Analysis Overview
SHA256
69997153a5d4eac0ac44526abbdc5ad6aa88eb4d21dd2ae4b7af0c9188b43d9f
Threat Level: Known bad
The file 2024-06-11_d05625a09cbb6ac32de8c6f5abcff41e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-11 20:21
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 20:21
Reported
2024-06-11 20:24
Platform
win7-20240508-en
Max time kernel
138s
Max time network
148s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HdvlkhV.exe | N/A |
| N/A | N/A | C:\Windows\System\ChKXvlo.exe | N/A |
| N/A | N/A | C:\Windows\System\cjbytUP.exe | N/A |
| N/A | N/A | C:\Windows\System\QRijKtY.exe | N/A |
| N/A | N/A | C:\Windows\System\DIkMnUy.exe | N/A |
| N/A | N/A | C:\Windows\System\LpJzaYV.exe | N/A |
| N/A | N/A | C:\Windows\System\lgHZBDK.exe | N/A |
| N/A | N/A | C:\Windows\System\ZHGESwn.exe | N/A |
| N/A | N/A | C:\Windows\System\zGVQlHX.exe | N/A |
| N/A | N/A | C:\Windows\System\NsZVkVq.exe | N/A |
| N/A | N/A | C:\Windows\System\zngGNRn.exe | N/A |
| N/A | N/A | C:\Windows\System\yVdqxMi.exe | N/A |
| N/A | N/A | C:\Windows\System\yJwHuWm.exe | N/A |
| N/A | N/A | C:\Windows\System\SJyBHKf.exe | N/A |
| N/A | N/A | C:\Windows\System\KFwwyBo.exe | N/A |
| N/A | N/A | C:\Windows\System\NYpvHsM.exe | N/A |
| N/A | N/A | C:\Windows\System\jFXQSSs.exe | N/A |
| N/A | N/A | C:\Windows\System\zirckAP.exe | N/A |
| N/A | N/A | C:\Windows\System\RlkvPXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\TfgIVTv.exe | N/A |
| N/A | N/A | C:\Windows\System\gQVSXcL.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d05625a09cbb6ac32de8c6f5abcff41e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_d05625a09cbb6ac32de8c6f5abcff41e_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_d05625a09cbb6ac32de8c6f5abcff41e_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\HdvlkhV.exe | C:\Windows\System\HdvlkhV.exe |
| C:\Windows\System\ChKXvlo.exe | C:\Windows\System\ChKXvlo.exe |
| C:\Windows\System\cjbytUP.exe | C:\Windows\System\cjbytUP.exe |
| C:\Windows\System\QRijKtY.exe | C:\Windows\System\QRijKtY.exe |
| C:\Windows\System\DIkMnUy.exe | C:\Windows\System\DIkMnUy.exe |
| C:\Windows\System\LpJzaYV.exe | C:\Windows\System\LpJzaYV.exe |
| C:\Windows\System\lgHZBDK.exe | C:\Windows\System\lgHZBDK.exe |
| C:\Windows\System\ZHGESwn.exe | C:\Windows\System\ZHGESwn.exe |
| C:\Windows\System\zGVQlHX.exe | C:\Windows\System\zGVQlHX.exe |
| C:\Windows\System\NsZVkVq.exe | C:\Windows\System\NsZVkVq.exe |
| C:\Windows\System\zngGNRn.exe | C:\Windows\System\zngGNRn.exe |
| C:\Windows\System\yVdqxMi.exe | C:\Windows\System\yVdqxMi.exe |
| C:\Windows\System\yJwHuWm.exe | C:\Windows\System\yJwHuWm.exe |
| C:\Windows\System\SJyBHKf.exe | C:\Windows\System\SJyBHKf.exe |
| C:\Windows\System\KFwwyBo.exe | C:\Windows\System\KFwwyBo.exe |
