Analysis Overview
SHA256
0a3bc85494ca8b965809a2f66e561e7408ee221018b84b35d3dcaacedbd68be8
Threat Level: Known bad
The file 2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
xmrig
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 23:26
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 23:26
Reported
2024-05-29 23:29
Platform
win7-20240215-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MnvECHm.exe | N/A |
| N/A | N/A | C:\Windows\System\xerWHfg.exe | N/A |
| N/A | N/A | C:\Windows\System\MaFkiLG.exe | N/A |
| N/A | N/A | C:\Windows\System\gWjGfra.exe | N/A |
| N/A | N/A | C:\Windows\System\rqOzfbj.exe | N/A |
| N/A | N/A | C:\Windows\System\ybjboAA.exe | N/A |
| N/A | N/A | C:\Windows\System\CusqdIE.exe | N/A |
| N/A | N/A | C:\Windows\System\vEQXKgX.exe | N/A |
| N/A | N/A | C:\Windows\System\ovUTmZI.exe | N/A |
| N/A | N/A | C:\Windows\System\bLmJiAC.exe | N/A |
| N/A | N/A | C:\Windows\System\wOKqZIa.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbBxvEh.exe | N/A |
| N/A | N/A | C:\Windows\System\zMWeGFl.exe | N/A |
| N/A | N/A | C:\Windows\System\mgzfuox.exe | N/A |
| N/A | N/A | C:\Windows\System\ROnOsuy.exe | N/A |
| N/A | N/A | C:\Windows\System\oNdNLbC.exe | N/A |
| N/A | N/A | C:\Windows\System\xkkNkxz.exe | N/A |
| N/A | N/A | C:\Windows\System\EEBdJPW.exe | N/A |
| N/A | N/A | C:\Windows\System\gXAAFkQ.exe | N/A |
| N/A | N/A | C:\Windows\System\sUVdhGi.exe | N/A |
| N/A | N/A | C:\Windows\System\SJOpNxI.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MnvECHm.exe
C:\Windows\System\xerWHfg.exe
C:\Windows\System\gWjGfra.exe
C:\Windows\System\MaFkiLG.exe
C:\Windows\System\rqOzfbj.exe
C:\Windows\System\ybjboAA.exe
C:\Windows\System\CusqdIE.exe
C:\Windows\System\vEQXKgX.exe
C:\Windows\System\ovUTmZI.exe
C:\Windows\System\wOKqZIa.exe
C:\Windows\System\bLmJiAC.exe
C:\Windows\System\ROnOsuy.exe
C:\Windows\System\ZbBxvEh.exe
C:\Windows\System\oNdNLbC.exe
C:\Windows\System\zMWeGFl.exe
C:\Windows\System\EEBdJPW.exe
C:\Windows\System\mgzfuox.exe
C:\Windows\System\gXAAFkQ.exe
C:\Windows\System\xkkNkxz.exe
C:\Windows\System\sUVdhGi.exe
C:\Windows\System\SJOpNxI.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 23:26
Reported
2024-05-29 23:29
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VkUCxjP.exe | N/A |
| N/A | N/A | C:\Windows\System\rfYeOYz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxdvWfr.exe | N/A |
| N/A | N/A | C:\Windows\System\uiqXsyX.exe | N/A |
| N/A | N/A | C:\Windows\System\vjFkrQb.exe | N/A |
| N/A | N/A | C:\Windows\System\NLXqmxt.exe | N/A |
| N/A | N/A | C:\Windows\System\gtbnxVY.exe | N/A |
| N/A | N/A | C:\Windows\System\zigLJvA.exe | N/A |
| N/A | N/A | C:\Windows\System\msDVnrG.exe | N/A |
