Analysis Overview
SHA256
c6976aab552fc4cfc5d4415a4fd4e92b78a97d837368a2261e21b7aa49948588
Threat Level: Known bad
The file 2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:44
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:42
Reported
2024-06-08 04:46
Platform
win7-20231129-en
Max time kernel
135s
Max time network
146s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tQaVuvf.exe | N/A |
| N/A | N/A | C:\Windows\System\OLKtbGk.exe | N/A |
| N/A | N/A | C:\Windows\System\xfhmbgF.exe | N/A |
| N/A | N/A | C:\Windows\System\ofEZwaK.exe | N/A |
| N/A | N/A | C:\Windows\System\rPwgwVu.exe | N/A |
| N/A | N/A | C:\Windows\System\fKRwsjl.exe | N/A |
| N/A | N/A | C:\Windows\System\cjBoZOh.exe | N/A |
| N/A | N/A | C:\Windows\System\tMpxSGm.exe | N/A |
| N/A | N/A | C:\Windows\System\FvytjMe.exe | N/A |
| N/A | N/A | C:\Windows\System\GUDHafY.exe | N/A |
| N/A | N/A | C:\Windows\System\NtBxkDO.exe | N/A |
| N/A | N/A | C:\Windows\System\sbZldbF.exe | N/A |
| N/A | N/A | C:\Windows\System\WsoCrLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\pCcHeRO.exe | N/A |
| N/A | N/A | C:\Windows\System\agcdIuW.exe | N/A |
| N/A | N/A | C:\Windows\System\IOSkXFd.exe | N/A |
| N/A | N/A | C:\Windows\System\LFivVqT.exe | N/A |
| N/A | N/A | C:\Windows\System\zxHRdpG.exe | N/A |
| N/A | N/A | C:\Windows\System\krjcCyA.exe | N/A |
| N/A | N/A | C:\Windows\System\RmBOmPE.exe | N/A |
| N/A | N/A | C:\Windows\System\rLWhJZD.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\tQaVuvf.exe
C:\Windows\System\tQaVuvf.exe
C:\Windows\System\OLKtbGk.exe
C:\Windows\System\OLKtbGk.exe
C:\Windows\System\xfhmbgF.exe
C:\Windows\System\xfhmbgF.exe
C:\Windows\System\ofEZwaK.exe
C:\Windows\System\ofEZwaK.exe
C:\Windows\System\rPwgwVu.exe
C:\Windows\System\rPwgwVu.exe
C:\Windows\System\fKRwsjl.exe
C:\Windows\System\fKRwsjl.exe
C:\Windows\System\cjBoZOh.exe
C:\Windows\System\cjBoZOh.exe
C:\Windows\System\tMpxSGm.exe
C:\Windows\System\tMpxSGm.exe
C:\Windows\System\FvytjMe.exe
C:\Windows\System\FvytjMe.exe
C:\Windows\System\GUDHafY.exe
C:\Windows\System\GUDHafY.exe
C:\Windows\System\NtBxkDO.exe
C:\Windows\System\NtBxkDO.exe
C:\Windows\System\sbZldbF.exe
C:\Windows\System\sbZldbF.exe
C:\Windows\System\WsoCrLJ.exe
C:\Windows\System\WsoCrLJ.exe
C:\Windows\System\pCcHeRO.exe
C:\Windows\System\pCcHeRO.exe
C:\Windows\System\IOSkXFd.exe
C:\Windows\System\IOSkXFd.exe
C:\Windows\System\agcdIuW.exe
C:\Windows\System\agcdIuW.exe
C:\Windows\System\zxHRdpG.exe
C:\Windows\System\zxHRdpG.exe
C:\Windows\System\LFivVqT.exe
C:\Windows\System\LFivVqT.exe
C:\Windows\System\krjcCyA.exe
C:\Windows\System\krjcCyA.exe
C:\Windows\System\RmBOmPE.exe
C:\Windows\System\RmBOmPE.exe
C:\Windows\System\rLWhJZD.exe
C:\Windows\System\rLWhJZD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\tQaVuvf.exe
| MD5 | a6992f0d6edf071286d0ec798f60c0d6 |
| SHA1 | 1eb5cb0921426b100d3511f9ae4d546f3e4843ee |
| SHA256 | 07a2f6b7cb64f164d04c0e2ff902673f983063484929f68e43e678b51878402d |