| C:\Windows\System\NYpvHsM.exe | C:\Windows\System\NYpvHsM.exe |
| C:\Windows\System\jFXQSSs.exe | C:\Windows\System\jFXQSSs.exe |
| C:\Windows\System\zirckAP.exe | C:\Windows\System\zirckAP.exe |
| C:\Windows\System\RlkvPXJ.exe | C:\Windows\System\RlkvPXJ.exe |
| C:\Windows\System\TfgIVTv.exe | C:\Windows\System\TfgIVTv.exe |
| C:\Windows\System\gQVSXcL.exe | C:\Windows\System\gQVSXcL.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 20:21
Reported
2024-06-11 20:24
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lUBXXxx.exe | N/A |
| N/A | N/A | C:\Windows\System\HrEvPSt.exe | N/A |
| N/A | N/A | C:\Windows\System\HFsRTbH.exe | N/A |
| N/A | N/A | C:\Windows\System\XoFqirW.exe | N/A |
| N/A | N/A | C:\Windows\System\APtLXea.exe | N/A |
| N/A | N/A | C:\Windows\System\vCYtVzb.exe | N/A |
| N/A | N/A | C:\Windows\System\OMaXaqR.exe | N/A |
| N/A | N/A | C:\Windows\System\tsukIwE.exe | N/A |
| N/A | N/A | C:\Windows\System\BxONfsY.exe | N/A |
| N/A | N/A | C:\Windows\System\wvISGPi.exe | N/A |
| N/A | N/A | C:\Windows\System\zOIpYsu.exe | N/A |
| N/A | N/A | C:\Windows\System\hhrkxtF.exe | N/A |
| N/A | N/A | C:\Windows\System\oZJRrco.exe | N/A |
| N/A | N/A | C:\Windows\System\FdDSSOl.exe | N/A |
| N/A | N/A | C:\Windows\System\kvALnMT.exe | N/A |
| N/A | N/A | C:\Windows\System\zJZwsaN.exe | N/A |
| N/A | N/A | C:\Windows\System\dkvzfKd.exe | N/A |
| N/A | N/A | C:\Windows\System\qKszVzm.exe | N/A |
| N/A | N/A | C:\Windows\System\DvVFGAf.exe | N/A |
| N/A | N/A | C:\Windows\System\rSYJSvX.exe | N/A |
| N/A | N/A | C:\Windows\System\XSfsQHf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d05625a09cbb6ac32de8c6f5abcff41e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_d05625a09cbb6ac32de8c6f5abcff41e_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_d05625a09cbb6ac32de8c6f5abcff41e_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\lUBXXxx.exe | C:\Windows\System\lUBXXxx.exe |
| C:\Windows\System\HrEvPSt.exe | C:\Windows\System\HrEvPSt.exe |
| C:\Windows\System\HFsRTbH.exe | C:\Windows\System\HFsRTbH.exe |
| C:\Windows\System\XoFqirW.exe | C:\Windows\System\XoFqirW.exe |
| C:\Windows\System\APtLXea.exe | C:\Windows\System\APtLXea.exe |
| C:\Windows\System\vCYtVzb.exe | C:\Windows\System\vCYtVzb.exe |
| C:\Windows\System\OMaXaqR.exe | C:\Windows\System\OMaXaqR.exe |
| C:\Windows\System\tsukIwE.exe | C:\Windows\System\tsukIwE.exe |
| C:\Windows\System\BxONfsY.exe | C:\Windows\System\BxONfsY.exe |
| C:\Windows\System\wvISGPi.exe | C:\Windows\System\wvISGPi.exe |
| C:\Windows\System\zOIpYsu.exe | C:\Windows\System\zOIpYsu.exe |
| C:\Windows\System\hhrkxtF.exe | C:\Windows\System\hhrkxtF.exe |
| C:\Windows\System\oZJRrco.exe | C:\Windows\System\oZJRrco.exe |
| C:\Windows\System\FdDSSOl.exe | C:\Windows\System\FdDSSOl.exe |
