Analysis Overview
SHA256
afc79d2e838171062903255a34fce33f67f71ea7b99964184e1d728223dd8334
Threat Level: Known bad
The file 2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 07:06
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 07:04
Reported
2024-06-08 07:08
Platform
win7-20240508-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YflPxwS.exe | N/A |
| N/A | N/A | C:\Windows\System\QBqlNpH.exe | N/A |
| N/A | N/A | C:\Windows\System\mnxRrwM.exe | N/A |
| N/A | N/A | C:\Windows\System\fifFZTk.exe | N/A |
| N/A | N/A | C:\Windows\System\MzEsYAX.exe | N/A |
| N/A | N/A | C:\Windows\System\oEJbnIZ.exe | N/A |
| N/A | N/A | C:\Windows\System\gdLYgPC.exe | N/A |
| N/A | N/A | C:\Windows\System\hTFpolD.exe | N/A |
| N/A | N/A | C:\Windows\System\uUcRBjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PAzhpbR.exe | N/A |
| N/A | N/A | C:\Windows\System\GKfcYGd.exe | N/A |
| N/A | N/A | C:\Windows\System\YAfBwvR.exe | N/A |
| N/A | N/A | C:\Windows\System\jLdHOQH.exe | N/A |
| N/A | N/A | C:\Windows\System\lTnJpvt.exe | N/A |
| N/A | N/A | C:\Windows\System\KhGXgXx.exe | N/A |
| N/A | N/A | C:\Windows\System\SdfFolr.exe | N/A |
| N/A | N/A | C:\Windows\System\gXJDiBk.exe | N/A |
| N/A | N/A | C:\Windows\System\LDqSqKR.exe | N/A |
| N/A | N/A | C:\Windows\System\xAhriFR.exe | N/A |
| N/A | N/A | C:\Windows\System\tTGGBQj.exe | N/A |
| N/A | N/A | C:\Windows\System\bLoDaqM.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YflPxwS.exe
C:\Windows\System\YflPxwS.exe
C:\Windows\System\QBqlNpH.exe
C:\Windows\System\QBqlNpH.exe
C:\Windows\System\mnxRrwM.exe
C:\Windows\System\mnxRrwM.exe
C:\Windows\System\fifFZTk.exe
C:\Windows\System\fifFZTk.exe
C:\Windows\System\MzEsYAX.exe
C:\Windows\System\MzEsYAX.exe
C:\Windows\System\oEJbnIZ.exe
C:\Windows\System\oEJbnIZ.exe
C:\Windows\System\gdLYgPC.exe
C:\Windows\System\gdLYgPC.exe
C:\Windows\System\hTFpolD.exe
C:\Windows\System\hTFpolD.exe
C:\Windows\System\uUcRBjZ.exe
C:\Windows\System\uUcRBjZ.exe
C:\Windows\System\PAzhpbR.exe
C:\Windows\System\PAzhpbR.exe
C:\Windows\System\GKfcYGd.exe
C:\Windows\System\GKfcYGd.exe
C:\Windows\System\YAfBwvR.exe
C:\Windows\System\YAfBwvR.exe
C:\Windows\System\jLdHOQH.exe
C:\Windows\System\jLdHOQH.exe
C:\Windows\System\lTnJpvt.exe
C:\Windows\System\lTnJpvt.exe
C:\Windows\System\KhGXgXx.exe
C:\Windows\System\KhGXgXx.exe
C:\Windows\System\SdfFolr.exe
C:\Windows\System\SdfFolr.exe
C:\Windows\System\gXJDiBk.exe
C:\Windows\System\gXJDiBk.exe
C:\Windows\System\LDqSqKR.exe
C:\Windows\System\LDqSqKR.exe
C:\Windows\System\xAhriFR.exe
C:\Windows\System\xAhriFR.exe
C:\Windows\System\tTGGBQj.exe
C:\Windows\System\tTGGBQj.exe
C:\Windows\System\bLoDaqM.exe
C:\Windows\System\bLoDaqM.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1304-0-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/1304-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\YflPxwS.exe
| MD5 | d89b6523697854a16231d4bf79ec441d |
| SHA1 | 8f65d404fc8b6ba61fa96ea35e4ccf76985514b2 |
| SHA256 | 4a965fd20032a141450da17ebe0dba58f4007e18ae6708ee50e1f435d50e16a1 |
| SHA512 | ef5f06be8476f042f01ab59a2dc51a5ede773c06ce5dba90f030e04acefb4e6140a634f650b2a4b75f355713ac1211df1282ed0970161d170f58343c4bc95e7c |
memory/1124-8-0x000000013FEA0000-0x00000001401F4000-memory.dmp
\Windows\system\QBqlNpH.exe
| MD5 | 08e2d03a0c8757462be73964b920eb93 |
| SHA1 | 0adf47d38fa6108d5f218936492f8ae134dbb075 |
| SHA256 | 20b54b0ba0318101b0dec60d7a0e04bec3bd0d3bcd4c54e207ac1e28d8998160 |
| SHA512 | 7c57e6eefc774d04305d943e74b599ec44ad792b5dfbf24d055acdbc2fd6fe1746e89018c05ad63bd1b4a6ad2adc027740b01340ee75446202f50a8b1b5c43bf |
memory/2800-14-0x000000013F250000-0x000000013F5A4000-memory.dmp
C:\Windows\system\mnxRrwM.exe
| MD5 | 0795d5c24d82912748f300a439db1cb1 |
| SHA1 | 77162b6de7d6fb7c22efd8a1ea916a9b12ddba16 |
| SHA256 | 17f3606296890ef0544cc9b0a27bb3549171f86fe06fb9abc36f9e3fc85cf339 |
| SHA512 | 10056aa24d6df3a4d8c415500bde31bd71321b2fe3b9249e9e5567294e34fc4a4816e8b669689743db954ddf1865e1258c1c369673c9d2c004e403307c603227 |
memory/2052-21-0x000000013F0B0000-0x000000013F404000-memory.dmp
\Windows\system\fifFZTk.exe
| MD5 | 72d8070420dae7300ddd695a5aab1dc9 |
| SHA1 | 658ca89e405d31be0f18910249cf86a6a2112395 |
| SHA256 | 49a4c5e93c82b9dce4f3646f24535b6775f35fb9630537650c700943bf52ee8f |
| SHA512 | d1c8b7ec56879a8d63165c90c72e4764d7efdca1c104ade087d4653051fb717d3785c96d1569b74823b54960f2e05b1ddd32c62d88b184864ab6340a61c16e7f |
memory/2584-27-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/1304-41-0x0000000002480000-0x00000000027D4000-memory.dmp
\Windows\system\gdLYgPC.exe
| MD5 | e631adbdbceac624c705cb98a4ad5129 |
| SHA1 | bfc3ba925f751a909e5d0188d78e1422a7835726 |
| SHA256 | 771b88f3dde576dec6051d66d17ca7483417baeb5258586f4e8c95af9717a1a0 |
| SHA512 | d8c2053df2c450c96a80a05ca3a00c1fcd4fb17864f71e034f5486306329b15d889d992f2d0c101f4f7159f028cb22783fe086a5e237a648fca388c0dcb775a7 |
memory/1304-44-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1304-33-0x000000013F660000-0x000000013F9B4000-memory.dmp
C:\Windows\system\MzEsYAX.exe
| MD5 | 6ddcaedd6a3fc2e9e99bb435b113dec0 |
| SHA1 | 6922c3146826e70347684f72e13786f4db96d8f6 |
| SHA256 | 49b5cd6bf952c2bfb697f4bfa2575899edb84d3c581db9db800e0b65eb2058df |
| SHA512 | 2fd699e7f10a8d6011e93936214e0f399d208cc89a4e53f554530c8efdcd74c03ec9771aacc1b59e4eb6f4e785c51372b349b80d29c3a494fb095df6479cd35f |
memory/2620-39-0x000000013FD20000-0x0000000140074000-memory.dmp
C:\Windows\system\oEJbnIZ.exe
| MD5 | e190dfcca64eb46d9af6db7874dfb966 |
| SHA1 | 11d2177eae4695d1d5c25c4f1531c91f09193d2d |
| SHA256 | 1637d460716acf7f8ea93df8c3260eea2cef0d5f5003535d00cfb387be27ad8b |
| SHA512 | dd17344f0b45591746f83869ce5f7d8488e2342bf1d87915dec53ab1f36f9959af520b232f1eada55bd13572c65641e2125ca5282c09ff7665f10d927c508c4a |
memory/2688-36-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/1304-26-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/1304-20-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2652-54-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/1304-53-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2476-61-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2600-66-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2892-76-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2548-83-0x000000013F9B0000-0x000000013FD04000-memory.dmp
C:\Windows\system\lTnJpvt.exe
| MD5 | a7b689c7e2d8b2d01ad8bb51326e9892 |
| SHA1 | a113394e13250e1cc4cc5d10f1e73700cc53d7e6 |
| SHA256 | 8f4c00750d41619b1aa72533dadc9232c3bb3f4fe84cc904353da6be084c273a |
| SHA512 | 477f5feaeda2a0ec46f049ff278ff41d94080c0998df67cb93bfc9aa9a3b8f8d0721730985f1966b150d6e11d8502b25f699d32ad32a041420197777dd937037 |
C:\Windows\system\LDqSqKR.exe
| MD5 | 2644857d04651a8e2462c889180ac407 |
| SHA1 | 6a04b0d5794f59d2f6888d1da83ae2bf39dc8f68 |
| SHA256 | 0b12b83e68aad30e6e028a7c47a25dd4fe45b5c6078cf0efecd26059151ca41b |
| SHA512 | f8584dd4adf8618bc8ff6cf394ae8d2e1a31f407c2daea2285dbb1b3dbfdc0cfd9092bdd9d1dcedbae15365d64a1e0b6ea90cc45cf83b8df8106bfdf2c887707 |
\Windows\system\bLoDaqM.exe
| MD5 | d47d25e1ea2d2589316c609241c29239 |
| SHA1 | bbccbb01ff3afb8978f5b0b1cd3ab1c5bce0f6a9 |
| SHA256 | 5e50bf879b3b6f9691a6857d81aec871bc4593d456cabe9012dd93bb29903562 |
| SHA512 | 86cc4ef5c4b838fcaa1222be9b9676be429f9d20a1dd0b237d94503cfc7931e6bf3f41fff91d2d8b54f7355963bb344c8bb4d7b0ceacc41be79f09f944314004 |
C:\Windows\system\tTGGBQj.exe
| MD5 | a6c862c0378555c4106bf3417463dcf2 |
| SHA1 | df0c530c50a8d299f572028023716b8a5a978cee |
| SHA256 | e275bb2fba4753775c02f2dc53cc216293a28cda50c02e87d8fe8266514b62e0 |
| SHA512 | ae8d25653df58e91957b399e94682a5ec29c193b6f99617bb7a7dc44d88685f40df457f47c0176188bcfad85d69c55524659f4050ce6c63bed64f9f4c142edb3 |
C:\Windows\system\xAhriFR.exe
| MD5 | cc92923033dc59bcc3381716535f7013 |
| SHA1 | df69db8c3bd0af2ad90aaeb228bd792349d29b70 |
| SHA256 | 135929ef5fdd85c3f0500ac11df2c9cca9fa35ac6eb42bf7325851a754a531d5 |
| SHA512 | 8ca542f4ab4262222ab8edd77e50ec8ef3656b0d10de18baa99319005580940b79426f77289abdccb3ebd9a39447547b39672bfd0a65468b70b62afb9cd7df5f |
C:\Windows\system\gXJDiBk.exe
| MD5 | 5a3a76924484d63071e4f78b447f7cb3 |
| SHA1 | fdb988cfd8015cffefc02ee3139faeb3c0f86355 |
| SHA256 | 1b7439a51d11ede91659a343f5e89dc4112f23c7d67148cb469d5841eb338816 |
| SHA512 | d9a719eda9f92944859f4c5c59b0a77471a1792d12cec52577b91997284862a9a69b5a012744855fff193b08608c48a1b13be3b66341b6465064ec8c4b46504c |
memory/1304-106-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\KhGXgXx.exe
| MD5 | b63af94990e99af291e7ac51cbfdb8b4 |
| SHA1 | 2bb3d55ec0f2a4f0c07961d8cba95ce9de428ccc |
| SHA256 | a7d33b0534b85798c322955d14d40ad623532b8f695e90a13d62f92382c0fcad |
| SHA512 | 933abd0a39f8b01470fafbb4e51fc5142f2b2e8f6ee7ff1fb12ca6f3196f035cd7cd9ab2ad9a3d9cb8f53ceff26901a9ad9abacdb0e44a6f7893ac990dc8b2d2 |
C:\Windows\system\SdfFolr.exe
| MD5 | 03b6fb3b9c4243cb5e71cace2841e7fe |
| SHA1 | f1ddf0febe19ed32c56e27d46e4e0a589a7fc8c3 |
| SHA256 | 6e2b35a5925dfb868151616ce87fa2d7ac242b1724384aeb2f21b09c9a18ab03 |
| SHA512 | e7b40483d1fc600b4e65bbe0b0889f077a41cdf867bcdb9fd4f07b519c1225fd434d7354e49f5b596d24646cfadbbc291ffe9fe17be11f8544b9b6b92f61d0b9 |
memory/1152-99-0x000000013F210000-0x000000013F564000-memory.dmp
memory/1304-98-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2868-92-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1304-91-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2620-97-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2688-90-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2584-89-0x000000013FB00000-0x000000013FE54000-memory.dmp
C:\Windows\system\jLdHOQH.exe
| MD5 | 7d505ed5635c3f345432a7f6b4daea0d |
| SHA1 | 18c609722dd84ceeeae6e245bd699b78f877c103 |
| SHA256 | fa3091665d3624838cd4fb09b0ac892694e675ddbe688db405a9219412ee0e69 |
| SHA512 | 927a83c01293158e1547ced1a8305bff335311b79f5d32bcbe00c7100599fdf6f909ed52a4042985af7ae33d2eb06a83b42e3d2da58d709e5c15daddeb00388a |
memory/1304-82-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2800-75-0x000000013F250000-0x000000013F5A4000-memory.dmp
C:\Windows\system\YAfBwvR.exe
| MD5 | 1a9b12e96410bb1eebcca281977d56fb |
| SHA1 | d1e92a86c223864df2fab6df50e91538d675aa0f |
| SHA256 | 3cbe8f268a0b559e16bf5bddf321c14a1d65a7343b17cc25052376d2a4454f53 |
| SHA512 | 37a7ceece37437067b882b9827fc2a423547101fe485b51eda3ec1b663086e1f74edae28118908ceb483eaba7ff166756e864797b763b6350390c05881dda4b9 |
C:\Windows\system\GKfcYGd.exe
| MD5 | e627bf4a91b3f9195517aed1985e4726 |
| SHA1 | 5a473cb62c86c9515b75214a366b930e0bae82ad |
| SHA256 | fd7e722e6dfab63ddf8f0bf809fafa1f683e315d22c27af2e47bab6993c330dc |
| SHA512 | 980099d1b11d99624ff3438fc753d4c559237b7c539e09592c2a515f71e04a261412980237ccda553fc3052f7bb6804f0439f77607d62741fd90391dedd779de |
memory/2748-137-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2652-138-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/1124-65-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\PAzhpbR.exe
| MD5 | c888d97e2d4c47eb4934f7c2b5f66dc2 |
| SHA1 | f30c3043882a83d34b69836f82316409bf9c5860 |
| SHA256 | 60da83231098e205e1ea305e442e8f754b632a8f391acc47852ee6bb51c90793 |
| SHA512 | 451663d64a42f9921c0dc7f7bc7a1f477d239cca5fc94c0fe2270b1ee51bcbbbc394f34afe5075fb1c5a4db0ae88c71650032274c81936ee6dc67efd0adbd199 |
memory/1304-60-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\uUcRBjZ.exe
| MD5 | 8f5662e8941dbe382facabfc739532fd |
| SHA1 | 7c241552d72e9a8bba7a956997085a77b291ea48 |
| SHA256 | 719542013855fd3f7279d830c2fbaaf79e17958c9481e6bd3d74ce133b70da0e |
| SHA512 | d596a6cc3f5e74cb93794b46715f626c56a2262b425cfa30487fa0e49827a7955a6592678bb4c2cec42c72dcd065ce100fe094f02dd5a4818477d3a6efc81f3d |
memory/1304-58-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2748-52-0x000000013F1E0000-0x000000013F534000-memory.dmp
C:\Windows\system\hTFpolD.exe
| MD5 | dc93eb239ecd386232f3ba16c9c2d95e |
| SHA1 | 9e2531207f7930d0128cfab4f8b7cb4e387af2bc |
| SHA256 | 462699643efe6f412174893dc5adb18836c098cb5298c5b3bcf64ffdd74e3b29 |
| SHA512 | 86a0cd86acefd35ffffbbc2daa5bbf69e039a49ec68951fa278a91fae31da231d0e240e6b11a08a86d76968fd8ddd4d4c05c2bfc1620b837f6d283ecc59b3687 |
memory/2600-140-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1304-141-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2892-142-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/1304-143-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2548-144-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/1304-145-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2868-146-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1304-147-0x000000013F210000-0x000000013F564000-memory.dmp
memory/1152-148-0x000000013F210000-0x000000013F564000-memory.dmp
memory/1124-149-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2800-150-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2052-151-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2584-152-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2688-153-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2620-154-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2600-155-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2652-156-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2748-157-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2892-158-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2548-159-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2868-161-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1152-160-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2476-162-0x000000013F6F0000-0x000000013FA44000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 07:04
Reported
2024-06-08 07:09
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rZaCosZ.exe | N/A |
| N/A | N/A | C:\Windows\System\TLDAbdt.exe | N/A |
| N/A | N/A | C:\Windows\System\XhVDaPf.exe | N/A |
| N/A | N/A | C:\Windows\System\DpJYvdS.exe | N/A |
| N/A | N/A | C:\Windows\System\NdeOoWH.exe | N/A |
| N/A | N/A | C:\Windows\System\ShkOjtu.exe | N/A |
| N/A | N/A | C:\Windows\System\fSuZkpq.exe | N/A |
| N/A | N/A | C:\Windows\System\xacYmWA.exe | N/A |
| N/A | N/A | C:\Windows\System\yOmMuDV.exe | N/A |
| N/A | N/A | C:\Windows\System\GUrpjBj.exe | N/A |
| N/A | N/A | C:\Windows\System\suPwPEy.exe | N/A |
| N/A | N/A | C:\Windows\System\QtFfwdg.exe | N/A |
| N/A | N/A | C:\Windows\System\NJmhuxr.exe | N/A |
| N/A | N/A | C:\Windows\System\rPUdZSz.exe | N/A |
| N/A | N/A | C:\Windows\System\nuDBTrg.exe | N/A |
| N/A | N/A | C:\Windows\System\UfxlDhr.exe | N/A |
| N/A | N/A | C:\Windows\System\UrHVZhY.exe | N/A |
| N/A | N/A | C:\Windows\System\CqLhvnH.exe | N/A |
| N/A | N/A | C:\Windows\System\TdaHuVg.exe | N/A |
| N/A | N/A | C:\Windows\System\YtJVRuE.exe | N/A |
| N/A | N/A | C:\Windows\System\kYbUEwZ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rZaCosZ.exe
C:\Windows\System\rZaCosZ.exe
C:\Windows\System\TLDAbdt.exe
C:\Windows\System\TLDAbdt.exe
C:\Windows\System\XhVDaPf.exe
C:\Windows\System\XhVDaPf.exe
C:\Windows\System\DpJYvdS.exe
C:\Windows\System\DpJYvdS.exe
C:\Windows\System\NdeOoWH.exe
C:\Windows\System\NdeOoWH.exe
C:\Windows\System\ShkOjtu.exe
C:\Windows\System\ShkOjtu.exe
C:\Windows\System\fSuZkpq.exe
C:\Windows\System\fSuZkpq.exe
C:\Windows\System\xacYmWA.exe
C:\Windows\System\xacYmWA.exe
C:\Windows\System\yOmMuDV.exe
C:\Windows\System\yOmMuDV.exe
C:\Windows\System\GUrpjBj.exe
C:\Windows\System\GUrpjBj.exe
C:\Windows\System\suPwPEy.exe
C:\Windows\System\suPwPEy.exe
C:\Windows\System\QtFfwdg.exe
C:\Windows\System\QtFfwdg.exe
C:\Windows\System\NJmhuxr.exe
C:\Windows\System\NJmhuxr.exe
C:\Windows\System\rPUdZSz.exe
C:\Windows\System\rPUdZSz.exe
C:\Windows\System\nuDBTrg.exe
C:\Windows\System\nuDBTrg.exe
C:\Windows\System\UfxlDhr.exe
C:\Windows\System\UfxlDhr.exe
C:\Windows\System\UrHVZhY.exe
C:\Windows\System\UrHVZhY.exe
C:\Windows\System\CqLhvnH.exe
C:\Windows\System\CqLhvnH.exe
C:\Windows\System\TdaHuVg.exe
C:\Windows\System\TdaHuVg.exe
C:\Windows\System\YtJVRuE.exe
C:\Windows\System\YtJVRuE.exe
C:\Windows\System\kYbUEwZ.exe
C:\Windows\System\kYbUEwZ.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5020-0-0x00007FF641780000-0x00007FF641AD4000-memory.dmp
memory/5020-1-0x00000222C6E20000-0x00000222C6E30000-memory.dmp
C:\Windows\System\rZaCosZ.exe
| MD5 | b16a3a27c549195bee899fbfd962c3b3 |
| SHA1 | 092a4a7bdac9824ea3d7bc2fcd3238beb92d5c21 |
| SHA256 | 2f7c4a0a3ece38cb360f81ce0fb39655e83fd7f91345dcfadfd68acf2b948dbc |
| SHA512 | 0762bf998163aa9c5c960947b29b68d469523dc44544b92f6fccc1b11b9c516b352a094516a8d56ba0634f1c4f9d48511774e696f2c43e517ca572f77be15c03 |
memory/448-8-0x00007FF618730000-0x00007FF618A84000-memory.dmp
C:\Windows\System\TLDAbdt.exe
| MD5 | 207f9305f3b2648189d6403d74f53853 |
| SHA1 | be38521c6dd86e6a74ea63e4de1e43131672b845 |
| SHA256 | eaffd790be4abf02d47ef24cec1512e7891adb6a4f1db5b0fd2a3d47a9061d46 |
| SHA512 | dbc8284bf7e0f0580027a9b35d9a1aec37c4b4a17f911735a83900e2d4eb72265fd26e0d075d47ab4a55463dc24eb62816e7b9a3310e0cedb0be71c66072923c |
C:\Windows\System\XhVDaPf.exe
| MD5 | b43521159319c0148406028e2f7bea94 |
| SHA1 | f25a391551be10feb9c8d7241dce677baabd8d77 |
| SHA256 | b1bcb99072c891bcdff24aa6451279e9220b168ccda1e8b652e9435fcb76679f |
| SHA512 | 1d1ca3451c17a94c97a660cd2cb79e855611ab811c487b767b2f2981968d694978807e032ae2a63eddb193ebf72ce6215350a6119d8f158518dfc047d333c106 |
memory/5036-13-0x00007FF790E40000-0x00007FF791194000-memory.dmp
memory/5068-20-0x00007FF6D1A50000-0x00007FF6D1DA4000-memory.dmp
C:\Windows\System\DpJYvdS.exe
| MD5 | 83dc01f8353045ad1b50b5215b5029c9 |
| SHA1 | 261935aa4da28e6bf6c8c19d60b4b8aa1f91d606 |
| SHA256 | 3783f9024186da81bc2461824e428659a8fba909c93f5a4b8e69c949bda0fee6 |
| SHA512 | 213863e980a5ad9e84ec6b446158e309e823fe809e91dbaa0c541bd564541a4f9b7f1303c0cd8011e9d94b908d6b6474a169887f2ea8d126a4d8697c69300a12 |
memory/1620-26-0x00007FF779FA0000-0x00007FF77A2F4000-memory.dmp
C:\Windows\System\NdeOoWH.exe
| MD5 | 65b8702d7ce0314a52a678be919a0a4c |
| SHA1 | 9e3da4085af891abee5ceacdc2884fdd13173308 |
| SHA256 | e5ff01d938149da87ba1bf7b3284d4274f748afa4b1f8d8f29a7ace44d967313 |
| SHA512 | 7e5ad5d9a94906624cffbbb7ee57b3063614e2beb54195145f74d19fd834da04b4374f96a59363685c23da6152c9028243819ffd01f70b2f6d0dd8b2abd2fd18 |
memory/3052-30-0x00007FF6390F0000-0x00007FF639444000-memory.dmp
C:\Windows\System\ShkOjtu.exe
| MD5 | 6cbd71eb1243979185d56d333df9adad |
| SHA1 | 18053fa7ad128401924379dca2f84d5dbedd29cc |
| SHA256 | 87e60ec8b8daa8364dac665f39944d87596a163e4e90cdba6c20f0d837a6eb02 |
| SHA512 | daa76334e79da1b977268870bd814c9659b7b68ef49f03f9f43bec165b7b7a2c6455752894ee54d8ad7546f1b9816417454ff125e31b3541a488fdcda822970d |
C:\Windows\System\fSuZkpq.exe
| MD5 | 04d007705c8d38c12cd2e4c6006a26f6 |
| SHA1 | 1d063625d8847f6a5ca7e76ae59f3683c49e99ab |
| SHA256 | 4cda961d19cde8184808f822c762a1a6a4728967a1598d307c4893d6f83c6123 |
| SHA512 | 41f0f14f77f4e81cd615988f24b1eea834078845e063ea046e68e0e54cafd247f9149b6a8ecc880635a0c0c234e90222dfe06107d29f4d9da1c137e083bce355 |
C:\Windows\System\xacYmWA.exe
| MD5 | 20daa7c7311992888d4e448923d6f528 |
| SHA1 | 093a0f0f233449cd3a78922d7151020efe8c445b |
| SHA256 | fa5b00ea09bd01301f88536f5547b17f0593870c0b0169b7b545372c84e09e01 |
| SHA512 | 3ded8a35a8e4188af225a111474116af32a2330883b5c6a6fbbdd729bd79473ad8ea33f23c643dee084855a685c25aa6273d49b98078250dd6101f4b69b0cd03 |
C:\Windows\System\yOmMuDV.exe
| MD5 | 1cc8b3a430fda581b3eb1d04f9868439 |
| SHA1 | 4dc59b5c1571a68bc8ce700ee1c7857ac74b10da |
| SHA256 | b05d285dac9bbdf94ab960537447bb7f8e2caa6cec68fe60757f36744505eff0 |
| SHA512 | 6882427cf107d898b927b30387563ebe6e86246a97017f83044585ec4872e229cfa817e6541b94c093a723c3da3f217b00d9a777b414992d37f6cdef9335e9c7 |
C:\Windows\System\GUrpjBj.exe
| MD5 | 49dca0cdca0fec4e211d79dca5ba6c48 |
| SHA1 | 930d7ad29da52af9260e6daae17f31c5898b30cd |
| SHA256 | 85512f93949926a06f0f5d024de64b26f112472c7ed1627fdf71efa304ecf7cb |
| SHA512 | e4dadd26b85312d55fb3f099ae466abdd366bdb2a928e98709471dab2265015647ef927fd78f719c449b0c9bf7c0c66fa631618404c6f40919c89257ac68ceb7 |
C:\Windows\System\suPwPEy.exe
| MD5 | 214f4a4ff9d66316ab2211b13ae6c25d |
| SHA1 | a04a28b4044866231db72cfa9a9b421d0b8e3aa4 |
| SHA256 | c2d3acea6a79291ffdd86cf9f07dbb4b79e72262609d299ae4e08182dbf25dac |
| SHA512 | 16f8a33ea0d67e09e333c90f6a62d06ef6a3b88c425659cfbe50725b5722d16f559d0a8fb099798ae0b54ffeb8d6a05269fd0fc0c037cb87aebbfd81f6235b74 |
C:\Windows\System\QtFfwdg.exe
| MD5 | 9d9fe62280a596f81d6c6ae25ade3992 |
| SHA1 | d4915f15b753227a10833bdcb887617dec337376 |
| SHA256 | 80c1128f95fff471effdfa7fd051bc327d1b4203aff10f5437eaa15cc1a6e312 |
| SHA512 | 903f91c4843f677c128ffe3bde57e9b4a8b6aaf90e30e255f14122f9c3818504402c040c205ea62081ab5aabedef25086c58b08e5ca87c61dbe3511678923e58 |
C:\Windows\System\NJmhuxr.exe
| MD5 | a021f064c1a9c188748adfbbae66e038 |
| SHA1 | a65899afff666e9dbefcf1737786045c46239465 |
| SHA256 | 77e8c87a36c396568fb79129476084a6f3f55aafb2d12c2d9a4f183c898bb2e5 |
| SHA512 | cc4b8ad0dae49d493a92ea7bf1ac57f5a67d1245eb8a1e565129643a3b722b249a730c461877d792cd00ea7a6404b16e79594e5a477cc5ec47ee608006d5e03d |
C:\Windows\System\rPUdZSz.exe
| MD5 | 5956718358a7db6fcfcfcbc5f70e4146 |
| SHA1 | c376dafa961a1727b6cb56115966b93cf28b304c |
| SHA256 | 7cf1dc537f90a850fdbb3ab65b8a9cb52289aaaab9f79347d8ca428da973036b |
| SHA512 | 2cd598470f116d66f5c6e61abd0ddc37ea7fd56c55e9df236561a86398dcac24d25103c5b87edf7a081167bc8ccd3fa4054395a7ff7ef5af08fcb85f82afdc37 |
C:\Windows\System\nuDBTrg.exe
| MD5 | 3ef655a2fe8a9615724d445317376250 |
| SHA1 | b30ab733ad994f32584a1b8ce7a502c21723d4d4 |
| SHA256 | 0190f291d43b049f274050fb67d1188febf5c5ea5c6849767a9ac4423c6d446e |
| SHA512 | 0f29d1c64d8dd617ed28621da03a6b39bca7aae43600495d940c51153a7f1440dfeec2b76e123e7fe15b1afb55425deff0f4472455dc5a34811a96fa9515c935 |
C:\Windows\System\UfxlDhr.exe
| MD5 | 9ebf627471171082eee9f328a3d7b5ce |
| SHA1 | 2c79e67a3b4c54660912c92fa08709346f528e76 |
| SHA256 | af9fc0598a15328ae37c7c8271fdcf1a186c2aebef0303f464e8fcab1e00dbbf |
| SHA512 | 5a45591a845d8c131bf3b6efde88256360047dcd7be926fda34eb9610891b3c2c019e6783e49b17f9247622bb14a7e2ccdfb996b563980b42b6fd18d182dc8c1 |
C:\Windows\System\CqLhvnH.exe
| MD5 | eac5cafa4fcd4d14aa591c797adfc4d2 |
| SHA1 | 07f7d0e837c04c2a800e7f0823318bd79c93801e |
| SHA256 | 13c3e92289da62d51fedb8821b15323ffb94cf8186f555be65eed68210588507 |
| SHA512 | 1f727c13379e3d6943daea43f52d46d8e264a6a70a3882bcd07d0688e02a43910bcc5c104c4f583a381105098a9a6ac46bf80c503d1f81f9c34b2a0a7fdddcbf |
C:\Windows\System\kYbUEwZ.exe
| MD5 | 6686b15fdd22bbb34e1fa2315c272361 |
| SHA1 | 365c20a19873b66784c4a2abe1041b3354d21086 |
| SHA256 | 5bf78396ffae00ae28c36b4c8b6bd3a6b652a0f58009c8cb4b8c2313d41f1d54 |
| SHA512 | e9c2787d074380b7b63fe0d2b2f843bf13bfb559fe9bc5ad1bfc890129b850c296533f473a873d2004571933488fbe6e337ae4adad9c46212d72491aed937941 |
C:\Windows\System\YtJVRuE.exe
| MD5 | 5444dd0b9f211dfeda429b000b6eeb7f |
| SHA1 | 7d0f4094c17ecb7aec95df14ab974a5938b312f0 |
| SHA256 | 34b9bcc62f30b0551c49c2c5582a9a14bf8f04fead4f12a58860bb82c206c9c2 |
| SHA512 | 97f703abc2b51b48ab7a8b4608f833ed3139ee34607fcbccf26549dc2190e53ae916a2ad487a34218d008ad05be752045c9bd01e0e42b6878fe57c6e9169c92c |
C:\Windows\System\TdaHuVg.exe
| MD5 | 815342602360f7be137516f639bf1f3b |
| SHA1 | ebac87375fa02d97120b254a8f9791beb04c907e |
| SHA256 | 5d2c52b0cd751b1f2b35f80433d2c2a815841ad02d1583b50a77320c92540b25 |