| SHA512 | 2a18670680d0b437426c0a140008e033123099a445dd146f0021ad82ee08998f8358667bfa7c73405f95e174507331e2afa25dd649d6e9b19838c21a6451f602 |
C:\Windows\system\xfhmbgF.exe
| MD5 | 223290c208bd688d3c39ffa22cd1b7a1 |
| SHA1 | 2b563b399ac4bc948a6cef4f2e101dec94f34d57 |
| SHA256 | 1be058a87a511d257fb0d3915c419035e1d115f48c4b08c0f16e926c39c8f3e3 |
| SHA512 | 04c3cef61c4f96333a6ab0a1c9aa202271688212be83e1a8baba660a7926e4ed8f91ebea929dc1dec17e8ff4025bfb5f291b47f8e015175018178c7c3dba5d71 |
\Windows\system\fKRwsjl.exe
| MD5 | 4830547ce6b7734260f78d1e1d8b37e8 |
| SHA1 | ec2b6774c9d53b969751b236eafa6901180bcbba |
| SHA256 | cf5bac379cd21af794de2fceade61e1a6c4cf80f6437ec3eff916cb5151731ca |
| SHA512 | 1a093eead6047d8a3031885d63d07f45756b5bb7154aaae185440ecddec13059995b1728646c902a8300cac4a5807e20b0c0ea82f4d5a0044a84a4142e079f6b |
C:\Windows\system\cjBoZOh.exe
| MD5 | af4b1334bb21d19c042cdc7fef14a372 |
| SHA1 | c1ec5fecf28179543f1d8e095dd1b79e8938918d |
| SHA256 | 8001899337b88a3afb00833efddd5aab2d9aa47f832da7d09939453a21b588b8 |
| SHA512 | 903d30a298f67f19346135f18113cdfbb2ca8ce0eb26bfe1fbf9fbd43c901fed5b1cac575390f044e7476bdbf3cee4a5e8c4c54e02129fd845a872f70e0c1b59 |
C:\Windows\system\tMpxSGm.exe
| MD5 | 01144ecef9069cc1f23870d1872246bd |
| SHA1 | d0464225768d337c98d73abda91632df66df2135 |
| SHA256 | f8927abc76c7ab5299cbee405a35d4d253e67575541d9ac55bb41e3b2151747f |
| SHA512 | b6484c14c489d0339c430081964c915d4cebc05d65cedfad3e8c2d4c04d0b458acf75021cc15c77dde7ef68671df31b4c5db226bdd3194f07588f3fa01639c38 |
C:\Windows\system\GUDHafY.exe
| MD5 | b1c34639981e1c4605cb03aa8231f634 |
| SHA1 | b424e29e516c27431fda517ee9a9e8f615074110 |
| SHA256 | 80f6d98c155a8d21719cd2cc1f12c711e359fa3327c6fc4b63a4df04d26609a4 |
| SHA512 | 813ed843faf56d9c15ab581b8d58267b7f38a1d4ff81f3e0844ace0f0482c9b1f6207b2a12ea4e2a01041459eb467168797a2882d5b89509d97568c427f67a50 |
C:\Windows\system\sbZldbF.exe
| MD5 | aa021f5743cd0e2e0f9b44031ad681bf |
| SHA1 | 5b2c84234dd57ca4e38d31dbb4bf030aadb16f13 |
| SHA256 | 0ba76fbd26df60af5b71c9c6c8398bc2d1568cbbe498b8afbcf744d0c55b3fca |
| SHA512 | 7f54c4e9f82bfe5c439e10848eb9696700883e58e03dae08e7b2e7190a1cbb1f7271563622928939bebac2462cb49b065cfe1ac15bbedbc61f1357303d927b77 |
\Windows\system\pCcHeRO.exe
| MD5 | 6a79b638efa48b81747c4eda4cef621f |
| SHA1 | 9dfd3f699594994c11af9e80b8c19a0fffc6d535 |
| SHA256 | 26398ee3f9290c9578e20462c8824d9492df4bbe90e08eb240246e3da3f5aa4a |
| SHA512 | 72c3af16a75cfc935496a3994b22e7c02da212adf6a0f4d471fcb7c7970d6c3e0408b762d972636cb69974a7ace8504e4127785f9fb855cf432b979883f38428 |
C:\Windows\system\agcdIuW.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
C:\Windows\system\IOSkXFd.exe
| MD5 | 250ad7a4e01f04597d52046ab0429fc5 |
| SHA1 | 8b600ec683dbd95076ba479a58ece0eae2c8a536 |
| SHA256 | abae4585553ded2d4e201e1c673e89b67097b9be8d9edd737c5aad26c862c030 |
| SHA512 | abd5660b83a42eb219cc4a14b5e83d809ee2c1c8a7b812a8d67f3ab0a842d6f8947b6878da09f377236f6e5474dc4b0b39a482722e70b77878504b73c361923a |