| C:\Windows\System\kvALnMT.exe | C:\Windows\System\kvALnMT.exe |
| C:\Windows\System\zJZwsaN.exe | C:\Windows\System\zJZwsaN.exe |
| C:\Windows\System\dkvzfKd.exe | C:\Windows\System\dkvzfKd.exe |
| C:\Windows\System\qKszVzm.exe | C:\Windows\System\qKszVzm.exe |
| C:\Windows\System\DvVFGAf.exe | C:\Windows\System\DvVFGAf.exe |
| C:\Windows\System\rSYJSvX.exe | C:\Windows\System\rSYJSvX.exe |
| C:\Windows\System\XSfsQHf.exe | C:\Windows\System\XSfsQHf.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3220-0-0x00007FF64B020000-0x00007FF64B374000-memory.dmp
memory/3220-1-0x000001E9EAAD0000-0x000001E9EAAE0000-memory.dmp
C:\Windows\System\lUBXXxx.exe
| MD5 | ef7247d0070f580b0a63c8ff299a0f5a |
| SHA1 | 9fd4e4b091796c2a766a60e5c42a77751feeda7d |
| SHA256 | 0e7ab8609d53737a5393c023d6d8fe93ada7ef4ed441c330691f57e5bc24a1cd |
| SHA512 | fafb48a5f24599b44c6fc1aa364e59afd80833406507d489eda260b874f91c334b1d15af3e42514221bd5fe219ff2183f4267e0db2e5224fcedb0927ac52fede |
memory/1420-7-0x00007FF7F7880000-0x00007FF7F7BD4000-memory.dmp
C:\Windows\System\HrEvPSt.exe
| MD5 | 0ee4d6d68ce903b3b0ce5a33caed9cf0 |
| SHA1 | 753191a2dca12b0cabb889b20307fc972e92ab8e |
| SHA256 | 8991ef5bc7ae81c7a7bf6aa51e33a5bdbef8529ac1fa0ad3457a98ac13c07a57 |
| SHA512 | 4ae2968bc1fff4afbaff3233f08a6542a2789ebe49f3d477a6a942136978942b2450eee9c3c821256f82b36f7c66ac692a94f3c70bbc90e7ac145df7c98ec381 |
memory/3164-14-0x00007FF6DE7B0000-0x00007FF6DEB04000-memory.dmp
C:\Windows\System\HFsRTbH.exe
| MD5 | d2f9f20ffc67a6eeac533bdfa78d2994 |
| SHA1 | 1321fce7d6d1b8ee554742417831b6eb863ea47a |
| SHA256 | 5ab70d3a7b05712adeece39d3004d1525ce60d2083b2cc2f1920a4d482dda9e3 |
| SHA512 | 9194e431ccad4e346447ed282a2067516199090a4d1c2330f8d0c3e396c1eb3390c1e53403cf1517af335d14f65c6f60dd9fcafc160b52d91ed80e0627d8d05a |
memory/3736-18-0x00007FF763440000-0x00007FF763794000-memory.dmp
C:\Windows\System\XoFqirW.exe
| MD5 | 4e19d095530245bfe383a6d36c4ac34a |
| SHA1 | 0daf8ea86a34c44e987038916280aedcf8df6fff |
| SHA256 | 38ea8799903af2e3645c2cfdbc11cfe213cdb461400fdd3735a5fcc0b337e897 |
| SHA512 | fb7de00595cf2d3c2c474e14c86c07bd1fe2617e4020954f71f03feed0da2111ee4bdba8e4b641835a1bf771ac28f6ba788a5868805ab3041d4347e95ca0e0d3 |
memory/2376-26-0x00007FF6EEAA0000-0x00007FF6EEDF4000-memory.dmp
C:\Windows\System\APtLXea.exe
| MD5 | 39779fb929bcd03287e261e49cf3a0ec |
| SHA1 | b011d373bbeb76747bfa287e2c8bd457364f11f3 |
| SHA256 | 2f03b6e0155e3b3f75ba5e82e586d6de00dc95e8ed4561cea18f7c645a01d180 |
| SHA512 | a83133edd5072163caed261b92e324378ac7e1b8822d097e2fd4d8a2d17e97338b49c16acb01b79074c3b7fc1d36bbe3c39380d16302c0d1a498d46247fe9950 |
memory/1104-32-0x00007FF794E40000-0x00007FF795194000-memory.dmp
C:\Windows\System\vCYtVzb.exe
| MD5 | 692cd7c96f53d21c20a4964f748e7d5c |
| SHA1 | be109e9caf96f3ada17eb66d872e1f3a77a2f1ec |
