Analysis Overview
SHA256
1fa76a106858cabe41291b3cbb7122f5ffd1d562cd61c922c7ce75287574f090
Threat Level: Known bad
The file 2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 13:28
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 13:27
Reported
2024-06-06 13:31
Platform
win7-20240419-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\arQwbPh.exe | N/A |
| N/A | N/A | C:\Windows\System\GCmRZKM.exe | N/A |
| N/A | N/A | C:\Windows\System\NUjdpif.exe | N/A |
| N/A | N/A | C:\Windows\System\MssuhjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\iduYRWY.exe | N/A |
| N/A | N/A | C:\Windows\System\DGQDQQX.exe | N/A |
| N/A | N/A | C:\Windows\System\KsrFZWK.exe | N/A |
| N/A | N/A | C:\Windows\System\qVhbaqm.exe | N/A |
| N/A | N/A | C:\Windows\System\LqCAgGJ.exe | N/A |
| N/A | N/A | C:\Windows\System\uJGluAn.exe | N/A |
| N/A | N/A | C:\Windows\System\tYyGJXu.exe | N/A |
| N/A | N/A | C:\Windows\System\xWCLvhQ.exe | N/A |
| N/A | N/A | C:\Windows\System\XRSDhfb.exe | N/A |
| N/A | N/A | C:\Windows\System\NDpyIVN.exe | N/A |
| N/A | N/A | C:\Windows\System\NNuMmqj.exe | N/A |
| N/A | N/A | C:\Windows\System\Asonkbt.exe | N/A |
| N/A | N/A | C:\Windows\System\OvHsuon.exe | N/A |
| N/A | N/A | C:\Windows\System\SxitzGz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZOlpCDD.exe | N/A |
| N/A | N/A | C:\Windows\System\vTHSGbS.exe | N/A |
| N/A | N/A | C:\Windows\System\DDaclVa.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\arQwbPh.exe
C:\Windows\System\arQwbPh.exe
C:\Windows\System\GCmRZKM.exe
C:\Windows\System\GCmRZKM.exe
C:\Windows\System\NUjdpif.exe
C:\Windows\System\NUjdpif.exe
C:\Windows\System\MssuhjZ.exe
C:\Windows\System\MssuhjZ.exe
C:\Windows\System\iduYRWY.exe
C:\Windows\System\iduYRWY.exe
C:\Windows\System\DGQDQQX.exe
C:\Windows\System\DGQDQQX.exe
C:\Windows\System\KsrFZWK.exe
C:\Windows\System\KsrFZWK.exe
C:\Windows\System\qVhbaqm.exe
C:\Windows\System\qVhbaqm.exe
C:\Windows\System\LqCAgGJ.exe
C:\Windows\System\LqCAgGJ.exe
C:\Windows\System\uJGluAn.exe
C:\Windows\System\uJGluAn.exe
C:\Windows\System\tYyGJXu.exe
C:\Windows\System\tYyGJXu.exe
C:\Windows\System\xWCLvhQ.exe
C:\Windows\System\xWCLvhQ.exe
C:\Windows\System\XRSDhfb.exe
C:\Windows\System\XRSDhfb.exe
C:\Windows\System\NDpyIVN.exe
C:\Windows\System\NDpyIVN.exe
C:\Windows\System\NNuMmqj.exe
C:\Windows\System\NNuMmqj.exe
C:\Windows\System\Asonkbt.exe
C:\Windows\System\Asonkbt.exe
C:\Windows\System\OvHsuon.exe
C:\Windows\System\OvHsuon.exe
C:\Windows\System\SxitzGz.exe
