Analysis Overview
SHA256
935171ed151bad8fb8dff6dfa7f68227cc519567a7f37c12c319aadcba9db823
Threat Level: Known bad
The file 2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-27 17:51
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 17:51
Reported
2024-05-27 17:53
Platform
win7-20240508-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MChgbgr.exe | N/A |
| N/A | N/A | C:\Windows\System\sIGVgIL.exe | N/A |
| N/A | N/A | C:\Windows\System\SHffGtv.exe | N/A |
| N/A | N/A | C:\Windows\System\eVEcGZc.exe | N/A |
| N/A | N/A | C:\Windows\System\iZqhBfO.exe | N/A |
| N/A | N/A | C:\Windows\System\CoRjwop.exe | N/A |
| N/A | N/A | C:\Windows\System\HNZOlEN.exe | N/A |
| N/A | N/A | C:\Windows\System\WqwQdxW.exe | N/A |
| N/A | N/A | C:\Windows\System\hAcwinE.exe | N/A |
| N/A | N/A | C:\Windows\System\eWMGpTe.exe | N/A |
| N/A | N/A | C:\Windows\System\iVFmkrw.exe | N/A |
| N/A | N/A | C:\Windows\System\YjxcnMg.exe | N/A |
| N/A | N/A | C:\Windows\System\pmHfcZj.exe | N/A |
| N/A | N/A | C:\Windows\System\FWyWKNs.exe | N/A |
| N/A | N/A | C:\Windows\System\EYUEZrp.exe | N/A |
| N/A | N/A | C:\Windows\System\GIPtqKW.exe | N/A |
| N/A | N/A | C:\Windows\System\vDVdiqd.exe | N/A |
| N/A | N/A | C:\Windows\System\YtbyKte.exe | N/A |
| N/A | N/A | C:\Windows\System\aGUWJTk.exe | N/A |
| N/A | N/A | C:\Windows\System\BGWfItV.exe | N/A |
| N/A | N/A | C:\Windows\System\WgzAMLb.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\sIGVgIL.exe
C:\Windows\System\sIGVgIL.exe
C:\Windows\System\MChgbgr.exe
C:\Windows\System\MChgbgr.exe
C:\Windows\System\SHffGtv.exe
C:\Windows\System\SHffGtv.exe
C:\Windows\System\eVEcGZc.exe
C:\Windows\System\eVEcGZc.exe
C:\Windows\System\iZqhBfO.exe
C:\Windows\System\iZqhBfO.exe
C:\Windows\System\CoRjwop.exe
C:\Windows\System\CoRjwop.exe
C:\Windows\System\HNZOlEN.exe
C:\Windows\System\HNZOlEN.exe
C:\Windows\System\WqwQdxW.exe
C:\Windows\System\WqwQdxW.exe
C:\Windows\System\hAcwinE.exe
C:\Windows\System\hAcwinE.exe
C:\Windows\System\eWMGpTe.exe
C:\Windows\System\eWMGpTe.exe
C:\Windows\System\iVFmkrw.exe
C:\Windows\System\iVFmkrw.exe
C:\Windows\System\YjxcnMg.exe
C:\Windows\System\YjxcnMg.exe
C:\Windows\System\pmHfcZj.exe
C:\Windows\System\pmHfcZj.exe
C:\Windows\System\FWyWKNs.exe
C:\Windows\System\FWyWKNs.exe
C:\Windows\System\GIPtqKW.exe
C:\Windows\System\GIPtqKW.exe
C:\Windows\System\EYUEZrp.exe
C:\Windows\System\EYUEZrp.exe
C:\Windows\System\vDVdiqd.exe
C:\Windows\System\vDVdiqd.exe
C:\Windows\System\YtbyKte.exe
C:\Windows\System\YtbyKte.exe
C:\Windows\System\aGUWJTk.exe
C:\Windows\System\aGUWJTk.exe
C:\Windows\System\BGWfItV.exe
C:\Windows\System\BGWfItV.exe
C:\Windows\System\WgzAMLb.exe
C:\Windows\System\WgzAMLb.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2156-0-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2156-2-0x000000013FCB0000-0x0000000140004000-memory.dmp
\Windows\system\sIGVgIL.exe
| MD5 | f28df4288d3f1137f97bafcc3487060b |
| SHA1 | 1b48ba46d8baf486f633cfc478fd54f2b296e791 |
| SHA256 | 36537c8ef545c51aba5c0d00747044dc135bebee2f97835c8b7712f6bb45e7b7 |