| SHA256 | 3166d8a880a79c7ab64f35a446d58caafefe4db3bf5d996bfcc48072d43e52ae |
| SHA512 | 9c47eb438aea8c9eaea2764917e8f99f9e4b9ed86beb9f118f6fd23c187090a423f843eb8af3b8fad04734c73df1eb5d59910449df70d86f6087b629d5593115 |
memory/3896-37-0x00007FF64F5E0000-0x00007FF64F934000-memory.dmp
C:\Windows\System\OMaXaqR.exe
| MD5 | 825196323afce00ba7d503b71bc936f0 |
| SHA1 | 6c6528ae80885e92a27b79d185389b16eca22745 |
| SHA256 | 97a2d1838dd908350fc93b6b6999ef5b605e9953db385cbffa38ca176a0c812e |
| SHA512 | 037ccfde5ee9b0a847efe7f21ad31e539c922359430127044dc170be35973db8917165f4bf4e41273b7d9d79b119abd91bfbd8663283fb3d1a2c79ddf4c7ea33 |
C:\Windows\System\tsukIwE.exe
| MD5 | f314a43b178889d7aba896b459d4ba2a |
| SHA1 | 924d98496ca6db239e8bf45a4af334cf413df738 |
| SHA256 | 2e46dbf46be88c0fd50e333f962a1fb525ae0aff07b916d27454e8a83bca900e |
| SHA512 | de05cc17804dd20f9377b0e5950a647a2132de519b83b5005bd43aab67dd9276daa78a393b43fa84023fefeb90fc0efb65446f852a23efa3b80ba3a6b5f5b248 |
memory/60-42-0x00007FF6255C0000-0x00007FF625914000-memory.dmp
C:\Windows\System\BxONfsY.exe
| MD5 | 87a55bf4d40e78c9b32bde784a5e1bda |
| SHA1 | 14a9dc187b217209eef1f8085483d7c54481712a |
| SHA256 | adf15ff84a60d0533f8fc43854c755f65bf80681ae90a74dd1791148c5ff14d2 |
| SHA512 | bf6b44c88ddc55d5887e24f8d143de57c57a88e892f6c0d109b2d2e10fd6d45fb29be7fea30d766f7f5228371a288aad02e7d2c41ae834caab29b38cb45071e7 |
C:\Windows\System\wvISGPi.exe
| MD5 | 203970d6d4839bd865019df709d8638d |
| SHA1 | aaadf81ac7bc32b7a3f7568eb8e35035d197b616 |
| SHA256 | a3af76aae80acdeb63a8788b20e28d885e124e9015763c4bdd7376d4b364765e |
| SHA512 | a5b09db6c0e6017e2608144d719d6a4d547b9cecec26f1907d377cbeee72aca716c7a4bdadf65fe5ac5a1f33d0052f370f3ea25ada5877be1f6e0f4a47d67b24 |
C:\Windows\System\zOIpYsu.exe
| MD5 | b406fc6842a46cb23d35bcee5d1711d1 |
| SHA1 | 7a0d00454e4ed8565a8626fee9f4fed02f15b876 |
| SHA256 | cc318efcb4b7e936185b0eaaa5e9f61cd52a1daa551df30410e085910cdec42e |
| SHA512 | bef7dc72ecc65c5a14d9a8b2420870174c516c84dde75be47b04015f609c5254aed6f175142a8c44bf94d3e3f20de8d328f88d26cdeb28bd1d04d9425e2b5141 |
C:\Windows\System\hhrkxtF.exe
| MD5 | 4c3a1151c4e02e8be67010cc62e364b3 |
| SHA1 | a156f48248f634612ab3e4ff40585163d2cb8c89 |
| SHA256 | 04bc8c6abef4e57182ff02939568249aa53f12dfa1242aa3b4d2f604b8a4fcff |
| SHA512 | 845a6c2e48feef012d5047c3382dcd9bd8324872c19ddd2d4475e9e8c6c3200de5ae51ec9642746f773a4f4af90cc160b10581ce1cae985990af1279b1f720ce |
C:\Windows\System\oZJRrco.exe
| MD5 | 9b4684e69ff494938c4c2792a3e547bc |
| SHA1 | 670fc3ca07fa59f7ee558a5381efeda2cda6fe6a |
| SHA256 | f740aeb954d8c63eca133ee99a9e6cd4151f6c6b637227ef7964bd12a8396293 |
| SHA512 | c4e56fd15d381632a0a97c83772a7d6eb403dcc8a7a80cc34fda51385491fb8b17abafeaf75bc46d61b07e8aeb9a77fd38c38001d81d9ae900b640cfd2bb72e7 |