| N/A | N/A | C:\Windows\System\vyBYAVJ.exe | N/A |
| N/A | N/A | C:\Windows\System\yCmXvdn.exe | N/A |
| N/A | N/A | C:\Windows\System\JhadslG.exe | N/A |
| N/A | N/A | C:\Windows\System\stxpLVz.exe | N/A |
| N/A | N/A | C:\Windows\System\VluBlJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\vpVXzph.exe | N/A |
| N/A | N/A | C:\Windows\System\nnKpnRW.exe | N/A |
| N/A | N/A | C:\Windows\System\ciYoQAv.exe | N/A |
| N/A | N/A | C:\Windows\System\fNgImyp.exe | N/A |
| N/A | N/A | C:\Windows\System\MZdzPJy.exe | N/A |
| N/A | N/A | C:\Windows\System\liTGOww.exe | N/A |
| N/A | N/A | C:\Windows\System\AqmycWP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_4fb8b6811c707d1b458143427a6cc2c9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VkUCxjP.exe
C:\Windows\System\rfYeOYz.exe
C:\Windows\System\ZxdvWfr.exe
C:\Windows\System\uiqXsyX.exe
C:\Windows\System\vjFkrQb.exe
C:\Windows\System\NLXqmxt.exe
C:\Windows\System\gtbnxVY.exe
C:\Windows\System\zigLJvA.exe
C:\Windows\System\msDVnrG.exe
C:\Windows\System\vyBYAVJ.exe
C:\Windows\System\yCmXvdn.exe
C:\Windows\System\JhadslG.exe
C:\Windows\System\stxpLVz.exe
C:\Windows\System\VluBlJJ.exe
C:\Windows\System\vpVXzph.exe
C:\Windows\System\nnKpnRW.exe
C:\Windows\System\ciYoQAv.exe
C:\Windows\System\fNgImyp.exe
C:\Windows\System\MZdzPJy.exe
C:\Windows\System\liTGOww.exe
C:\Windows\System\AqmycWP.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/3696-0-0x00007FF634290000-0x00007FF6345E4000-memory.dmp
memory/3696-1-0x0000018F743D0000-0x0000018F743E0000-memory.dmp
C:\Windows\System\VkUCxjP.exe
| MD5 | 4c38db6dfdadd06b922adf1ebfa4f027 |
| SHA1 | 10fd55d441a1a8537aab80600627405d79ac8f23 |
| SHA256 | 69b89d0516d81a445f13ae6901e54a7d6233079ba9df3a9cdbe7a73dbed2630a |
| SHA512 | b5e04a5d9e1073dea420eacda4fee57c9849b10afbe999c53006bdfed317fcb5eacd7fe9eabbe33d7e9cb292cf6768d7f3d1fce5bc388d7cb9b03846026b67a9 |
C:\Windows\System\VkUCxjP.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\System\rfYeOYz.exe
| MD5 | 35b1e62ef54c7bd66cee2b56d39be962 |
| SHA1 | b092ed64bdbcc29fe9cccbcfcf74f8894e1309ab |
| SHA256 | 7278d5fc5a788f4f462b35fe844435f2ea78dd2e8c2558c94df35eb75e6b9c57 |
| SHA512 | ce45e2bd0d41435f1b1fe6e2adcf65e89fcf54aebaf4ed3ef8fc05f2641ad4cdebb1a52b6958f7b82bbfe49b95e7352663b351967599a2aa54c92934a4b00a7b |
C:\Windows\System\ZxdvWfr.exe
| MD5 | 0963563d28ba47d8c0e8d0abb3d57a5f |
| SHA1 | e6c3a120fb6d5acdfbf89a0e42c44402c18f9964 |
| SHA256 | 0f0884d19e0f552e9cb2727b5512a5a2e262198dcb890385ee15de0850bc6148 |
| SHA512 | e7f96141fadf1dfed757a73d5f24ed07d6474fc2391b414fcaaa27c0d0bdeaf2e0fbb4f4a6aeddbd503c46f36c5bc42e24759783f064e2844062023568dbea95 |
memory/5092-20-0x00007FF7136C0000-0x00007FF713A14000-memory.dmp
