Analysis Overview
SHA256
6cd3802aef92bdf43531236fcf3ac51027b51d96a31a3a0b7dfe169a9aa9776b
Threat Level: Known bad
The file 2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
xmrig
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-01 10:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 10:09
Reported
2024-06-01 10:12
Platform
win7-20240419-en
Max time kernel
142s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uzMaDdV.exe | N/A |
| N/A | N/A | C:\Windows\System\aDJEWJt.exe | N/A |
| N/A | N/A | C:\Windows\System\SoXhrBm.exe | N/A |
| N/A | N/A | C:\Windows\System\wAMFcdk.exe | N/A |
| N/A | N/A | C:\Windows\System\dAWZteO.exe | N/A |
| N/A | N/A | C:\Windows\System\pQNbgxn.exe | N/A |
| N/A | N/A | C:\Windows\System\rMsCoWU.exe | N/A |
| N/A | N/A | C:\Windows\System\EfvCBCE.exe | N/A |
| N/A | N/A | C:\Windows\System\Biklqkj.exe | N/A |
| N/A | N/A | C:\Windows\System\VsiadeV.exe | N/A |
| N/A | N/A | C:\Windows\System\yttZlLR.exe | N/A |
| N/A | N/A | C:\Windows\System\sOfEYid.exe | N/A |
| N/A | N/A | C:\Windows\System\dTDmLMj.exe | N/A |
| N/A | N/A | C:\Windows\System\DAiVabL.exe | N/A |
| N/A | N/A | C:\Windows\System\qPNxgcj.exe | N/A |
| N/A | N/A | C:\Windows\System\cSfPUfk.exe | N/A |
| N/A | N/A | C:\Windows\System\hZkwXDN.exe | N/A |
| N/A | N/A | C:\Windows\System\CjQzPsm.exe | N/A |
| N/A | N/A | C:\Windows\System\qCToxvB.exe | N/A |
| N/A | N/A | C:\Windows\System\fXpfvyO.exe | N/A |
| N/A | N/A | C:\Windows\System\ozLNebQ.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\uzMaDdV.exe
C:\Windows\System\aDJEWJt.exe
C:\Windows\System\SoXhrBm.exe
C:\Windows\System\wAMFcdk.exe
C:\Windows\System\pQNbgxn.exe
C:\Windows\System\dAWZteO.exe
C:\Windows\System\rMsCoWU.exe
C:\Windows\System\EfvCBCE.exe
C:\Windows\System\Biklqkj.exe
C:\Windows\System\VsiadeV.exe
C:\Windows\System\yttZlLR.exe
C:\Windows\System\sOfEYid.exe
C:\Windows\System\dTDmLMj.exe
C:\Windows\System\DAiVabL.exe
C:\Windows\System\qPNxgcj.exe
C:\Windows\System\cSfPUfk.exe
C:\Windows\System\hZkwXDN.exe
C:\Windows\System\CjQzPsm.exe
C:\Windows\System\fXpfvyO.exe
C:\Windows\System\qCToxvB.exe
C:\Windows\System\ozLNebQ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 10:09
Reported
2024-06-01 10:12
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
154s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HYFDRgr.exe | N/A |
| N/A | N/A | C:\Windows\System\ovjMfmJ.exe | N/A |
| N/A | N/A | C:\Windows\System\tHsBArz.exe | N/A |
| N/A | N/A | C:\Windows\System\NIjLIrm.exe | N/A |
| N/A | N/A | C:\Windows\System\JkBGNMa.exe | N/A |
| N/A | N/A | C:\Windows\System\vuocFIT.exe | N/A |
| N/A | N/A | C:\Windows\System\fnhiJRx.exe | N/A |
| N/A | N/A | C:\Windows\System\bQwuxbt.exe | N/A |
| N/A | N/A | C:\Windows\System\JPSCPUj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDrQNvg.exe | N/A |
| N/A | N/A | C:\Windows\System\rwRMtbx.exe | N/A |
| N/A | N/A | C:\Windows\System\kHOCEHT.exe | N/A |
