| SHA1 | 584ddfe6011839be901e228705b645f04f7a9b02 |
| SHA256 | f98f0a24ccb75c92c47656629016d6f4d6dff7f732c4406f7b4ac7bf1dcc913a |
| SHA512 | 695ab9488a4f31c992296779dfd82da9892ca7babfb8a806aa58b767f5a2252397cb84f46b817153fa0eeb2df6c7d897508665fe5d730c70e772c3f7e6ef94ac |
C:\Windows\System\AuZOZmT.exe
| MD5 | 914631ff5212ca9afa51e8d6e654d652 |
| SHA1 | 03823c81ad332332316c08043b953ed93748dddb |
| SHA256 | 36ed1ed618c5883da3fc882887fb5dc70ae5b88db3d410ebbaf30459d1a7b167 |
| SHA512 | a1e180db077ec5db6aaf8c8bea85bff3567164b82841efdffb51b939e8c1e4e38d80251aef4671be02f21772a83c95b9328d6693c5611e117383895bcfe31daa |
C:\Windows\System\TSxVSrS.exe
| MD5 | 69e120b6342b123f956b703a85c0bea8 |
| SHA1 | 29d589bc87136d4df06961f48150d9d66128b5bc |
| SHA256 | 74dfb57b1a1ba9ab85f6e26df0543ae7c779af6545036ba591b204d6b0795742 |
| SHA512 | 8f0356a61a66cb8b511572d913797c0986c36f72640407194c55a9df9f9fb5e90ab2ed180068cb8aea387bb3cf81d473a6524ed88d3f17d477de44f9dbd57162 |
C:\Windows\System\UFJfavQ.exe
| MD5 | 5bdb81881c08438e22f98f9932b70a8d |
| SHA1 | 20e892ddf0482bbdd8241bb1e9d3a02883b656ef |
| SHA256 | 4f302e8397a0aaaa18226cd9ee82f6a54af05759c1afadc66ba6290e97574730 |
| SHA512 | 4a47b68c8cc914cb0b6c2fade18dac8c126a566735442ac4a101ebd6a45e30f76838d58aba3ed2ccd8b977eddf77bc67d80b148b503ed2e04e79e0a51fb74966 |
C:\Windows\System\BRECBri.exe
| MD5 | e72ea209b0999b223daa88d0b89a5b59 |
| SHA1 | 14df14c6e8959e8071d27b5ec272e9114df84252 |
| SHA256 | f17bdc352a5316724434b89dd69a6c1adf95c34dd8260c78b7d75edd2f87138e |
| SHA512 | 47b08852917a72642ad0b88753dac2e304599b390493dc1244615a7f6a0c6700fc464670dedbbe58d4dd81e67f3d59b97b79cd40b82ac8ff3249cab8d863ff74 |
C:\Windows\System\xyemenW.exe
| MD5 | 3956e5e5913e05f03ccd8d42f7365e1a |
| SHA1 | a95101c8ecc4de25e653ab27065f8b5146de8547 |
| SHA256 | d7bffc87b4f488c7c56812604e0d126647916a004fa8f45df59bb6954629a749 |
| SHA512 | 46230b9a95de63e15966d2969763485b6333ea6c99296c8b76934e2df6221183940f063ec2cb42006f80b53407d3b838c71b76d001dbf71a404c1bb9a0f1e86c |
C:\Windows\System\MhxavUv.exe
| MD5 | 8973c9f99128a16a1d2171b9f965759b |
| SHA1 | 83cc895c5d04e93c1efed570e8c928fb695d98c3 |
| SHA256 | 0ce01ab8ff8ebf22afb8e86f8d749f7b0d3c8ad684c0f8b987afa9a7e972ff54 |
| SHA512 | f6f266622e784999e857f45babba86a6295cb007ba78c60eaafa6dcd01488afee70ce33be51706c9cb33f481f5dd7031f9f411f949e56e79b5954caa6ccb99b0 |
C:\Windows\System\duhnyuh.exe
| MD5 | 0becf541a54f394683a2ea78c99337bd |
| SHA1 | 09bfc319e41c610c109e58fd29d876d646d6f607 |
| SHA256 | 8ebbbd22103168fc2fbf796b607d2be971fa827a22a9eae5c1be2be757137940 |
| SHA512 | cf8c18d4c75476de95535ae3d19a8f1cd3ddd3cbaacf203c7bba0a8c775629582f59c22be37a7565ab31a67e8bb6743c736a232308618046c2bb7ab7ae499453 |