\Windows\system\LFivVqT.exe
| MD5 | 1045d27158bb23cbae2863a31d3aa66f |
| SHA1 | b5b81d053c6e8f7881b36a3a0ac5e0bc07d6307c |
| SHA256 | 157d60736e70dfd4cf13f44cb4de19d63ac5666edb169d78b829a3ddf188e54f |
| SHA512 | 40b46f6153516f8313418a8dc01f6413353bd9e75dfb0d1af8c01ffc5d9bd6de18973a00d80d7b6c1ef45f177f282550bb0a9cd7c03a71f5986c7b7e41740e30 |
C:\Windows\system\zxHRdpG.exe
| MD5 | 7ca4c7d08ec840a69d3101c638d4b72f |
| SHA1 | 9a0bd3c709f755b63121fadc936f446aec1e7ee6 |
| SHA256 | ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7 |
| SHA512 | 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b |
\Windows\system\zxHRdpG.exe
| MD5 | 47d7b88382d457d7c913c6fb06391de8 |
| SHA1 | 5c0171404a1f7303a03749cde444fffb299dc5e2 |
| SHA256 | 109ea701568cb51dc375c553f3dfb842d1bbba7f38def2c7f1210b8c83b08109 |
| SHA512 | a2ebbe1b06a03a8c2a4d9ea49c3479b887a39707ee0921c2464aaf7d7d404b80f79d70b00f27f44dde41de9d3dd886b23f849839f8a2f5899497b678e0b61108 |
\Windows\system\agcdIuW.exe
| MD5 | e1b5d11fe379e5e4fb55f6a03df049eb |
| SHA1 | 4dc6b815d658fac3ad97ff5548546b61f351ca5d |
| SHA256 | 99ed279e1b8d4619b7098300b9ff6f654080db6250ea836c905b7e9585f6dffa |
| SHA512 | e9b7542985b2119ed081e1984badf4ac95b327938b613270a8c55ad088e0da50cf45d0ab3cb5a5374a6bd924b8a3c6689444f34490a338cc2c61c79618d2fdb6 |
C:\Windows\system\pCcHeRO.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
C:\Windows\system\krjcCyA.exe
| MD5 | bff5e52b98278428981d89d50b97cdf0 |
| SHA1 | b0145023cb079129d5e2f4af672d7013418cc6c9 |
| SHA256 | 481a44ea91bb608b317a2c1c9f95204016baa6e0cbdf360b1496024b3d71986d |
| SHA512 | 7dfb6817237ce5c6a8349062b5061d3640d3043c4049a975789691397f1ca198c4800023a5098c9f4952c5acc16e8c7ab57e57df348cf485f326f756be76b355 |
\Windows\system\rLWhJZD.exe
| MD5 | 7278af7f52232e096331e99677eb07ca |
| SHA1 | 5b9ae7cb082945ceefcd6c73325e43cd53c470e9 |
| SHA256 | d4450755e0067e71d233e2fb373cd5342d6420be80a9857fa4939c6abd0fca73 |
| SHA512 | 8b13dad05e18413dd056b3d31f32d579ea078595b34f94dbea755a2271462076eba775c8d476adcef0f781912f0bb4889b0e45dc382e37f7adbd16eb2e3bde38 |
C:\Windows\system\RmBOmPE.exe
| MD5 | 93fa439c7ac5c6f5b4ff052d46df769e |
| SHA1 | cf0324227148d998a38b1908e82abf30a8979a03 |
| SHA256 | fc2a0b9f805457695f43bffc83b3c791a171d3bf5e185a43d4c05498d3fca380 |
| SHA512 | 9c06563d65b8adf1223f04821b3ebcc1196df8398cf82b91de88284742d6bc2eed9a31a3e3ecaad00c5039c8bd7a2c6137f34ca2902f40a79f1f0712a9349899 |
C:\Windows\system\WsoCrLJ.exe
| MD5 | db9bce43f13df4a675e86fb6e9911e69 |
| SHA1 | 733d15fa3177fdc22474d36c18374dff67f9eea9 |
| SHA256 | da5b3f69f04ba1b02a4e1980097a89d717ba90234e27c12a55f5ecc179ceb6b3 |
| SHA512 | 9cda5f04d00d96845d16efcdd5e2243163cc7915c0dbe5e6d948840402db9aaf8110b18bc44ab5e9c9a69951e1a42de07f32f57dfdf8ef1588ffdfeaf233b856 |
C:\Windows\system\NtBxkDO.exe
| MD5 | b535ee21ea9075024dbfa4eeb5ad2063 |
| SHA1 | 9df8ae788008b01af7afccd4641643fb80af8970 |
| SHA256 | 49ad60408e2181b6f83cfcbb0ca194aa9ff4d54150cacf977de83ddac7593946 |