C:\Windows\System\uiqXsyX.exe
| MD5 | cb02de4872003a2358976d18e269ea2d |
| SHA1 | 1b7a5720d65a0f79d0a0afaad8ac9af52cfd39fb |
| SHA256 | 134532abc3bd6ed219e691a70330024344b85dd775a7bb0e987f703af17f796a |
| SHA512 | 6b26852fbc135955ff5b6fbf660efbca7d393494aa6ff203145471f6ac671c9c755009ef4513bc21df7613777b96410c2983522fe015685ee12c02bc6abef40a |
C:\Windows\System\vjFkrQb.exe
| MD5 | 77c7c6c70a8bf7b31f15ad36d806d562 |
| SHA1 | ec29815efda0cbf74bc873a5b027e4a69b166d9c |
| SHA256 | 227fae4a52a859668aedf776757f932e5f07c4fee352ca5b005a68b6ce651003 |
| SHA512 | 9536a81956b2f8dbcfa77186fb3937d9927816c446ce18220c79f1f12718b4e0721b74ca0ad8ea526b4aabf7cefd15b534aa427ebe8794c3c54d461f60fa90a0 |
C:\Windows\System\NLXqmxt.exe
| MD5 | 281a17f80e4a189f045542c86441b37c |
| SHA1 | 6b5d422dc0efc95b6aef75aaac448ebbefda0cd7 |
| SHA256 | 9e6b9923d8d426be386b4d08f028b413158faabaa488f36850e8cc2c7f4e3b1c |
| SHA512 | bcdf84191c1d5bcd0a66376ab7ca7eaea1609eecae0554dc37aa1d9694a1d9f0ff66a979ce9831b02c0dd21c580b496dc5ca5d8106c45f8035cce019a7d14468 |
memory/4904-39-0x00007FF69BE80000-0x00007FF69C1D4000-memory.dmp
memory/1560-42-0x00007FF7C31A0000-0x00007FF7C34F4000-memory.dmp
C:\Windows\System\zigLJvA.exe
| MD5 | e2ba4394832f6afb8892a6cfc9c19b41 |
| SHA1 | ff9cf29849647ea076c6df44d5db1f25431fe55c |
| SHA256 | c2221f1f96b4a66c1814c9bd47b65523ffb4349fcaa65f3f8fe2ae791b9c1cf4 |
| SHA512 | 0d69e932096fda932b694a9534d6e977111f5bf25c380043bd9ccfb39d9aab9c876f54513eb9bb5167b6082f149d1bb91cfb59ab958e9c394853b44586641b64 |
C:\Windows\System\msDVnrG.exe
| MD5 | d83c263cee8cb52cf60f8589daeb3a3d |
| SHA1 | 73f0fdca219c8dfef17ae938aff3d190b483bc6b |
| SHA256 | 0dd61c117272ab7d58147c7616f3880baffa912cb0a1d53bd23b6f3745848f3c |
| SHA512 | 2bbc18462dd8c65db4592a0d4663892363bfc5f342c8007ca316e4e88cf7c8597da8e9105682020e9b4f3c4b687fdf909422f0d4a86e3fa4c94df7828eb2a58b |
C:\Windows\System\vyBYAVJ.exe
| MD5 | 224570d5e9ced5f1d73b15ca5c7d1ca0 |
| SHA1 | 4f061c022fbf440806438d47c545cf896d1f97ef |
| SHA256 | 2474bd0c66a46c28947395d649bac7504c4a93d8ae9dffce5e5756303350d6e1 |
| SHA512 | e557cec176aed5ecff219cb7feec8019b0e6df062c0973173699a785df314b3b748c05c3400e4178d4c0e5ad1c9fc8ac9a83fcefb5c256d51bf0e2a71c5b4ed2 |
memory/2452-61-0x00007FF6D56E0000-0x00007FF6D5A34000-memory.dmp
memory/3696-66-0x00007FF634290000-0x00007FF6345E4000-memory.dmp
C:\Windows\System\stxpLVz.exe
| MD5 | d10f1344c8763fb541d3806a071e575a |
| SHA1 | 9a6b19a276c5a96e9715d7fb5cefc5f425b39b37 |
| SHA256 | 180f267d1959fb453286beaee6587ed15f6ef02964c63d582b3e0b05f3591d0f |
| SHA512 | fda3e79a55847615234a54e4a39ed25c63bffff6e413011996dc610107ebeac85997200807fb513ea59c48f5838595b1ce3a54eac3eba32824d5c59fda16d063 |
