Analysis Overview
SHA256
257da9dae6441cd13e0d6cf1ce31ee4afd671d73fb75575fdccfed0278324753
Threat Level: Known bad
The file 2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
xmrig
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 02:09
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 02:08
Reported
2024-06-07 02:12
Platform
win7-20240221-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fXLEPtO.exe | N/A |
| N/A | N/A | C:\Windows\System\lDyqgYu.exe | N/A |
| N/A | N/A | C:\Windows\System\kKplVRb.exe | N/A |
| N/A | N/A | C:\Windows\System\ahZXqqg.exe | N/A |
| N/A | N/A | C:\Windows\System\JIIJpRx.exe | N/A |
| N/A | N/A | C:\Windows\System\ApPyPWY.exe | N/A |
| N/A | N/A | C:\Windows\System\hauAeiw.exe | N/A |
| N/A | N/A | C:\Windows\System\LrtQOCy.exe | N/A |
| N/A | N/A | C:\Windows\System\JrFcQpu.exe | N/A |
| N/A | N/A | C:\Windows\System\wkFXKsM.exe | N/A |
| N/A | N/A | C:\Windows\System\kqmiLkw.exe | N/A |
| N/A | N/A | C:\Windows\System\Djwizkq.exe | N/A |
| N/A | N/A | C:\Windows\System\fAXBSmB.exe | N/A |
| N/A | N/A | C:\Windows\System\lSWGNCG.exe | N/A |
| N/A | N/A | C:\Windows\System\GbpjMSq.exe | N/A |
| N/A | N/A | C:\Windows\System\vEDGRff.exe | N/A |
| N/A | N/A | C:\Windows\System\uhTZwbG.exe | N/A |
| N/A | N/A | C:\Windows\System\uZpDQXK.exe | N/A |
| N/A | N/A | C:\Windows\System\AdnSqXC.exe | N/A |
| N/A | N/A | C:\Windows\System\tFcIVPX.exe | N/A |
| N/A | N/A | C:\Windows\System\QhTDQSS.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fXLEPtO.exe
C:\Windows\System\fXLEPtO.exe
C:\Windows\System\lDyqgYu.exe
C:\Windows\System\lDyqgYu.exe
C:\Windows\System\kKplVRb.exe
C:\Windows\System\kKplVRb.exe
C:\Windows\System\JIIJpRx.exe
C:\Windows\System\JIIJpRx.exe
C:\Windows\System\ahZXqqg.exe
C:\Windows\System\ahZXqqg.exe
C:\Windows\System\ApPyPWY.exe
C:\Windows\System\ApPyPWY.exe
C:\Windows\System\hauAeiw.exe
C:\Windows\System\hauAeiw.exe
C:\Windows\System\LrtQOCy.exe
C:\Windows\System\LrtQOCy.exe
C:\Windows\System\JrFcQpu.exe
C:\Windows\System\JrFcQpu.exe
C:\Windows\System\wkFXKsM.exe
C:\Windows\System\wkFXKsM.exe
C:\Windows\System\kqmiLkw.exe
C:\Windows\System\kqmiLkw.exe
C:\Windows\System\Djwizkq.exe
C:\Windows\System\Djwizkq.exe
C:\Windows\System\fAXBSmB.exe
C:\Windows\System\fAXBSmB.exe
C:\Windows\System\lSWGNCG.exe
C:\Windows\System\lSWGNCG.exe
C:\Windows\System\GbpjMSq.exe
C:\Windows\System\GbpjMSq.exe
C:\Windows\System\vEDGRff.exe
C:\Windows\System\vEDGRff.exe
C:\Windows\System\uhTZwbG.exe
C:\Windows\System\uhTZwbG.exe
C:\Windows\System\uZpDQXK.exe
C:\Windows\System\uZpDQXK.exe
C:\Windows\System\AdnSqXC.exe
C:\Windows\System\AdnSqXC.exe
C:\Windows\System\tFcIVPX.exe
C:\Windows\System\tFcIVPX.exe
C:\Windows\System\QhTDQSS.exe
C:\Windows\System\QhTDQSS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2220-0-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2220-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\fXLEPtO.exe
| MD5 | 15c2d97864e8c143fb2518e0d79fe7fc |
| SHA1 | e88572ddf165f0fd9684d13af9c029353692e01c |
| SHA256 | f56dcefe5e943360d37621024dfce55002d169a9fc20a0d3be94d0ceb21ce2ea |
| SHA512 | 81d7f5d1a85d3230d7a4c1df13f6d160a5072ed0dca0e2479f7dc8ebf2b4e78f88b17bc6533f7a3689abd5114e54b7d80f16d54b57382e98466e1e523e170ec0 |
\Windows\system\fXLEPtO.exe
| MD5 | 2130f4461ba7262c4b9569c7ad362fbe |
| SHA1 | 477f7cc69e47cdff19a52b2da61a04f2127580e1 |
| SHA256 | f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025 |
| SHA512 | bd19fb9a7b432908f39c8e2a25f78223abf0f155bd219827a4b513d256827c60c965e975a97433d8f252d3353383a04a3ae742b841c52e2f210a05922493b703 |
memory/2172-9-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2220-8-0x00000000023A0000-0x00000000026F4000-memory.dmp
\Windows\system\lDyqgYu.exe
| MD5 | 64fc7e100c974b24385b94e08b7141d6 |
| SHA1 | c5f7cd27416475b391ae91d0a42f0426fc7799ed |
| SHA256 | d6f623cd605efda5468d6eef002ce27a25402688b3e0aa927ba702c9d765c300 |
| SHA512 | 4f46e3ee4780451eaa90c083d1818ffe4d89702bafbeeb3ae459a025a35d2c6df4bdcc456f97b263416cae484e428ff6c5f30ec421360553da5b1e24d08e21d3 |
C:\Windows\system\lDyqgYu.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
memory/2220-13-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2220-28-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\ApPyPWY.exe
| MD5 | f8ab2f0e6d7f80fb45c5922b46f7c8d5 |
| SHA1 | ced5fcf24c2b608260d2b77ed9ad4c6f2737ef1e |
| SHA256 | 76609df64a6d4f39efaf9dba71c791ab04546a94c75cdd07b7e19c5921acf679 |
| SHA512 | 53c5a23263ba20129500fc45cc972ce9ac77b42a278c9257caef4efeead33e64306ae4d0dedd5fa2bb81c08327384c4fd39003c0ae2287651840bcc55aa39508 |
memory/2704-42-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2220-46-0x000000013F590000-0x000000013F8E4000-memory.dmp
C:\Windows\system\hauAeiw.exe
| MD5 | 3c496c7626c23d5e958a0b6cbfbbb806 |
| SHA1 | 803d29a6882f8ab5f05080602ce758f426212931 |
| SHA256 | 7feb59059d33c04ec5e7bc01471639a9ca64667caa4ba8b3d43458ad1fc13d6e |
| SHA512 | 48f19c0e4ce520d620c0735a004acda4beb828d62b77a6101178b101e0b7d5adb97d555d9e13ccfb7e6c05d5cc3edef2c07ac8a106f862e57937f83054a1f241 |
C:\Windows\system\LrtQOCy.exe
| MD5 | f0f277157362d48b8111b1706409ed29 |
| SHA1 | 47b5064cc57fda73794448f5bc25e71d4c01a765 |
| SHA256 | fb56c91a87608b71e501b648242ded58e010f72f845badded5e27a4153b2fb4c |
| SHA512 | 8381f0de2f9d3f9c1df9f712a7978f545c83d147177f0d80577cd99ccd1cbe7ea6de6517d3ff34747e63a351bc3bea5628adc8bdea4003ce18ff11edc9eade0a |
memory/2220-57-0x000000013FAE0000-0x000000013FE34000-memory.dmp
C:\Windows\system\JrFcQpu.exe
| MD5 | 2c29c56557704a5af675ac862b6acadc |
| SHA1 | 8095e9a472d534a6ef5dc3ab384273149ae12d48 |
| SHA256 | ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d |
| SHA512 | f76c7cafe7089612bd2c5136e03dfbe423618b3b68e64692820e5dfa2eb3d816fbca1bfa4bd5be14823ba5172f77c777b526463c4d46646574bc76ae1535f049 |
memory/2848-95-0x000000013F760000-0x000000013FAB4000-memory.dmp
C:\Windows\system\uZpDQXK.exe
| MD5 | 4ebd1901e669a14d40cee031fd206e82 |
| SHA1 | 48b4d9303ce77228a3ead5a9a71386291542a98f |
| SHA256 | 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1 |
| SHA512 | c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087 |
C:\Windows\system\AdnSqXC.exe
| MD5 | 8c5942db9626bdc67d19ecda488bdabf |
| SHA1 | dd6bed4baf0bd317e2ac35a545acaa457c560d70 |
| SHA256 | 3cb81d4d394d5a3d40491e7fe580c60b3108f8e350c8ff343c2bacb831412805 |
| SHA512 | c9b5ef2f12fa572138556051846472a8bcc53cad444fed6520f60322f6d77f8e04d558859c7df249cf27fcd327591689d0b21682a6ca97280b128ad6abfb0668 |
C:\Windows\system\QhTDQSS.exe
| MD5 | c1518081c0655249ee4f83af3cb7a513 |
| SHA1 | 08a4bc472701beffbff31e171d92540ce872e59f |
| SHA256 | 1be42aaddf0664630bd0c55b81b20bef4504bfd9f8224c0a8be5033e8393b084 |
| SHA512 | ffc94d1219b0963d6d2dd090b0558532fb2e074eafbc603ded1132dca1ff59b8b100b60bebdd85da94728ac016e7b3712c85854f9a1078bbfbb804c85be488cb |
C:\Windows\system\tFcIVPX.exe
| MD5 | 7ca4c7d08ec840a69d3101c638d4b72f |
| SHA1 | 9a0bd3c709f755b63121fadc936f446aec1e7ee6 |
| SHA256 | ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7 |
| SHA512 | 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b |
\Windows\system\tFcIVPX.exe
| MD5 | a87d02cdbe7e6add7e29be96af078b04 |
| SHA1 | 061bd0a5bdb6825d189e4ff9f6d82ad5fd8a6c59 |
| SHA256 | 88c4bd78d05060188cea642b76603b730396989a40a1f247a6f3067a1fcf3c77 |
| SHA512 | 9d17685560b55592d030b6396abca098778362db2271bf4cc221812708693866812e286c5067adb9b060d1988021e0fa8251592efaa34c716bd304aaf102ce86 |
\Windows\system\uZpDQXK.exe
| MD5 | 1d3a027708a48a3c73a911f7d1532fca |
| SHA1 | f960fd40bf0cf951600c386a6a9501a01e54ab51 |
| SHA256 | f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda |
| SHA512 | 4c0f2e25c98d407f27d4b0d85d2fe06ea754e657bc939feb907f00109c3d9db11707e7ca2d3e02171201afd527ee2b1673e434c274c030dde555dbb27b53e539 |
C:\Windows\system\uhTZwbG.exe
| MD5 | ca2c8fc23ac2c4dd58545d16927e5bef |
| SHA1 | b94b35150eb75787af3ce6aea401e04f2ec70fc4 |
| SHA256 | 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef |
| SHA512 | 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce |
memory/2220-105-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2808-141-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2220-140-0x000000013FAE0000-0x000000013FE34000-memory.dmp
C:\Windows\system\fAXBSmB.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/2220-91-0x00000000023A0000-0x00000000026F4000-memory.dmp
\Windows\system\fAXBSmB.exe
| MD5 | 453d1aa4a2ed1e619790ad849668194b |
| SHA1 | af82a47d5872e8c1de2a992dec068927772960e7 |
| SHA256 | 5ec67bd5afad11e5cb13b6e5276b36bde6c9bb9ae6a5d3707f276c90aa701ff2 |
| SHA512 | 3733ab98ee77dbdc84b55bb76454b3b6f77aaead8bb09722d9d878fe445210ead6b54afccae45d9f29809df0952f2040627af751ee0fe3f01c808dc92f8367b6 |
memory/3060-81-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2220-80-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2852-103-0x000000013FFC0000-0x0000000140314000-memory.dmp
C:\Windows\system\lSWGNCG.exe
| MD5 | 2e820f8af7aa3bf225d37608a0a87341 |
| SHA1 | b813ceb09756bee341a57c9525bd3abdbe863ab8 |
| SHA256 | de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa |
| SHA512 | 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4 |
memory/2220-99-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2704-98-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2540-97-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2980-86-0x000000013FE00000-0x0000000140154000-memory.dmp
\Windows\system\Djwizkq.exe
| MD5 | 9431968fca757c14826bcb9aed267fb5 |
| SHA1 | 4d1afb273f1c44230d7b7aa43b634d556fa80c6d |
| SHA256 | ac942caaf5b2e9b5944e42d2847d911ab9eb5b859a26742b82d0dedd7638d541 |
| SHA512 | 67d5e1e741d803f9e64a0665e84855c200d763437dea398e0ee29681b28312ed2eca9e794b643c7c3997fa7c63728b394d2514eb1e59d0985c725280df817acd |
\Windows\system\kqmiLkw.exe
| MD5 | 3832e7509acba5a85cd802a5dde9c6c7 |
| SHA1 | 79f829af4e17241f3cb79f6caa30d62f8c82e872 |
| SHA256 | 908b5a60f3096d1fe6ebc0c3f2aec8d644c90c871959b040730d63a748b21afc |
| SHA512 | 8c9579bf373b33d684820936d11699033b2aef670b1aa4528f483cddf041e4e1b1f08e9584302b182ab4549955ea09f0e874a1fb73c2e280ccf7041d910b3b29 |
memory/2444-74-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2220-73-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2220-72-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2604-66-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2220-65-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2112-64-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2056-63-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2808-58-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2220-143-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2440-50-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2220-49-0x00000000023A0000-0x00000000026F4000-memory.dmp
\Windows\system\hauAeiw.exe
| MD5 | 8277fedbd3255e17ffda30a6804ad507 |
| SHA1 | c32c09de51b706fec128d9564a25a53385cea3fd |
| SHA256 | d43f6e9d0972eb990827edb5a308943ead0705d18dde6862ac212f02acb082bc |
| SHA512 | a30d613628f706b740c6aabb343211e2503cbb8767b966ec9ed17f9d484b9271d2ffdfdc7d123cde9df707e49f67b1b427d4473764aa073d1c3b78c01ea789ed |
memory/2540-40-0x000000013F430000-0x000000013F784000-memory.dmp
C:\Windows\system\JIIJpRx.exe
| MD5 | c83a72fd32d1ea03c4c25e0b40a06534 |
| SHA1 | de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1 |
| SHA256 | c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359 |
| SHA512 | 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c |
memory/2580-37-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2220-36-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\ahZXqqg.exe
| MD5 | b5d356ba280ba2d74bb0341f065f4cfe |
| SHA1 | b1972bf062af0f0920c9d663f3945bcd4be61a83 |
| SHA256 | da27f98ce9b5629a313856afc899854755e2ba954582c5ca0405383eeafb5a33 |
| SHA512 | 5b3d59d618c10b5594d7a2e73c694cf0bf3436e6658b25b28de492950da37a51683773bdb6d63074313363a3c5017d817a74ae9259b3f8d3c610204e9d4f6155 |
memory/2220-33-0x00000000023A0000-0x00000000026F4000-memory.dmp
\Windows\system\ApPyPWY.exe
| MD5 | 3c4936ba91eaa69f7fdbfccc9b857022 |
| SHA1 | d97c8ba6655ec64594f86192c6bdb9c832040c3a |
| SHA256 | f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10 |
| SHA512 | 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9 |
memory/2112-24-0x000000013F550000-0x000000013F8A4000-memory.dmp
\Windows\system\JIIJpRx.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
memory/2220-20-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\kKplVRb.exe
| MD5 | dd240f409c9a8ba2d8b733d2e2b7fda8 |
| SHA1 | ef4a5f4cf09a6b0567ca4a094c1eb56fe5b1b6ab |
| SHA256 | da1546ebc647a64928b54f1bdf601adb00c345b6e23b570ebc34ee68ab593eb6 |
| SHA512 | c0c1e0663c973a676d5e7277bdff2401f175e546a813a199acd5677f87232758ddf83084200702a81af1bfb57719b2485be92cb457e900d9e6dcf3a6ecd8e783 |
memory/2056-15-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2444-145-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2220-144-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/3060-147-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2220-146-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2980-149-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2220-148-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2220-150-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2220-151-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2852-152-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2220-153-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2172-154-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2580-156-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2056-157-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2440-158-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2704-159-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2540-160-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2112-155-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2808-161-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2444-162-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/3060-164-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2980-163-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2848-165-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2852-166-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2604-167-0x000000013FC40000-0x000000013FF94000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 02:08
Reported
2024-06-07 02:12
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vhYMwWc.exe | N/A |
| N/A | N/A | C:\Windows\System\UeSGrdr.exe | N/A |
| N/A | N/A | C:\Windows\System\vVlkuaz.exe | N/A |
| N/A | N/A | C:\Windows\System\AXJRpzl.exe | N/A |
| N/A | N/A | C:\Windows\System\KcKysmV.exe | N/A |
| N/A | N/A | C:\Windows\System\TAMpxap.exe | N/A |
| N/A | N/A | C:\Windows\System\WnYJraa.exe | N/A |
| N/A | N/A | C:\Windows\System\ArfEHlS.exe | N/A |
| N/A | N/A | C:\Windows\System\LJgIVrw.exe | N/A |
| N/A | N/A | C:\Windows\System\TVXWwNs.exe | N/A |
| N/A | N/A | C:\Windows\System\rNqmGvW.exe | N/A |
| N/A | N/A | C:\Windows\System\vCaeTrX.exe | N/A |
| N/A | N/A | C:\Windows\System\DiHQWVr.exe | N/A |
| N/A | N/A | C:\Windows\System\OBFEstq.exe | N/A |
| N/A | N/A | C:\Windows\System\sIBPEfy.exe | N/A |
| N/A | N/A | C:\Windows\System\wrijRsd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBLIJmO.exe | N/A |
| N/A | N/A | C:\Windows\System\oHfKNjD.exe | N/A |
| N/A | N/A | C:\Windows\System\mZgeLVA.exe | N/A |
| N/A | N/A | C:\Windows\System\Jvxtwxn.exe | N/A |
| N/A | N/A | C:\Windows\System\NJyxmNH.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vhYMwWc.exe
C:\Windows\System\vhYMwWc.exe
C:\Windows\System\UeSGrdr.exe
C:\Windows\System\UeSGrdr.exe
C:\Windows\System\vVlkuaz.exe
C:\Windows\System\vVlkuaz.exe
C:\Windows\System\AXJRpzl.exe
C:\Windows\System\AXJRpzl.exe
C:\Windows\System\KcKysmV.exe
C:\Windows\System\KcKysmV.exe
C:\Windows\System\TAMpxap.exe
C:\Windows\System\TAMpxap.exe
C:\Windows\System\WnYJraa.exe
C:\Windows\System\WnYJraa.exe
C:\Windows\System\ArfEHlS.exe
C:\Windows\System\ArfEHlS.exe
C:\Windows\System\LJgIVrw.exe
C:\Windows\System\LJgIVrw.exe
C:\Windows\System\TVXWwNs.exe
C:\Windows\System\TVXWwNs.exe
C:\Windows\System\rNqmGvW.exe
C:\Windows\System\rNqmGvW.exe
C:\Windows\System\vCaeTrX.exe
C:\Windows\System\vCaeTrX.exe
C:\Windows\System\DiHQWVr.exe
C:\Windows\System\DiHQWVr.exe
C:\Windows\System\OBFEstq.exe
C:\Windows\System\OBFEstq.exe
C:\Windows\System\sIBPEfy.exe
C:\Windows\System\sIBPEfy.exe
C:\Windows\System\wrijRsd.exe
C:\Windows\System\wrijRsd.exe
C:\Windows\System\ZBLIJmO.exe
C:\Windows\System\ZBLIJmO.exe
C:\Windows\System\oHfKNjD.exe
C:\Windows\System\oHfKNjD.exe
C:\Windows\System\mZgeLVA.exe
C:\Windows\System\mZgeLVA.exe
C:\Windows\System\Jvxtwxn.exe
C:\Windows\System\Jvxtwxn.exe
C:\Windows\System\NJyxmNH.exe
C:\Windows\System\NJyxmNH.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4760 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4796-0-0x00007FF718FC0000-0x00007FF719314000-memory.dmp
memory/4796-1-0x0000017739510000-0x0000017739520000-memory.dmp
C:\Windows\System\vhYMwWc.exe
| MD5 | ef9f1c31e83699ade1561c5b0f5a56f8 |
| SHA1 | f7066b855127e7342b0b07bcb0009e518c755003 |
| SHA256 | f43f9f14594171c71bce6a6d4dcd99b64d3b97304220e1e164177d00281a50cb |
| SHA512 | 885d3e0a8a72113a59ed7f50c2205d9134245c0fa4bca1da1d633233af988b5d2547bacf01018f6ec74e3c2b0827840274a961853b04b9d59c6d753fac9aeb26 |
memory/3180-8-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp
C:\Windows\System\UeSGrdr.exe
| MD5 | 20007038785c8b46deabcba2d9e12182 |
| SHA1 | 70fda0c7a8a83cd87eacb8621a166f852e253d4d |
| SHA256 | 272ef349ccb6d60445d3b356875400238f76dbc09a2187b3a0eee9ab0e9b2e6d |
| SHA512 | 6c3cb0841287bfff718cf14d54068fc94220d97e473afb690f21692884fb4c4296136feadd33dd6439e52d19afa922f9ec8584b284acb810e96092be6739dad6 |
memory/1544-14-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp
C:\Windows\System\vVlkuaz.exe
| MD5 | 9f9d252bb6ae8245b4d9d967e4b1bc78 |
| SHA1 | 6960fcb92b2b46dbec9ae0624cb7964f9d3f035d |
| SHA256 | d927eac56fa0a06aed3e47bf497179d388b8ae474b358597d7dae7c01d7519b8 |
| SHA512 | 4552229f0353a40a33d58d80d73a18cd5e7736bde4f744c64afc4b6e6124b9a246bc43c255d7bf982df608e057e652b72c4975ca709977fbc301f6e751e5cfd1 |
memory/1444-20-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp
C:\Windows\System\AXJRpzl.exe
| MD5 | f214cb9198a39970b372cb715b68f128 |
| SHA1 | d599aad658c6a286a00a62e74a3b0192a3a5f65f |
| SHA256 | 8fa2468069ded1a8769d1b2748917320c16cec0b89e9afaa37ff613521f44a2e |
| SHA512 | e10285a404bc2e1723069568a2e94130cf8ebc2961b5afbafd8cd4528ae66866fb2aab3aba1e88396e6d82843be30af3b5084adfcc9c7d5e2779e72ca4c5f166 |
memory/3248-25-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp
C:\Windows\System\KcKysmV.exe
| MD5 | 51dd25c412a739a01d24df269451ce17 |
| SHA1 | 96d5f975ace4d5f83d1d69491d5707f2ca223074 |
| SHA256 | 022992ab3ba5a0a87f6bdb754deedb9a71f9b6f053f08fe53e9a11f101f66da5 |
| SHA512 | a310efd45bbb4a66e3faeaccafb8dc2b1c8f94238f6061431ea2dbfd0debee0c199826cff14daed0bd6cb97e0a4aa2e9ced6c356d606ba1fa3a9ffc1b8af781c |
memory/4780-32-0x00007FF77F140000-0x00007FF77F494000-memory.dmp
C:\Windows\System\TAMpxap.exe
| MD5 | a3789effa85326966e79654aeeae7b7e |
| SHA1 | 0292478eba5c1f215d4fa0f8cac907bb961bbdcd |
| SHA256 | 9482e8a64ef0518dd7db685c6b4af5c40665078dc547a0855bcdba6f43914c1b |
| SHA512 | fe3bf4038655a186160b7d250e67e73408aebd78635c98de9cfae67689d58f94c1b48e3e56857d577bae1768de217eab608dd4db16ddae6e383f19d905681712 |
C:\Windows\System\WnYJraa.exe
| MD5 | 4af8ac3d2cf1e4522400ce184e871a29 |
| SHA1 | 305d0ed356a0cb63c93d76b7dc8ac98b6cd0342e |
| SHA256 | d46f9bb8e063e4e549d8a131d315d8f5f4848c242828b2b015cd32f1f9c687f8 |
| SHA512 | 1094200ba08c15c2fa480c03fd3a6893cbd18783a6f051101d2e3720f6653b2a9b303c3ccc60be1065ac1177ac4a0686a80ea8ad620d138d90de799fdd20ab57 |
memory/4640-40-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp
C:\Windows\System\ArfEHlS.exe
| MD5 | 15b560f6907d1922a3d324a3303f14df |
| SHA1 | 9051c8e2c2d835a8aa86867ae26731b1336aed77 |
| SHA256 | 064fc63f52941573a0c16b92151b09f5d30145d57ca2ed4e0dd4407d30af7a75 |
| SHA512 | 4beae9bd8ae4ca0b072489773fd0fc792c731c944f0729158209591f22e1c6d86750f8826f66ebd36b1d60e046fad3083d90c8e5692f1ed908b2259106326efe |
memory/1496-47-0x00007FF621D20000-0x00007FF622074000-memory.dmp
C:\Windows\System\LJgIVrw.exe
| MD5 | 6e5b6f84f1b12ed468c3b7936da05fa7 |
| SHA1 | d10f4c3bc6b8742bdc34ef204c98856d210328c5 |
| SHA256 | 77c4a5a707b6df0693dd525fea36dcdc42fcd372ef68a9dbba8832f41c94d1e5 |
| SHA512 | 4fef6cd35f2647879beeddb3e6aeba81c9d3a42df6327ba9d95adc00b69929a7c4510905868b17f5e8357b7125ca659eae51f1c3be3b48b9e5d42a686e6fd9bd |
memory/4340-48-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp
C:\Windows\System\TVXWwNs.exe
| MD5 | 13b7fc334f51cc5ca1de928539f65632 |
| SHA1 | 6ea3a0ffe9f86522e014e16da001c005c43a0301 |
| SHA256 | 23576af0b1503c887ad6ffbc3561f80902d320e8ac20081ee22eac2bae29613e |
| SHA512 | 5b527b0e38e44698a0c7c428ac56ea7424f8ec2d4171daa0f52ce5db4a1807d036fb42ee18defa3fff534388c91e9a0846ef590e2f90ff71ec5b4af8cf691c7d |
C:\Windows\System\rNqmGvW.exe
| MD5 | d222b74cc4b4fac705716becf06cae1a |
| SHA1 | 886a0ef56e39e1ca9fa48149c49c3ad1c519252b |
| SHA256 | 9229f57793d6f13a8e5eac89e967386730337fb58348d66f1c9ad68ce9b504d7 |
| SHA512 | a6280849b8445e467d2b93046221a24f4abf618a8b1e65028c3d1231b7f1d1f792a45a9741e5e0cdc284be480c3eb3753990dcd449ce38926e60c6b0c9e46c69 |
C:\Windows\System\rNqmGvW.exe
| MD5 | 98ddbea8b700025cfea6cdb4aa3e43e8 |
| SHA1 | 50ceb41fa98f8da019e896ed8b56fb815ade85c3 |
| SHA256 | f3d04b1b505bbd1edfc225f0ff843d2d6e124620e1863f1cebccc8fb38f1e763 |
| SHA512 | d10c79b9ffe04655d2ed28a606ef98f8550b5560c30acde63f1522d23a06ada25993e4c72d6366952d8876ac8ea72ef7e8996ba2e92abd973881f2d8a97c9a8a |
C:\Windows\System\vCaeTrX.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
C:\Windows\System\DiHQWVr.exe
| MD5 | 002ac8049241c80f5c410544e38d0cbf |
| SHA1 | 33613dc0ebb3ba959740ecd34313a51d2540d78e |
| SHA256 | 7337764c4ba8069ac208bc86289a3fb05b3e66f639d0154413eb2c9cc41dd5b1 |
| SHA512 | 0379e3c299bf5e1c59866132171c92623da09a8cfe11243b0a3a6c6c2101eac44cb81faf6ac1968a719df5bdb6dc4492a9e5a9c56bced0dfdb4fd422bf61b6d1 |
C:\Windows\System\OBFEstq.exe
| MD5 | 6f708884c64011b1b7b4efe237bf3258 |
| SHA1 | bd2e2d5073a94e0f1dfdb49449517442daa7f71d |
| SHA256 | 1f724237479fe4a3dbbc86fec9a6f17c1838b0c3103fa89d589d30acefe0841a |
| SHA512 | 9ecc11c326b3ef06536b7f6e38fa8dfc3819c5e0290a1ae1f4bb5ccb9f59b1be8eadfeccddcc6dd3b8ef67f210b83986eb2ca7e4912b64dec90050bfffbb4513 |
C:\Windows\System\sIBPEfy.exe
| MD5 | ef2131eded6f82457b6ff3f0ad490b88 |
| SHA1 | ca11cdc97b4555826e7448a96e59eee36b40faed |
| SHA256 | d54dff04bf667ad6323b8ffd99f216e03c552ef139f24e3fbcc9695e83848b22 |
| SHA512 | 894f21f0ba15f8fa5d4da18d3120e381e389880383d9dd652c416338561e6619c7272869193317cfd15c6fdd1451c4c19fc7ddd479a50fce6ef4f138fdb95798 |
C:\Windows\System\wrijRsd.exe
| MD5 | 135b436ac96391534afbbeeecb84c492 |
| SHA1 | 093f4d0f53069c2503d83cd811467ed411b4826f |
| SHA256 | 2f81bc43ceeb86e1ee0ee5d218bdb50d54ed5b24bd670e0afa31e188a6380ac2 |
| SHA512 | 7815d31f33cc6c10caeacf93a73da4b79bc88c461543bec5cc22ad03114f316e1d65916d98ee17dcd6b55f9f1d7638d784decb8ca264228541eda8f736ec7290 |
C:\Windows\System\ZBLIJmO.exe
| MD5 | 3751a2899762b2a12a2153f55b533921 |
| SHA1 | 26268046ad64ea5ace7808c7a22fc4cd39b00e5d |
| SHA256 | fa990d4b424dcdb03bb883900fff6392d28bec914a547e012f2ce63aa61435e3 |
| SHA512 | 9ca2d848aec63787eb85c3019a1ed1f2738ff080633e22629b71ab34fd9435eecdfdf11737fdc696d1a8bb62858645a0d5188845aedd8732c148f5f1548dd312 |
C:\Windows\System\oHfKNjD.exe
| MD5 | b82c73c002bf46083d0ff2444ea1db0b |
| SHA1 | 47866cf0b20f830226cbeb7501ca060a826163c8 |
| SHA256 | 068057cec27c51b71e00faa03f8e28d29ee615e1881e831bb6d776793cdd54a4 |
| SHA512 | 60dc461a2f4b47d15dd53e9e36cbc8cbf187238ccb94ecda2620f438bc21f8e483c00b5383b527196928ff1246f0414cf8dabdf42705ce65acf5f8bf4f738457 |
C:\Windows\System\mZgeLVA.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
C:\Windows\System\Jvxtwxn.exe
| MD5 | ad0bc882b54ae48afb2034b714dacb2c |
| SHA1 | a76a975f198ded66f2e4cd8befb78ee2bb67be8e |
| SHA256 | 6d9223a495b50db1593b7ad40d2ffd2397b5dd376bcde6f64e781b58c0cc4dfa |
| SHA512 | 65f64452f2da926eb7f6990111241d0a295f38e4a6077a250326428d3153f658096bc4ebc4f6765063fa38884ff833dee62536bf94a5324a2a10d4652b764170 |
C:\Windows\System\NJyxmNH.exe
| MD5 | 289d862207cc53836e60670e67427342 |
| SHA1 | 072aa7b7acddbfa41d30604820f7a72de99b783b |
| SHA256 | c67427a528c841bc16c01ba95da390039c056a17950c47e2bd4c004e9ee6a2e8 |
| SHA512 | 4b6d1748fdc41833af9f2870a693de408a674d2c92483716620e40142b1c365d8691d001bdff7d6ebe0a1feb309b7070d9a93473977a08554a9b534e76680e14 |
C:\Windows\System\mZgeLVA.exe
| MD5 | 9e136eecdd2c9fd44973c17a490e14c6 |
| SHA1 | c12d059e76874d6d3637069ac676b5d1ab0e30af |
| SHA256 | d3c5406769d044aab6389d785b34dc0848c603b64b5882adbe39bc4b0d43ace4 |
| SHA512 | 92d1223defadfdcd80c7b551f20755adb1dafa51c0bca907534648f67443325d17af44a456ec2139d79750f03f59b57704ed7555f8498daaa327250f8b6fcfaa |
C:\Windows\System\ZBLIJmO.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\System\vCaeTrX.exe
| MD5 | 4b7216d89e20f49e9c16c0253cc47511 |
| SHA1 | 2897390157f4ddd1aa5b6b0434e8fd2685151896 |
| SHA256 | 04a2e3581379ca63394646169e2f7cb8764608261eb5b43957d0130fd0e5013f |
| SHA512 | f54f6e029123d95222d09bc2138897f709e3650dbd2270183df96ad9e927ef303c0844f40a0b5cc26ee82536f2274eb38af1088d33729d685b4f9415ecb7be84 |
C:\Windows\System\ArfEHlS.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
memory/4064-115-0x00007FF6A2880000-0x00007FF6A2BD4000-memory.dmp
memory/4040-116-0x00007FF623DD0000-0x00007FF624124000-memory.dmp
memory/3348-119-0x00007FF6CBC20000-0x00007FF6CBF74000-memory.dmp
memory/1412-121-0x00007FF79BA60000-0x00007FF79BDB4000-memory.dmp
memory/3992-120-0x00007FF6325A0000-0x00007FF6328F4000-memory.dmp
memory/3496-118-0x00007FF79C550000-0x00007FF79C8A4000-memory.dmp
memory/4500-117-0x00007FF7372D0000-0x00007FF737624000-memory.dmp
memory/4836-122-0x00007FF6894E0000-0x00007FF689834000-memory.dmp
memory/4684-123-0x00007FF758C30000-0x00007FF758F84000-memory.dmp
memory/708-124-0x00007FF69E610000-0x00007FF69E964000-memory.dmp
memory/4892-126-0x00007FF656640000-0x00007FF656994000-memory.dmp
memory/4312-127-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp
memory/2944-125-0x00007FF651590000-0x00007FF6518E4000-memory.dmp
memory/4796-128-0x00007FF718FC0000-0x00007FF719314000-memory.dmp
memory/3180-129-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp
memory/1544-130-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp
memory/1444-131-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp
memory/3248-132-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp
memory/4780-133-0x00007FF77F140000-0x00007FF77F494000-memory.dmp
memory/4640-134-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp
memory/4340-135-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp
memory/3180-136-0x00007FF6F42F0000-0x00007FF6F4644000-memory.dmp
memory/1544-137-0x00007FF6DBF50000-0x00007FF6DC2A4000-memory.dmp
memory/1444-138-0x00007FF7FB420000-0x00007FF7FB774000-memory.dmp
memory/3248-139-0x00007FF726AC0000-0x00007FF726E14000-memory.dmp
memory/4780-140-0x00007FF77F140000-0x00007FF77F494000-memory.dmp
memory/4640-141-0x00007FF7CACB0000-0x00007FF7CB004000-memory.dmp
memory/1496-142-0x00007FF621D20000-0x00007FF622074000-memory.dmp
memory/4064-143-0x00007FF6A2880000-0x00007FF6A2BD4000-memory.dmp
memory/4040-144-0x00007FF623DD0000-0x00007FF624124000-memory.dmp
memory/4500-145-0x00007FF7372D0000-0x00007FF737624000-memory.dmp
memory/3496-146-0x00007FF79C550000-0x00007FF79C8A4000-memory.dmp
memory/3348-147-0x00007FF6CBC20000-0x00007FF6CBF74000-memory.dmp
memory/3992-148-0x00007FF6325A0000-0x00007FF6328F4000-memory.dmp
memory/1412-149-0x00007FF79BA60000-0x00007FF79BDB4000-memory.dmp
memory/4836-150-0x00007FF6894E0000-0x00007FF689834000-memory.dmp
memory/4684-151-0x00007FF758C30000-0x00007FF758F84000-memory.dmp
memory/708-152-0x00007FF69E610000-0x00007FF69E964000-memory.dmp
memory/2944-153-0x00007FF651590000-0x00007FF6518E4000-memory.dmp
memory/4312-155-0x00007FF7CF890000-0x00007FF7CFBE4000-memory.dmp
memory/4892-154-0x00007FF656640000-0x00007FF656994000-memory.dmp
memory/4340-156-0x00007FF67ABB0000-0x00007FF67AF04000-memory.dmp
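Added example, not part of the sandbox report and not a vendor signature: a small Python triage script that runs three checks a responder would apply to the Processes, Network and Files sections above. The sample data is a constructed subset copied from those sections. The three heuristics are assumptions chosen for illustration: an executable named with exactly seven mixed-case letters written into C:\Windows\System (a legacy directory that installers do not normally populate), a TCP endpoint contacted at least three times with no domain resolved for it (3.120.209.58:8080 here), and a path that the sandbox recorded with more than one SHA256 (rNqmGvW.exe above), which means the same file name was written twice with different content.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the report's Processes list (paths only; the
# duplicated command-line entries are dropped).
PROCESSES = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b9acecfdbcb04eab0819768cc9bc34a2_cobalt-strike_cobaltstrike.exe",
    r"C:\Windows\System\vhYMwWc.exe",
    r"C:\Windows\System\UeSGrdr.exe",
    r"C:\Windows\System\vVlkuaz.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
]

# Constructed subset of the Network table: (country, destination, domain, proto).
# An empty domain means the sandbox tied no DNS answer to the connection.
NETWORK = [
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("GB", "216.58.204.74:443", "chromewebstore.googleapis.com", "tcp"),
    ("US", "216.239.32.29:80", "pki.goog", "tcp"),
    ("US", "13.107.246.64:443", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
]

# Constructed subset of the Files section: (path, sha256).
FILES = [
    (r"C:\Windows\System\vhYMwWc.exe",
     "f43f9f14594171c71bce6a6d4dcd99b64d3b97304220e1e164177d00281a50cb"),
    (r"C:\Windows\System\rNqmGvW.exe",
     "9229f57793d6f13a8e5eac89e967386730337fb58348d66f1c9ad68ce9b504d7"),
    (r"C:\Windows\System\rNqmGvW.exe",
     "f3d04b1b505bbd1edfc225f0ff843d2d6e124620e1863f1cebccc8fb38f1e763"),
]

# Heuristic (assumption, not a vendor rule): a .exe whose name is exactly
# seven letters, living directly in C:\Windows\System. System32 does not match.
DROP_NAME = re.compile(r"^C:\\Windows\\System\\([A-Za-z]{7})\.exe$")


def suspicious_drops(paths):
    """Return the process paths that match the random-name drop heuristic."""
    hits = []
    for path in paths:
        m = DROP_NAME.match(path)
        if not m:
            continue
        name = m.group(1)
        # Require both upper- and lower-case letters, so a plain dictionary
        # name such as "notepad" does not trigger the check.
        if name != name.lower() and name != name.upper():
            hits.append(path)
    return hits


def beacon_candidates(rows, min_hits=3):
    """Count TCP connections to endpoints that had no resolved domain and
    return those seen at least min_hits times (repeated, DNS-less check-ins)."""
    counts = Counter(dest for _, dest, domain, proto in rows
                     if proto == "tcp" and not domain)
    return {dest: n for dest, n in counts.items() if n >= min_hits}


def rewritten_paths(files):
    """Return paths recorded with more than one SHA256, i.e. the same file
    name was written more than once with different content."""
    hashes = defaultdict(set)
    for path, sha256 in files:
        hashes[path].add(sha256)
    return {path for path, digests in hashes.items() if len(digests) > 1}


if __name__ == "__main__":
    for p in suspicious_drops(PROCESSES):
        print("dropped executable:", p)
    for dest, n in beacon_candidates(NETWORK).items():
        print(f"repeated DNS-less TCP endpoint: {dest} ({n} connections)")
    for p in rewritten_paths(FILES):
        print("path written with more than one hash:", p)
```

Run against the full report rather than the subset, the drop check flags all 21 executables under C:\Windows\System, the beacon check flags 3.120.209.58:8080 (seven connections in the table), and the hash check flags rNqmGvW.exe, mZgeLVA.exe, ZBLIJmO.exe, vCaeTrX.exe and ArfEHlS.exe. The thresholds are starting points for triage, not tuned rules; the 13.107.246.64:443 connection, which also lacks a domain, appears once and stays below the default threshold.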