| N/A | N/A | C:\Windows\System\vtYpEiv.exe | N/A |
| N/A | N/A | C:\Windows\System\ElEoHvh.exe | N/A |
| N/A | N/A | C:\Windows\System\eXwodaG.exe | N/A |
| N/A | N/A | C:\Windows\System\MZdoNIn.exe | N/A |
| N/A | N/A | C:\Windows\System\nkPpPkj.exe | N/A |
| N/A | N/A | C:\Windows\System\zVbGwfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\flidRdn.exe | N/A |
| N/A | N/A | C:\Windows\System\yIyDbgN.exe | N/A |
| N/A | N/A | C:\Windows\System\hZilBLn.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3a4a7a96285d3413174e7bb18bfe86d9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HYFDRgr.exe
C:\Windows\System\ovjMfmJ.exe
C:\Windows\System\tHsBArz.exe
C:\Windows\System\NIjLIrm.exe
C:\Windows\System\JkBGNMa.exe
C:\Windows\System\vuocFIT.exe
C:\Windows\System\fnhiJRx.exe
C:\Windows\System\bQwuxbt.exe
C:\Windows\System\JPSCPUj.exe
C:\Windows\System\ZDrQNvg.exe
C:\Windows\System\rwRMtbx.exe
C:\Windows\System\kHOCEHT.exe
C:\Windows\System\vtYpEiv.exe
C:\Windows\System\ElEoHvh.exe
C:\Windows\System\eXwodaG.exe
C:\Windows\System\MZdoNIn.exe
C:\Windows\System\nkPpPkj.exe
C:\Windows\System\zVbGwfZ.exe
C:\Windows\System\flidRdn.exe
C:\Windows\System\yIyDbgN.exe
C:\Windows\System\hZilBLn.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3192-0-0x00007FF686F80000-0x00007FF6872D4000-memory.dmp
memory/3192-1-0x000002079C430000-0x000002079C440000-memory.dmp
C:\Windows\System\HYFDRgr.exe
| MD5 | 2c7e8cfc5a30f9fe871cafacc4cc7ab1 |
| SHA1 | ba6f8fadd0baacb57156a0703322a4a41751c15d |
| SHA256 | 15d02b1c76fe8f5a6c534dbc306c4b5c055778e266ad4c295176182b30c645b9 |
| SHA512 | 2694d4e79c211a25dd5052c3be4a3aca3e56810023caa4b3e94fed75e633d27a9c226d879e4fbab79203e91ead8c0077eb237632b302a23db426729033c01079 |
memory/4036-7-0x00007FF7D8480000-0x00007FF7D87D4000-memory.dmp
memory/2644-12-0x00007FF739600000-0x00007FF739954000-memory.dmp
C:\Windows\System\ovjMfmJ.exe
| MD5 | fdaeb9ad854c1bb9b14d49a836e90bb5 |
| SHA1 | eb279727551593d0b43b901fe259f0e01767fe77 |
| SHA256 | e83086e358b96a76d5fdd51d10b9c101ebae2f688806c9b302e35ecfa07add43 |
| SHA512 | d6d306bd938ae3ca21cabd88ff50f7699d3313c23846c4dc822b364e67f38a6ca88057c5ee27e16f184ab40b8f2b2a3f3a1a311024cdc95206002cfc3c91a01d |
C:\Windows\System\tHsBArz.exe
| MD5 | d693ffcca076b77cf16a4860b917e4f3 |
| SHA1 | 73fbca5de53be7e84ea19aa111657bbefebde8c0 |
| SHA256 | 42a165f9e3f4bbd265baf0291fb6d6ab74d5193fde2ae66b47dc8a51521b5989 |
| SHA512 | ac97063452711aab89b6db4fc54781a2b27bebb612ca03e74f3f265af5080898c70228913a202d922f29bf7e19dd60b7474dbeaf6ab0cc9b2f02f96b0cf54dbc |
memory/2240-20-0x00007FF654A50000-0x00007FF654DA4000-memory.dmp
C:\Windows\System\NIjLIrm.exe
| MD5 | c3fe9a8fa5e1140ff093a24b716f5944 |
| SHA1 | 8234ee59b2d2e1d5d5348d6c793fe3b42a4c80eb |
| SHA256 | 9efb6351f7075bdea54da9075dbae36d223200e0a66075780b2031053334cb0a |
| SHA512 | 551260a9c11a0ba0195c727831bcc0b5b06f61188f24465134188b490b150903ba6cd08a834a2b9dca4b9c0317be13727d840ffeca1462d04c50b5a298044f2e |
