Analysis Overview
SHA256
ca167e6872d3cf69c5f45583095bf03c099d04e80e56092269e5a35aef66b0ef
Threat Level: Known bad
The file 2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:25
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:25
Reported
2024-06-01 03:28
Platform
win7-20240220-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MlnTFsx.exe | N/A |
| N/A | N/A | C:\Windows\System\byteXcq.exe | N/A |
| N/A | N/A | C:\Windows\System\zAvjOuN.exe | N/A |
| N/A | N/A | C:\Windows\System\FOgmDet.exe | N/A |
| N/A | N/A | C:\Windows\System\ptPnUWa.exe | N/A |
| N/A | N/A | C:\Windows\System\sJsHkbr.exe | N/A |
| N/A | N/A | C:\Windows\System\nSOpRSw.exe | N/A |
| N/A | N/A | C:\Windows\System\HuTTJTs.exe | N/A |
| N/A | N/A | C:\Windows\System\ycrambg.exe | N/A |
| N/A | N/A | C:\Windows\System\ySEBFPL.exe | N/A |
| N/A | N/A | C:\Windows\System\CzVerFL.exe | N/A |
| N/A | N/A | C:\Windows\System\sXMjaNZ.exe | N/A |
| N/A | N/A | C:\Windows\System\oWCWQCF.exe | N/A |
| N/A | N/A | C:\Windows\System\rSsLyEF.exe | N/A |
| N/A | N/A | C:\Windows\System\tpCybaX.exe | N/A |
| N/A | N/A | C:\Windows\System\hwwtTQh.exe | N/A |
| N/A | N/A | C:\Windows\System\tWBDRuy.exe | N/A |
| N/A | N/A | C:\Windows\System\LRjiapD.exe | N/A |
| N/A | N/A | C:\Windows\System\wxjuXGo.exe | N/A |
| N/A | N/A | C:\Windows\System\uoTcKne.exe | N/A |
| N/A | N/A | C:\Windows\System\nQIhWOB.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MlnTFsx.exe
C:\Windows\System\MlnTFsx.exe
C:\Windows\System\byteXcq.exe
C:\Windows\System\byteXcq.exe
C:\Windows\System\zAvjOuN.exe
C:\Windows\System\zAvjOuN.exe
C:\Windows\System\FOgmDet.exe
C:\Windows\System\FOgmDet.exe
C:\Windows\System\ptPnUWa.exe
C:\Windows\System\ptPnUWa.exe
C:\Windows\System\sJsHkbr.exe
C:\Windows\System\sJsHkbr.exe
C:\Windows\System\nSOpRSw.exe
C:\Windows\System\nSOpRSw.exe
C:\Windows\System\HuTTJTs.exe
C:\Windows\System\HuTTJTs.exe
C:\Windows\System\ycrambg.exe
C:\Windows\System\ycrambg.exe
C:\Windows\System\ySEBFPL.exe
C:\Windows\System\ySEBFPL.exe
C:\Windows\System\CzVerFL.exe
C:\Windows\System\CzVerFL.exe
C:\Windows\System\sXMjaNZ.exe
C:\Windows\System\sXMjaNZ.exe
C:\Windows\System\oWCWQCF.exe
C:\Windows\System\oWCWQCF.exe
C:\Windows\System\rSsLyEF.exe
C:\Windows\System\rSsLyEF.exe
C:\Windows\System\tWBDRuy.exe
C:\Windows\System\tWBDRuy.exe
C:\Windows\System\tpCybaX.exe
C:\Windows\System\tpCybaX.exe
C:\Windows\System\LRjiapD.exe
C:\Windows\System\LRjiapD.exe
C:\Windows\System\hwwtTQh.exe
C:\Windows\System\hwwtTQh.exe
C:\Windows\System\wxjuXGo.exe
C:\Windows\System\wxjuXGo.exe
C:\Windows\System\uoTcKne.exe
C:\Windows\System\uoTcKne.exe
C:\Windows\System\nQIhWOB.exe
C:\Windows\System\nQIhWOB.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2192-0-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2192-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\MlnTFsx.exe
| MD5 | 16e99e9687c937ec1af6d55a1a572224 |
| SHA1 | e13ea44d6fb4cd85ad4b394c029a02cc100a8bd9 |
| SHA256 | 0f15c6905315945af416d83e0e480f9b6086e8091bbabbbe0e129536d97f0eab |
| SHA512 | 99fbdad9fa9d482db1a624b68688fb7edb07d1f8e1ba947eb690dc906f280853d6d336089f64f4a42ae3de33761f6f09a95c6c64f1f3d8c7aaa7536ef81a0ea8 |
\Windows\system\byteXcq.exe
| MD5 | 358fa462aa192b93aaf11ebcde4f7889 |
| SHA1 | 57335baab9ebebb00394a95ea0c4fee299356904 |
| SHA256 | 503125155c9a0ca241ef506837ae7a8a2b60800957fb13e7d4ab1cbfd3cf0d0f |
| SHA512 | c1b75a5ed107749e1335fd215de7c02de6091e6f8c0b22ccf335191683a722e63cb81eb81d26fbb95cae33889f65524e8facb66260e6f2ec5ef853ebe8db83b3 |
memory/2192-16-0x0000000002250000-0x00000000025A4000-memory.dmp
C:\Windows\system\zAvjOuN.exe
| MD5 | 4a2973ee2180210a4b14cd562ee4323d |
| SHA1 | 9962df8478a6689eafc24887f5a8143278317407 |
| SHA256 | ad83e6418a9568124c12a319211c8356cdbad9c66af9d68a51b97fa24e5a35de |
| SHA512 | f64dfd69f078caccb30867815606e1beb33308ad9e49a7dde72fb4fc9522623e766fc2824d672684adbe59d213e067562f8adddca92cf7115175e9124a441a36 |
memory/2984-22-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2476-20-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1788-12-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2192-8-0x0000000002250000-0x00000000025A4000-memory.dmp
\Windows\system\FOgmDet.exe
| MD5 | 8948dad3f42cbb73dafebda2c0ff6803 |
| SHA1 | cea0292962e913e3520e75b93fda129f6be597ee |
| SHA256 | ee55cfc22215577d66f8352da321af5aa9dc4c8df8b9557c48ea15b7a55a528e |
| SHA512 | 5b55a0f45853244916e28b582e05889f57e43671538a5110305f331e15e2c89729820cf3cd03fbd7f22ac5da67acef8eb254862ddb069ce299b34e8aed771c83 |
memory/2192-26-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2644-28-0x000000013F9F0000-0x000000013FD44000-memory.dmp
\Windows\system\sJsHkbr.exe
| MD5 | d9368191b838cd62dad9c37a4fb1f685 |
| SHA1 | 38f3922add0b90201a0f8d2eb520b143b8083585 |
| SHA256 | 70fe31f3c9d69679cfb15a355198539d4b9e723a6de692dbac9d81717bd96c99 |
| SHA512 | a31f508a9a5d3213528183d8a681b92471ac1e46818ed83bd2544978b1bfcbffc070c95d44c2ee7caf47789b5712de1a407752d8df45e9e7cade27fc180e06e1 |
C:\Windows\system\ptPnUWa.exe
| MD5 | 91a464b095f565c71b840e0c8ea08e73 |
| SHA1 | 555658b5ff68a8bcb5b1b68438fc6bdb276e63c2 |
| SHA256 | 3badfa4ad593327a8caf95fa4fe05d5358f4fc4d88408ac045a1fd1e68ee56e8 |
| SHA512 | 328c05212f8d012d959afb0da3b4530cb96aa6f4aa6c38b69398a2c835df89732f62da3c33daf957d64621e1a7f5188762667f2ba0ed7a6d489aab0a7f1ad792 |
C:\Windows\system\nSOpRSw.exe
| MD5 | 129bae82d92fe7f7d00a513c44ffef1e |
| SHA1 | eff5b217ef6c21fbb3fcf800d2eb04c59d45052b |
| SHA256 | 663578324e0551b4a9c5a35b3beff48918ab66e9f6381428c8122b11cfff8cc9 |
| SHA512 | 2516f85bb0d02f8758f7a76b5359cd389e131f9bf58ab6e812c23470ed7f9918531d0cde8a28fd4915ff654ddc3edf9069f3b73d4c52999c621be9dcf27644a1 |
memory/2420-47-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2192-50-0x0000000002250000-0x00000000025A4000-memory.dmp
C:\Windows\system\HuTTJTs.exe
| MD5 | 04a0dad0dbff5154c923cf343b44757a |
| SHA1 | df7f64adc4633bf10e9743a09694ba17d0bf084c |
| SHA256 | 4c2cdf77a48e505dbde2499d9f7d09ed408b153f188515a3cc1e19668b1be2e2 |
| SHA512 | e553dd5f3413fdc8bedb48ce16275ed4dd1cc125fb41af2756c63d8f5fa4ce9c88c7a8ecf46400209ce590ab2be430e9d8742963bbc9d05702a7d34a091ad05a |
memory/2500-57-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2192-56-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2692-49-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2192-48-0x0000000002250000-0x00000000025A4000-memory.dmp
memory/2748-46-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2192-45-0x0000000002250000-0x00000000025A4000-memory.dmp
memory/2192-63-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2192-64-0x0000000002250000-0x00000000025A4000-memory.dmp
C:\Windows\system\ycrambg.exe
| MD5 | 6f333bcd88373e59acf2787615c56a15 |
| SHA1 | 0513f2aad925b6f05d1580e1de6cb802145248c0 |
| SHA256 | 2dee6e4a4f68654a7e0867fe9a01b7586421b7363b47ae6b347fbb93a2592612 |
| SHA512 | cb5fde6b22bc29d012ffec117485769e5dbbb9f5a35c649b398c476364b7e9b52d896ff63a8f20f90bcc88dcfc59204b74c80aa6039fbc9b98af6fcd068133df |
\Windows\system\ySEBFPL.exe
| MD5 | 53594e3cdd89a843de6ea5a16ecd2e3f |
| SHA1 | 1f3936d4d0363960e32a1c06e4ec2e273d0cf5e6 |
| SHA256 | f26488847a5f2967d9ff5d2296c66d000824758907a31b2d12bf3a8940c304cf |
| SHA512 | 3a9bc6e8c7d8e7b22d854949381f619f6b6d5c6ad054915e011f98b7f35d84d67e9bc7d4e58833d4223f740150971f9a78eff2b49198633a6a2288fd771dbd2a |
memory/2192-69-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1516-72-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2396-65-0x000000013F360000-0x000000013F6B4000-memory.dmp
\Windows\system\CzVerFL.exe
| MD5 | f8c2d12a14128fecc7a2cd36ea510de4 |
| SHA1 | f920fadbdbecacc34c2741a376e3217a73e0ba26 |
| SHA256 | f473835536e7425311067ba1f43e0e658617986d3c6513122b2584d868fefc7a |
| SHA512 | 5778ba6c38242796b17faee2f75c6b3a15a465399f6e8bc5f7f8587cfe64119e49d2bc5fe9cd77752868bffba13ff48d2b43ec653986c88e6e9bd75b2c6dc335 |
memory/2192-74-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2476-79-0x000000013F100000-0x000000013F454000-memory.dmp
C:\Windows\system\sXMjaNZ.exe
| MD5 | ed61115cb54c4d42382e871f499a3c05 |
| SHA1 | 38ac25074f5a0c9ebc9ac9409e2b492032cff460 |
| SHA256 | 0e4b4ec8e8ec8baf5729f7b26a3ee555630d3292cfddfa0db22c167e6a495a34 |
| SHA512 | 92762a717a275a2c83410cd0e66efac84247ec3c25db350dc26cf5adc8b51f8872efadcd1cfceb5f11d4e474e6aeba6615aed7239b8b40c6c7c5ef2a2411cc32 |
\Windows\system\sXMjaNZ.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
memory/2644-86-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2432-80-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2828-93-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2636-92-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2192-94-0x000000013F9E0000-0x000000013FD34000-memory.dmp
C:\Windows\system\oWCWQCF.exe
| MD5 | b94c659669ffe2118a7f843fd490738b |
| SHA1 | 58581c05d1f1abf0259a8e539ee1e7978f5f7453 |
| SHA256 | 10f9682b62d5047df1b411911106e312fd69bcfc039760d0ea4115744d6c3f54 |
| SHA512 | 6aa8f4fcbe83b3788eee1f946adfbc4d0c2f2d233c67fd0b65c3c8e800f29d61d9a8378b385355db8aeadb818395eec5ba760c979619ba06e97f865554f5e7b9 |
\Windows\system\rSsLyEF.exe
| MD5 | a708ad471415099490157bc7591756e3 |
| SHA1 | cc02279c9c87754e2c10929468ecb83db262d6d3 |
| SHA256 | ff53634a38b60644817af0bab38316017ed3ee8db7842b8c39cddca8fe51ba48 |
| SHA512 | e70597fd408aadb862007d99cd4fed1ba62b88ca1eefbbb80a93cdf1e12f9f0ab235e5d786abb221c5393848d19517fd46a24541c10cfd079988e7d677d4f2b5 |
\Windows\system\tpCybaX.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\system\tWBDRuy.exe
| MD5 | 7cf2892acc475b623a61c1f6b620b7e9 |
| SHA1 | 682e3ff7f00db4f50862f3aa1e33308c59cdc082 |
| SHA256 | 7e350d6600c99aa5fe6d93316b763b338231babbde316b815bb86664f8ae2414 |
| SHA512 | b458bc74400a65950509654092647d803cd472ce07e2ef55cb6c859ba54568aa7ed7ae8b0aca2d83d761c4ab9b51ced6b492fa77f9fa1049640da9438dce51f4 |
C:\Windows\system\LRjiapD.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
\Windows\system\nQIhWOB.exe
| MD5 | ddf0adb590fd0b79e0bc4e403e5fcd14 |
| SHA1 | 82dce26613436cba2b809c09bd0bd2946db1b1bd |
| SHA256 | 883862b8d8be672d1ead844ca5614e08fb8356c773a6ec13771adf740d287e39 |
| SHA512 | f98601a889c04ddb4a620509a660d30716205bacc6614a5ccb5d0c4888f5a75e128698bf5d6632498045e7a536c43e88c5dafe8efe8b93f12b1d6c1fa572618b |
C:\Windows\system\uoTcKne.exe
| MD5 | cb933e98b66eda441da7ecb91b9066a5 |
| SHA1 | bf7c4826f0e06c36bdab088a657f1f3b25938738 |
| SHA256 | 499ca6f140d2c55d5301d24b8940dd08844562d0ac117be6d43f6ff189b692e1 |
| SHA512 | 1422510a48cec8b0bb1512cb65483d89f67690ed145068b860abe8d1c7da8ea23e0b090529579bb1c3880593ccb00b5c831158139bf0b68e71e5007d0a8f099c |
C:\Windows\system\wxjuXGo.exe
| MD5 | 31b67c1c7bfa7b6026808e44893bd3ea |
| SHA1 | c2187c3ba293e82a38bc017a4e425852ec153402 |
| SHA256 | 3c8719349e2996189ba04cbeed1c0aef3e759e7cbc864730a7d3de268a43f0db |
| SHA512 | 250566d5262fd433c295d7ed87c19462627d2c62589d3fb87b7c3ed37b06e99e4b1613ae9f269d45471f6784b2cb385b7a679d8c6605cb0ba38504601e2e3652 |
\Windows\system\wxjuXGo.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
\Windows\system\LRjiapD.exe
| MD5 | 9b88120cf45e96345698c7bc66eb6abb |
| SHA1 | 5871cc0c4a7af51e97e7723cfa547bbe2be88ad4 |
| SHA256 | 982212cb1bdcbf5c8b4f4c1024ddec0a817499d9fdab0b36337a7d2ba5ae950c |
| SHA512 | 2399f06496b14dc67abc5e81df5150a50d560614089c11933b7d6782770f2d9c4a7f37c9accdb70f4b789c25d9bde163e66d2115faa04eefb05923e9363bd30b |
C:\Windows\system\hwwtTQh.exe
| MD5 | e5a6b64b4f4ffb59732dcfe28154f1af |
| SHA1 | f405db156278f4f4ae2a9bca5f292cf6eee73688 |
| SHA256 | dcca2253e91110eeb93a1f7c23eb3d81ae632d4bc407458639aef90c0339e481 |
| SHA512 | cb782cf390e011896dd2a5132fd7ebd063bb5b4f71b9345263808a2b4582a3adc5a42fa0d35dfd0207ef98e01fb6fb980ad1773cd996a8615f5e11fa1a531740 |
C:\Windows\system\tpCybaX.exe
| MD5 | e2b818524d2f9ebf15b9d03382aaaba5 |
| SHA1 | e18240526782fb75f232c853b6533dcfddbe9558 |
| SHA256 | b1593426a906e2abf19069c45649c2bbb3d5d425de6674482a0dc4da7a527dd8 |
| SHA512 | 9e62acd8d7836e4817d26e802ec71ce22bfe577d5eb0023e0775901cf5a80d0b1ad03517476d948cd973036363313fd1007ad6eac9c831bc001a4a8a2ca5e4c2 |
memory/2192-135-0x0000000002250000-0x00000000025A4000-memory.dmp
memory/1468-134-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2192-136-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2192-137-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2192-138-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2192-139-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/1788-140-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2984-141-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2476-142-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2644-143-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2748-144-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2692-145-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2420-146-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2500-147-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2396-148-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/1516-149-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2432-150-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2636-151-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2828-152-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1468-153-0x000000013FE50000-0x00000001401A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:25
Reported
2024-06-01 03:28
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dvAceVL.exe | N/A |
| N/A | N/A | C:\Windows\System\SZNuhgv.exe | N/A |
| N/A | N/A | C:\Windows\System\BDrigul.exe | N/A |
| N/A | N/A | C:\Windows\System\wdhuEVh.exe | N/A |
| N/A | N/A | C:\Windows\System\ZosOPSP.exe | N/A |
| N/A | N/A | C:\Windows\System\LdhyKfA.exe | N/A |
| N/A | N/A | C:\Windows\System\cfsGVLa.exe | N/A |
| N/A | N/A | C:\Windows\System\EuFHLuL.exe | N/A |
| N/A | N/A | C:\Windows\System\AmRGzdi.exe | N/A |
| N/A | N/A | C:\Windows\System\VLeAzkA.exe | N/A |
| N/A | N/A | C:\Windows\System\RXZimIm.exe | N/A |
| N/A | N/A | C:\Windows\System\spiXuUy.exe | N/A |
| N/A | N/A | C:\Windows\System\MMndVmC.exe | N/A |
| N/A | N/A | C:\Windows\System\cATIdwp.exe | N/A |
| N/A | N/A | C:\Windows\System\fLVjQHx.exe | N/A |
| N/A | N/A | C:\Windows\System\vTpbbmd.exe | N/A |
| N/A | N/A | C:\Windows\System\qdbRvzM.exe | N/A |
| N/A | N/A | C:\Windows\System\bmmIQcS.exe | N/A |
| N/A | N/A | C:\Windows\System\qtbxsDm.exe | N/A |
| N/A | N/A | C:\Windows\System\JegVldD.exe | N/A |
| N/A | N/A | C:\Windows\System\kknksJp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_b6fa1c3ee28b5260a78f487f754b25fe_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dvAceVL.exe | C:\Windows\System\dvAceVL.exe |
| C:\Windows\System\SZNuhgv.exe | C:\Windows\System\SZNuhgv.exe |
| C:\Windows\System\BDrigul.exe | C:\Windows\System\BDrigul.exe |
| C:\Windows\System\wdhuEVh.exe | C:\Windows\System\wdhuEVh.exe |
| C:\Windows\System\ZosOPSP.exe | C:\Windows\System\ZosOPSP.exe |
| C:\Windows\System\LdhyKfA.exe | C:\Windows\System\LdhyKfA.exe |
| C:\Windows\System\cfsGVLa.exe | C:\Windows\System\cfsGVLa.exe |
| C:\Windows\System\EuFHLuL.exe | C:\Windows\System\EuFHLuL.exe |
| C:\Windows\System\AmRGzdi.exe | C:\Windows\System\AmRGzdi.exe |
| C:\Windows\System\VLeAzkA.exe | C:\Windows\System\VLeAzkA.exe |
| C:\Windows\System\RXZimIm.exe | C:\Windows\System\RXZimIm.exe |
| C:\Windows\System\spiXuUy.exe | C:\Windows\System\spiXuUy.exe |
| C:\Windows\System\MMndVmC.exe | C:\Windows\System\MMndVmC.exe |
| C:\Windows\System\cATIdwp.exe | C:\Windows\System\cATIdwp.exe |
| C:\Windows\System\fLVjQHx.exe | C:\Windows\System\fLVjQHx.exe |
| C:\Windows\System\vTpbbmd.exe | C:\Windows\System\vTpbbmd.exe |
| C:\Windows\System\qdbRvzM.exe | C:\Windows\System\qdbRvzM.exe |
| C:\Windows\System\bmmIQcS.exe | C:\Windows\System\bmmIQcS.exe |
| C:\Windows\System\qtbxsDm.exe | C:\Windows\System\qtbxsDm.exe |
| C:\Windows\System\JegVldD.exe | C:\Windows\System\JegVldD.exe |
| C:\Windows\System\kknksJp.exe | C:\Windows\System\kknksJp.exe |
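Every one of the 21 dropped executables above is a seven-letter random name written directly into C:\Windows\System, the legacy 16-bit directory that legitimate software almost never writes to. The following is an added hunting example, not part of the sandbox report and not code from the sample: it derives a path pattern from the list above, checks that the pattern covers all 21 drops and none of the System32 decoys, and runs it over constructed Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) records. The log lines, the `sample.exe` parent name and the key=value record layout are all constructed for the example; the report does not say which process wrote which file.

```python
import re

# The 21 dropped executables from the Processes list above (the parent sample is
# left out; it lives under the user's Temp directory, not under C:\Windows\System).
DROPPED = [
    r"C:\Windows\System\dvAceVL.exe", r"C:\Windows\System\SZNuhgv.exe",
    r"C:\Windows\System\BDrigul.exe", r"C:\Windows\System\wdhuEVh.exe",
    r"C:\Windows\System\ZosOPSP.exe", r"C:\Windows\System\LdhyKfA.exe",
    r"C:\Windows\System\cfsGVLa.exe", r"C:\Windows\System\EuFHLuL.exe",
    r"C:\Windows\System\AmRGzdi.exe", r"C:\Windows\System\VLeAzkA.exe",
    r"C:\Windows\System\RXZimIm.exe", r"C:\Windows\System\spiXuUy.exe",
    r"C:\Windows\System\MMndVmC.exe", r"C:\Windows\System\cATIdwp.exe",
    r"C:\Windows\System\fLVjQHx.exe", r"C:\Windows\System\vTpbbmd.exe",
    r"C:\Windows\System\qdbRvzM.exe", r"C:\Windows\System\bmmIQcS.exe",
    r"C:\Windows\System\qtbxsDm.exe", r"C:\Windows\System\JegVldD.exe",
    r"C:\Windows\System\kknksJp.exe",
]

# Hunt pattern derived from that list: an .exe whose stem is exactly seven ASCII
# letters, written directly into C:\Windows\System (the legacy 16-bit directory,
# distinct from System32/SysWOW64). Anchored on both ends so System32 paths and
# longer or shorter names do not match.
DROP_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$")

def is_drop_path(path):
    """True if a (possibly quoted) path matches the drop-location pattern."""
    return DROP_RE.match(path.strip().strip('"')) is not None

# Constructed Sysmon-style records (not from the sandbox report): one key=value
# record per line. EventID 11 = FileCreate, EventID 1 = ProcessCreate. The
# System32 lines are decoys showing the pattern stays quiet on normal activity.
SAMPLE_LOG = r"""
EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\sample.exe TargetFilename=C:\Windows\System\dvAceVL.exe
EventID=1 Image=C:\Windows\System\dvAceVL.exe ParentImage=C:\Users\Admin\AppData\Local\Temp\sample.exe
EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\System32\Tasks\Update.job
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe
EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\sample.exe TargetFilename=C:\Windows\System\SZNuhgv.exe
EventID=1 Image=C:\Windows\System\SZNuhgv.exe ParentImage=C:\Users\Admin\AppData\Local\Temp\sample.exe
EventID=1 Image=C:\Windows\System32\abcdefg.exe ParentImage=C:\Windows\explorer.exe
"""

def parse_record(line):
    """Split 'k=v k=v ...' into a dict; the constructed values contain no spaces."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def hunt(log_text):
    """Return (kind, path, actor) for every record that creates or executes a
    file at a drop-pattern path. kind is 'drop' (FileCreate) or 'exec'
    (ProcessCreate); actor is the writing image or the parent image."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        eid = rec.get("EventID")
        if eid == "11" and is_drop_path(rec.get("TargetFilename", "")):
            hits.append(("drop", rec["TargetFilename"], rec.get("Image", "")))
        elif eid == "1" and is_drop_path(rec.get("Image", "")):
            hits.append(("exec", rec["Image"], rec.get("ParentImage", "")))
    return hits

if __name__ == "__main__":
    for kind, path, actor in hunt(SAMPLE_LOG):
        print(f"{kind:4s} {path}  <- {actor}")
```

The pattern is deliberately narrow (exact directory, exact stem length) so it can run as a high-confidence alert rather than a noisy one; the same regex works unchanged as a Sysmon `TargetFilename`/`Image` condition or an EDR file-path query. Pair it with the SeLockMemoryPrivilege tell above to catch both the drop and the mining stage.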
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
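The table mixes two very different things: reverse-DNS (PTR) queries for `in-addr.arpa` names, which only reveal that the VM asked what some address is called, and repeated TCP connections to one endpoint. The following added example (not code from the report or the sample) parses the rows above, turns each PTR name back into the address it asks about (the octets are stored in reverse order, so `58.55.71.13.in-addr.arpa` is a lookup for 13.71.55.58), and counts the real connections per endpoint. The row tuples are copied from the table; the function names are the example's own.

```python
import re
from collections import Counter

# The rows of the Network table above, as (country, destination, domain, proto).
# The DE rows carry no domain: they are plain TCP connections, not DNS lookups.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "73.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "25.24.18.2.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "31.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "16.24.18.2.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "175.117.168.52.in-addr.arpa", "udp"),
]

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)

def ptr_to_ip(name):
    """Recover the IPv4 address a reverse-DNS (PTR) query name asks about.
    in-addr.arpa names carry the octets in reverse order, so
    58.55.71.13.in-addr.arpa is a lookup for 13.71.55.58.
    Returns None for names that are not well-formed IPv4 PTR names."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in reversed(octets))

def split_endpoint(dest):
    """'host:port' -> (host, port); rpartition keeps this safe for hosts with colons."""
    host, _, port = dest.rpartition(":")
    return host, int(port)

def summarize(rows):
    """Separate PTR lookups (the host asking what an address is called) from the
    connections the sample actually made, counting repeats per endpoint."""
    ptr_targets = []
    connections = Counter()
    for country, dest, domain, proto in rows:
        host, port = split_endpoint(dest)
        if proto == "udp" and port == 53:
            ip = ptr_to_ip(domain)
            if ip is not None:
                ptr_targets.append(ip)
            continue
        connections[(host, port, proto, country)] += 1
    return {"ptr_targets": ptr_targets, "connections": dict(connections)}

if __name__ == "__main__":
    result = summarize(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(result["ptr_targets"]))
    for (host, port, proto, cc), n in result["connections"].items():
        print(f"{proto} {host}:{port} ({cc}) x{n}")
```

Run against the table, the PTR names reverse to addresses such as 13.71.55.58, 40.126.31.73 and 52.183.220.149; the report attributes none of them to the sample, and PTR chatter of this kind is what a Windows VM produces on its own. The only endpoint the sample connects to is 3.120.209.58:8080 over TCP, six times in the run, with no A-record lookup before it, so the address is hard-coded. That socket, not the PTR names, is the indicator worth pivoting on.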
Files
memory/4956-0-0x00007FF766CE0000-0x00007FF767034000-memory.dmp
memory/4956-1-0x0000025336B40000-0x0000025336B50000-memory.dmp
C:\Windows\System\dvAceVL.exe
| MD5 | c8967f0ab5751bff25d3f4d228294c60 |
| SHA1 | 11eaa63b7cc49ceadd9ba09fcbda48ea2a73f3ee |
| SHA256 | 4e7b446006b062aa09eb8a515249f084cf2004dab86c6ad25f855eda40fe9756 |
| SHA512 | aef7f14e261112fb06e7b7fbc6a3410cefed8547a31162c88d66305015f8c0d474d3607996e8b7d87305fef001d0a9b11d97c2360c86594f7c63793c73421b3c |
C:\Windows\System\SZNuhgv.exe
| MD5 | 5d2f847875421a8530038173da21d1ef |
| SHA1 | 8237ddb43f5b165613c64573e4e967df6bff5911 |
| SHA256 | 82c5b98b4d5734d69f771dd3eb36546ceea24f3302ae6b294617bfc6aa9d8ecf |
| SHA512 | dbcf0573db2d81475acb7d3d7e1a5f324975cb7ff1a7619362ecc2e1ad3f60e029516e55c59e8580776541ce299e022770d21e9205f97c3bb8d492fae3680670 |
C:\Windows\System\BDrigul.exe
| MD5 | 5c31c0f89406daddadb45e7a3c732862 |
| SHA1 | 6b6edfb5434b113a376f708908798ad3c5d294d8 |
| SHA256 | a5fedd61ee1df8848725ae894314624b81f05ead7fda60b9cb1d89ed9552555b |
| SHA512 | 32e025d02acac72d6ca94670d37d140f9ce4861922545f086b0c4fe8b4f1b4a6a7f54edfa9198ebcb7c01aedbdbd1a8c5224a73d5e213401f681b64412d662f5 |
memory/2676-13-0x00007FF7BDC90000-0x00007FF7BDFE4000-memory.dmp
C:\Windows\System\wdhuEVh.exe
| MD5 | 73ed291de9072c3aabbc86d91e124631 |
| SHA1 | f923e621f51a41d8da140373a0ad9edc3e096982 |
| SHA256 | c2d6f38c46a002453826011e7e5f53451c5b6f94b811ea6e4d2906ef7513c62c |
| SHA512 | b374113bb989666e95bb4cd277f7b1a79032ebc6712c859e75b73b923390cda3ec77f3d6981320a5948459c1e2ad46c6657a3b3949d2eee8991d59fbbc843440 |
memory/2732-22-0x00007FF6B62D0000-0x00007FF6B6624000-memory.dmp
C:\Windows\System\ZosOPSP.exe
| MD5 | 497455450f66f30885574e1b346c2307 |
| SHA1 | 203e4d46ec4535995494f7b75015123a71386abf |
| SHA256 | 35bbc052728b3d0ba8ccbe7382f012f6b0cb5b711f0da9d7efd350fbf55a25f6 |
| SHA512 | 3bef8029b8d8321c95f7c210cffe86d6b04e143fa6f3b5c549b2068ce0503702773c2228d2fdbdc84a42fa8f28299068036c80e415111847f6c27b0c7bda66f4 |
memory/1532-30-0x00007FF670CB0000-0x00007FF671004000-memory.dmp
C:\Windows\System\LdhyKfA.exe
| MD5 | bcf03d1dbefdcddf72a92cb56e04f80e |
| SHA1 | c4c0678ffe391d6848e988b0aaf89036abd94593 |
| SHA256 | dc2e82bfedce02ae8310cc0e4c258234e0b19ff3a3f3aa74b8252d7ed444ea97 |
| SHA512 | 91e25005debfb2d5d6215ec943bedb14bee9e3d4f0ac0575c799a81940d11b223e2b82bc02f71fc3a4f0ea18f284d2bce4545a01be7c0eb2c9f928354858edb4 |
memory/5056-37-0x00007FF65A0B0000-0x00007FF65A404000-memory.dmp
C:\Windows\System\EuFHLuL.exe
| MD5 | 7558c3c33e8c8aefa79efd9dd8ebb92c |
| SHA1 | 7b74db3449de840268fa88da577d28be3339be76 |
| SHA256 | bbed0bb7b45361cefde9bd55505e08b6d87efe7fac9669561a48dbd66d821e8e |
| SHA512 | 275ef17eda83d2c1e0619595bf1bf4d8dbba8dbce45e358012ed421c0f6e2e3fbe67c3f66144b9e267c886a8650c2a58b6c7b188c4fe2e5cfb6b245ca2a114f1 |
C:\Windows\System\AmRGzdi.exe
| MD5 | 89debde7d60dd6fd5411dcf6dbdd919a |
| SHA1 | 7f0b30048f5ac2d9509065c4a38de3da5c29f1d2 |
| SHA256 | b08d619db0176fa63dbc5b4a744e3391689c913d9ac303741cc67a129d2d213d |
| SHA512 | 033c3c70e4c2dd236bcac3615a0a5a0d6e5441d77e4fc52ae476c46d052447c853c35606686e18f88d41425a9e46af7c95968a5884ceb675bbdee0c6b47be8ae |
C:\Windows\System\cfsGVLa.exe
| MD5 | ea7c89df6ac79dc2b54e634d660ef4dd |
| SHA1 | a028e244474e0cecbfaec531026c3c6a95a7c643 |
| SHA256 | 2d1277edcdb7fc31ae0336da9cff08ec4b7170843c676913510ddf7248acfcde |
| SHA512 | f6a15cc9f46feb44817049cf2610e8fc65db73168b7837d9c3844841507c4a82ffdb458003c9b32df531bf3e3434f181f5f89930f14a91ac01246d0860db42da |
C:\Windows\System\VLeAzkA.exe
| MD5 | 21864a6cc2f95c7adae014750cde67b4 |
| SHA1 | a5f6595b25b0b637cd7fe725a7fbd245f4cbe0a6 |
| SHA256 | 7c034a9c9a5bacdd2893e7241c2a557875117a03c47aecbc08d1e0a2938f5102 |
| SHA512 | 7f14d0ac73ee4c65921d82b50060b1a16128f90c37febe461d7e20bd403e5d550a452242936ef3e5bca8dfdbf91d3d8e836ae7c2c0b19845f71d1c3e31eddc0a |
C:\Windows\System\RXZimIm.exe
| MD5 | b253d527f8c6b285643a3ed0a5aeca65 |
| SHA1 | 19909de808d49fea46cc03f272f0bc7d6cb55b56 |
| SHA256 | 52911bab97cb393debd1a863ef3a122444823c71c9ac3f1508cf7bc3c1cb4352 |
| SHA512 | e3f63225ea7202b156ca774727ce5af9df200d16f5b7a398bf9443f8f1080bfa67d4677c790620ab894b95d544406e0cf5705eae6257c49f5479690be295cb5a |
C:\Windows\System\spiXuUy.exe
| MD5 | 0dfd80798b23f76e16c7ed48e85f3af3 |
| SHA1 | 6d3f478dbfa979ee095bb8d8f85a4eb84db173ed |
| SHA256 | feedb9f30c1e7ad3a0370e59a75178e4028fe83f62abd4b076316a0988900746 |
| SHA512 | f6bb95607647958bc18e333c2fe1d1349ddf85efc6a2450932fd84517539474b2ddbf2854f9a02baaec0e8997f4c6f8eb1cd41b4ca4186e8fb96c318d518a449 |
memory/1972-72-0x00007FF68E880000-0x00007FF68EBD4000-memory.dmp
memory/4712-71-0x00007FF75E970000-0x00007FF75ECC4000-memory.dmp
memory/3180-68-0x00007FF6FEFB0000-0x00007FF6FF304000-memory.dmp
memory/4576-54-0x00007FF6A94E0000-0x00007FF6A9834000-memory.dmp
memory/628-49-0x00007FF681930000-0x00007FF681C84000-memory.dmp
memory/3812-45-0x00007FF65D660000-0x00007FF65D9B4000-memory.dmp
memory/4348-28-0x00007FF6A3600000-0x00007FF6A3954000-memory.dmp
memory/3540-9-0x00007FF658CD0000-0x00007FF659024000-memory.dmp
memory/4956-80-0x00007FF766CE0000-0x00007FF767034000-memory.dmp
C:\Windows\System\cATIdwp.exe
| MD5 | 4b6f9f4b8206e215a671c5a8cf4c7263 |
| SHA1 | 990c5d915f32824cd02fc9300d3ea433510578d7 |
| SHA256 | 6329206d8ed3a4c71d4057ed5b87e86b43bf62fa31b7615fb452d07f0f5a2285 |
| SHA512 | b3b3d413d34b31c9bb56fb6f483fa38a875c84245237205b3cd5d2f2f3e0845aee24306a754ffdb3dbb80278a9eb339d78cf78b7e10db80d1a967bb73bc6f542 |
memory/3540-87-0x00007FF658CD0000-0x00007FF659024000-memory.dmp
C:\Windows\System\fLVjQHx.exe
| MD5 | ede3237c377b4b72a9780525d106d95c |
| SHA1 | 072c67ecb058ab14a44a778d20ef44ee4d63a26d |
| SHA256 | 3255061675375c00f04eef9f495c9d802c2d03f1edcf0baad3d2af8c3d10d221 |
| SHA512 | f199e11064b9374fc31088759bde592a2481b746f12ad64859c0fff47f9d4bf9df080d597deaa2698e64c64c45382c987321d4ffdae37a4dcda9bead1d3ee2cc |
C:\Windows\System\vTpbbmd.exe
| MD5 | bbfc253e2472be1c43dbc720fe957025 |
| SHA1 | 39ae18397ffaa6050d20513a9af6b8935b5074ec |
| SHA256 | d86c964fe65979dc00a7efac89bcc574715506ecbd105b442adf7265251c6ec6 |
| SHA512 | 64fa1b87e758976f5f0e4b6b337728725922378d5e3a31181e6d07aaf636f8db18012977387211fe0ce7d730c7930dcb81dc751bf1a9b427f967465645dc4aff |
C:\Windows\System\qdbRvzM.exe
| MD5 | 8fd3908774ff69351e792bbaecffb2dd |
| SHA1 | 6b3f636f24b408042aa5c17c788cade5e24dbdae |
| SHA256 | 941b35b3f8c6f39f51ac5fe3b6ee44d450242416708210ae14c18a336196a655 |
| SHA512 | 03dad71b1eea139cceadc5e351e82c0428e7bfdc9cd4410363868006d4a384ced5ec54b6c15319067d13ecf170ae4df929ddca9ff35aa6ab7fafef7504018bed |
C:\Windows\System\qtbxsDm.exe
| MD5 | 36a7cb47750d5080e7a2b14fd6801b72 |
| SHA1 | 8261211d8e6f193d0c024c0885723d7b4ad244c4 |
| SHA256 | 06ab7d395ef048ef76ee7afbc9bfd76d1ebacc7297a37c3b7c90f3977ac03cd0 |
| SHA512 | 6fb2011f61ac67e487e308335dbcf03af2758be402d3a84ccf914c065f531b0c853f7f4f1eda4d8d4ade1167038f1a9496e967f79f01c4bc1fd4cc77b0d0e950 |
C:\Windows\System\kknksJp.exe
| MD5 | 0c4247defe2a09f927d85f740547ba9d |
| SHA1 | e902ba1cee0f590b2905432637f3cbe32df04490 |
| SHA256 | 81da9d2efac23b5b6460c85efc4084e3eb35d6bbf892d11c88699d53f15c47c1 |
| SHA512 | 3f293fae6d81ba1e7fa7249e59a263dffd472dc3caa274d50024f7d8fb5b3ad3ee2d3a4c37cacfaacf27127019896cede949c42edb51cb89fcf4605555c891cc |
C:\Windows\System\JegVldD.exe
| MD5 | 900257e817f1ec41a62048228862b5f2 |
| SHA1 | 883d368a85d72ce6b8269e86951ee19a619e7577 |
| SHA256 | 0edc35816325e82b09d9080959076d6363ad2ba40a6f32ac34786c31bd5257bb |
| SHA512 | a5977c147baf2fdb7a7abbaa416eb8d228cf8ef61a5746f75c8a385e3a6b2c914cb76bb6533b18e2c176a4f91e7551282254d33f9d13fb957bd9e4a1f19cc563 |
C:\Windows\System\bmmIQcS.exe
| MD5 | d25eb3ee95d0450158d37f017cbe16cf |
| SHA1 | 6abbf267d3c59b9dc8410ae23790cdb1058051ac |
| SHA256 | 2b5d95f8347af4330fc64c9b5faff9233f0cb9d57e7af7bb994da56e58404e7a |
| SHA512 | e7646106436720a7c8664fa089280c81cae744e6a6d1a0b5a8f144557621ff524b87fa44860b7d9480fca5d9fd17e1d61279a74a7bd50724de1058d2c3789f78 |
memory/3464-108-0x00007FF60C6A0000-0x00007FF60C9F4000-memory.dmp
memory/1532-105-0x00007FF670CB0000-0x00007FF671004000-memory.dmp
memory/4208-104-0x00007FF6F5CB0000-0x00007FF6F6004000-memory.dmp
memory/2732-101-0x00007FF6B62D0000-0x00007FF6B6624000-memory.dmp
memory/516-99-0x00007FF61CD80000-0x00007FF61D0D4000-memory.dmp
memory/4348-95-0x00007FF6A3600000-0x00007FF6A3954000-memory.dmp
memory/2676-94-0x00007FF7BDC90000-0x00007FF7BDFE4000-memory.dmp
memory/4268-91-0x00007FF6C2350000-0x00007FF6C26A4000-memory.dmp
memory/3204-81-0x00007FF7FAD10000-0x00007FF7FB064000-memory.dmp
C:\Windows\System\MMndVmC.exe
| MD5 | fa8052a1c0ed7203ee28127050816e1b |
| SHA1 | c6a8259e64f2c534c3a89e8d0d9d35d108891604 |
| SHA256 | 0f917284376c76f8dbc23daf85b9d29e47c01f94c655a619b7124adafda373a9 |
| SHA512 | 4921652d6465931613a45ecb4e75af57c154c4dfd16c78b0358306781b6281e5514622fb7bf821b0085ed63ebe4b5f55fac383c86c293a9c6efd65879ad20cdc |
memory/628-132-0x00007FF681930000-0x00007FF681C84000-memory.dmp
memory/5020-133-0x00007FF718C20000-0x00007FF718F74000-memory.dmp
memory/1608-134-0x00007FF746080000-0x00007FF7463D4000-memory.dmp
memory/3948-136-0x00007FF79A170000-0x00007FF79A4C4000-memory.dmp
memory/212-135-0x00007FF604CC0000-0x00007FF605014000-memory.dmp
memory/3812-131-0x00007FF65D660000-0x00007FF65D9B4000-memory.dmp
memory/5056-130-0x00007FF65A0B0000-0x00007FF65A404000-memory.dmp
memory/4576-137-0x00007FF6A94E0000-0x00007FF6A9834000-memory.dmp
memory/4712-138-0x00007FF75E970000-0x00007FF75ECC4000-memory.dmp
memory/1972-139-0x00007FF68E880000-0x00007FF68EBD4000-memory.dmp
memory/4208-140-0x00007FF6F5CB0000-0x00007FF6F6004000-memory.dmp
memory/3464-141-0x00007FF60C6A0000-0x00007FF60C9F4000-memory.dmp
memory/3540-142-0x00007FF658CD0000-0x00007FF659024000-memory.dmp
memory/2676-143-0x00007FF7BDC90000-0x00007FF7BDFE4000-memory.dmp
memory/4348-144-0x00007FF6A3600000-0x00007FF6A3954000-memory.dmp
memory/2732-145-0x00007FF6B62D0000-0x00007FF6B6624000-memory.dmp
memory/1532-146-0x00007FF670CB0000-0x00007FF671004000-memory.dmp
memory/5056-147-0x00007FF65A0B0000-0x00007FF65A404000-memory.dmp
memory/3812-148-0x00007FF65D660000-0x00007FF65D9B4000-memory.dmp
memory/628-149-0x00007FF681930000-0x00007FF681C84000-memory.dmp
memory/3180-150-0x00007FF6FEFB0000-0x00007FF6FF304000-memory.dmp
memory/4576-151-0x00007FF6A94E0000-0x00007FF6A9834000-memory.dmp
memory/4712-152-0x00007FF75E970000-0x00007FF75ECC4000-memory.dmp
memory/1972-153-0x00007FF68E880000-0x00007FF68EBD4000-memory.dmp
memory/3204-154-0x00007FF7FAD10000-0x00007FF7FB064000-memory.dmp
memory/4268-155-0x00007FF6C2350000-0x00007FF6C26A4000-memory.dmp
memory/516-156-0x00007FF61CD80000-0x00007FF61D0D4000-memory.dmp
memory/4208-157-0x00007FF6F5CB0000-0x00007FF6F6004000-memory.dmp
memory/5020-159-0x00007FF718C20000-0x00007FF718F74000-memory.dmp
memory/3464-158-0x00007FF60C6A0000-0x00007FF60C9F4000-memory.dmp
memory/3948-162-0x00007FF79A170000-0x00007FF79A4C4000-memory.dmp
memory/212-160-0x00007FF604CC0000-0x00007FF605014000-memory.dmp
memory/1608-161-0x00007FF746080000-0x00007FF7463D4000-memory.dmp
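The memory-dump names above follow `memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp`, and the ranges carry information the report never states outright: every large region is exactly 0x354000 bytes, mapped at a different 0x7FF6/0x7FF7 base in each of the 22 PIDs (the address range where 64-bit images land under high-entropy ASLR), while the 21 on-disk drops all hash differently. The page does not give the dump contents, so whether the differently-hashed drops unpack to byte-identical images cannot be checked here, but identical image size across every process is consistent with one payload re-packed per drop, which fits the UPX and dump-on-OEP signatures. The following added example (not code from the report) parses a subset of the dump names, collapses repeated dumps of the same range, and separates image-sized regions from small data regions; the 1 MiB threshold and the function names are the example's own choices.

```python
import re
from collections import defaultdict

# Memory-dump names from the Files section above. This is a subset; the full
# list has one or more dumps for each of the 22 PIDs in the run.
DUMPS = [
    "memory/4956-0-0x00007FF766CE0000-0x00007FF767034000-memory.dmp",
    "memory/4956-1-0x0000025336B40000-0x0000025336B50000-memory.dmp",
    "memory/3540-9-0x00007FF658CD0000-0x00007FF659024000-memory.dmp",
    "memory/2676-13-0x00007FF7BDC90000-0x00007FF7BDFE4000-memory.dmp",
    "memory/2732-22-0x00007FF6B62D0000-0x00007FF6B6624000-memory.dmp",
    "memory/1532-30-0x00007FF670CB0000-0x00007FF671004000-memory.dmp",
    "memory/4956-80-0x00007FF766CE0000-0x00007FF767034000-memory.dmp",
    "memory/3540-87-0x00007FF658CD0000-0x00007FF659024000-memory.dmp",
    "memory/2676-94-0x00007FF7BDC90000-0x00007FF7BDFE4000-memory.dmp",
    "memory/212-135-0x00007FF604CC0000-0x00007FF605014000-memory.dmp",
]

# memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_dump_name(name):
    """Parse one dump name into pid, dump index, start, end and size (bytes).
    Returns None for names that do not follow the sandbox's layout."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        return None
    return {"pid": int(pid), "index": int(idx),
            "start": start, "end": end, "size": end - start}

def regions_by_pid(names):
    """{pid: {(start, end): size}}. The same range dumped again later in the run
    (for example 4956-0 and 4956-80) collapses to a single entry."""
    out = defaultdict(dict)
    for n in names:
        d = parse_dump_name(n)
        if d is not None:
            out[d["pid"]][(d["start"], d["end"])] = d["size"]
    return dict(out)

def image_sizes(names, min_size=0x100000):
    """Distinct sizes of the large regions, i.e. the mapped executable images.
    Regions below min_size (1 MiB by this example's choice), such as the 64 KiB
    one in PID 4956, are heap or data rather than the image."""
    return {size for regs in regions_by_pid(names).values()
            for size in regs.values() if size >= min_size}

if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        for (s, e), size in sorted(regs.items()):
            print(f"pid {pid:5d}  0x{s:016X}-0x{e:016X}  {size:#x}")
    print("image sizes:", {hex(s) for s in image_sizes(DUMPS)})
```

With the complete list from the Files section the image-size set is still the single value 0x354000. When the dumps themselves are available, hashing each image region after normalising its relocations is the next step: identical hashes would confirm that the 21 drops are one packed payload rather than 21 builds.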