| SHA512 | 9e97b656f0cbf773f39127d9d6f29ca6751465fd02504dafc6056cc285231c9ca3420b05ae3545ebab2cc22b167f5676793d1e4b8bc17c83ba5c7981cf9d0a76 |
\Windows\system\NtBxkDO.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
\Windows\system\FvytjMe.exe
| MD5 | 04d080fcb4119488cce7e08853d03abc |
| SHA1 | 1716829293776f790b7a8079c295b9dc1e1db64a |
| SHA256 | d6cfb01d0b11c33169b94ad604cd62b047fe3f9af705e054714b22dea5774ada |
| SHA512 | 3694d9a0083d59cbfa3f138550a0cbff03e677364b3adb92064b43019cd867dfcb49d62315d2ecdee9616f0c0a89f2bcfa8899b08bf337edb05ef122be416809 |
C:\Windows\system\rPwgwVu.exe
| MD5 | f0cca580442925c5eaa70b383dbb615a |
| SHA1 | e3aeb77c93931230c7d94ad0a9e210e49ef23b92 |
| SHA256 | 7c2b8f85f35dc76b41ab689e6b10607fe934ee399e688d70d52c35ed2d0c40cb |
| SHA512 | f1b8b5de5d0cb0a74c418402bfc1339fff26574d662c97c222a9b3f5ff90ea97447a0490e2ecfd81c6e05938aff1da63f27f8b869bc76a3b6743565a8e75f9df |
\Windows\system\rPwgwVu.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\system\ofEZwaK.exe
| MD5 | 395a138e7d83b3151a400bc20096b6e4 |
| SHA1 | 3e4011f9d7e2d9d7f698bcaa1aa6ff33a3fb1bfa |
| SHA256 | ff2b179c923912f539fb2c4fa52b1c8c8d2d6d577000b0366b18e5f55876a628 |
| SHA512 | 79d17b856f55843cb6d4aaadd5255c37e192e9af81ed6625fde28de8234e7a6db91851878c74876b0e426396433220bd1cc254e03c95da38de6abe923ba8286d |
C:\Windows\system\OLKtbGk.exe
| MD5 | a64a49f83d2b9d16d5bdb1bfc43d3ed7 |
| SHA1 | 0d675559f2a0e24df4da783fc9fba0417096bf19 |
| SHA256 | d8734139074b95bfe65c89d26f3edfcde9c067568965e72298511a8c61dafff3 |
| SHA512 | d67450ec3df55de83701f9b7a635c10ba14cf3a5341f709d827510057d05b27e1de99ae028af35ab7c63177a870e3a5f0e579f6ada4bf6b0605b080221e4fea0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:42
Reported
2024-06-08 04:46
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wAuAFWX.exe | N/A |
| N/A | N/A | C:\Windows\System\jCEtliZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YXQRtrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OnhrRCw.exe | N/A |
| N/A | N/A | C:\Windows\System\HqtbRDp.exe | N/A |
| N/A | N/A | C:\Windows\System\qbvkORx.exe | N/A |
| N/A | N/A | C:\Windows\System\lMzQJwi.exe | N/A |
| N/A | N/A | C:\Windows\System\LTatXIP.exe | N/A |
| N/A | N/A | C:\Windows\System\HYxIPmg.exe | N/A |
| N/A | N/A | C:\Windows\System\RvMXjjB.exe | N/A |
| N/A | N/A | C:\Windows\System\jMhVfyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sBUbJKo.exe | N/A |
| N/A | N/A | C:\Windows\System\cBMWTQv.exe | N/A |
| N/A | N/A | C:\Windows\System\JHhmkwl.exe | N/A |
| N/A | N/A | C:\Windows\System\zmuhSMF.exe | N/A |
| N/A | N/A | C:\Windows\System\kLQhPVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PGNAHKl.exe | N/A |
| N/A | N/A | C:\Windows\System\IBEvdHZ.exe | N/A |
| N/A | N/A | C:\Windows\System\eZjpsZR.exe | N/A |
| N/A | N/A | C:\Windows\System\CEeEQkU.exe | N/A |
| N/A | N/A | C:\Windows\System\gXjrjLB.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
Files