memory/2364-26-0x00007FF617B10000-0x00007FF617E64000-memory.dmp
C:\Windows\System\JkBGNMa.exe
| MD5 | 091ab7f1fc4bd1feae164a389340e758 |
| SHA1 | 1c17e2bc831f7e28ec7ee6731d14cdc1725ef731 |
| SHA256 | d0068d7636c33d188992d10682837c055e97568732941244fa50528fcad45ba6 |
| SHA512 | db432860e11e43d1f8bfc90e3e59f269ab077bfa756fe2d76738524d4355e779835ccecf7a85ca041c5c119165ba1130a7b89322069209258cb04e4f89ae225e |
memory/216-32-0x00007FF7B5910000-0x00007FF7B5C64000-memory.dmp
C:\Windows\System\vuocFIT.exe
| MD5 | 3428bfcb9b55ed527649b5475de95558 |
| SHA1 | 5788f67bf7127da8a0c43cb10be50686c069eb1c |
| SHA256 | 5cfdaae392855de47164110294ca5a7faa48af8e187ac57e5d7859837209ac9d |
| SHA512 | 0714eeaf73dda43482b5b760042492a8ef02de4448719985e55f9e9bb811c8694ac317dbb05a32696170a69199f4fb8774d11c9929171558d82d964c135ce53c |
C:\Windows\System\fnhiJRx.exe
| MD5 | 32a77db0bfedccd25dfd603f88ef7e1d |
| SHA1 | 785aace1477ee187307c60f0d8b472965d380d47 |
| SHA256 | 7876c406baba5431ddf15c82bf0d46f06715ffa401565b95b6bdfb398d77e979 |
| SHA512 | cf4f01726a542d3dbef53a966a3fac80296fedd51c71a6b5c2e72e66a12ff2e0085d011ad089cd10ad910d65a8ba1d8512dad334fd4929a63206ae0c5c780aea |
memory/2904-44-0x00007FF64F640000-0x00007FF64F994000-memory.dmp
memory/2260-38-0x00007FF6AA9D0000-0x00007FF6AAD24000-memory.dmp
C:\Windows\System\bQwuxbt.exe
| MD5 | 4fd9d4d829c08d88fea0b8b646183922 |
| SHA1 | fac67dcf1d34fb753fdaaa178c6232210f151954 |
| SHA256 | e5231fec7c63af9b6c749a3711fda94096e835aded378d18e6ff8dd7c390cf51 |
| SHA512 | 33cde751d09444cec134af9a4af08eeed519b94b6200ccb5af161e8ce2f8f37630e54e6ced7b577b5b87550164a164f958c4cfa8442117314356d9084a7e13a0 |
memory/1016-50-0x00007FF77A6D0000-0x00007FF77AA24000-memory.dmp
C:\Windows\System\JPSCPUj.exe
| MD5 | a350094889283275de5c66fa8a03430a |
| SHA1 | 2c75674890afabe17a32ad17a91767384d94788c |
| SHA256 | e21ab20743f06c716a6c4c4b397709bc9c8adc4f918b79602c182002a152f182 |
| SHA512 | 35c400e7d6f44bca192aac8c18107b6cbb99984256030265f7206fdb47c83edd5e596e9abb99c4d13894fbfe6121921c49c0f47ea169406cb232fb6ac69de618 |
memory/5060-54-0x00007FF6AC5C0000-0x00007FF6AC914000-memory.dmp
C:\Windows\System\rwRMtbx.exe
| MD5 | 1b2d3b77d426be2be89c7469ecdccb3c |
| SHA1 | 824098d7b6e010769cbbdef94cf76e24bf09dc11 |
| SHA256 | 07581d8cda59680de432f47dee7e293c5a0575531eb58aa5686723b4c09860e0 |
| SHA512 | 045c89b09afaf4e07ad87d2e60878e7a0aef15fd0fa9fd55071e0fb72ecc087bf392b4738332700a2ebff93747714760deeb8906ac7e168145a91891df0fd2bc |
memory/4876-68-0x00007FF7B7CD0000-0x00007FF7B8024000-memory.dmp
memory/4036-71-0x00007FF7D8480000-0x00007FF7D87D4000-memory.dmp
memory/1640-73-0x00007FF6EF9C0000-0x00007FF6EFD14000-memory.dmp
memory/968-75-0x00007FF77A420000-0x00007FF77A774000-memory.dmp
memory/2644-74-0x00007FF739600000-0x00007FF739954000-memory.dmp
C:\Windows\System\kHOCEHT.exe
| MD5 | b76172e85cc64ae94a95af9874bb881f |
| SHA1 | 914226798aa77504256ff93492c2b3c2874449cc |
| SHA256 | 2f73b8069586da60cf1ef61db6430b0b30017d7876ba11f506302629e240b79f |