| SHA512 | 4ae7250c38c91df69476ac72bcf734645eedc2f29d772db61a257449a47a341fbc65f049864269f7cce92026080425a92c1488dffcb71ea2cc63b1236f42d921 |
C:\Windows\system\MChgbgr.exe
| MD5 | 1ebbd91ad774e314f34be4e178b784ef |
| SHA1 | e085ca8d989963e69b47392afeff095cc413d921 |
| SHA256 | 2b4ff91b934ca52420ba2c2586f5582211700c0f767f26c761c24a44bda1bc52 |
| SHA512 | fe357d68bf7abef9a45cce099a859efc4adbab675c431663f5339c90d594a20653703c5dd0e65365a861666f735c71bc2895246140a4ec9b0e2332ea1f77cf60 |
memory/2156-10-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2156-6-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2700-12-0x000000013FC10000-0x000000013FF64000-memory.dmp
C:\Windows\system\SHffGtv.exe
| MD5 | aaa8bdab966483478f1b8ea220977e7f |
| SHA1 | c6217f969246811e07e0452c9f570ba8f236f8a3 |
| SHA256 | 2bd918e1c761def1a51c8c99a823a3731daeadfdf07916738d4fadb9e3b5fe25 |
| SHA512 | 65206503049066dfb46a11fa5eefa57566d2c0008b311001ad45b5f8b56f8f4d11cc5b90ff0e911860c0e82647ad83cda5fe9cc01ebc1ff07fac7ed99e22e13f |
memory/2464-15-0x000000013F1D0000-0x000000013F524000-memory.dmp
\Windows\system\eVEcGZc.exe
| MD5 | 4a15b8242de96fcfcb0b8840b0d401d5 |
| SHA1 | 003f7f37355b7f67e59703da12ccfbe54315af48 |
| SHA256 | 1a3905300a7b43e55098669de912894c8e1ea99c1e1cfbf33568a4ff49083545 |
| SHA512 | 019834f249058b7a22b4a712882bb10da6d02defee6d14c5b73100f2f2fc5653a398a0618666f55d48d238008085b28fc813896cd1a30e0014390e13d366ef33 |
memory/2156-27-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2672-28-0x000000013F590000-0x000000013F8E4000-memory.dmp
C:\Windows\system\CoRjwop.exe
| MD5 | 68e629e9c1ebc04d5d04d3ee7275a9c7 |
| SHA1 | e4ff9ea1a5f99bc97d78b5be80013019af97379b |
| SHA256 | 0a5d964740ef9381938b1030a7242ae81e9719e49ad64637a8ed950dc72c0b1a |
| SHA512 | 1bbb30050e76097e6490ce3216ff7903acc7f2c5be38b9d4de969452bfefc73649276e362c77a3a859abdc9fd21e6a1371a33e1f0e95f6aed4c1ec652ac3891a |
memory/2528-43-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2624-35-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2156-34-0x000000013F1F0000-0x000000013F544000-memory.dmp
C:\Windows\system\iZqhBfO.exe
| MD5 | 270206f6176d21d7890b5a01016a5b7a |
| SHA1 | 2b715b8dc2ce5910280fd35b861ee00da2e73f26 |
| SHA256 | c6f742a47545850be70d53284f16d826ae9df9a17edb4a0f865b4d7b64abe843 |
| SHA512 | a2f8639d6f912b36651271e5923fcdbdc51454b1318f79ab2c0d4495af520fa20f69591a5446124fba2ce9a14110d3a502b8d0616b7ca479bba946ae88daf341 |
memory/2156-42-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2752-21-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2156-20-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2156-56-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2532-57-0x000000013FDE0000-0x0000000140134000-memory.dmp
C:\Windows\system\hAcwinE.exe
| MD5 | 222a803460f0510148b091d9a723f227 |
| SHA1 | 988d49f667fed97241c80c9346f475e21caf31eb |
| SHA256 | 282382f6310302046a22958e5d8cc283cee9dbd2dc07d470e7ad11fd22bfbe97 |
| SHA512 | c211e30ba73612ca7e04b1be987d3e0fb812d35098e59411852ab8d75b4ae3a082dfc08d7995a048b97341cfe12c85693baf9f3a5c21bebe75ea6bbf9b8afd42 |
C:\Windows\system\eWMGpTe.exe
| MD5 | bd11157b7bccb81b1c3b72b03ab96e74 |
| SHA1 | 431f594c72334d3824a854f1db2f6881a3c1c54f |
