Malware Analysis Report

2024-10-24 18:15

Sample ID 240607-bvhylagc77
Target 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike
SHA256 49c290d36105bc1b692bc5161866e963c6210b67b6787f6ba34e0ac303b6a80c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49c290d36105bc1b692bc5161866e963c6210b67b6787f6ba34e0ac303b6a80c

Threat Level: Known bad

The file 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:28

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:27

Reported

2024-06-07 01:34

Platform

win7-20240221-en

Max time kernel

135s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\plnbMBN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YJzyvhe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PxjSrtP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nEqzteT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cejEZIz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nbumVaJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fbTAGhe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SONQKWN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\liWZxVO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UEoFWja.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ALYGqcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xZKUoEO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bgacZLK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVCvaOY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\brWaMmK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JsmAhjn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RMlvkRq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qlWioWI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aPMoWoQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\viqZqXT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UcKimEK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\plnbMBN.exe
PID 2240 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qlWioWI.exe
PID 2240 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\aPMoWoQ.exe
PID 2240 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\viqZqXT.exe
PID 2240 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\xZKUoEO.exe
PID 2240 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\bgacZLK.exe
PID 2240 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVCvaOY.exe
PID 2240 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJzyvhe.exe
PID 2240 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\brWaMmK.exe
PID 2240 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cejEZIz.exe
PID 2240 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\SONQKWN.exe
PID 2240 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\nbumVaJ.exe
PID 2240 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\PxjSrtP.exe
PID 2240 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\nEqzteT.exe
PID 2240 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbTAGhe.exe
PID 2240 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\liWZxVO.exe
PID 2240 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\UEoFWja.exe
PID 2240 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ALYGqcZ.exe
PID 2240 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\JsmAhjn.exe
PID 2240 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\UcKimEK.exe
PID 2240 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\RMlvkRq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\plnbMBN.exe

C:\Windows\System\qlWioWI.exe

C:\Windows\System\aPMoWoQ.exe

C:\Windows\System\viqZqXT.exe

C:\Windows\System\xZKUoEO.exe

C:\Windows\System\bgacZLK.exe

C:\Windows\System\kVCvaOY.exe

C:\Windows\System\YJzyvhe.exe

C:\Windows\System\brWaMmK.exe

C:\Windows\System\cejEZIz.exe

C:\Windows\System\SONQKWN.exe

C:\Windows\System\nbumVaJ.exe

C:\Windows\System\PxjSrtP.exe

C:\Windows\System\nEqzteT.exe

C:\Windows\System\fbTAGhe.exe

C:\Windows\System\liWZxVO.exe

C:\Windows\System\UEoFWja.exe

C:\Windows\System\ALYGqcZ.exe

C:\Windows\System\JsmAhjn.exe

C:\Windows\System\UcKimEK.exe

C:\Windows\System\RMlvkRq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:27

Reported

2024-06-07 01:34

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches recorded; the report exports no description, indicator, process or target for this signature)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 matches recorded; the report exports no description, indicator, process or target for this signature)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (55 matches recorded; the report exports no description, indicator, process or target for this signature)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 matches recorded; the report exports no description, indicator, process or target for this signature)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches recorded; the report exports no description, indicator, process or target for this signature)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yiDRIVq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqjNBCk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQNrXAC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OMusCTs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hoFUNEQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tKBFBkG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cmHtvEG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hGFffrx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cESlIRZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AIMNOry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rtAEzqx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TqylNUh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UObdAVh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mBhBVQR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aXoBHJh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\McHoTLT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SONOrvY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OpIUUtR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ruDiuXb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UJgmbXO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZhfmMnu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\yiDRIVq.exe
PID 2548 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\yiDRIVq.exe
PID 2548 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruDiuXb.exe
PID 2548 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ruDiuXb.exe
PID 2548 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\TqylNUh.exe
PID 2548 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\TqylNUh.exe
PID 2548 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqjNBCk.exe
PID 2548 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqjNBCk.exe
PID 2548 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\tKBFBkG.exe
PID 2548 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\tKBFBkG.exe
PID 2548 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQNrXAC.exe
PID 2548 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQNrXAC.exe
PID 2548 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMusCTs.exe
PID 2548 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\OMusCTs.exe
PID 2548 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cmHtvEG.exe
PID 2548 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cmHtvEG.exe
PID 2548 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\hoFUNEQ.exe
PID 2548 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\hoFUNEQ.exe
PID 2548 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\UObdAVh.exe
PID 2548 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\UObdAVh.exe
PID 2548 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\hGFffrx.exe
PID 2548 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\hGFffrx.exe
PID 2548 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBhBVQR.exe
PID 2548 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBhBVQR.exe
PID 2548 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXoBHJh.exe
PID 2548 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXoBHJh.exe
PID 2548 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\McHoTLT.exe
PID 2548 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\McHoTLT.exe
PID 2548 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cESlIRZ.exe
PID 2548 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cESlIRZ.exe
PID 2548 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\UJgmbXO.exe
PID 2548 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\UJgmbXO.exe
PID 2548 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\SONOrvY.exe
PID 2548 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\SONOrvY.exe
PID 2548 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIMNOry.exe
PID 2548 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIMNOry.exe
PID 2548 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZhfmMnu.exe
PID 2548 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZhfmMnu.exe
PID 2548 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\OpIUUtR.exe
PID 2548 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\OpIUUtR.exe
PID 2548 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rtAEzqx.exe
PID 2548 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rtAEzqx.exe
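The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above show a single repeated pattern: the submitted executable creates a seven-letter, randomly named .exe under C:\Windows\System and then writes into a process running that same file, twenty times over. The script below is an added example, not code from the report or from the sandbox vendor. It parses rows in the report's own row format (the EVENTS input is a constructed subset copied from the two tables) into drop-and-execute chains and flags any parent image that completes at least MIN_CHAIN of them. The "seven letters directly under C:\Windows\System" name heuristic and the MIN_CHAIN threshold are this example's assumptions, not something the report states.

```python
"""Reconstruct the drop-and-execute chain from the report's event rows.

Added example, not part of the sandbox report. EVENTS is a constructed subset
of the rows under "Drops file in Windows directory" and "Suspicious use of
WriteProcessMemory" (the row format is the report's; the parsing, the
'7-letter name under C:\\Windows\\System' heuristic and the MIN_CHAIN
threshold are this example's assumptions).
"""
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe")

# Constructed input: rows copied from the report, with the long parent path
# substituted for <PARENT>. Paths in these rows contain no spaces.
EVENTS = r"""
File created C:\Windows\System\yiDRIVq.exe <PARENT> N/A
File created C:\Windows\System\dqjNBCk.exe <PARENT> N/A
File created C:\Windows\System\ruDiuXb.exe <PARENT> N/A
PID 2548 wrote to memory of 2724 N/A <PARENT> C:\Windows\System\yiDRIVq.exe
PID 2548 wrote to memory of 2724 N/A <PARENT> C:\Windows\System\yiDRIVq.exe
PID 2548 wrote to memory of 4120 N/A <PARENT> C:\Windows\System\ruDiuXb.exe
PID 2548 wrote to memory of 3928 N/A <PARENT> C:\Windows\System\dqjNBCk.exe
""".strip().replace("<PARENT>", PARENT).splitlines()

FILE_CREATED = re.compile(r"^File created (\S+) (\S+) \S+$")
WROTE_MEMORY = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# Heuristic (assumption): seven ASCII letters, directly under C:\Windows\System\.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

MIN_CHAIN = 3  # assumed threshold: parents with fewer chains are not flagged


def looks_like_random_drop(path):
    """True for the naming pattern the dropped files in this report follow."""
    return RANDOM_SYSTEM_EXE.match(path) is not None


def parse_events(lines):
    """Return (drops, writes): who created which file, and who wrote into whom."""
    drops = defaultdict(set)   # parent image -> {created path}
    writes = defaultdict(set)  # writer image -> {(dst pid, dst image)}
    for line in lines:
        m = FILE_CREATED.match(line)
        if m:
            created, by = m.groups()
            drops[by].add(created)
            continue
        m = WROTE_MEMORY.match(line)
        if m:
            _src_pid, dst_pid, writer, target = m.groups()
            writes[writer].add((int(dst_pid), target))
    return drops, writes


def drop_and_execute_chains(lines):
    """Chains where one image drops an executable and then writes into a
    process running that same executable. Duplicate rows collapse to one."""
    drops, writes = parse_events(lines)
    chains = set()
    for writer, targets in writes.items():
        for dst_pid, target in targets:
            if target in drops.get(writer, ()) and looks_like_random_drop(target):
                chains.add((writer, target, dst_pid))
    return sorted(chains)


def flag_parents(lines, min_chain=MIN_CHAIN):
    """Images that complete at least min_chain drop-and-execute chains."""
    per_parent = defaultdict(int)
    for writer, _target, _pid in drop_and_execute_chains(lines):
        per_parent[writer] += 1
    return sorted(p for p, n in per_parent.items() if n >= min_chain)


if __name__ == "__main__":
    for writer, target, pid in drop_and_execute_chains(EVENTS):
        print(f"{writer} -> {target} (pid {pid})")
    print("flagged:", flag_parents(EVENTS))
```

Run against the full tables the report lists, the same parent completes twenty chains; the doubled WriteProcessMemory rows per child collapse to one chain each because the (writer, target, pid) triple is keyed, not the row.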

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yiDRIVq.exe

C:\Windows\System\yiDRIVq.exe

C:\Windows\System\ruDiuXb.exe

C:\Windows\System\ruDiuXb.exe

C:\Windows\System\TqylNUh.exe

C:\Windows\System\TqylNUh.exe

C:\Windows\System\dqjNBCk.exe

C:\Windows\System\dqjNBCk.exe

C:\Windows\System\tKBFBkG.exe

C:\Windows\System\tKBFBkG.exe

C:\Windows\System\qQNrXAC.exe

C:\Windows\System\qQNrXAC.exe

C:\Windows\System\OMusCTs.exe

C:\Windows\System\OMusCTs.exe

C:\Windows\System\cmHtvEG.exe

C:\Windows\System\cmHtvEG.exe

C:\Windows\System\hoFUNEQ.exe

C:\Windows\System\hoFUNEQ.exe

C:\Windows\System\UObdAVh.exe

C:\Windows\System\UObdAVh.exe

C:\Windows\System\hGFffrx.exe

C:\Windows\System\hGFffrx.exe

C:\Windows\System\mBhBVQR.exe

C:\Windows\System\mBhBVQR.exe

C:\Windows\System\aXoBHJh.exe

C:\Windows\System\aXoBHJh.exe

C:\Windows\System\McHoTLT.exe

C:\Windows\System\McHoTLT.exe

C:\Windows\System\cESlIRZ.exe

C:\Windows\System\cESlIRZ.exe

C:\Windows\System\UJgmbXO.exe

C:\Windows\System\UJgmbXO.exe

C:\Windows\System\SONOrvY.exe

C:\Windows\System\SONOrvY.exe

C:\Windows\System\AIMNOry.exe

C:\Windows\System\AIMNOry.exe

C:\Windows\System\ZhfmMnu.exe

C:\Windows\System\ZhfmMnu.exe

C:\Windows\System\OpIUUtR.exe

C:\Windows\System\OpIUUtR.exe

C:\Windows\System\rtAEzqx.exe

C:\Windows\System\rtAEzqx.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 - tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.253.64:443 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp

Files

memory/2548-0-0x00007FF7237B0000-0x00007FF723B04000-memory.dmp

memory/2548-1-0x000001862B880000-0x000001862B890000-memory.dmp

C:\Windows\System\yiDRIVq.exe

MD5 d6271b0d7805859f395bab87a91a13f3
SHA1 a1ddaeca909cafc6a6e49e917af9e0e70fd64de9
SHA256 332dfb5650858e59184d365fe040049e1a11c47ba8880fabb94ad029a542f81b
SHA512 07811a98c3d481dddeb34bfd2164b1be90f6006d2666f38d374c1e8c23d612d5ccb99da7a1d68d2d5662bfc9e928b3bd704608855b745e8310ebb63928d54ff5

memory/2724-8-0x00007FF7160F0000-0x00007FF716444000-memory.dmp

C:\Windows\System\ruDiuXb.exe

MD5 271b9118192265c9a6fa41c86829c113
SHA1 891a46439683c65e78583c61be890b400c88d079
SHA256 008ff0a4b5ab0a4730cadc7cee7f4c4ca566dae3ee44669261b48dec4e414d57
SHA512 d98aa8ff55d9450ec64d2d59c4bb0a2bae361c616114ca17c29113c36e5405cd3572ba609bcfb81a15ff0bdcf853a054bd41d4b9446d73ba061daff6720e65ed

memory/4120-12-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp

C:\Windows\System\TqylNUh.exe

MD5 8300ffaffdf5efde8a4aa67d47455db1
SHA1 c3eb9db5e562a6efdfcc59d1475daa0aa6503a42
SHA256 10883a3048b2e7c5c95be476d5da319df6f4d9088b558ce58c05d85fa9158250
SHA512 36d8cddfdeec49a01c84b0cffb8b2b1d6d927f653bce01fb04f04f168576fd3ac27c29f36608b56af678c800db4befb3dbea83d544f774769cddd2dc9f4270ad

memory/2424-20-0x00007FF7D31E0000-0x00007FF7D3534000-memory.dmp

C:\Windows\System\dqjNBCk.exe

MD5 08aafdf0aef322be1faf22254d35d96b
SHA1 1c4c9477954e02a138c1ad2b48c65263cb4adade
SHA256 cd17f908c9e52afa9f174362bd8ae5a15a0b5c0616e5911cbe367c584365c131
SHA512 cb5396b694aeae8a78096b78a7bc2006df9064eba3d21f86ae10f97e498a5cc73947340fbf2d67cf213a05834067fc4416c92c4cb681eac6ea540ef043e1908e

memory/3928-24-0x00007FF6806F0000-0x00007FF680A44000-memory.dmp

C:\Windows\System\tKBFBkG.exe

MD5 c34c7488c7677dacf0cab3f56a3b6a8f
SHA1 fe6050b1086e6e374a0c3b4f44f6a0c602a686e3
SHA256 8346f9baa5e93d5740b9c769af34232b40ebf5ca408bd45fb16eb3e843e5a32b
SHA512 65c4a2f2b6cc2861f97cf50bc8e45c4bdbc59751708424ebec9c57b958d46593b0d114031d026607a61959e60c3a1dce0cb7cbdab6ff02d022316708d52ec9f4

memory/228-32-0x00007FF7BFE90000-0x00007FF7C01E4000-memory.dmp

C:\Windows\System\qQNrXAC.exe

MD5 949f3e69e2fdf4c5a1a48c6ad60eb348
SHA1 5f098b3f877ce2829480dea0a4c904a7602edf6f
SHA256 81fa99c8dae86460f7049490060060964e96eed4b2c5de84ade5eacf35290cb7
SHA512 7d26c530369e984a5cb4a8994ab6e8ca6ad41cb7003c8390a1e501d7b225c88b2d34bfb67ca649672d8a1599d049432530e89dd2bfa0a12be8168ae3d237299e

memory/4148-38-0x00007FF6393D0000-0x00007FF639724000-memory.dmp

C:\Windows\System\OMusCTs.exe

MD5 c95fab30932a9f224e5f8229600299d0
SHA1 d7a17abf40c4ebba93875441edfbe5fde39f95d1
SHA256 ef066ce533c84fafecafed9b4c9bbb7a019d8c6f136159498774aeed44ff6b16
SHA512 749b97fb14bf81f5b747f616f222a78c559e4ca903d5f0a97876f09cfdffb7d49ae324350e84ecda625486b62ae8064b7998465488a2a852c728d2a12e49c4bb

memory/3908-42-0x00007FF7078D0000-0x00007FF707C24000-memory.dmp

C:\Windows\System\cmHtvEG.exe

MD5 c8df57d0006e5bb8375dc34905aee865
SHA1 4e9c94d8102188f2653fdd2d82b9697fcdc0b49b
SHA256 61bb79eb175a2ec6f53e622580f620a99064d19a2ac8611edac2cfdb7d696cdb
SHA512 4de5fa8ec1c3175dbc520c6a5c26ff5f6a07bc160398baf93af5ef2417c24937fea64c5a13c7832bd9741b076225d58d79a6bb7c201d4b87013bceee5f1fac59

memory/4812-52-0x00007FF667C10000-0x00007FF667F64000-memory.dmp

C:\Windows\System\hoFUNEQ.exe

MD5 c5d01e14a6c3a223b549fcc26f8ede46
SHA1 63da8ad6cb170a67a6fdef2c648d31804f126a7f
SHA256 5766f694477cd184f2ceba517739022176a8e89af6ffbcc4e848e89947842a09
SHA512 cc649914d88239235100a29ab8ec1675b7fae41e71ef96e354f13b52ee0f8c732afc13e0fbb0e1ff6c8706119fe8dfd15161cbddbdd563455856d90d42bc697f

C:\Windows\System\UObdAVh.exe

MD5 bd8ccc2c3f300b1918397fd5ba637c66
SHA1 7df58faa762134bcb9e13b80239e9fa60682b9d9
SHA256 9376c1c9476bec592bc8be445d8f701fed0b5a8066bc688eb4b74d81a143b25a
SHA512 e6d317927539078d6dec8d8b9b85924e12f0e04547a3aad1dff7e30aca084daf0255e88daab51f8f6a6389a492cfb342b5dea87a549f7ad1c563d1b7c7ceec70

C:\Windows\System\hGFffrx.exe

MD5 2354e14ef6dfd8efec78107eb34fc3f6
SHA1 46dad8ac664325f5e67d0a9845dd2d1fc1d512db
SHA256 b9ff637e1590bdf81d4ba14aa94be5f977276c44c48dc01b8ffcad0afbfe8d1a
SHA512 03e26239542e8e34cb5e36715250003f46827dfdb97c48056500ce1e916c8000bed01f9178de15aacc7b32c7ecee8be9e5a3f6b16edca5e7540572e98abfaf7b

memory/2320-66-0x00007FF70BED0000-0x00007FF70C224000-memory.dmp

memory/748-71-0x00007FF6F90F0000-0x00007FF6F9444000-memory.dmp

C:\Windows\System\mBhBVQR.exe

MD5 4bb2dcdd831b7b6fb46e7f7c65a73caa
SHA1 258bc3cbb331b5aad7a1b3a333ace69df193af12
SHA256 0bda434034ecabc87fa8928a3be74833da7cd3628dc4f50092a463b07f2dc157
SHA512 0c3575114fde254924c6baac4eaaf7c4557fa32d8a8018057503dd4a5ae5883428ef3f1d0e05fa134cbfd740df47b903b9eb0ca05bf3a71abe2c8606c9f8751f

memory/4012-73-0x00007FF6F7A20000-0x00007FF6F7D74000-memory.dmp

memory/2548-72-0x00007FF7237B0000-0x00007FF723B04000-memory.dmp

memory/952-69-0x00007FF72D4E0000-0x00007FF72D834000-memory.dmp

C:\Windows\System\aXoBHJh.exe

MD5 588eb34a154af5bf67bb495b4f9c276c
SHA1 3158c48cbca50057ee28cdd23df129732072a9c8
SHA256 edc3127aed0980aea7aae790f20239bc8dc3d2de0ef543d9f6cad8ef7339b1d7
SHA512 552f5ea59c84b99da44746d84a6dacd343ab37d0eb1e7032030f537ea204848cf4aa1d92b77608f21ce2c2c0d657d9c9bcfd9766eb56afc4952e2eb3f67bc987

C:\Windows\System\McHoTLT.exe

MD5 9f193893131a707c44188bb1dcef860e
SHA1 cc7f3172a92c966c9c1985d4265900cee2436188
SHA256 2683d25d0d41c8f32b56953e8697b2f6412c56342fbb6dfa0f4efcc969379347
SHA512 f81b7cc77606c46111a513333e3a0f314e6d2b3bbe8601cc4b62e3103dffb307b7bba4bed1eb96e758474db0be334e4c6530cf73724dc47a443d01cda327b25b

C:\Windows\System\cESlIRZ.exe

MD5 409dc160234a17be871964577a3961d0
SHA1 4160042f568309c2a4a46a45486c9ec99ade1b9d
SHA256 40876240cd3f15e43d8565d538bedb4d3e7f0edc3f54f828fe09d88663762865
SHA512 072f253c8b3d821131e22da29f4011dfaba8be3316c54c8a7f8ed0bab3933a5e0571772dd47b6dacc4d4de4291478f7d64c7629fc2c01b72d977de8afa377671

C:\Windows\System\UJgmbXO.exe

MD5 e27e8e37029402efbdf8bbde729a3d70
SHA1 8bf4dbdad1ff13718512c0021bcfd16e757441e0
SHA256 bc6d0932fd9c4ab66cad2c88b0c396e10f767f8800c9eafc1858cd82af4e7362
SHA512 e13d8151a3ad763d21616dc34a298ccb485db4d2b7e5eca4c54d149b571f83e266cf08235cfacdcc262bb197ee7362f1ac1a2f33824e984d67219ce25b696e1e

C:\Windows\System\SONOrvY.exe

MD5 2113bc336e3a0b423ddf04108702e1ab
SHA1 b8c25a2fc6c3b015b2f0b58dc7aaeb9e1904b705
SHA256 4b23f00365ab1478f82ff6092e15a00d0125af357c39bde371dd2fec4c9ed59f
SHA512 d8e03e570c91532976ff5e088feba8f22565bb720c9b949108b75142519c99d8b70b80eca534fee46953923069ded0bbf624da61ab759e6072b226198148a9ed

C:\Windows\System\AIMNOry.exe

MD5 5c2d796273b803d0b127a022849342d2
SHA1 c88cd1b18e1cb540f77c474d4e9e11770a8bfdd4
SHA256 808d61fc2e4162efdb6cfda4d2041aa4b17f9b871a756bedd14b75bbf0adb44e
SHA512 9841952aef9c5dede4bc220bf6235781d4c2691e50a72723bc4ca649b4a8cde9b8b9a64235cf0bf1206c861f1814e7b58203ea341e3089ba4a26787b26c2e14f

C:\Windows\System\ZhfmMnu.exe

MD5 28f66d7d216efc651bd008ad8fe93ef9
SHA1 91c6c0300a5ddd343f8b28d0fc213ddab32401fc
SHA256 e7f192548b87f9d0467fdb20f44142619c86cddc4044c1a75ef52e98aa55c848
SHA512 c10001d888d7657029194778cbc1f7d2fb7a5d53b14a10110fd1d82963aee79a6f29fe9728e245dcf445f0dcf80d953734840332d2db599fbe94f89cd3c1c1dd

C:\Windows\System\OpIUUtR.exe

MD5 ec8293e9792e70e3e631854a32316bcf
SHA1 e6a6e1ea0b3a2b9744a4b698486684fa6bb938c6
SHA256 49d139949182b95db2b3771d397a9d73ce2f30c2200c087e110158752cbf05f8
SHA512 abc6c6d9e71c611dc6a9625243aefb590ab8c084770bfd746030ac5809dc6ab3f2c70010c87370ade5325975712c29afd164e22973b52a14a8c119b82083df61

C:\Windows\System\rtAEzqx.exe

MD5 9d0692f158fa4555842640324f507105
SHA1 2b7d8994a44132fb9c913241f6a03ea30eb3f8c4
SHA256 8db5d1cd11611d72c5e3aae11125deba4cab265a6fa7a8ff4c45ecf46789112c
SHA512 64d8909008d5575913c7f5d9dff83c288d6c571972bedd4d902439d1f32d1c931f175289e78ec10ba22e4bc195e81a1a6a07c41dfada1fcdb6869353bbb2b484

memory/3648-120-0x00007FF7CD670000-0x00007FF7CD9C4000-memory.dmp

memory/2420-121-0x00007FF6FE200000-0x00007FF6FE554000-memory.dmp

memory/1448-122-0x00007FF6F8110000-0x00007FF6F8464000-memory.dmp

memory/1808-123-0x00007FF7E7130000-0x00007FF7E7484000-memory.dmp

memory/3236-124-0x00007FF650A30000-0x00007FF650D84000-memory.dmp

memory/2428-125-0x00007FF7D77E0000-0x00007FF7D7B34000-memory.dmp

memory/1172-126-0x00007FF76D190000-0x00007FF76D4E4000-memory.dmp

memory/1516-128-0x00007FF68C1C0000-0x00007FF68C514000-memory.dmp

memory/896-127-0x00007FF738580000-0x00007FF7388D4000-memory.dmp

memory/4120-129-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp

memory/2424-130-0x00007FF7D31E0000-0x00007FF7D3534000-memory.dmp

memory/3928-131-0x00007FF6806F0000-0x00007FF680A44000-memory.dmp

memory/228-132-0x00007FF7BFE90000-0x00007FF7C01E4000-memory.dmp

memory/4148-133-0x00007FF6393D0000-0x00007FF639724000-memory.dmp

memory/3908-134-0x00007FF7078D0000-0x00007FF707C24000-memory.dmp

memory/4012-135-0x00007FF6F7A20000-0x00007FF6F7D74000-memory.dmp

memory/2724-136-0x00007FF7160F0000-0x00007FF716444000-memory.dmp

memory/4120-137-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp

memory/2424-138-0x00007FF7D31E0000-0x00007FF7D3534000-memory.dmp

memory/3928-139-0x00007FF6806F0000-0x00007FF680A44000-memory.dmp

memory/228-140-0x00007FF7BFE90000-0x00007FF7C01E4000-memory.dmp

memory/4148-141-0x00007FF6393D0000-0x00007FF639724000-memory.dmp

memory/3908-142-0x00007FF7078D0000-0x00007FF707C24000-memory.dmp

memory/4812-143-0x00007FF667C10000-0x00007FF667F64000-memory.dmp

memory/2320-144-0x00007FF70BED0000-0x00007FF70C224000-memory.dmp

memory/952-145-0x00007FF72D4E0000-0x00007FF72D834000-memory.dmp

memory/748-146-0x00007FF6F90F0000-0x00007FF6F9444000-memory.dmp

memory/4012-147-0x00007FF6F7A20000-0x00007FF6F7D74000-memory.dmp

memory/3648-148-0x00007FF7CD670000-0x00007FF7CD9C4000-memory.dmp

memory/2420-149-0x00007FF6FE200000-0x00007FF6FE554000-memory.dmp

memory/1448-150-0x00007FF6F8110000-0x00007FF6F8464000-memory.dmp

memory/1808-151-0x00007FF7E7130000-0x00007FF7E7484000-memory.dmp

memory/3236-152-0x00007FF650A30000-0x00007FF650D84000-memory.dmp

memory/2428-153-0x00007FF7D77E0000-0x00007FF7D7B34000-memory.dmp

memory/1172-154-0x00007FF76D190000-0x00007FF76D4E4000-memory.dmp

memory/1516-156-0x00007FF68C1C0000-0x00007FF68C514000-memory.dmp

memory/896-155-0x00007FF738580000-0x00007FF7388D4000-memory.dmp
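Every memory/<pid>-... region listed under Files for the dropped executables spans the same size, 0x354000 bytes, although the twenty files all hash differently; the one exception is the second region of PID 2548, which is 0x10000. The script below is an added example, not the report's own tooling. It parses a constructed subset of those dump names (the name format is taken from the report), deduplicates regions that were dumped more than once, and groups processes by region size so that check is mechanical instead of done by eye. The grouping heuristic and the min_processes threshold are this example's assumptions.

```python
"""Size the memory regions the sandbox dumped, per process.

Added example, not part of the report. DUMPS is a constructed subset of the
'memory/<pid>-<seq>-<start>-<end>-memory.dmp' names listed under Files; the
parsing and the 'shared size' heuristic are this example's own.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input: dump names copied from the report's Files section.
DUMPS = """
memory/2548-0-0x00007FF7237B0000-0x00007FF723B04000-memory.dmp
memory/2548-1-0x000001862B880000-0x000001862B890000-memory.dmp
memory/2724-8-0x00007FF7160F0000-0x00007FF716444000-memory.dmp
memory/4120-12-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp
memory/2424-20-0x00007FF7D31E0000-0x00007FF7D3534000-memory.dmp
memory/3928-24-0x00007FF6806F0000-0x00007FF680A44000-memory.dmp
memory/4120-129-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp
""".split()


def parse_dump(name):
    """(pid, seq, start, end) for a dump file name, or None if it is not one."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions(names):
    """Unique (pid, start, size) regions; a region dumped twice counts once."""
    seen = {}
    for name in names:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, _seq, start, end = parsed
        seen[(pid, start)] = end - start
    return sorted((pid, start, size) for (pid, start), size in seen.items())


def group_by_size(names):
    """size -> sorted pids that own a region of exactly that size."""
    by_size = defaultdict(set)
    for pid, _start, size in regions(names):
        by_size[size].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items()}


def shared_image_size(names, min_processes=3):
    """The region size shared by the most processes, if at least min_processes
    share it; otherwise None. Identical sizes across differently hashed
    executables are the point worth checking here (threshold is an assumption)."""
    best = max(group_by_size(names).items(), key=lambda kv: len(kv[1]), default=None)
    if best is None or len(best[1]) < min_processes:
        return None
    return best[0]


if __name__ == "__main__":
    for size, pids in sorted(group_by_size(DUMPS).items()):
        print(f"0x{size:X} ({size} bytes): pids {pids}")
    print("shared image size:", hex(shared_image_size(DUMPS) or 0))
```

On the full list the report gives, the 0x354000 group holds every process that ran one of the dropped files plus the submitted sample itself, which is the quickest way to see that the twenty differently hashed drops map the same-sized image.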