C:\Windows\System\FdDSSOl.exe
| MD5 | f505e174718bdccf9c48d96205dc80e5 |
| SHA1 | c6f954230e0ee017504c1c9e8ab59a8aabb5a232 |
| SHA256 | 903e41eb9a04fe994e982cef41dd911a377693fc32f71a82c19de5a95329207a |
| SHA512 | f82e7eab6de138687d974732fb1b695e6fef124dd24088f4602407ec5f5f0a7afb26ed9b2c96627e67ae3436a1236f948d0d106db4461467df6ed52d699ad0ea |
C:\Windows\System\kvALnMT.exe
| MD5 | 587b015152e262526e5a9e7004ef5890 |
| SHA1 | 39669fcf6e40b4f0e552c3b59ec1dbe51c7ac040 |
| SHA256 | 24e1b06a909197fa80f6e24ec46d9afc39328ab91f343d510a2fac22436c5818 |
| SHA512 | 82c76ef0f95f6bf3a411e5e5987f2a1ff8dea2d9103909b7fb303d304fa3e0ce14ced0b6efc0830e9f4a04ac11d65085c2ed680910f5ec2b8296354e65082664 |
C:\Windows\System\zJZwsaN.exe
| MD5 | 3fa6c50ee5120b9896d8114d1a772932 |
| SHA1 | 1f374c1d69c5dfb66d95a2c52b3c7c48a4250f1c |
| SHA256 | 24b6afb3b481326668a02741f48fd8d28fd8061e7be716b92f37bb0d98423cad |
| SHA512 | 48de4bde1c7e1aa9605d6e7dde6e446840f42cc20b7bf438ac09f017d3828ce35544f03be69f6b731c17b9e4354f34638805eeae54c649d62cba7480e392bcc7 |
C:\Windows\System\DvVFGAf.exe
| MD5 | a72555d0eaa5ab0c1cdc3a38e522d794 |
| SHA1 | df4458bb3d2ce38a1b9c6ea6206f4d3a0c2d9d06 |
| SHA256 | 0c68344075e7e622052cbd18608ddfce3d1e0373a5adf5fcd05a976dc03414d3 |
| SHA512 | 20cb4907c0767406b45afe456c044376679a420e44130d5e425ba67ba804d167293be70fb3f8e4ab8b7f35569ad049a26842c16c77a9c959cf7e27ae5df70a98 |
C:\Windows\System\qKszVzm.exe
| MD5 | 50ddc784a067de80d28947499f7d9a21 |
| SHA1 | 63e0327245cea15856ce823e841d419b074febc6 |
| SHA256 | 6b8f940b4ed3dd5b5143c3a93f8440586e873cbe5425e85f3a00e64cbf865aa4 |
| SHA512 | 297ca166cb9aa0427c79e84d23dca9b55509071c227285d89b7c7f976f7a50f3a34320ad86b5040fb3ce81187c4126696c1f16f2f761f46598f0400345038383 |
C:\Windows\System\XSfsQHf.exe
| MD5 | 6333d11e07dbca8225db904fca54aea5 |
| SHA1 | e7c0720cf2231f9d6b016a5537bbc09f02794bc6 |
| SHA256 | 9c66bf94198bb15b706039ee7767ca4c839e4fb03be459414c934d72e7bd061c |
| SHA512 | 4b88c98b736a761c08c9a9bc4b7308823f4ebc6da9dcba3bfd111f7778e2a0f99bde0d0d39c0b19b6f26d4211a259cf9dcf2d54fdebfbf32a000a931234f1dfd |
C:\Windows\System\rSYJSvX.exe
| MD5 | 9a1a493a91600fe1c804ede347fe8300 |
| SHA1 | 19de688a26b7563afde97d826bad7fd88a480cea |
| SHA256 | 88a3b41421e6a0e027467cbbd14a07f05858311bd19994aee799f396dcae8b9e |
| SHA512 | c1410c77b0a710b41f120bf8d6202dbff458065a25e760db7c9d83d9a05319cdc1eab156584c0f24b896797c5a156e88b0115e5199a2ca732913aa8b72c2e49e |
memory/748-105-0x00007FF7AF5A0000-0x00007FF7AF8F4000-memory.dmp
memory/3632-101-0x00007FF69D550000-0x00007FF69D8A4000-memory.dmp
C:\Windows\System\dkvzfKd.exe
| MD5 | 849fc88c2b555942e875944639df30e8 |
| SHA1 | 921da51c13e3c7981c9c8cc6d2c87b4960d6fadc |
| SHA256 | e9f8881f603aaa0cdb24c2d895db71b6666af0467bfeacdcef5fe89775f4a6ed |