| SHA256 | 03f2690ec38cab553529b6d54074d1496a4b017187e0757e48b239aefd1c7a1b |
| SHA512 | a683c37906496bfd025bbacfefe260498aa3eeccf4d76d3bdc5f10c16b9aeb57c3346fbc9a97b51969291cd30dcbce48fac6ff9e38f5e119267538e255ca7fa5 |
C:\Windows\system\YjxcnMg.exe
| MD5 | 8feea1db828d34d64a4d7e0c951ea789 |
| SHA1 | c5121588bbdd9753495203d5c4006da095a1e4f2 |
| SHA256 | 5694ab73d3e0f3ee606336f6b71f9705fdc803c8a2093e74af50ed434ff3da43 |
| SHA512 | 8ac445d98a5cb438a0a2f8eab9a2b447d46755b22de5c3bc9531409e54484b5e7478e77bade585eb464093e1b2c3032f8a232fcb871d7efd20349e3558802a30 |
C:\Windows\system\FWyWKNs.exe
| MD5 | 5a59d055689d0bced2cd46ef4070e774 |
| SHA1 | 3c5eec63fc5c04ac9ce28f5941a9b00d98306ae4 |
| SHA256 | 0b8964a46fe42845b9c6a4b374b32332bf7ec58a8c5643645905d6613bd0d3e3 |
| SHA512 | ab05c9385525c180fc98285058dc8f22e33c4f57504dcbff78e12f474bdaba57240d907adca591b7116d352c86085d4ce9298f2e17919064f27de68472bf27b6 |
C:\Windows\system\vDVdiqd.exe
| MD5 | 3fbe6dbf37f65e843abe2a66addd5f0f |
| SHA1 | d3f4046b74058db82b1a4dfe77ca78644f5032d2 |
| SHA256 | 6d8bc625529d6c2a39f06a205e9382fc5acba88c2136aab015a7e5c850d987c5 |
| SHA512 | ba601092df5b3ceb4f2939a9934306708fcca313219f9343f0495a4706eb0bc678eddd431e8291a4414f267bc8cfe969f77d524f3fce351377d3ca0b08f1abd2 |
\Windows\system\WgzAMLb.exe
| MD5 | 39384bc92bfa9033eabe3a4bd94a0f58 |
| SHA1 | ed10fb4e318f704ec39649e25f7bb583e552a060 |
| SHA256 | 676986400757f59819ec9691cbfe1f0d92db3e26d55876e7009dee02666471fe |
| SHA512 | 6077f716ff6559de2851861f6e90726c1d9e223d892511fe878b9479d865092110310c3465794dcb90381612b0f2325b7ddab71c396b8e71682ebbd32b7e4ead |
C:\Windows\system\aGUWJTk.exe
| MD5 | f7a1740f78c0ff384905fb5697b973e6 |
| SHA1 | 7cb7a63c19236431550cc6e2de85898084f4deff |
| SHA256 | a870b9a9e89b4f87b8fdf12f1cb04b7cb7fe121ac14968d2749141f2692bae78 |
| SHA512 | 2dbfc1ac4f6c19da147d78406f3e23b02bd1810b8f7a12bd6ae81b5f2586220d78ede6bc2ada3e4cbe33d08cd293f054443561977aa24adafbfa2af578949eb6 |
C:\Windows\system\BGWfItV.exe
| MD5 | f903326c6ef70a4879e4079eefb9d7d4 |
| SHA1 | f240a36904182c494a6e9d203030104f72fbff5d |
| SHA256 | 380dfdb111aa4f5cf54913f2501e98bb373b4622929a20aa5d5da3c01c432b94 |
| SHA512 | b725977c739fd18a80a18ab1831e86357d651fb1b9ffe70891bfe2a807c56b9a1910fbeee0391cadd838f0323294aeb229f435199f5557e0d2bae08af0e08a17 |
C:\Windows\system\YtbyKte.exe
| MD5 | 5886f46d197f252f6464588c47eb0a8b |
| SHA1 | 8030486cd694e409a77956238ead95ee30d5e117 |
| SHA256 | b9640f10900af168e7531ac42954ce762df512146c6d5c84ede5c38fbfd487e0 |
| SHA512 | 84bc48b6683e3a903b7da18e8e039dfd50e29af5c924d79e8eb3ee9900a2dccb989b042d5382c1420fa431efc10368a15a7dea815c9ea077468720b11f039ec6 |
memory/2156-107-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2624-106-0x000000013F1F0000-0x000000013F544000-memory.dmp
\Windows\system\GIPtqKW.exe
| MD5 | c0f810d70f078ebc20a1adcd1f5921c3 |
| SHA1 | 4a4df62d06318e7a6d73b7b70a54b00d775c72f8 |
| SHA256 | de7c8e2c77a444a36baf853d6bce9ec82dca6b23764513656eccf2677539f4b9 |
| SHA512 | b19afc171d32a02fabb133cf8f750db5ce0fe26e0836e4bbedc7f0bd00536d150695b92799b90441ad12f33e8c24b7487cb2fa0ba5b466221f990b673ea0cbfc |