memory/5092-93-0x00007FF7136C0000-0x00007FF713A14000-memory.dmp
C:\Windows\System\vpVXzph.exe
| MD5 | a66e4e946aca4d3e3e45a0b531c2f8e9 |
| SHA1 | 8d23347e247718715798d47f0878841549cd36d3 |
| SHA256 | b7890751a3dfddc235e236308e6dd8167da32aad1340b86d81250e6c54fe9014 |
| SHA512 | 7445335311be64cadc924a5cc42849ed13d9cfc3080ca670b9a7d33655c4377a7aa0c4caf55727497c326346c654149f4d4158bf6762dc43c842ca12a68c7eba |
memory/1608-94-0x00007FF6A60B0000-0x00007FF6A6404000-memory.dmp
C:\Windows\System\VluBlJJ.exe
| MD5 | 327965b950c05649b5684fb649a7acb4 |
| SHA1 | 61325ccfc3f34771a9f567e8050fb7546f781b37 |
| SHA256 | 0b345d41c5fcbab3b7bdf3f2a35e0df8b185d6336d3daf55c59b270f4d4224de |
| SHA512 | 016b4f5b9c2a1de107d2e24e3f7c64bd26ccca23ad6be5f914f76275667eedfb9a15a201e1f4e0c714d23d0154a10cc7e35d32c3d9791e96b490387622a7b6ef |
memory/1148-87-0x00007FF618A90000-0x00007FF618DE4000-memory.dmp
memory/1088-86-0x00007FF721A80000-0x00007FF721DD4000-memory.dmp
memory/1604-83-0x00007FF7D8CD0000-0x00007FF7D9024000-memory.dmp
memory/2296-78-0x00007FF740190000-0x00007FF7404E4000-memory.dmp
memory/2820-77-0x00007FF6A77E0000-0x00007FF6A7B34000-memory.dmp
memory/3384-74-0x00007FF6B0900000-0x00007FF6B0C54000-memory.dmp
C:\Windows\System\JhadslG.exe
| MD5 | ec36da25a783ab9307ef22197f2fe1d1 |
| SHA1 | 51de4ef83744d8a0fd5ea3613d155fa6c2a9a88f |
| SHA256 | 7a85c2a3f225cce9b11f912a5a0c793152d400273bbfb2a27c7e35391ecf2331 |
| SHA512 | 850e0bf37a27d9e3a8ea1569b4e9b158306068c348a2a334be5015337ce74edea37005dd0a40dbbebf3c101c9fed832edacd642752a0aeac88482e7e4a7e99ca |
C:\Windows\System\yCmXvdn.exe
| MD5 | 68743e34d443ff13041a9461f097b4fe |
| SHA1 | 8dd039597fd326162800aab60abd20e754017892 |
| SHA256 | 61910b86974accdfc072d87c2d1b12316fce4daf2b48f53ce276b4c73c16299e |
| SHA512 | a1a46d618db61cfd2b1445fc060e1397572aeb3ffe8db45f4df9b42aec941f04171e61a4e75f5d30a82ab8fb8cb974f708a05d77396f7991162372d52f8d641e |
memory/736-65-0x00007FF6B7C40000-0x00007FF6B7F94000-memory.dmp
memory/524-56-0x00007FF6E4290000-0x00007FF6E45E4000-memory.dmp
C:\Windows\System\gtbnxVY.exe
| MD5 | 3f21fc58ec0ad6fe458b8ef4960ba370 |
| SHA1 | 18d1f49c9530351ee1161dbb8e5127916f4cf92e |
| SHA256 | 2d5ab85e2606321799e0b1261796c1376c6758ca37a77ef08fcfb189c6e3584c |
| SHA512 | ce67c102823ade843fffe92e28a626475ac4155902ffb2427b1a298d7e16480d49f16045234cbf66eeb9c59a16798fb508b2598de2826cc24539308d37326195 |
memory/4896-33-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp
memory/2720-26-0x00007FF6E14E0000-0x00007FF6E1834000-memory.dmp
memory/1604-14-0x00007FF7D8CD0000-0x00007FF7D9024000-memory.dmp
memory/2820-8-0x00007FF6A77E0000-0x00007FF6A7B34000-memory.dmp
C:\Windows\System\MZdzPJy.exe
| MD5 | 0e731dda6e07f134e8905bfc70233a8f |