| SHA512 | 39cd2f776cd1e1efa66687bcd1033d38f14ed6074bcb7d4d74c2c9df77a554498c5491453301b606bc7be41ffe0061144c77e3c068e25c7efd2716d0d6c8d0b5 |
memory/4992-98-0x00007FF7E4F80000-0x00007FF7E52D4000-memory.dmp
memory/2028-117-0x00007FF7807C0000-0x00007FF780B14000-memory.dmp
memory/2164-118-0x00007FF789590000-0x00007FF7898E4000-memory.dmp
memory/4104-119-0x00007FF6108A0000-0x00007FF610BF4000-memory.dmp
memory/5048-120-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp
memory/2840-121-0x00007FF7C2710000-0x00007FF7C2A64000-memory.dmp
memory/1988-122-0x00007FF727F20000-0x00007FF728274000-memory.dmp
memory/4008-123-0x00007FF6A9620000-0x00007FF6A9974000-memory.dmp
memory/4108-125-0x00007FF6D16A0000-0x00007FF6D19F4000-memory.dmp
memory/2144-124-0x00007FF617C00000-0x00007FF617F54000-memory.dmp
memory/468-127-0x00007FF7C25B0000-0x00007FF7C2904000-memory.dmp
memory/820-126-0x00007FF6D6FC0000-0x00007FF6D7314000-memory.dmp
memory/3220-128-0x00007FF64B020000-0x00007FF64B374000-memory.dmp
memory/1420-129-0x00007FF7F7880000-0x00007FF7F7BD4000-memory.dmp
memory/3164-130-0x00007FF6DE7B0000-0x00007FF6DEB04000-memory.dmp
memory/3736-131-0x00007FF763440000-0x00007FF763794000-memory.dmp
memory/2376-132-0x00007FF6EEAA0000-0x00007FF6EEDF4000-memory.dmp
memory/1104-133-0x00007FF794E40000-0x00007FF795194000-memory.dmp
memory/3896-134-0x00007FF64F5E0000-0x00007FF64F934000-memory.dmp
memory/60-135-0x00007FF6255C0000-0x00007FF625914000-memory.dmp
memory/1420-136-0x00007FF7F7880000-0x00007FF7F7BD4000-memory.dmp
memory/3164-137-0x00007FF6DE7B0000-0x00007FF6DEB04000-memory.dmp
memory/3736-138-0x00007FF763440000-0x00007FF763794000-memory.dmp
memory/2376-139-0x00007FF6EEAA0000-0x00007FF6EEDF4000-memory.dmp
memory/1104-140-0x00007FF794E40000-0x00007FF795194000-memory.dmp
memory/3896-141-0x00007FF64F5E0000-0x00007FF64F934000-memory.dmp
memory/4992-142-0x00007FF7E4F80000-0x00007FF7E52D4000-memory.dmp
memory/60-143-0x00007FF6255C0000-0x00007FF625914000-memory.dmp
memory/820-144-0x00007FF6D6FC0000-0x00007FF6D7314000-memory.dmp
memory/3632-145-0x00007FF69D550000-0x00007FF69D8A4000-memory.dmp
memory/748-146-0x00007FF7AF5A0000-0x00007FF7AF8F4000-memory.dmp
memory/2028-147-0x00007FF7807C0000-0x00007FF780B14000-memory.dmp
memory/2164-148-0x00007FF789590000-0x00007FF7898E4000-memory.dmp
memory/4104-149-0x00007FF6108A0000-0x00007FF610BF4000-memory.dmp
memory/5048-150-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp
memory/2840-151-0x00007FF7C2710000-0x00007FF7C2A64000-memory.dmp
memory/1988-152-0x00007FF727F20000-0x00007FF728274000-memory.dmp
memory/4008-153-0x00007FF6A9620000-0x00007FF6A9974000-memory.dmp
memory/4108-155-0x00007FF6D16A0000-0x00007FF6D19F4000-memory.dmp
memory/468-154-0x00007FF7C25B0000-0x00007FF7C2904000-memory.dmp
memory/2144-156-0x00007FF617C00000-0x00007FF617F54000-memory.dmp