| SHA512 | bff3840de4f2fcfa6fff9f6e17500233248fe99a8391778ba2ddc6cc0db683bdd083aa4ee3bd89895fedfd941d7f16c03addd2dd9ee2dcfd4d129206d6eaf744 |
memory/3192-62-0x00007FF686F80000-0x00007FF6872D4000-memory.dmp
C:\Windows\System\ZDrQNvg.exe
| MD5 | 74288fc049a4e9615b7ae2773cbda0aa |
| SHA1 | 5325ebc3868e60b5cbb23a990f2f98ef73c2a92d |
| SHA256 | 02e83ed6eb4d5a3bef1bcc343ab5fc42220739199d56cd917ee6c38e83bfd815 |
| SHA512 | 6fd89e06243e5d71721860719f024b6f1715721d21649135fc49f1dc2b695b3ce02d1e72d8cb7cf676caae2a3d5be3a28063c7331c8a135baf315b4ea2b740de |
C:\Windows\System\vtYpEiv.exe
| MD5 | 287a3132565f32a9f6861384ab51c170 |
| SHA1 | 5e865e912cd6aa5d933a0846670322c23fad1ce7 |
| SHA256 | 5e26e9406093586c211c99f614b19255b1b351e8ffc5c6042520af0630e819e6 |
| SHA512 | 683f5367a8966ecc4d3bec90a620298a875825a2f2b4fbbbb7bd48cf51db2f9b8a4066fa213db14b5433fda7ae2dc5e8b3e3f2dc04f2c98d0ad1ce3a8802aa01 |
memory/2240-83-0x00007FF654A50000-0x00007FF654DA4000-memory.dmp
C:\Windows\System\ElEoHvh.exe
| MD5 | f0657206f111b995527e12ab1d9f24d8 |
| SHA1 | e10f49780dbab5730362da988bf2d1cf51d79cca |
| SHA256 | 965f27e9c42553b89c7c63c2a8b694423ac5dfbfaf6c24ffd1f6098865e140bf |
| SHA512 | 946856ade0cf9f0ec8b4bcc3e4f85cd12826e24c0eae5138a98ee78a3c2a83ea87a59c5e14281fbc57954dac723fece2a0ceed6c782211e4f9711b2892855e00 |
memory/436-84-0x00007FF750070000-0x00007FF7503C4000-memory.dmp
C:\Windows\System\eXwodaG.exe
| MD5 | 6e043ea8e53e1f3b30c0ee44ec116213 |
| SHA1 | e3e9573283bf9424e9cee0fbd3bf1c89ead00e10 |
| SHA256 | ad257e25da349ee2ed80302ff332e05908a0cd12e14c81063afb7e82943f82c1 |
| SHA512 | 0a57ae26d633dd64d5e1444dfe10192431e8cdb9d830240913f4220052f28d6b08fc6fd2e855a3dc73229198cdbf4a83370caa039b41689df14df7d324a223cd |
C:\Windows\System\MZdoNIn.exe
| MD5 | f77b462579de9916c654b5bb5c0224d1 |
| SHA1 | 4aff9d19561837226ff68dd11abbfe8fbe1b2421 |
| SHA256 | 4446fd73c3a8be38fc7148ed2ff590f1636ca3c60039f7f8f035d148b2185691 |
| SHA512 | 3fde35ad72438ded90ebf00f7f329f83242d9b0a18bc120f38c5f168049a741732e8f0f11867253ffd0a63bc7544bd321443e5565c105b09b68c0296ede52e67 |
C:\Windows\System\nkPpPkj.exe
| MD5 | 139c3b9a42aa187314ab92e59a55d325 |
| SHA1 | 194a09c0d05187753f1c0550c0b603ed59731c2a |
| SHA256 | 65b6e26ea8d228dd3cd3f760e4d4bf2b8e26a35f212a077206190663d04fd3da |
| SHA512 | 11b52a4202d7760328d37282167cad590e0f937aa0e7e75f281b086b00f4a426bb2a5d1b754de21b7d4237061b1c7fa8422a02ee410fb36d4a8c76d4aa763627 |
C:\Windows\System\zVbGwfZ.exe
| MD5 | 595367571b7d723355cf1d8ab47b1e34 |
| SHA1 | d22807b4cf0b5d6a57b05c0e386288e36682da63 |
| SHA256 | 1a70aa25076cfefbc35adacf3b78ec143737c6473b3034f179454b86c7114eae |
| SHA512 | 982d1db04e12b72dee06fd50b94ef3d841ab1d7cea710ea85ac7e5a8047be03fa75e8b2e2a3cbe0021ec2b7acabef9ba046b60135292d9f2ae8220d5f64ab005 |
memory/2364-108-0x00007FF617B10000-0x00007FF617E64000-memory.dmp
memory/3288-112-0x00007FF79D280000-0x00007FF79D5D4000-memory.dmp
C:\Windows\System\flidRdn.exe
| MD5 | d9fc7fe1f49305ff562cee0c91cbf692 |
