Analysis Overview
SHA256
5b8a1fc382326095c107e2f370c775fa125f4a61bd2b7582273eeb9ebcc1d8ff
Threat Level: Known bad
The file 2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:00
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target exported.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; no description, indicator, process or target exported.
UPX dump on OEP (original entry point)
1 match; no description, indicator, process or target exported.
XMRig Miner payload
1 match; no description, indicator, process or target exported.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target exported.
Unsigned PE
2 matches; no description, indicator, process or target exported.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:00
Reported
2024-05-22 21:03
Platform
win7-20240221-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target exported.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target exported.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target exported.
XMRig Miner payload
42 matches; no description, indicator, process or target exported.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lIzyTVc.exe | N/A |
| N/A | N/A | C:\Windows\System\rUXJoor.exe | N/A |
| N/A | N/A | C:\Windows\System\KxEcXvV.exe | N/A |
| N/A | N/A | C:\Windows\System\StxoDWX.exe | N/A |
| N/A | N/A | C:\Windows\System\NKFJXOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\AstbRzv.exe | N/A |
| N/A | N/A | C:\Windows\System\MGCctXO.exe | N/A |
| N/A | N/A | C:\Windows\System\luckzOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\VIIwkya.exe | N/A |
| N/A | N/A | C:\Windows\System\yTHvoVG.exe | N/A |
| N/A | N/A | C:\Windows\System\DixyUJh.exe | N/A |
| N/A | N/A | C:\Windows\System\vcSrlzD.exe | N/A |
| N/A | N/A | C:\Windows\System\oEiFSsy.exe | N/A |
| N/A | N/A | C:\Windows\System\staLZpx.exe | N/A |
| N/A | N/A | C:\Windows\System\BVjoqgz.exe | N/A |
| N/A | N/A | C:\Windows\System\GIxwDza.exe | N/A |
| N/A | N/A | C:\Windows\System\OiQoBPk.exe | N/A |
| N/A | N/A | C:\Windows\System\wktvGkY.exe | N/A |
| N/A | N/A | C:\Windows\System\wYNlGCt.exe | N/A |
| N/A | N/A | C:\Windows\System\iGASQkH.exe | N/A |
| N/A | N/A | C:\Windows\System\ONbrEcr.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; no description, indicator, process or target exported.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\lIzyTVc.exe
C:\Windows\System\lIzyTVc.exe
C:\Windows\System\rUXJoor.exe
C:\Windows\System\rUXJoor.exe
C:\Windows\System\KxEcXvV.exe
C:\Windows\System\KxEcXvV.exe
C:\Windows\System\NKFJXOZ.exe
C:\Windows\System\NKFJXOZ.exe
C:\Windows\System\StxoDWX.exe
C:\Windows\System\StxoDWX.exe
C:\Windows\System\AstbRzv.exe
C:\Windows\System\AstbRzv.exe
C:\Windows\System\MGCctXO.exe
C:\Windows\System\MGCctXO.exe
C:\Windows\System\luckzOQ.exe
C:\Windows\System\luckzOQ.exe
C:\Windows\System\VIIwkya.exe
C:\Windows\System\VIIwkya.exe
C:\Windows\System\yTHvoVG.exe
C:\Windows\System\yTHvoVG.exe
C:\Windows\System\DixyUJh.exe
C:\Windows\System\DixyUJh.exe
C:\Windows\System\vcSrlzD.exe
C:\Windows\System\vcSrlzD.exe
C:\Windows\System\oEiFSsy.exe
C:\Windows\System\oEiFSsy.exe
C:\Windows\System\staLZpx.exe
C:\Windows\System\staLZpx.exe
C:\Windows\System\BVjoqgz.exe
C:\Windows\System\BVjoqgz.exe
C:\Windows\System\GIxwDza.exe
C:\Windows\System\GIxwDza.exe
C:\Windows\System\OiQoBPk.exe
C:\Windows\System\OiQoBPk.exe
C:\Windows\System\wktvGkY.exe
C:\Windows\System\wktvGkY.exe
C:\Windows\System\wYNlGCt.exe
C:\Windows\System\wYNlGCt.exe
C:\Windows\System\iGASQkH.exe
C:\Windows\System\iGASQkH.exe
C:\Windows\System\ONbrEcr.exe
C:\Windows\System\ONbrEcr.exe
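The process list, the "Executes dropped EXE" table and the "Suspicious use of AdjustPrivilegeToken" rows above describe one pattern: a sample running from the user's Temp directory writes seven-letter, randomly named executables into C:\Windows\System (the legacy 16-bit directory, not System32) and launches each of them, and the same sample enables SeLockMemoryPrivilege, the privilege XMRig requests so it can back its RandomX dataset with large pages. The following detection logic is an added example written for this page, not part of the sandbox report or of any vendor tooling. The event records are constructed to mirror the behavioral1 process list; the PIDs, the parent/child pairing, the two benign control rows and the scoring weights are assumptions.

```python
import re
from dataclasses import dataclass

# Seven-letter alphabetic basename directly under C:\Windows\System (the legacy
# 16-bit directory). "System32\" cannot match because the backslash has to
# follow "System" immediately.
DROPPED_IN_WINDOWS_SYSTEM = re.compile(
    r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Image launched from a user's local Temp directory, as the sample was.
USER_TEMP = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Process-creation event (field names follow Sysmon Event ID 1)."""
    process_id: int
    image: str
    parent_process_id: int
    parent_image: str


@dataclass
class PrivEvent:
    """Token-privilege adjustment (field names follow Security Event ID 4703)."""
    process_id: int
    process_name: str
    enabled_privilege_list: tuple


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-05-22_"
          r"b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe")

# Constructed events mirroring the behavioral1 process list. PIDs and parent
# links are made up; the last two rows are benign controls (assumed).
PROC_EVENTS = [
    ProcEvent(2188, SAMPLE, 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(1740, r"C:\Windows\System\lIzyTVc.exe", 2188, SAMPLE),
    ProcEvent(2612, r"C:\Windows\System\rUXJoor.exe", 2188, SAMPLE),
    ProcEvent(2556, r"C:\Windows\System\KxEcXvV.exe", 2188, SAMPLE),
    ProcEvent(3000, r"C:\Windows\System32\svchost.exe", 4, r"C:\Windows\System32\services.exe"),
    ProcEvent(3001, r"C:\Windows\System32\conhost.exe", 3000, r"C:\Windows\System32\svchost.exe"),
]
PRIV_EVENTS = [
    PrivEvent(2188, SAMPLE, ("SeLockMemoryPrivilege",)),
    PrivEvent(3000, r"C:\Windows\System32\svchost.exe", ("SeImpersonatePrivilege",)),
]


def find_dropped_launches(events):
    """(child image, parent image) for every launch matching the drop-name pattern."""
    return [(e.image, e.parent_image) for e in events
            if DROPPED_IN_WINDOWS_SYSTEM.match(e.image)]


def find_lock_memory_enables(events):
    """Images that enabled SeLockMemoryPrivilege. XMRig asks for it to get
    large pages; ordinary workstation software almost never does."""
    return [e.process_name for e in events
            if "SeLockMemoryPrivilege" in e.enabled_privilege_list]


def triage(proc_events, priv_events):
    """Group drop-name launches by parent and score each parent. Weights are an
    assumption, chosen so that either corroborating signal (Temp-resident
    parent, SeLockMemoryPrivilege) outranks the raw launch count."""
    lock = set(find_lock_memory_enables(priv_events))
    parents = {}
    for child, parent in find_dropped_launches(proc_events):
        rec = parents.setdefault(parent, {
            "children": [],
            "parent_in_user_temp": bool(USER_TEMP.match(parent)),
            "enables_lock_memory": parent in lock,
        })
        rec["children"].append(child)
    for rec in parents.values():
        rec["score"] = (len(rec["children"])
                        + 5 * rec["parent_in_user_temp"]
                        + 5 * rec["enables_lock_memory"])
    return parents


if __name__ == "__main__":
    for parent, rec in triage(PROC_EVENTS, PRIV_EVENTS).items():
        print(f"{rec['score']:>3}  {parent}")
        for child in rec["children"]:
            print(f"      -> {child}")
```

The two controls matter as much as the hits: conhost.exe is also seven letters, but it lives in System32 and is not flagged, and svchost.exe enabling SeImpersonatePrivilege is routine and is not counted. On a real endpoint the process names in 4703 and the image paths in Sysmon are the fields to join on; the PID is only reliable within one boot.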
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2188-0-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2188-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\lIzyTVc.exe
| MD5 | 3f06e9aa3ae1a79ab4e0a06f685a8bf4 |
| SHA1 | 031aeec050a80542e3feb5fb7aea747268f549ed |
| SHA256 | cb97f58bbd004ef6b0405bff24d03a3c6d25bc3df8ff0e42ea3d85f7922fff08 |
| SHA512 | 5d22a31df1f3e9530b9081e8e4ca33377f7ec02a4a7da9c07bacec953a7642ec82dcbfa45c5e8e89fe7b945e0737b0c0158e98d89d286f8cb219fd6d66e13284 |
C:\Windows\system\rUXJoor.exe
| MD5 | 35d4b9b40e9b95b4a75dec06c4c6f979 |
| SHA1 | 0b088ae4df4f56a63f25ba22b7e936e89c483dcb |
| SHA256 | a2e35e125d8ab4763501772c6c07ab280e15f436019dc190dfa4cb55de62bc7e |
| SHA512 | 56c93fd59bffe6df5a120e950c179eec9dfb3eaf7c3f2e9804dbd4886aee0b0f3a2ad0227feedbd311243dfffa198f082d84fd5e6761249fd05b31e51ba2784b |
memory/1740-12-0x000000013F870000-0x000000013FBC1000-memory.dmp
memory/2612-14-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2188-9-0x000000013F870000-0x000000013FBC1000-memory.dmp
\Windows\system\rUXJoor.exe
| MD5 | c2bb444f676e8f14bf0054f9cdac9830 |
| SHA1 | f186f8dc1d8e141ae2c13d699d202e974c7148d5 |
| SHA256 | c4943b864fc590ea5275ce80b61f7e085fce9193cf8dd07d382c550edce91343 |
| SHA512 | d1e012b03557de70d6407a01e686c558083dfbff8d8cfa523655789ca139c1dda2ee6c2bd7deca2d4f28bd347b2b59d6e37424cf93b27a46723ef7b4e7b93ffb |
C:\Windows\system\KxEcXvV.exe
| MD5 | ebcd1db895d26320d96c796c3cd2574e |
| SHA1 | 5c6dfa4e7590f37a0f19f8f62ac3c00b2ad72586 |
| SHA256 | 53f6c580b45cdb45f748912912664a48f68bbe25c5580644faade964da3904b6 |
| SHA512 | 95b662116ead28407f8d76791921ddc981d81fdfe52b67aeab333cb8b677aec8ec864beaf690c8415abcaac902e28480cf7bdc2423004ca8ae84da6eaef09f43 |
\Windows\system\MGCctXO.exe
| MD5 | 76fa58337d1c23881d8c866491b6cab8 |
| SHA1 | c00139d85150fb18ba9438c34e76852e65d9db23 |
| SHA256 | cacf9a31230f5d5282f14c9ec6d20531f1555ae8075cbe0d1cb12cbaa4aa97a1 |
| SHA512 | c89f3fe3425c6b00edf50eb8ed16aeb0243b129458f0c84093e80955347a6001fb88622aaa23a2daedef2d7d566a3f23e947ffd2fb9356f58537f85d86a3a1dd |
memory/2188-29-0x000000013F850000-0x000000013FBA1000-memory.dmp
\Windows\system\AstbRzv.exe
| MD5 | a4b5fc4a9834fcd3151c69a393925610 |
| SHA1 | 9a625e9edaf2b5c3912fc5295a1551c41f589a4c |
| SHA256 | 4cb1f53454e84c34cdf733ae502d41ddba9a18cf6781713b9c39216ae0e03731 |
| SHA512 | 2110fbe205faddebec56e46ef870a7c78ea5e3f94b53c2d5f7a51ee2978d1a27de0619cff8c71f076be2c5706b34b0ed1bd6f0631430c7d95053ca1c3382eb9a |
C:\Windows\system\luckzOQ.exe
| MD5 | 84e797f18419d093ae7c892e22f91c59 |
| SHA1 | 19336b2547a41815486efd848b35a2a16174270d |
| SHA256 | ca95c67af76b708a4cc78b209c2b95a097edb2a5fb53cf5322cb7d305f10cbb4 |
| SHA512 | 39a277eb285b1ab8dc5a5037da9024607dc1dd4e0b593f20ca2e99fe65858f355837be320017cde22603da2823117d694d54ace694c838d25d794695617dc007 |
memory/2564-51-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2188-50-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2424-60-0x000000013F470000-0x000000013F7C1000-memory.dmp
C:\Windows\system\yTHvoVG.exe
| MD5 | e8329153b5bbfec881b183d0b4c94cda |
| SHA1 | 034c52610b5b530443d07d3756eb284141406573 |
| SHA256 | bd857b50a541412a5c3da65ccb1fc2150a9095ab63d04307769475a46e467292 |
| SHA512 | 6f9614e951a4884e84fc187d8edd8763fe1cd834180c7b4be532ad8c28944726932130349ea924c7720768793a3a32fae355259c17003b84834bffffecbd1dbe |
memory/2244-84-0x000000013F420000-0x000000013F771000-memory.dmp
C:\Windows\system\oEiFSsy.exe
| MD5 | 6776a0d1d10efe8dce91d3f27f2e0310 |
| SHA1 | 2dad4cbe8909481854f0bed30332ba5f8a7cc355 |
| SHA256 | 67cc4d6beb0dc82a80e794987fa0ff2735fce917a533fa858292db77cb9a385b |
| SHA512 | 2f2f72463a204f13941aa1f0e349217e59fc7eaf8315926122ec6656b1a250ddf2591a264c534c8d2a6dc2fb7ff8e3c1e7f4ea949c0ca225e5a45e627ae5766d |
memory/2980-96-0x000000013F6B0000-0x000000013FA01000-memory.dmp
C:\Windows\system\BVjoqgz.exe
| MD5 | 93fee0215babe824b3d40272a4480973 |
| SHA1 | 6a4a3463f1c53ad8082e41bcf610b86247fab0b2 |
| SHA256 | 57d150dec92d0ceb189945bd059399b8c8fe000ac4413b1848d4ee5fbc3bed17 |
| SHA512 | 708714a836f355e2fcd6c515c126cc3c9eb4617fe176c78dc2857376cf6604df8d82412b61bf04e244f00aa8077e7a92f5b4af34bfc7635b949e9ae874ba7346 |
C:\Windows\system\ONbrEcr.exe
| MD5 | 955e931a7b1a063c8f17207185298676 |
| SHA1 | 976e53897cd615ac1aed196bdcb6d9e742946954 |
| SHA256 | 3a88126fd591175cd9ccc6eebf46dad6be4410954fbf47fc3a8bb076d5220c9a |
| SHA512 | 7d75c9f3400ba9d6ddd982ad00cc19ace9f4c9a91029495951b09da1e8ea0ac363b2196ffc6bc9a9df48a6cb5fd04cc59bc44349922f05267cc96d055c1c8421 |
\Windows\system\ONbrEcr.exe
| MD5 | 4892d49c14a7e283153698e747ec87c9 |
| SHA1 | 7822c69037298ccf4e2cd90381d1446721619c85 |
| SHA256 | 1bbf7ec7dfa34b0d40895a909b82a3a5ff0e7309cdbaab86e0d5c97264357e18 |
| SHA512 | 822125c120a17f4b7f203a570ed240a57e897b4dcce83658630a5c0833b272b84d104098adb903387f380218356f2efbba086a67aa762dbec174f6c315eb4502 |
C:\Windows\system\iGASQkH.exe
| MD5 | d409f97db526c9603af9f92e58824084 |
| SHA1 | 4ba5155030424571b0d17ef77be2d6e82e93e1e0 |
| SHA256 | be6ae5a5213ce60518d3ccaea59a24ec7e847bcfb38529d4998f9796d0175771 |
| SHA512 | da3ec35a0491e51d1a8064eb20c56ccb919308f79eb44a93b2a68f34dfdb6ff44ae43d2bffe48aa0f1a5a7170bcccb44dab267d4b98028dcfd3f03fb78738d12 |
C:\Windows\system\wYNlGCt.exe
| MD5 | eb1c1412c1d57196f97314fe6b21ac67 |
| SHA1 | ad3ac31326533b6f768755602ff34fb19574fe94 |
| SHA256 | b468939f1efa308584724a62566e34bacb33ba6c2dcabd68e91055b0db5e73ea |
| SHA512 | 5d983ac76119d4125787c86e210faf33ee09a86b58768c8a3a6ece559b4be79dc79f205e47241891cd60c33cee5525ee209afc7e41860b43a73e77270ec71add |
C:\Windows\system\OiQoBPk.exe
| MD5 | 6607cf3edc67fa769712afa7ef7fb76d |
| SHA1 | e071b6ae7aeee32ff31a03175cd8d64571e4b3ab |
| SHA256 | eb38813be7f9c69ac2e17916e20f6f88116e782715219a412b3e6d95721d5ab7 |
| SHA512 | 2c3e481bac2ec8f4a6ed3e3d40b0569a2e77bdf3a7d67dc5f32f776d603faca9a062289cb564b5aee8691e41803a352cca0bf061ad4d542966519f60a1f1df53 |
C:\Windows\system\wktvGkY.exe
| MD5 | 1c4a38b1e11c58bf312f4b6017b881b0 |
| SHA1 | da9610e812771c473e912bc64f34f95313c5eb19 |
| SHA256 | fdba64f2d1239a918f4b8545f5b35741c8c3bceeb5df9809eb85b657eda14ff3 |
| SHA512 | 8642494064f90ea517f7c87a7bb9633d9e2eea696f47f695f701cbd6421e8ea663a6143725b21a589dd8c84db9e53a42eef27605d4f28d0a24d064f80b44bc81 |
memory/2844-103-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2648-102-0x000000013F850000-0x000000013FBA1000-memory.dmp
C:\Windows\system\GIxwDza.exe
| MD5 | cdbba0fcc8c57092489f1e80557d5a9d |
| SHA1 | 8e4c3646d7044e7504afed406d8ef667957ecff1 |
| SHA256 | 46ec73079b929b6c0d592344a1f0aef5ed9099633c89b11471e6c15fddd0a84b |
| SHA512 | c51bffc90f0602310345662ea6e3e2635ce9a05cd33be93d9d4cb4f26d74a8ff05f970cd69861a9230d3a9e357b5b6fef220ee67d60fb1fd2cec1110a26d605a |
memory/2820-89-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2188-95-0x0000000002340000-0x0000000002691000-memory.dmp
C:\Windows\system\staLZpx.exe
| MD5 | 642f3c53569a198c7eebcc3ecaffa0a4 |
| SHA1 | da6b3a449a311b85ba7c7980921ffbee6114b90f |
| SHA256 | 671b9d87596dfe18ba9f75f3c0017b5386aa041501e0b982c3214dd3ed95fd93 |
| SHA512 | c8f573471ec921b868a2a088b4c2e2dff6b2f3dde761e60b1e6390da7f0271b68cb161d075a9679e2f88b24baa91ad3d959d9589a419848f9eb829a166ed36dc |
memory/2188-83-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2628-135-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2132-77-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2188-76-0x000000013F8B0000-0x000000013FC01000-memory.dmp
C:\Windows\system\vcSrlzD.exe
| MD5 | cfc8242234d7a1f7415bc3389f26ced6 |
| SHA1 | 6eb920d0255e418d5c2752ed74e06469254a1dd3 |
| SHA256 | f3f8cd65374e007a473c892276008fe5ef25bf03f61c21ac8f843baffdd95705 |
| SHA512 | 22cb451acb83eea4efe287466eaf16c514269845f21b7fc5b0bc5383d7679db358736684325d7a3e72ed3de139c650e19324898fd744813562c5b4c45fe0efe8 |
C:\Windows\system\DixyUJh.exe
| MD5 | 0a10b84e3af08499405bb7b7e2f422de |
| SHA1 | c1585e3e36234afd2bfb0cf14f13de2c5045dae5 |
| SHA256 | 8f2b9ad16ac6875d7c9823b8a18647f632af863a9be30a778b6c7f62b0076960 |
| SHA512 | 581c09e3790b2d2810c0fa6fcdf0e5635a5aa24d65b485ae60af96c431b141df252831d39882ef616b9b91793f185396c68ba8f69466e6d9569df4b11b82a6cd |
memory/2500-69-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2188-68-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2556-67-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2188-59-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2612-58-0x000000013F060000-0x000000013F3B1000-memory.dmp
C:\Windows\system\VIIwkya.exe
| MD5 | 9ca5093d74a540271f7c622227ac1e30 |
| SHA1 | c9447b5865d4ccd6dad3d1233ff544f89b192017 |
| SHA256 | b2d48cc4af72b721b530fe39feb50d27ccde0f0a3bd23852064bfe0f827e9e44 |
| SHA512 | 7891da9aaa7506cc98541a506664f8ce7821c57bc4a841f6c7dad57d4027f8ca99495ef963c3dbe2c19d45178d0de86b33d22f99d62982c4d4c03221b54af9ba |
memory/2840-45-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/1740-43-0x000000013F870000-0x000000013FBC1000-memory.dmp
memory/2844-42-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2628-40-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2188-39-0x000000013F460000-0x000000013F7B1000-memory.dmp
C:\Windows\system\NKFJXOZ.exe
| MD5 | 1fca5c4c86e3159344efa30af95d388f |
| SHA1 | 5bbb3a754fa1af9c202fc58ddb46db247df44d98 |
| SHA256 | 38401ad31139ce7dcf623e1a64908301b960e16c6bd42ee14491a5f8f70199a5 |
| SHA512 | 3ad928fd77b8823136e5ba09c2b9a9d3b1d5c97ebf8d79eafa8999f4a71faf7746d3d342cbb1c107807506c8d5306ac4dbdd593ba2658294b373450edf8cddf6 |
memory/2648-36-0x000000013F850000-0x000000013FBA1000-memory.dmp
C:\Windows\system\StxoDWX.exe
| MD5 | 15781732e0bf4031f1f68f4d0bc62884 |
| SHA1 | 403643fca0742c7337572f095438b369bf02e5ad |
| SHA256 | b2f21e6fac00a02df5e38a9f38dff4141c18ad48acc38a5ec9330b1a0dd9dd8c |
| SHA512 | a499b20e3de724b8b81880d773cd4b030e05b8df65dc7f4892ccd5f8bffaf3ab341e1eed92821607cb6e0343968931658036bed4ffaf3a95f8c93d1a565041bb |
\Windows\system\NKFJXOZ.exe
| MD5 | 3ce9749ea53894c34a3ae883115050fb |
| SHA1 | 1fa4d482aefeac734d83dc415eeb52babb172a9a |
| SHA256 | df9d41c3ecfdd6bb4a531f6598558eba12e78b3c0228053bf8eaa6f6c5f5d243 |
| SHA512 | edc47c56d4dcc3c6a6cb72ce026311824ed27c1be830d8bb4acb030204103aadfe8daf4e432b8a487cb02ee07445a65e7986d93d091bccf131199e81b050d992 |
memory/2556-25-0x000000013FB20000-0x000000013FE71000-memory.dmp
\Windows\system\StxoDWX.exe
| MD5 | d7aa29a8c584e0e8f031524c439fc589 |
| SHA1 | 6a193ff1da239340c85e04c1a00a08fe211016a4 |
| SHA256 | 938332d961abf52508483b8bf974e327e8109b945c60338c99150a48331e0536 |
| SHA512 | 8b76323cf878b347746238d181d16e2f00a360e539e39d04be7ce32ecd9f203516de6c90b862f4a5c7c221e12f89756344802789ad4a0ab26dd621edeaf1d681 |
memory/2564-137-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2188-136-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2188-138-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2500-148-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2424-149-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/1564-158-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/320-160-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/2188-161-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/1532-159-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/2668-157-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2412-155-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2984-154-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/1724-156-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2980-153-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2820-152-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2188-162-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2188-163-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2188-171-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2188-186-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/1740-210-0x000000013F870000-0x000000013FBC1000-memory.dmp
memory/2556-212-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2648-214-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2840-216-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2612-218-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2844-220-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2628-222-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2424-224-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2132-242-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2500-240-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2244-244-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2820-246-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2980-248-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2564-257-0x000000013F3F0000-0x000000013F741000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:00
Reported
2024-05-22 21:03
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target exported.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target exported.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target exported.
XMRig Miner payload
45 matches; no description, indicator, process or target exported.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\iffTBvj.exe | N/A |
| N/A | N/A | C:\Windows\System\XleJmEC.exe | N/A |
| N/A | N/A | C:\Windows\System\bFVxGdS.exe | N/A |
| N/A | N/A | C:\Windows\System\nCbyCnn.exe | N/A |
| N/A | N/A | C:\Windows\System\CKItioc.exe | N/A |
| N/A | N/A | C:\Windows\System\qbOoDRj.exe | N/A |
| N/A | N/A | C:\Windows\System\CdFrBhF.exe | N/A |
| N/A | N/A | C:\Windows\System\KnrouMu.exe | N/A |
| N/A | N/A | C:\Windows\System\TfQYDgY.exe | N/A |
| N/A | N/A | C:\Windows\System\msqnfRd.exe | N/A |
| N/A | N/A | C:\Windows\System\gOJZhWm.exe | N/A |
| N/A | N/A | C:\Windows\System\vBWJFRN.exe | N/A |
| N/A | N/A | C:\Windows\System\pwKtynM.exe | N/A |
| N/A | N/A | C:\Windows\System\PnVgTKj.exe | N/A |
| N/A | N/A | C:\Windows\System\CxHqvZX.exe | N/A |
| N/A | N/A | C:\Windows\System\xkRrvYf.exe | N/A |
| N/A | N/A | C:\Windows\System\yhDFXtw.exe | N/A |
| N/A | N/A | C:\Windows\System\znOnyLK.exe | N/A |
| N/A | N/A | C:\Windows\System\CzMYPbc.exe | N/A |
| N/A | N/A | C:\Windows\System\TNSoToC.exe | N/A |
| N/A | N/A | C:\Windows\System\DTTUwRa.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target exported.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-22_b3f69aac550e7d1dee683fde5892949c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\iffTBvj.exe | C:\Windows\System\iffTBvj.exe |
| C:\Windows\System\XleJmEC.exe | C:\Windows\System\XleJmEC.exe |
| C:\Windows\System\bFVxGdS.exe | C:\Windows\System\bFVxGdS.exe |
| C:\Windows\System\nCbyCnn.exe | C:\Windows\System\nCbyCnn.exe |
| C:\Windows\System\CKItioc.exe | C:\Windows\System\CKItioc.exe |
| C:\Windows\System\qbOoDRj.exe | C:\Windows\System\qbOoDRj.exe |
| C:\Windows\System\CdFrBhF.exe | C:\Windows\System\CdFrBhF.exe |
| C:\Windows\System\KnrouMu.exe | C:\Windows\System\KnrouMu.exe |
| C:\Windows\System\TfQYDgY.exe | C:\Windows\System\TfQYDgY.exe |
| C:\Windows\System\msqnfRd.exe | C:\Windows\System\msqnfRd.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8 |
| C:\Windows\System\gOJZhWm.exe | C:\Windows\System\gOJZhWm.exe |
| C:\Windows\System\vBWJFRN.exe | C:\Windows\System\vBWJFRN.exe |
| C:\Windows\System\pwKtynM.exe | C:\Windows\System\pwKtynM.exe |
| C:\Windows\System\PnVgTKj.exe | C:\Windows\System\PnVgTKj.exe |
| C:\Windows\System\CxHqvZX.exe | C:\Windows\System\CxHqvZX.exe |
| C:\Windows\System\xkRrvYf.exe | C:\Windows\System\xkRrvYf.exe |
| C:\Windows\System\yhDFXtw.exe | C:\Windows\System\yhDFXtw.exe |
| C:\Windows\System\znOnyLK.exe | C:\Windows\System\znOnyLK.exe |
| C:\Windows\System\CzMYPbc.exe | C:\Windows\System\CzMYPbc.exe |
| C:\Windows\System\TNSoToC.exe | C:\Windows\System\TNSoToC.exe |
| C:\Windows\System\DTTUwRa.exe | C:\Windows\System\DTTUwRa.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4972-0-0x00007FF607B40000-0x00007FF607E91000-memory.dmp
memory/4972-1-0x000001ADCD100000-0x000001ADCD110000-memory.dmp
C:\Windows\System\iffTBvj.exe
| MD5 | b6b3f326883f197aaf0b1482993b174a |
| SHA1 | a9269402115bc36c5f159a949df2e9f1d633c922 |
| SHA256 | 89983b03495b0dd5fa223f1502ad6e730553e34abaa312752637c9a1fe3c8ba8 |
| SHA512 | 351b0cc30fad439b8039ffcd4341566611f18f642b6e0e64cd0d7cdcba2a4f34944e215a266d3b8595f67abeb80d524e10b18bbeec7b22bb478f49365b8e9adf |
memory/2540-7-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp
C:\Windows\System\XleJmEC.exe
| MD5 | d924cf8107f3787852c17790298d36b3 |
| SHA1 | 21b0b63fc62eeb4fbc34cfc87fcbb077ff1d360b |
| SHA256 | 6c9cb18f8f275c643cf42fdac387f6d3ed8e436afdfd8a2c5bb933b748498b12 |
| SHA512 | 47e32412230d7440868b188715fd82800384970d35cf8b29c4980b86077b17a9ffdbb06036ea78d2211995f6ab39b4402b733dec1e0400022c4746463ca8d8fa |
C:\Windows\System\bFVxGdS.exe
| MD5 | 66a1ccb85c14eb451f5b8c210beda3fa |
| SHA1 | 6420dafe8e5c8e4f5396d01c2565326d2f62ed8f |
| SHA256 | 988498dbe0a53c91d2f19c4feb5def2cda5ddaa81f9b689fca57cb994c2039a2 |
| SHA512 | e951a42b8b365e1cef9a23cc5d6b9eb6236235fe70bbebbc63b692f4af94030deb77080da87fbb15fa3faaf52a72a64cfec78addd45dc1b35ccc16fb299d0350 |
C:\Windows\System\nCbyCnn.exe
| MD5 | 480810a2ff73751f3e0b4ca4cd4d6e4e |
| SHA1 | 1395b12f79395d1198273acc70cc4b5e1c54a3f1 |
| SHA256 | f180bc5ddfd6dc3a1978af5cccc040f4c302300695727bfab31e7ab422356e50 |
| SHA512 | 34378f800d6cb62d03110e2dd291eaed76eed94f5fd45ae7ba46ae5728762e34806cc2432b4145926295e2b5b8df0a8098379434426da0ac2a246ecabeb43920 |
memory/4844-26-0x00007FF6CF8B0000-0x00007FF6CFC01000-memory.dmp
memory/3496-25-0x00007FF7E8F80000-0x00007FF7E92D1000-memory.dmp
memory/2112-21-0x00007FF6C5A30000-0x00007FF6C5D81000-memory.dmp
C:\Windows\System\CKItioc.exe
| MD5 | d46a0d9dd5f053217561ed5d8d12620f |
| SHA1 | f5cdbdf6d54efce0a072f9ad5c7badbfcaae0708 |
| SHA256 | 80aa457828d9aee7eb6bfde247ba942a3650699447a4fa7f67cab6fdeb88b391 |
| SHA512 | 54f21e3bc08e6f53bf86a4527a73adeeb362b01d978db4690668f9220f73e9d96bb8131bad1c1641454a2f700058e45753ca78381462f01d8f6fd577ddcc0917 |
memory/924-31-0x00007FF779D30000-0x00007FF77A081000-memory.dmp
C:\Windows\System\qbOoDRj.exe
| MD5 | 91e5ecf37ff2fffb753f7669b198a595 |
| SHA1 | ea9efb2e82fd03fcec0797abed636732a07ea17f |
| SHA256 | 5a84addee03759b88a8b136f5adcad328ed1bd8ed4b76f5357e96f8fe69f77dc |
| SHA512 | a4855513a067bac3637538e892055d820539ed0762763b15afc616dde35a8e4761110048b4738428c24183af7c3867c84608fb503262a767d9a732c2df49faa7 |
memory/2708-37-0x00007FF6C1DD0000-0x00007FF6C2121000-memory.dmp
C:\Windows\System\CdFrBhF.exe
| MD5 | 6138064f53142b3a5b25081f7112a7ed |
| SHA1 | 4712af1661f0ee96c5b0397a7578a1d2c786d887 |
| SHA256 | b8fb4d1dc867f20e36cad15aafcb273d7b341f22c28c25e90fb2f5bc94832fbd |
| SHA512 | 664df563f085be15cdd99b107fa0069aa1368e30aa229d2fcb5085b0715e0a65e97b6201cb235c1997f1051ef6ee1c2bc31231988414daf8c7218e4ea3581f28 |
C:\Windows\System\KnrouMu.exe
| MD5 | 50042b08132bb8e71b6a4b7ab7fc6c99 |
| SHA1 | 3d0c546c1c01b42c0fec25d74e066c43bef33ca4 |
| SHA256 | 8260b4e0e05af78d8d63db30f76d14483742ba0651f58eea60b27438576834d7 |
| SHA512 | f3c985457cc4767e7ce5593529bff43a2a5ceac38542cd1eb73cc6fb1018da037d7242ead411850d4da79413ad108359630f0d6dafdb05495741de0b16b058ad |
memory/2120-48-0x00007FF6DE040000-0x00007FF6DE391000-memory.dmp
memory/4036-53-0x00007FF6B94D0000-0x00007FF6B9821000-memory.dmp
C:\Windows\System\TfQYDgY.exe
| MD5 | afcfc0b55aaaf7f4a9c4fbc4a5ce42ee |
| SHA1 | 24a6ada969170a07c093fe127e692d069a1cdb0f |
| SHA256 | ae82b9394373831430aaeb4ad0eb1b6d43e00cf9e61dd65f8d73d48382248a7a |
| SHA512 | f992393273344ad958d28443944030e2951d29968e2c8a2698c433c8416304894cfbdc956cae2ee50689d98b494306420e3427607b8ba707c44e2c448ec55592 |
memory/3528-54-0x00007FF63BFE0000-0x00007FF63C331000-memory.dmp
C:\Windows\System\gOJZhWm.exe
| MD5 | 1a17cafb63412561875425c21c0ca08b |
| SHA1 | f983c8d650ca54c816c627fc65a9047aaee1e356 |
| SHA256 | 10c72721ef89a70123e36dbb204eb4b75891f8a1c9c63f37f25d6b6519cfcd95 |
| SHA512 | 6695105204497a521d644749980cb64523aa660d89c41a80485eceef7eaa8d5a38fce580a332e3d460126829777c73bd13e573f1685453c64e7b9f8a395cea54 |
memory/3716-62-0x00007FF74D1D0000-0x00007FF74D521000-memory.dmp
C:\Windows\System\msqnfRd.exe
| MD5 | b3bd2aa6d373adbbf1840af2152c26f5 |
| SHA1 | 20f8e9146130bfa1a313580966bafc85f51cf73b |
| SHA256 | 93113d674ee17562db1cc76073e55659523cd8ea8241e419d1419ebf60c8d161 |
| SHA512 | cfc1b99039ef9bf6cfe1abed7e43590c0c567bb22a6f17fc277fd304046afa64e4336553e76e1c987f4928f16b78c9b160a041762c665da38ba0e81b31e3ffa5 |
C:\Windows\System\yhDFXtw.exe
| MD5 | 0035e60d0958d078a35e32c04252f755 |
| SHA1 | 1ab00aab05fcddd481d2eba5215c07dce7bb2aa7 |
| SHA256 | 3e5d9b97242a89b9d54ecfa99c0ec4f918e0fda0cefbf47cab00a570115fbdbc |
| SHA512 | a39caa158d56ac427dcfdcd4fdaed05cf876da282d89480b00ec54e623001e061f5e367779ddfef1db15b96ea8b1657c86dc7f21881c0a083d354ebfaff6085e |
C:\Windows\System\CxHqvZX.exe
| MD5 | f9f87ec727b3daf9e860ce2e5c4350b0 |
| SHA1 | e8ef1c18d8e507012e674bc78e915de2c4ec1736 |
| SHA256 | deefc8e9b9f117805d64b0664e738867dbf7166f8b4b9f400bbab5f812363839 |
| SHA512 | 5ffacfd90c7fa0c666bfc7a7d3cdbb8ca515336293886c8257be4e335dc262f2cfa57da3844eab621e0da33b24f189fe4dc986509f5666a43fc4fc58b3c55525 |
C:\Windows\System\TNSoToC.exe
| MD5 | ac44c075b8ee75f80c1a9f0651888f7a |
| SHA1 | aa373f3a12841b450f39049fb659fc11a5c0a8a7 |
| SHA256 | a918e6f0d80637c93157b0f8fb62b12d469a8ceb11d3d9cda1532a1d0428f795 |
| SHA512 | 8d72b34668be4568ec956b66459e9b49e2ee04876dab2dba8094b5fb851d7025a3eb6dada8ee58b55a2c8a8eb9f9c9199d04e08a513dbd566aa259bdc23e7f73 |
memory/4952-117-0x00007FF670200000-0x00007FF670551000-memory.dmp
memory/3680-119-0x00007FF7B9070000-0x00007FF7B93C1000-memory.dmp
C:\Windows\System\CzMYPbc.exe
| MD5 | 9443e6fa9376f026858e4405a254800d |
| SHA1 | 61a84a477bd4744b3ac24c60eb2181f808f2452b |
| SHA256 | 041ada35dca8dbb86bacf279b5f4f861e9d2a55336e81818a5df43ae2220ff12 |
| SHA512 | c1cdec58c0c96f902b1899ee0bd6e3aa2b3bd481bef3af6a1a5412bbc69c452cb98938d0d88ba8fea5d0c29b7f462955a821ac2b4aba54eab19f2e81115a6f77 |
C:\Windows\System\znOnyLK.exe
| MD5 | 107ec8f9284446a8066bab4f2645dc32 |
| SHA1 | e954333332f471888ca9583fa1683e0dc9e526f4 |
| SHA256 | 9581692e2446fd90cb754e71553cb7df00045f0307a630e092299280524d6320 |
| SHA512 | c7ed11fc9539a82f2bc3abea04ee7aaac2d3ac258ea56b13164e554e7e88155164ed9f0b5da924ae30abc02ae1e17a5bc780e7fbd7d92e1c67ef0eda01721c37 |
C:\Windows\System\xkRrvYf.exe
| MD5 | 5daf744dcafa3918606dc9e7fa24bf09 |
| SHA1 | 76d10f09dcff2e5f55aa3147281f174dcbcde92b |
| SHA256 | 2879d4b3888ddf3137d6d1b0686b0858ebe14de3460f109ea07c44f8dcc5deea |
| SHA512 | e512b2f8db49cf3b2aece61dad68cb98f3af4913f25959792a38a8cf7df19bc8520da3c79c61f2e579dc594985ddb5e522600b226bbef9df54e44c0becaa3bc0 |
memory/2384-101-0x00007FF773650000-0x00007FF7739A1000-memory.dmp
C:\Windows\System\PnVgTKj.exe
| MD5 | 4d24337636aa61cdf832f09617428665 |
| SHA1 | cdf6958f7d6e32c6ac41127f0240e887d2d7be47 |
| SHA256 | 0c07175e32cbd27323ef0b0af7fef76a2fcd13a915f77f81831c6e6838918b62 |
| SHA512 | 543ee652c9d334907c25151c391aff3c983f12bc046bbd20aa93b08f077d2084ee58b19a98a11565b6adcd37fb46562d407bec447c5f9b6e5863adb761b1d09b |
memory/2540-92-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp
memory/2572-91-0x00007FF6A0ED0000-0x00007FF6A1221000-memory.dmp
C:\Windows\System\pwKtynM.exe
| MD5 | 62b0a9bb614549c5616e0ea621b8153a |
| SHA1 | d8da1721e3e96dde1afdf2cafd845403f3118568 |
| SHA256 | 87bd10f92304ec910040b87c355ec956011090d4d152ece375ef7dc2379cc1d2 |
| SHA512 | e06fe87209aaabfa1aa2917f3176297755e7588d82c27c1b3aa314780f8299fce693cc202726fd208d921e1f2e886210cc4b84dc241a46ba0a7ea07d3f62abb2 |
memory/3484-84-0x00007FF6AE8C0000-0x00007FF6AEC11000-memory.dmp
C:\Windows\System\vBWJFRN.exe
| MD5 | e1ec731006e03c3982327e5bb9daeefb |
| SHA1 | dc1b43ab2a125e2028b490dd34421a081bb7c418 |
| SHA256 | 658cfe20353d36f61e064ea9ea6439cc305a4ef3995bcc45064052d32e637253 |
| SHA512 | 74601007d39440e417820d5d57ae3e4500ef015508a57ccef400d1ce1c0b2c676d94daaa0084f0468d402e11af2feac140795512d6121dcceb5a8853e8416dff |
memory/960-73-0x00007FF7A9F10000-0x00007FF7AA261000-memory.dmp
memory/4972-70-0x00007FF607B40000-0x00007FF607E91000-memory.dmp
C:\Windows\System\DTTUwRa.exe
| MD5 | e341271e9ec1422882fa35f3fa929277 |
| SHA1 | 45bb97fbc879af510b0970003bcdcf6ef8a79abf |
| SHA256 | f6690f1acce5c20f5277e904bd8a4b5ae5cc89f2f550c34b041a826bdeeb7cd3 |
| SHA512 | 96b1428e16f6f15544d8ca967ba86691773972e954d7ddfdf3e425ab23a8ce476eefe0987a7940f383c3a870a09866d0601d4f7359fb7a308ac220f8ef69c7b3 |