C:\Windows\system\EYUEZrp.exe
| MD5 | 1f9e09d3c2bc040f7a9d873f9c059313 |
| SHA1 | 73b034637427773b6812b39e33b1790ae7b62695 |
| SHA256 | 8e728d50c335568d284a7c00d6013480bdf3e25ef7ba7e6dcaee8c057678e2c6 |
| SHA512 | 0524dbca3f31ba75c1b278eaed8dbe3b77641fdc3eb5637a84949a2d75cdb602ff638390d44eaad970fd046a010434e37bafea9cd83a2c0cd3a2e6e3c58fa5a2 |
memory/2728-101-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2156-100-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2672-99-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/3008-92-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2156-91-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2752-90-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\pmHfcZj.exe
| MD5 | 2b04faf7c0b6e48c9a12b5d52892d000 |
| SHA1 | 796fa21881c2058d755df50da362ee3ee6dcf907 |
| SHA256 | 3dfab4c9e83491ce4439fc6de280c0ca81e10268f2af37099e1c0bc7b3e04935 |
| SHA512 | f47409654e3d59aa05c4a354ba090e2083dbce29c96bca135db4e5a4bdd6a5ec0b6c3fa847bed0af2c1c2b3d3fd94c10969a109762adac5ae283281e7534594b |
memory/2800-139-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2884-86-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2156-85-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2464-84-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2404-76-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2156-75-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2700-74-0x000000013FC10000-0x000000013FF64000-memory.dmp
C:\Windows\system\iVFmkrw.exe
| MD5 | 15fb2d490c462a40879d95ae43508166 |
| SHA1 | 6230def66be0693a50b6994f4674fe395720a7ef |
| SHA256 | c6f533836fe364664c2f9bb033df84cc7cb2befbf70379ac5281660483a7cffd |
| SHA512 | 1e9a6455db3bddba20670dbbdbb3ede692cd30ceb4a845e377bea2aa1cac8f10f3a47ee541a347e64581d6111c529a4618351f9d4fdd5e72bbcc86bdde64d20e |
memory/2124-70-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/3004-63-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2532-141-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2156-140-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2156-55-0x000000013FCB0000-0x0000000140004000-memory.dmp
C:\Windows\system\WqwQdxW.exe
| MD5 | 3ee21ca5954838ff3c9a7b9bb2cd2d55 |
| SHA1 | bd9e5231ed96ae2eb18ed4beafd4b29d0fca2616 |
| SHA256 | 85590875ccd87ad3c005ef606ce890c11ea64eea6efe2a2296706f289991023a |
| SHA512 | f79b4b69e11196b9045c7db5360c6c32e56b9806c10f6346161b66f3deacedca69daf43241b44f16f9b67bb5b99791d7b5e39404145d8c07f5f324364b80d71a |
memory/2800-49-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2156-48-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\HNZOlEN.exe
| MD5 | 4322e2deb3adbdd4f1be83373a288fa0 |
| SHA1 | 97761c183b6aef0ebdeccfbd2df93b5bb027f208 |
| SHA256 | eb109b6e10672e5046c0a66bba0a0d7257f86fcd4d8cecdd3f7d654924fd240a |
| SHA512 | 4a8f2aa4e0dacc80be98fb836f0a404461ceb85d1a0b990b6e8533c6e8b3b5ae3855b6808a712e11de15d3b8bbc99753af5106c4edb701a9d7f6002c96b7e1d5 |
memory/3004-143-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2156-144-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2404-145-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2156-146-0x000000013F110000-0x000000013F464000-memory.dmp