| SHA1 | f8dc4cda7f8c72e93ddaa74205db0cf80c5ccf1d |
| SHA256 | 5a399e2de54fd9ab9a7c4c4a58158f74941fbe7c50e6c62fd360f7a28c335841 |
| SHA512 | 03d4cea8167eda768ac8ad4964bf77d745745ebe571222d5a5def48c394a1cc5b5bad15750de76a24f365a3f205e9aefbb5994cef87f2f3d7c1d5799b1ecf53a |
C:\Windows\System\yIyDbgN.exe
| MD5 | 7c19438c8acfa540c513ee67d2a09d3a |
| SHA1 | 0411b8e713fd3d271211af10f5a1d34c358c8029 |
| SHA256 | 5f8462ce33828a4096cbe58b05953087bbb93a129ad9f764da2853f33fafa7df |
| SHA512 | da3b2bff642c5321bed4b1e1c0a2ae75185f39f65039dae2e46f011dc7b042514c56f6a995e6b5b457711b905167342557fb56687b843e77bd6d79fd6ec52dcb |
C:\Windows\System\hZilBLn.exe
| MD5 | a6b26bd43aa8dfde5e4f6420e1bef8f2 |
| SHA1 | 15553a77293662aa58a7ee79ed9faf0f35b35ed2 |
| SHA256 | 4510c6817fabc5af1859eede710309b356ccc85037dd528be063e40d4a706a93 |
| SHA512 | e8a83f2f62be26c201a22b87e699c4f41eda05b631a4b5187721c3e4c57689ea9a624cd054d24df9ffba199fe06b71f5e24cef5d644af96ebc87a122ecce0604 |
memory/3344-132-0x00007FF60E1E0000-0x00007FF60E534000-memory.dmp
memory/4604-131-0x00007FF7B4FE0000-0x00007FF7B5334000-memory.dmp
memory/828-127-0x00007FF74FEB0000-0x00007FF750204000-memory.dmp
memory/3568-123-0x00007FF7D7EA0000-0x00007FF7D81F4000-memory.dmp
memory/5028-120-0x00007FF6DBBC0000-0x00007FF6DBF14000-memory.dmp
memory/456-118-0x00007FF6FC840000-0x00007FF6FCB94000-memory.dmp
memory/3152-113-0x00007FF749720000-0x00007FF749A74000-memory.dmp
memory/5060-133-0x00007FF6AC5C0000-0x00007FF6AC914000-memory.dmp
memory/968-134-0x00007FF77A420000-0x00007FF77A774000-memory.dmp
memory/4604-135-0x00007FF7B4FE0000-0x00007FF7B5334000-memory.dmp
memory/4036-136-0x00007FF7D8480000-0x00007FF7D87D4000-memory.dmp
memory/2644-137-0x00007FF739600000-0x00007FF739954000-memory.dmp
memory/2240-138-0x00007FF654A50000-0x00007FF654DA4000-memory.dmp
memory/2364-139-0x00007FF617B10000-0x00007FF617E64000-memory.dmp
memory/216-140-0x00007FF7B5910000-0x00007FF7B5C64000-memory.dmp
memory/2260-141-0x00007FF6AA9D0000-0x00007FF6AAD24000-memory.dmp
memory/2904-142-0x00007FF64F640000-0x00007FF64F994000-memory.dmp
memory/1016-143-0x00007FF77A6D0000-0x00007FF77AA24000-memory.dmp
memory/5060-144-0x00007FF6AC5C0000-0x00007FF6AC914000-memory.dmp
memory/4876-145-0x00007FF7B7CD0000-0x00007FF7B8024000-memory.dmp
memory/1640-146-0x00007FF6EF9C0000-0x00007FF6EFD14000-memory.dmp
memory/968-147-0x00007FF77A420000-0x00007FF77A774000-memory.dmp
memory/436-148-0x00007FF750070000-0x00007FF7503C4000-memory.dmp
memory/3288-149-0x00007FF79D280000-0x00007FF79D5D4000-memory.dmp
memory/3152-150-0x00007FF749720000-0x00007FF749A74000-memory.dmp
memory/456-151-0x00007FF6FC840000-0x00007FF6FCB94000-memory.dmp
memory/5028-152-0x00007FF6DBBC0000-0x00007FF6DBF14000-memory.dmp
memory/3568-153-0x00007FF7D7EA0000-0x00007FF7D81F4000-memory.dmp
memory/828-154-0x00007FF74FEB0000-0x00007FF750204000-memory.dmp
memory/4604-155-0x00007FF7B4FE0000-0x00007FF7B5334000-memory.dmp
memory/3344-156-0x00007FF60E1E0000-0x00007FF60E534000-memory.dmp