C:\Windows\System\SxitzGz.exe
C:\Windows\System\ZOlpCDD.exe
C:\Windows\System\ZOlpCDD.exe
C:\Windows\System\vTHSGbS.exe
C:\Windows\System\vTHSGbS.exe
C:\Windows\System\DDaclVa.exe
C:\Windows\System\DDaclVa.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 13:27
Reported
2024-06-06 13:31
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nZIapKD.exe | N/A |
| N/A | N/A | C:\Windows\System\UuMZinU.exe | N/A |
| N/A | N/A | C:\Windows\System\pnExxgs.exe | N/A |
| N/A | N/A | C:\Windows\System\dAQsNyb.exe | N/A |
| N/A | N/A | C:\Windows\System\CxaEylL.exe | N/A |
| N/A | N/A | C:\Windows\System\UIjGcnU.exe | N/A |
| N/A | N/A | C:\Windows\System\yUXmlRn.exe | N/A |
| N/A | N/A | C:\Windows\System\NGiSWPc.exe | N/A |
| N/A | N/A | C:\Windows\System\LYdRFiJ.exe | N/A |
| N/A | N/A | C:\Windows\System\FUPbXRz.exe | N/A |
| N/A | N/A | C:\Windows\System\mcXlRna.exe | N/A |
| N/A | N/A | C:\Windows\System\xWlRbGG.exe | N/A |
| N/A | N/A | C:\Windows\System\xzuGSKf.exe | N/A |
| N/A | N/A | C:\Windows\System\OgLJpqi.exe | N/A |
| N/A | N/A | C:\Windows\System\AVdujpH.exe | N/A |
| N/A | N/A | C:\Windows\System\kzmDVEw.exe | N/A |
| N/A | N/A | C:\Windows\System\VGmlldQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PqtIfud.exe | N/A |
| N/A | N/A | C:\Windows\System\akeoYhc.exe | N/A |
| N/A | N/A | C:\Windows\System\wYmikMe.exe | N/A |
| N/A | N/A | C:\Windows\System\weGIIFy.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_13adafc60dc44f1fd94b3f966c2c91c7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\nZIapKD.exe
C:\Windows\System\nZIapKD.exe
C:\Windows\System\UuMZinU.exe
C:\Windows\System\UuMZinU.exe
C:\Windows\System\pnExxgs.exe
C:\Windows\System\pnExxgs.exe
C:\Windows\System\dAQsNyb.exe
C:\Windows\System\dAQsNyb.exe
C:\Windows\System\CxaEylL.exe
C:\Windows\System\CxaEylL.exe
C:\Windows\System\UIjGcnU.exe
C:\Windows\System\UIjGcnU.exe
C:\Windows\System\yUXmlRn.exe
C:\Windows\System\yUXmlRn.exe
C:\Windows\System\NGiSWPc.exe
C:\Windows\System\NGiSWPc.exe
C:\Windows\System\LYdRFiJ.exe
C:\Windows\System\LYdRFiJ.exe
C:\Windows\System\FUPbXRz.exe
C:\Windows\System\FUPbXRz.exe
C:\Windows\System\mcXlRna.exe
C:\Windows\System\mcXlRna.exe
C:\Windows\System\xWlRbGG.exe
C:\Windows\System\xWlRbGG.exe
C:\Windows\System\xzuGSKf.exe
C:\Windows\System\xzuGSKf.exe
C:\Windows\System\OgLJpqi.exe
C:\Windows\System\OgLJpqi.exe
C:\Windows\System\AVdujpH.exe
C:\Windows\System\AVdujpH.exe
C:\Windows\System\kzmDVEw.exe
C:\Windows\System\kzmDVEw.exe
C:\Windows\System\VGmlldQ.exe
C:\Windows\System\VGmlldQ.exe
C:\Windows\System\PqtIfud.exe
C:\Windows\System\PqtIfud.exe
C:\Windows\System\akeoYhc.exe
C:\Windows\System\akeoYhc.exe
C:\Windows\System\wYmikMe.exe
C:\Windows\System\wYmikMe.exe
C:\Windows\System\weGIIFy.exe
C:\Windows\System\weGIIFy.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\nZIapKD.exe
| MD5 | 35b0b4761db675cf8cb6446114837671 |
| SHA1 | 3eca4fe224fd8bc4409a48d3b9c2beff452d559d |
| SHA256 | 51fc5d01879e44ca5c72cf68ab14d1084ba5d4b1c8543a61862cc8e75565d704 |
| SHA512 | 042115c2db87b0550cb38a66558796387bfdfb8d78832b618df860125549971501887598fec94f2fa253fbc4af9cad617ce024c3728e54edc0c8aa36cecd6f27 |
C:\Windows\System\UuMZinU.exe
| MD5 | bc95e5a30d98731d32160247e696cc07 |
| SHA1 | f04369bab8f9183c1a9d408bb5427078c0e1e95d |
| SHA256 | 677ed7c66d15b147215ae92acb38e7e61856d09f994e37a253b6379c45320aba |
| SHA512 | b02f73683b1fc367afee3a7c5744a1049b7637ced31f1726e563d57cfb269f0ddf6cabbdaffb1f56de8ae5c4d02a3a324932e1184924ccbc142062472b0b393d |
C:\Windows\System\pnExxgs.exe
| MD5 | 49b86ea8958cd101ad7457da0cb5b84e |
| SHA1 | fa745107e1f4c141eb3b22dd8b20adc41d0e4261 |
| SHA256 | 0125777fb6ca546e3aba5651044a721855e94afdd277886568f1d34b573f4581 |
| SHA512 | 30d2131cede23be0e09570704fbf4250efb80d6187eaffcb0a415ed7edc42b08edf2db83be20c0704a79d7c3e6f62d7c82e08ea523e806f37387cd65decc36f0 |
C:\Windows\System\dAQsNyb.exe
| MD5 | 768003b05c75e6877232448f8edf6491 |
| SHA1 | 88f2092f14bea56e8b3970e0404af78bc6238dc4 |
| SHA256 | 8379bfb2f129676d6d2a3f97ca8b39089737143d6d0c9de80026f263083cb8a6 |
| SHA512 | adf664093833af7b6378d337a3ed02278e8132a669e6cba41198c1242b7c76fa723e6af6f59288ba51276ad6b173c74694f2fd48e74bcede0e23e307e2b4c65c |
C:\Windows\System\CxaEylL.exe
| MD5 | 227e63bb2c930dba260f25d1d10f8571 |
| SHA1 | fb671b536aa4cfa18b1be90ad34e2d041fd2f5f3 |
| SHA256 | 752ac23ca3e317fe3e2baaaaecc200f13ae7af885c21e0470f2c5b6fa8f92073 |
| SHA512 | 88432e6014266ca82a561d67797db1d61a7b68552bc59368287e5975174993ac9c96989404176afaa5e830efe306e540866b4d477036966eaf3714a6013e7d39 |
C:\Windows\System\UIjGcnU.exe
| MD5 | 8b34384a1dea276cc061abd527e35640 |
| SHA1 | 7f4f859f43e93a303e559be047eb10a1b2df0cca |
| SHA256 | 4d4b3e483830dfe77e40259d061e2a36ffbeeb8bbdf0bfbecebae3798e1264f4 |
| SHA512 | ec39d5c17bb5b357f0d5eca9450071919078a3cf1aa1f496db31df9b330ca5d8b63d8fbe62d8192477447e7d9b2d6aada402dedbd6ba106774f3b7b519bc3366 |
C:\Windows\System\yUXmlRn.exe
| MD5 | 9bdc92685a6eacadefa686d69401509c |
| SHA1 | 4ec38c55bf353ea766247c0d88f19598ecff9ad6 |
| SHA256 | 66e221d83dee2c315467f2385816ae32f026a89f3dea1129a1125a7b6bc16da5 |
| SHA512 | 560080eda588186fe1e9745edd9e498c5b19c435dffcb8ae9e2d4741da04b511cfd531498aeaa7f74a4418d78e7b04195bb4c8abfb145ce0d016c0ab51ba48cd |
C:\Windows\System\NGiSWPc.exe
| MD5 | 1c3d7dbee563c28f5aad1e6697a2d157 |
| SHA1 | 6293d57c7cf3317d688e86b95a32d11893b3a1f9 |
| SHA256 | 298f8efecfa9b8c6b44f81eb5f54a94be2cc3f2558f930fc38986cdb4ced5d4f |
| SHA512 | 58a30f140394b7f39a64df6d8a91f456b9f978612db10a92e7a7d31b148cabfe58218a7a047334e266e16b18e97e2e1983ffbb351261d7337bfa8a2fd001f227 |
C:\Windows\System\LYdRFiJ.exe
| MD5 | 8f27d64b8043e09490f70984e6df9102 |
| SHA1 | 4d6abf0ddb588412958da1c1f8370a39447a9fbf |
| SHA256 | 22dd01182f788f78d39fc7d9d0be45578b7db83e802e0dc0044527928cba9c92 |
| SHA512 | 52cb3d3dc2730c8d6164a383996d3c6b45f20181490e50c5b6d8f11717715760984b69c85a20bbc2ee29705b923bac15c9b8444b2b8a86f58aa7d3965bb3ec5e |
C:\Windows\System\mcXlRna.exe
| MD5 | 7bc4f7e8afbc6cfd914f099d0a377504 |
| SHA1 | e0406853307f796e73d7b074d9cd68d2a396e5f2 |
| SHA256 | 3787d2906c68d1096ff133d2fc3f285795fa23b98e2caa012de36dd947cf9527 |
| SHA512 | 9d5bf784e1af09d38d15a18a7d18697bbf35878a92dba31f8dd3a2df31e7e246544da4506f4eb8671f77cb8e3a017bbd9bf4d49b261ecda53abc961cdc8eb6b2 |
C:\Windows\System\FUPbXRz.exe
| MD5 | 15836cb68aaa0de36b4b3cc6cec158c9 |
| SHA1 | c33f539a6df32a66def899cd40aa4c945030e76c |
| SHA256 | 972dd2fb9f229f1952662b6c11061fbc2848249d1276b479bd8b16ea28ca129a |
| SHA512 | f430c03ec9a2fda4d45929f277b2b8e5083e5a8760ae39cb2b23ca29f5c1e027d576f9fb96c2286d355d9532c443da07a0fac466de93cd8cdce4204557d13c90 |
C:\Windows\System\xzuGSKf.exe
| MD5 | 0ab82a8c2ee5b13a0eb4b98e243a0dd1 |
| SHA1 | 1666a18f3cb42cba7bb443b9e55d2eb39524d2e3 |
| SHA256 | c81d6d33913ee73a2276ded0024f338f5faac807cca5507cd0db2281f41ce9cc |
| SHA512 | b471b4ea83c49c91bac97317f0cd86170f07a011f42702003015bdfba73f79599760117e34a81bf10850e738def407c38b69bf23c3abb98388d25daef89d2442 |
C:\Windows\System\xWlRbGG.exe
| MD5 | b6e86936ee43d50114681364df461d30 |
| SHA1 | 39419e8f2e9353bf0a2cbce4434f098ed9587cdd |
| SHA256 | fc52b4507385fe7d1870a7ce47f494dbe759c770c67d0823635d351c934bb859 |
| SHA512 | e278927fbf1860efa67561a7f6742415b003d834345fddff5f747fca77450eb3f1f2b85c89fb7545543f10e7c94c9bbe90ee9dca169060bcc2a33ea6b85674cf |
C:\Windows\System\OgLJpqi.exe
| MD5 | d07b146f64f1558a69699758d549288f |
| SHA1 | 367c2e0d7c7f3f323de7239fe166c458dd2ee787 |
| SHA256 | 4de066ca05c6c45f968017ec35a55b63bee5a334ede1e9be2361c7abfb144c9b |