| SHA1 | 46d42a6dee450d6c72c45198da72e3f0a5286ce8 |
| SHA256 | d6db155c39c3cdf5456652b54d19377a58e512c7831981708309090958747a85 |
| SHA512 | 85fbe8aaa2516d4d711ccb2fd1255cd9f28b095acfd592bb35fc49d5d882b7bf4985bb9b78027f023b96763f25543987bc3c85b856d04ff04f24b14a6cc166e0 |
C:\Windows\System\fNgImyp.exe
| MD5 | bf4d60c80ea0b279ae116232092cd663 |
| SHA1 | dd3d663938ec2c2f870f8ebce8e3209b6591ea07 |
| SHA256 | 1c5dbc325311514e81c692187ebaebb50eb29163dfc9f2ba864bb0272c6e0b12 |
| SHA512 | 5bf07d3e948f17397827ebc2d8202f3bde19a701e456c356246fc9bf793085d7d7c50afb74d83a8092f9c9c512a5f8bff0fee1bd11d3c9d1c43fb0292dcb01b7 |
memory/4200-124-0x00007FF757000000-0x00007FF757354000-memory.dmp
memory/4168-127-0x00007FF6C63B0000-0x00007FF6C6704000-memory.dmp
memory/1284-133-0x00007FF6D74A0000-0x00007FF6D77F4000-memory.dmp
C:\Windows\System\liTGOww.exe
| MD5 | d1716528559e5f8b05456e8abb0015f8 |
| SHA1 | e0a18e4a6c1015baabf94cd3f248defe3029a832 |
| SHA256 | b5877d64318748c42858f3419dacbedbf0d2a5f66b456feb1f9ded15f6cfa970 |
| SHA512 | 47d89d40e75dc5f8c6acd8a467f0ca79a514de3237061dc7711f4beaaf630574886d60b34dfbd7aaf8bd2f5a2ed79e5d058faac75012df5aac1d0edba1751131 |
memory/4880-130-0x00007FF73F380000-0x00007FF73F6D4000-memory.dmp
memory/1560-129-0x00007FF7C31A0000-0x00007FF7C34F4000-memory.dmp
C:\Windows\System\AqmycWP.exe
| MD5 | 16f80b2031920f59fa948e08b2716444 |
| SHA1 | f758a5f38cd5a24e26fbcc4f1d9685fcbe801557 |
| SHA256 | a075d87e5c49cb17844ae40ff5f8e85945a432af4a976e23a8a399dde6540108 |
| SHA512 | 94792d5265fb4d299f4a94aa3f62341be65b4ce482e2fb4d4a04f011c54ded6245a9ac0e02ef561663c2e1481a8e2d58e49fcd67b501bfa51ce0602d7a4e10bb |
C:\Windows\System\liTGOww.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
C:\Windows\System\ciYoQAv.exe
| MD5 | 53367e0e2c20d72ef99de9814e932d89 |
| SHA1 | 5ba6457355513e53b98318aa850c21c8313907b6 |
| SHA256 | 290b8abf79ade2cae054152f2e368f1d03c609fe5b898d727ffacbb81ecfd203 |
| SHA512 | 8940bf1f4ee110e6bde4639acbf912cd84627f338415ac4e4cf0d95d4350a1fe20a3b91a814ddb46b25f1bca92cb84175966c40f06a8064b6e5939240fa33734 |
memory/436-109-0x00007FF60D5F0000-0x00007FF60D944000-memory.dmp
memory/4896-107-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp
memory/2208-104-0x00007FF67D750000-0x00007FF67DAA4000-memory.dmp
C:\Windows\System\nnKpnRW.exe
| MD5 | 804953174911071cccd83df944783b22 |
| SHA1 | b900cea399ae3c4de77a22c0cf57d086d1e56f47 |
| SHA256 | 8b0f3bc6df93e532d86cf1a43d2ab149c3455f6b10e29cb44a1f3d7be4887614 |
| SHA512 | e203c93b93970d30405df5203f36ff43a9006cd6f6c4c1059b6b64fb3f2ac4ffd59d125bceafc7f6867003c0384b60f6d8a2f46957872fc2f221ea3867343ab8 |
C:\Windows\System\nnKpnRW.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |