Analysis Overview
SHA256
b0c009145c5c84b738337e8a66cf8ad952c66e914248b12d4084c46c417bcf15
Threat Level: Known bad
The file 2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 02:56
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 02:53
Reported
2024-06-09 02:59
Platform
win7-20240221-en
Max time kernel
143s
Max time network
151s
Signatures
Cobalt Strike reflective loader
20 hits (all fields N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
20 hits (all fields N/A)
UPX dump on OEP (original entry point)
50 hits (all fields N/A)
XMRig Miner payload
57 hits (all fields N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vUCbbsh.exe | N/A |
| N/A | N/A | C:\Windows\System\IwNGDxb.exe | N/A |
| N/A | N/A | C:\Windows\System\embgdRH.exe | N/A |
| N/A | N/A | C:\Windows\System\kMINxzr.exe | N/A |
| N/A | N/A | C:\Windows\System\gSflHYg.exe | N/A |
| N/A | N/A | C:\Windows\System\slEDbeo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFlVXfA.exe | N/A |
| N/A | N/A | C:\Windows\System\RkfqrrM.exe | N/A |
| N/A | N/A | C:\Windows\System\bGuAJWW.exe | N/A |
| N/A | N/A | C:\Windows\System\RpwIcPT.exe | N/A |
| N/A | N/A | C:\Windows\System\SzQlZlv.exe | N/A |
| N/A | N/A | C:\Windows\System\RVXQEol.exe | N/A |
| N/A | N/A | C:\Windows\System\rHeWrji.exe | N/A |
| N/A | N/A | C:\Windows\System\TYQAnDb.exe | N/A |
| N/A | N/A | C:\Windows\System\VaBiJiS.exe | N/A |
| N/A | N/A | C:\Windows\System\CrTKOmt.exe | N/A |
| N/A | N/A | C:\Windows\System\WiBbcTU.exe | N/A |
| N/A | N/A | C:\Windows\System\EpdTDyo.exe | N/A |
| N/A | N/A | C:\Windows\System\fAZiJBd.exe | N/A |
| N/A | N/A | C:\Windows\System\POixSfg.exe | N/A |
| N/A | N/A | C:\Windows\System\bRiWySn.exe | N/A |
Loads dropped DLL
UPX packed file
57 hits (all fields N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\vUCbbsh.exe | C:\Windows\System\vUCbbsh.exe |
| C:\Windows\System\IwNGDxb.exe | C:\Windows\System\IwNGDxb.exe |
| C:\Windows\System\embgdRH.exe | C:\Windows\System\embgdRH.exe |
| C:\Windows\System\kMINxzr.exe | C:\Windows\System\kMINxzr.exe |
| C:\Windows\System\gSflHYg.exe | C:\Windows\System\gSflHYg.exe |
| C:\Windows\System\bGuAJWW.exe | C:\Windows\System\bGuAJWW.exe |
| C:\Windows\System\slEDbeo.exe | C:\Windows\System\slEDbeo.exe |
| C:\Windows\System\VaBiJiS.exe | C:\Windows\System\VaBiJiS.exe |
| C:\Windows\System\ZFlVXfA.exe | C:\Windows\System\ZFlVXfA.exe |
| C:\Windows\System\CrTKOmt.exe | C:\Windows\System\CrTKOmt.exe |
| C:\Windows\System\RkfqrrM.exe | C:\Windows\System\RkfqrrM.exe |
| C:\Windows\System\WiBbcTU.exe | C:\Windows\System\WiBbcTU.exe |
| C:\Windows\System\RpwIcPT.exe | C:\Windows\System\RpwIcPT.exe |
| C:\Windows\System\EpdTDyo.exe | C:\Windows\System\EpdTDyo.exe |
| C:\Windows\System\SzQlZlv.exe | C:\Windows\System\SzQlZlv.exe |
| C:\Windows\System\fAZiJBd.exe | C:\Windows\System\fAZiJBd.exe |
| C:\Windows\System\RVXQEol.exe | C:\Windows\System\RVXQEol.exe |
| C:\Windows\System\POixSfg.exe | C:\Windows\System\POixSfg.exe |
| C:\Windows\System\rHeWrji.exe | C:\Windows\System\rHeWrji.exe |
| C:\Windows\System\bRiWySn.exe | C:\Windows\System\bRiWySn.exe |
| C:\Windows\System\TYQAnDb.exe | C:\Windows\System\TYQAnDb.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 02:53
Reported
2024-06-09 02:59
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
153s
Signatures
Cobalt Strike reflective loader
8 hits (all fields N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
8 hits (all fields N/A)
UPX dump on OEP (original entry point)
60 hits (all fields N/A)
XMRig Miner payload
64 hits (all fields N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BhzuMmS.exe | N/A |
| N/A | N/A | C:\Windows\System\pWAOHPF.exe | N/A |
| N/A | N/A | C:\Windows\System\oVmqDmV.exe | N/A |
| N/A | N/A | C:\Windows\System\kTQjmKW.exe | N/A |
| N/A | N/A | C:\Windows\System\VcZbqfV.exe | N/A |
| N/A | N/A | C:\Windows\System\ghDcllv.exe | N/A |
| N/A | N/A | C:\Windows\System\EzzPLCy.exe | N/A |
| N/A | N/A | C:\Windows\System\OxfiDuR.exe | N/A |
| N/A | N/A | C:\Windows\System\dacAsXE.exe | N/A |
| N/A | N/A | C:\Windows\System\isCbYvz.exe | N/A |
| N/A | N/A | C:\Windows\System\KIrfRZC.exe | N/A |
| N/A | N/A | C:\Windows\System\VitAoju.exe | N/A |
| N/A | N/A | C:\Windows\System\WGkgQar.exe | N/A |
| N/A | N/A | C:\Windows\System\JIodPBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QEmgYGH.exe | N/A |
| N/A | N/A | C:\Windows\System\xvuzfMb.exe | N/A |
| N/A | N/A | C:\Windows\System\zeqqDfv.exe | N/A |
| N/A | N/A | C:\Windows\System\JHkFiVz.exe | N/A |
| N/A | N/A | C:\Windows\System\NOfvYUQ.exe | N/A |
| N/A | N/A | C:\Windows\System\yuyerLo.exe | N/A |
| N/A | N/A | C:\Windows\System\qLgmvZR.exe | N/A |
UPX packed file
64 hits (all fields N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\BhzuMmS.exe | C:\Windows\System\BhzuMmS.exe |
| C:\Windows\System\pWAOHPF.exe | C:\Windows\System\pWAOHPF.exe |
| C:\Windows\System\oVmqDmV.exe | C:\Windows\System\oVmqDmV.exe |
| C:\Windows\System\kTQjmKW.exe | C:\Windows\System\kTQjmKW.exe |
| C:\Windows\System\VcZbqfV.exe | C:\Windows\System\VcZbqfV.exe |
| C:\Windows\System\ghDcllv.exe | C:\Windows\System\ghDcllv.exe |
| C:\Windows\System\EzzPLCy.exe | C:\Windows\System\EzzPLCy.exe |
| C:\Windows\System\OxfiDuR.exe | C:\Windows\System\OxfiDuR.exe |
| C:\Windows\System\dacAsXE.exe | C:\Windows\System\dacAsXE.exe |
| C:\Windows\System\isCbYvz.exe | C:\Windows\System\isCbYvz.exe |
| C:\Windows\System\KIrfRZC.exe | C:\Windows\System\KIrfRZC.exe |
| C:\Windows\System\VitAoju.exe | C:\Windows\System\VitAoju.exe |
| C:\Windows\System\WGkgQar.exe | C:\Windows\System\WGkgQar.exe |
| C:\Windows\System\JIodPBZ.exe | C:\Windows\System\JIodPBZ.exe |
| C:\Windows\System\QEmgYGH.exe | C:\Windows\System\QEmgYGH.exe |
| C:\Windows\System\xvuzfMb.exe | C:\Windows\System\xvuzfMb.exe |
| C:\Windows\System\zeqqDfv.exe | C:\Windows\System\zeqqDfv.exe |
| C:\Windows\System\JHkFiVz.exe | C:\Windows\System\JHkFiVz.exe |
| C:\Windows\System\NOfvYUQ.exe | C:\Windows\System\NOfvYUQ.exe |
| C:\Windows\System\yuyerLo.exe | C:\Windows\System\yuyerLo.exe |
| C:\Windows\System\qLgmvZR.exe | C:\Windows\System\qLgmvZR.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/628-0-0x00007FF741910000-0x00007FF741C64000-memory.dmp
memory/628-1-0x00000192B66A0000-0x00000192B66B0000-memory.dmp
C:\Windows\System\BhzuMmS.exe
| MD5 | 4abd2f31151ccdafb22a7777964b5eb7 |
| SHA1 | 3925328dac43e61c26be16566b8cefd97b83609f |
| SHA256 | fde4123410ac2da8cda904481125819ed5f44540432a42e4208903da9861d6d0 |
| SHA512 | 3dba4a52e71f2ade1a1896b016821e40869c8a3f65e25859eed4a9ea05e7ee1a3b40ca88bb6a594f07f7fea04ba2eb8f52d8d881516f72007f76d52f0cd65f31 |
memory/1448-8-0x00007FF75CCA0000-0x00007FF75CFF4000-memory.dmp
C:\Windows\System\pWAOHPF.exe
| MD5 | 9bebd1043e4bb1016b61aea18ad3a2ad |
| SHA1 | 985f53ed60deecdffaf9b700d554ebfe9904b5ba |
| SHA256 | 9fdb44b07f908f16f7af37b35e37937593442bc602b212835656d9535effd384 |
| SHA512 | ddf498e71e4386ecf50444d84f610e14592b4a72d34c1c182224b17d875de7a8f7889ea4d1c6e08caf9c93d26c3a920ef8fa1d7c1d91c25bf92f6217afd4d194 |
memory/444-14-0x00007FF6E1540000-0x00007FF6E1894000-memory.dmp
C:\Windows\System\oVmqDmV.exe
| MD5 | 61e110bf845e2e351f66cde743ee5e44 |
| SHA1 | a03e0c0214abf524a68f8f428ccdede6dcb9e143 |
| SHA256 | 34fcf858482e296dc5f3c5d0076022d5b971ae3a88a3894cf4159169169e0f8c |
| SHA512 | 8cc4911a523e871bff71ab9807946eb6b4ff61efe85ff19c6e8d1b5b76175e5a22c81ba8af993d911e8177d79983c3303dba7be884ed67ad4fc212e6743c59d4 |
C:\Windows\System\kTQjmKW.exe
| MD5 | 76d2eacd3255927c333aab6f955accf5 |
| SHA1 | adfdf6092d95496249a1b38d583607a85a130210 |
| SHA256 | 13ce5c05b2f9736a2f71b135d2eda469640acc80afc113c5686ba2980a69a1c2 |
| SHA512 | 613074a9d125e512cd720181858d98d042acedb7c4a554a6325235388037a59d9357581b01e0714162e0a69b9fc52229489ab625f452010524de059250ecba91 |
memory/4696-20-0x00007FF68F640000-0x00007FF68F994000-memory.dmp
C:\Windows\System\VcZbqfV.exe
| MD5 | 52731b1b5e491eab142cb563e5dee4c0 |
| SHA1 | eb74d98a47d0ac2b920688cb9ac6dc1afefe847b |
| SHA256 | 0d01b12d9c81b73710469447fe31518b7f7f316de206491d48d09ed8f50cda0d |
| SHA512 | 1af413def4fe92d9c3698b48ee14bc5accce99ab347067489dc6f23d6ab00dfd4607094b7a86505a062eaba38e17a6369001fab7689731699c61c4be7dffaf2c |
memory/2032-27-0x00007FF778770000-0x00007FF778AC4000-memory.dmp
memory/572-32-0x00007FF6319B0000-0x00007FF631D04000-memory.dmp
C:\Windows\System\ghDcllv.exe
| MD5 | 7e9dec720c4d16f3269547eabe38de0d |
| SHA1 | cd67722951f3599f5051e56a089aba50678b4dbf |
| SHA256 | e49c18d01afa8b9cbb4a582e5d290f595e01899e8892b3b3a4d3552a708f57d4 |
| SHA512 | 7b320a8b325f860e192665d6a653e56064120cf22ab40e664201411093aadda258b850a1a16667413749df7e55d0cec677681ed8ed7bfa48895a4bb58bcf800c |
memory/3632-38-0x00007FF7442D0000-0x00007FF744624000-memory.dmp
C:\Windows\System\EzzPLCy.exe
| MD5 | be1f7f7f27ad9e1b0ece68c108fdf696 |
| SHA1 | 2c4e13ae04019ed375a5426234e5c66e3c0cc70a |
| SHA256 | 9809e920fd737b20e8e9d53a6736a8e910abe6d58747a8daf7005efd44753418 |
| SHA512 | a2beddc8a4321800081490860299cd39342da3499460949726201712d011c9fde916628931685f91e3b08fc94b95bf53add6f072e554e7cb71d9821b46df743b |
memory/1972-44-0x00007FF695A50000-0x00007FF695DA4000-memory.dmp
C:\Windows\System\OxfiDuR.exe
| MD5 | c0fd26727f551dce2a78ae627dfcbcba |
| SHA1 | f0ffdc967d7cd77dad011138dc96a22d9ff6c65b |
| SHA256 | d58dc2b439ccf97a8e096bf66acb5d420ba10e3670f333da7d7bf9ad49edc303 |
| SHA512 | a6d2ced0e40764f292e3b0a4f9ab4e36e4ec23e23e75b0be9602585aed5bd29232ac03035125f2b5ed352d87d74d2c6eb0afa1d88e2f4a0e26e3fb19e791d6a3 |
C:\Windows\System\OxfiDuR.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
memory/2492-50-0x00007FF6B6A40000-0x00007FF6B6D94000-memory.dmp
C:\Windows\System\dacAsXE.exe
| MD5 | c665d55523745ebd550a2c4296ad8ec9 |
| SHA1 | 43f72a8e93454ded742dbec7a7c84f59cb0d6520 |
| SHA256 | 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b |
| SHA512 | 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454 |
C:\Windows\System\dacAsXE.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
memory/2996-56-0x00007FF606060000-0x00007FF6063B4000-memory.dmp
memory/628-62-0x00007FF741910000-0x00007FF741C64000-memory.dmp
C:\Windows\System\isCbYvz.exe
| MD5 | 1d3a027708a48a3c73a911f7d1532fca |
| SHA1 | f960fd40bf0cf951600c386a6a9501a01e54ab51 |
| SHA256 | f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda |
| SHA512 | 4c0f2e25c98d407f27d4b0d85d2fe06ea754e657bc939feb907f00109c3d9db11707e7ca2d3e02171201afd527ee2b1673e434c274c030dde555dbb27b53e539 |
memory/960-63-0x00007FF60F1C0000-0x00007FF60F514000-memory.dmp
C:\Windows\System\isCbYvz.exe
| MD5 | 4ebd1901e669a14d40cee031fd206e82 |
| SHA1 | 48b4d9303ce77228a3ead5a9a71386291542a98f |
| SHA256 | 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1 |
| SHA512 | c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087 |
memory/1448-67-0x00007FF75CCA0000-0x00007FF75CFF4000-memory.dmp
C:\Windows\System\KIrfRZC.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\System\KIrfRZC.exe
| MD5 | c2630368f2b0f1676e4f1cfe1abe40fe |
| SHA1 | 1a1ea934cad8c04d2d7cb52f6d24efa72171b9bb |
| SHA256 | ba2b6ec7283487518598a85cf876bd237f0f22469f9ddb98503daa3b393dd952 |
| SHA512 | 0aab36dba19a00b9153d667bd13a12f0f52c3bc100eb4b39808efd5f028076649453c97409b4e3cd94bf4c0fd01aceb1a9a9bb93111ac83c147c79b204a0dec0 |
memory/1636-70-0x00007FF7D2310000-0x00007FF7D2664000-memory.dmp
C:\Windows\System\VitAoju.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
memory/444-75-0x00007FF6E1540000-0x00007FF6E1894000-memory.dmp
memory/2424-77-0x00007FF7BEE90000-0x00007FF7BF1E4000-memory.dmp
C:\Windows\System\VitAoju.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
C:\Windows\System\WGkgQar.exe
| MD5 | 7d9f1099f6b47550fd37adb914ba896f |
| SHA1 | 73597804426883357ebb880f6c0164793f40ad60 |
| SHA256 | 66cd4cd4af8f630e7f196e1d09756e078751dfa9bcc54e0d14fae0ccbe492285 |
| SHA512 | e8add13893f4c014a42f0f57f95da110b546828bbf0b90c6e45d275710a9847ff130353175caa02a22132a7aec183fbbcda6a7a954c359f2b63e3b3f4a4cba77 |
C:\Windows\System\WGkgQar.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
memory/4304-83-0x00007FF6E75F0000-0x00007FF6E7944000-memory.dmp
C:\Windows\System\JIodPBZ.exe
| MD5 | ca2c8fc23ac2c4dd58545d16927e5bef |
| SHA1 | b94b35150eb75787af3ce6aea401e04f2ec70fc4 |
| SHA256 | 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef |
| SHA512 | 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce |
C:\Windows\System\JIodPBZ.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
memory/4068-89-0x00007FF75C5C0000-0x00007FF75C914000-memory.dmp
memory/572-95-0x00007FF6319B0000-0x00007FF631D04000-memory.dmp
memory/4040-96-0x00007FF74B040000-0x00007FF74B394000-memory.dmp
C:\Windows\System\xvuzfMb.exe
| MD5 | 170dd624fc04fc3839f9c4b66a089ce7 |
| SHA1 | 689050489367e9d7989856de58d7dae4b3e867bb |
| SHA256 | 2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b |
| SHA512 | 6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a |
C:\Windows\System\xvuzfMb.exe
| MD5 | 2543c4760bd9af7f70b7834411ab61af |
| SHA1 | ed963cb76a076b222f6cdae99e8563d4444f6351 |
| SHA256 | c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001 |
| SHA512 | 37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56 |
memory/3804-102-0x00007FF710710000-0x00007FF710A64000-memory.dmp
C:\Windows\System\zeqqDfv.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
C:\Windows\System\JHkFiVz.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
memory/4724-114-0x00007FF7B8100000-0x00007FF7B8454000-memory.dmp
memory/2332-118-0x00007FF71E620000-0x00007FF71E974000-memory.dmp
C:\Windows\System\NOfvYUQ.exe
| MD5 | ce95ecfd82cad989d07f01bb5a4e0e62 |
| SHA1 | 9c404e62c6a147d88e2c4214a4a0c1206972e9c1 |
| SHA256 | 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576 |
| SHA512 | c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084 |
memory/2408-131-0x00007FF764750000-0x00007FF764AA4000-memory.dmp
memory/2468-125-0x00007FF681920000-0x00007FF681C74000-memory.dmp
memory/3784-108-0x00007FF721E20000-0x00007FF722174000-memory.dmp
memory/3784-132-0x00007FF721E20000-0x00007FF722174000-memory.dmp
memory/2332-133-0x00007FF71E620000-0x00007FF71E974000-memory.dmp
memory/2468-134-0x00007FF681920000-0x00007FF681C74000-memory.dmp
memory/1448-135-0x00007FF75CCA0000-0x00007FF75CFF4000-memory.dmp
memory/444-136-0x00007FF6E1540000-0x00007FF6E1894000-memory.dmp
memory/4696-137-0x00007FF68F640000-0x00007FF68F994000-memory.dmp
memory/2032-138-0x00007FF778770000-0x00007FF778AC4000-memory.dmp
memory/572-139-0x00007FF6319B0000-0x00007FF631D04000-memory.dmp
memory/3632-140-0x00007FF7442D0000-0x00007FF744624000-memory.dmp
memory/1972-141-0x00007FF695A50000-0x00007FF695DA4000-memory.dmp
memory/2492-142-0x00007FF6B6A40000-0x00007FF6B6D94000-memory.dmp
memory/2996-143-0x00007FF606060000-0x00007FF6063B4000-memory.dmp
memory/960-144-0x00007FF60F1C0000-0x00007FF60F514000-memory.dmp
memory/1636-145-0x00007FF7D2310000-0x00007FF7D2664000-memory.dmp
memory/2424-146-0x00007FF7BEE90000-0x00007FF7BF1E4000-memory.dmp
memory/4304-147-0x00007FF6E75F0000-0x00007FF6E7944000-memory.dmp
memory/4068-148-0x00007FF75C5C0000-0x00007FF75C914000-memory.dmp
memory/4040-149-0x00007FF74B040000-0x00007FF74B394000-memory.dmp
memory/3804-150-0x00007FF710710000-0x00007FF710A64000-memory.dmp
memory/3784-151-0x00007FF721E20000-0x00007FF722174000-memory.dmp
memory/4724-152-0x00007FF7B8100000-0x00007FF7B8454000-memory.dmp
memory/2332-153-0x00007FF71E620000-0x00007FF71E974000-memory.dmp
memory/2408-155-0x00007FF764750000-0x00007FF764AA4000-memory.dmp
memory/2468-154-0x00007FF681920000-0x00007FF681C74000-memory.dmp
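Added example, not part of the sandbox output: a Python script that pulls the reusable indicators out of the Processes, Network and Files sections above. It flags the drop-and-execute pattern in the process list (7-letter alphabetic names under C:\Windows\System), counts repeated TCP destinations in the network table to surface the beacon candidate, and computes the size of every dumped memory region, because identical image sizes across many PIDs are what you would expect when each dropped binary maps the same payload. The sample lines are copied from this report; the naming regex and the thresholds (min_hits, min_pids) are assumptions fitted to this sample and would need tuning for other reports.

```python
"""Extract reusable indicators from a sandbox report laid out like the one above.

Added example, not part of the sandbox output. The sample lines below are
copied from this report; the name pattern and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: representative lines from the report's three sections.
PROCESS_LINES = [
    r"C:\Users\Admin\AppData\Local\Temp\2024-06-09_8e1414541032a6ea5738f676bf6ddea6_cobalt-strike_cobaltstrike.exe",
    r"C:\Windows\System\BhzuMmS.exe",
    r'"C:\Windows\System\BhzuMmS.exe"',  # the report lists the path, then the quoted command line
    r"C:\Windows\System\pWAOHPF.exe",
    r"C:\Windows\System\oVmqDmV.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
]
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |",
    "| DE | 3.120.209.58:8080 | tcp | |",  # as printed: the protocol slid into the Domain column
    "| US | 20.231.121.79:80 | | tcp |",
    "| DE | 3.120.209.58:8080 | | tcp |",
    "| US | 13.107.246.64:443 | | tcp |",
    "| DE | 3.120.209.58:8080 | | tcp |",
]
MEMORY_LINES = [
    "memory/628-0-0x00007FF741910000-0x00007FF741C64000-memory.dmp",
    "memory/628-1-0x00000192B66A0000-0x00000192B66B0000-memory.dmp",
    "memory/1448-8-0x00007FF75CCA0000-0x00007FF75CFF4000-memory.dmp",
    "memory/444-14-0x00007FF6E1540000-0x00007FF6E1894000-memory.dmp",
]

# Seven mixed-case letters under C:\Windows\System is this sample's drop pattern
# (an assumption generalised from the list above, not a rule for every family).
DROPPER_RE = re.compile(r"^C:\\Windows\\System\\([A-Za-z]{7}\.exe)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def dropped_in_windows_system(process_lines):
    """Unique basenames executed from C:\\Windows\\System that match the drop pattern."""
    names = []
    for line in process_lines:
        m = DROPPER_RE.match(line.strip().strip('"'))
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def parse_network_row(row):
    """Return (proto, 'ip:port') from a table row, tolerating misaligned columns:
    the protocol is whichever cell reads tcp/udp, the destination whichever
    cell looks like ip:port, regardless of position."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    proto = next((c for c in cells if c in ("tcp", "udp")), None)
    dest = next((c for c in cells if DEST_RE.match(c)), None)
    return proto, dest


def beacon_candidates(rows, min_hits=3):
    """TCP destinations contacted at least min_hits times. DNS to the sandbox
    resolver (udp/53) is ignored; repeated connects to one host:port are the
    beacon candidates worth blocking or hunting for."""
    counts = Counter()
    for row in rows:
        proto, dest = parse_network_row(row)
        if proto == "tcp" and dest:
            counts[dest] += 1
    return {d: n for d, n in counts.items() if n >= min_hits}


def region_sizes(memory_lines):
    """Map each PID to the byte sizes of its dumped regions, in report order."""
    sizes = defaultdict(list)
    for line in memory_lines:
        m = MEM_RE.match(line.strip())
        if not m:
            continue
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        sizes[pid].append(end - start)
    return dict(sizes)


def shared_image_size(memory_lines, min_pids=3):
    """Region sizes that recur in at least min_pids distinct processes; one size
    shared by many PIDs means the same payload image is mapped in each."""
    by_size = defaultdict(set)
    for pid, sizes in region_sizes(memory_lines).items():
        for s in sizes:
            by_size[s].add(pid)
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_pids}


if __name__ == "__main__":
    print("dropped:", dropped_in_windows_system(PROCESS_LINES))
    print("beacon candidates:", beacon_candidates(NETWORK_ROWS))
    for size, pids in shared_image_size(MEMORY_LINES).items():
        print(f"image size {size:#x} mapped in PIDs {pids}")
```

Run over the full sections rather than the sample, the same three parsers return all 21 names listed under Processes, 3.120.209.58:8080 with six hits as the only repeated TCP destination, and a single shared region size of 0x354000 for every image-sized dump in the Files list (only 628's second region, 0x10000, differs). The row parser deliberately identifies columns by content rather than position, because the tcp rows in the report above are printed with the protocol in the Domain column.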