| SHA512 | c92105d1188d74099ee500a346723a5990faaa991085cb9d27785cd2925573d8f0901e513f7478d077709564ba4967d721acdb861e7df21895a76e4d3ebdce31 |
C:\Windows\System\AVdujpH.exe
| MD5 | fd71dd7c6e85883436d8dc70ba0638b0 |
| SHA1 | a3f0c70c201628f674f3dbca0000bddb3807e3ba |
| SHA256 | 86cb7b83e702b5edb82c8a37ba03a74eefbff61617f4d8c0c405e8259500b0b3 |
| SHA512 | 5fbcc3e89a6cf77af3bcac1dfeebf3a7d19f2aef94f1a3452d0799292135d897d695ae7fe9f5359a4cec6c8698967a25dc3548f669394b82dd94e6175afcf502 |
C:\Windows\System\kzmDVEw.exe
| MD5 | 6ca2da0164f42fa51a234d14f2861f12 |
| SHA1 | 705e8644319670c0671b432e7005236339228b81 |
| SHA256 | a339ade6d11fb5650c20f5219d973431398f42e1a405038202d605719d07cb27 |
| SHA512 | 3440bab186fc57b33537e1da2ff9f2f6d3efdd15f6a6df637aa5b31d078af9ccc7bac9e4a3c4618c94f300e1eb7b61fac0774b2ff089c2c9b36b613a18416128 |
C:\Windows\System\VGmlldQ.exe
| MD5 | c4ad3fa86e463829a8815b1ab8a9936e |
| SHA1 | b71995587864db93dc851243313a1b13006bf182 |
| SHA256 | dbe15b8de8e4d2ee5826ff25ea004520f015c6388dc4c38b38384bd41d608e4d |
| SHA512 | 715106bc93c08896d38d9ca20b10efe225ade9bf0890e34200d3166b7c787a94238de75d17cc4a7ce0dc22470a6a6fd8fabaadd051bcd205d9b6e8dc6c236353 |
C:\Windows\System\PqtIfud.exe
| MD5 | 3018e611d68fbb469fa3744b364653ec |
| SHA1 | bd794b28f34688474e629332d0a5cccbf0711f41 |
| SHA256 | 544769b3e5d0ba917124a97f67734cd3ea7d032cf96702614f02f05797d46789 |
| SHA512 | 9b08ca5414f7fbf5b9f171d4de10a81734b972059ba0e04b048054cc728ce11f2c50d1a97955020cac3ff61a89abc60a5a67661a791e4af43cda2a79645f3c29 |
C:\Windows\System\akeoYhc.exe
| MD5 | 96b630caff398e85a6dba170f58d2cf5 |
| SHA1 | 63ff8eec99b232d10336b4234ab93b23c1959675 |
| SHA256 | 3dee349eb15acabdc32290fa1ba578a96d64e2f94b1734912d38012bae3d5dec |
| SHA512 | 4ef79cd95d36c3a4570f7de6ccd3bfd0ca44edd76cc90e1b0558050370952bb3acef6903c6c696aec7330619162a9a19396f53ffbac743d71e29deb6bd7c5d39 |
C:\Windows\System\wYmikMe.exe
| MD5 | 74ab1f65b101409718c72481e9c72e9d |
| SHA1 | 76d02bfa1ac37e944d01d6c954f39f1561736551 |
| SHA256 | 29dad6409e59e99d9896e12e3cb98af3c162b597996daef48d397eb57249fea7 |
| SHA512 | bd0ba0b41288f3f5512c2233167f3a34c326ebca02a894bc06692c79a480f6a628243516b1d1b195bc9a044f878a6cb09012c7743c88de7ca35bf3960eb7b5a3 |
C:\Windows\System\weGIIFy.exe
| MD5 | add9ae36adcfb872ea72bb58ce100267 |
| SHA1 | dcd87ba373ead90da3ae7c7a6ed3e3f42dc31359 |
| SHA256 | a3efa1ca3566ce1231af26d4dde3377c92bd19309c5079fafbf754251156ea6b |
| SHA512 | cc22e5fa703241389af975408059a68670f270d7dcaae56c4ee3823645ab06559496ac43f9edc1d08e5da11cef1cc793c7c389bc0de586521a796883c91c01c6 |