| SHA512 | 34321227082fce15068e48afc2cb2e856db24d97b32acadecbd3e75790a5b1e317160fa50b4d3feec72c24ab515e67a78b8bad39d999884b884279efb04118d6 |
C:\Windows\System\UrHVZhY.exe
| MD5 | 1f734523a55e3fe76eb512470d89f9d0 |
| SHA1 | b25d8be99b0c2037b6b6d09e493498a97ac60a88 |
| SHA256 | e03b05e83bd61025551580ced3a3210dc212e12888a7b91165a9f7ca7e24a7c1 |
| SHA512 | 494a191d6ba8d9f53656ad47915eeb30d398523bc8ed36f117db4ffd0a94934a06542a7a30a5d30a406c27f27dc58401fc7cc6e1441ce056588fda03de79fa8a |
memory/116-112-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp
memory/3836-113-0x00007FF638C40000-0x00007FF638F94000-memory.dmp
memory/2000-114-0x00007FF785560000-0x00007FF7858B4000-memory.dmp
memory/4492-115-0x00007FF6FCFF0000-0x00007FF6FD344000-memory.dmp
memory/2608-116-0x00007FF74FA20000-0x00007FF74FD74000-memory.dmp
memory/2492-117-0x00007FF707890000-0x00007FF707BE4000-memory.dmp
memory/3204-120-0x00007FF70D610000-0x00007FF70D964000-memory.dmp
memory/2216-121-0x00007FF605D30000-0x00007FF606084000-memory.dmp
memory/1808-122-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp
memory/3860-119-0x00007FF7F22B0000-0x00007FF7F2604000-memory.dmp
memory/432-118-0x00007FF7E3390000-0x00007FF7E36E4000-memory.dmp
memory/1048-123-0x00007FF760E60000-0x00007FF7611B4000-memory.dmp
memory/2176-124-0x00007FF65D9F0000-0x00007FF65DD44000-memory.dmp
memory/1128-125-0x00007FF736590000-0x00007FF7368E4000-memory.dmp
memory/4664-126-0x00007FF7BAAF0000-0x00007FF7BAE44000-memory.dmp
memory/1520-127-0x00007FF7FD250000-0x00007FF7FD5A4000-memory.dmp
memory/5020-128-0x00007FF641780000-0x00007FF641AD4000-memory.dmp
memory/448-129-0x00007FF618730000-0x00007FF618A84000-memory.dmp
memory/5036-130-0x00007FF790E40000-0x00007FF791194000-memory.dmp
memory/5068-131-0x00007FF6D1A50000-0x00007FF6D1DA4000-memory.dmp
memory/1620-132-0x00007FF779FA0000-0x00007FF77A2F4000-memory.dmp
memory/3052-133-0x00007FF6390F0000-0x00007FF639444000-memory.dmp
memory/116-134-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp
memory/448-135-0x00007FF618730000-0x00007FF618A84000-memory.dmp
memory/5036-136-0x00007FF790E40000-0x00007FF791194000-memory.dmp
memory/5068-137-0x00007FF6D1A50000-0x00007FF6D1DA4000-memory.dmp
memory/1620-138-0x00007FF779FA0000-0x00007FF77A2F4000-memory.dmp
memory/116-139-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp
memory/3052-140-0x00007FF6390F0000-0x00007FF639444000-memory.dmp
memory/1520-141-0x00007FF7FD250000-0x00007FF7FD5A4000-memory.dmp
memory/3836-142-0x00007FF638C40000-0x00007FF638F94000-memory.dmp
memory/2000-143-0x00007FF785560000-0x00007FF7858B4000-memory.dmp
memory/4492-144-0x00007FF6FCFF0000-0x00007FF6FD344000-memory.dmp
memory/2608-145-0x00007FF74FA20000-0x00007FF74FD74000-memory.dmp
memory/2492-146-0x00007FF707890000-0x00007FF707BE4000-memory.dmp
memory/3204-147-0x00007FF70D610000-0x00007FF70D964000-memory.dmp
memory/432-148-0x00007FF7E3390000-0x00007FF7E36E4000-memory.dmp
memory/3860-149-0x00007FF7F22B0000-0x00007FF7F2604000-memory.dmp
memory/2216-150-0x00007FF605D30000-0x00007FF606084000-memory.dmp
memory/1808-151-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp
memory/1048-152-0x00007FF760E60000-0x00007FF7611B4000-memory.dmp
memory/2176-153-0x00007FF65D9F0000-0x00007FF65DD44000-memory.dmp
memory/4664-155-0x00007FF7BAAF0000-0x00007FF7BAE44000-memory.dmp
memory/1128-154-0x00007FF736590000-0x00007FF7368E4000-memory.dmp