memory/3008-147-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2728-148-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2156-149-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2700-150-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2752-151-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2672-152-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2528-153-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2624-154-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2800-155-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2532-156-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/3004-157-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2124-158-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2884-159-0x000000013F110000-0x000000013F464000-memory.dmp
memory/3008-161-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2404-160-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2728-162-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2464-163-0x000000013F1D0000-0x000000013F524000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 17:51
Reported
2024-05-27 17:53
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LCvRXFS.exe | N/A |
| N/A | N/A | C:\Windows\System\PMuwoTd.exe | N/A |
| N/A | N/A | C:\Windows\System\EBKJxMW.exe | N/A |
| N/A | N/A | C:\Windows\System\vkiDUsJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jvQvRAz.exe | N/A |
| N/A | N/A | C:\Windows\System\YQsVsaK.exe | N/A |
| N/A | N/A | C:\Windows\System\ODIIqeB.exe | N/A |
| N/A | N/A | C:\Windows\System\mxUIbqK.exe | N/A |
| N/A | N/A | C:\Windows\System\lutrbPA.exe | N/A |
| N/A | N/A | C:\Windows\System\NqvWrsw.exe | N/A |
| N/A | N/A | C:\Windows\System\UEpPaxS.exe | N/A |
| N/A | N/A | C:\Windows\System\PcQHnto.exe | N/A |
| N/A | N/A | C:\Windows\System\blQGAOS.exe | N/A |
| N/A | N/A | C:\Windows\System\rVMWllF.exe | N/A |
| N/A | N/A | C:\Windows\System\LSnyuky.exe | N/A |
| N/A | N/A | C:\Windows\System\Gbnlgfq.exe | N/A |
| N/A | N/A | C:\Windows\System\rPUDZVR.exe | N/A |
| N/A | N/A | C:\Windows\System\PfoFPec.exe | N/A |
| N/A | N/A | C:\Windows\System\xbNmVjz.exe | N/A |
| N/A | N/A | C:\Windows\System\ggZCXYq.exe | N/A |
| N/A | N/A | C:\Windows\System\ntmSrJo.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_2355a6ab87e49315f1d55e96d57f9483_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LCvRXFS.exe
C:\Windows\System\PMuwoTd.exe
C:\Windows\System\EBKJxMW.exe
C:\Windows\System\vkiDUsJ.exe
C:\Windows\System\jvQvRAz.exe
C:\Windows\System\YQsVsaK.exe
C:\Windows\System\ODIIqeB.exe
C:\Windows\System\mxUIbqK.exe
C:\Windows\System\lutrbPA.exe
C:\Windows\System\NqvWrsw.exe
C:\Windows\System\UEpPaxS.exe
C:\Windows\System\PcQHnto.exe
C:\Windows\System\blQGAOS.exe
C:\Windows\System\LSnyuky.exe
C:\Windows\System\rVMWllF.exe
C:\Windows\System\Gbnlgfq.exe
C:\Windows\System\rPUDZVR.exe
C:\Windows\System\PfoFPec.exe
C:\Windows\System\xbNmVjz.exe
C:\Windows\System\ggZCXYq.exe
C:\Windows\System\ntmSrJo.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files