Analysis Overview
SHA256
05bb8ddd38fc4580e2e1d98a1c5b0a230a56d8d0268a81d71df2812d03d7efde
Threat Level: Known bad
The file 2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike family
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 09:12
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 09:12
Reported
2024-06-08 09:14
Platform
win7-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KURFxjF.exe | N/A |
| N/A | N/A | C:\Windows\System\sDrUVJw.exe | N/A |
| N/A | N/A | C:\Windows\System\GQfPcFO.exe | N/A |
| N/A | N/A | C:\Windows\System\Vubgkse.exe | N/A |
| N/A | N/A | C:\Windows\System\oWrxBEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\tmOxmdL.exe | N/A |
| N/A | N/A | C:\Windows\System\rzxJxkZ.exe | N/A |
| N/A | N/A | C:\Windows\System\TtkCXHl.exe | N/A |
| N/A | N/A | C:\Windows\System\HsVBAsH.exe | N/A |
| N/A | N/A | C:\Windows\System\SUgQiZL.exe | N/A |
| N/A | N/A | C:\Windows\System\ogMxAas.exe | N/A |
| N/A | N/A | C:\Windows\System\mWbNAvq.exe | N/A |
| N/A | N/A | C:\Windows\System\GeEOLsD.exe | N/A |
| N/A | N/A | C:\Windows\System\raKbiva.exe | N/A |
| N/A | N/A | C:\Windows\System\QZKJtLD.exe | N/A |
| N/A | N/A | C:\Windows\System\vKvNNrE.exe | N/A |
| N/A | N/A | C:\Windows\System\RRkgbbw.exe | N/A |
| N/A | N/A | C:\Windows\System\sGcLAKK.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpVCPkC.exe | N/A |
| N/A | N/A | C:\Windows\System\ogckRUe.exe | N/A |
| N/A | N/A | C:\Windows\System\JuVoFLQ.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KURFxjF.exe
C:\Windows\System\KURFxjF.exe
C:\Windows\System\sDrUVJw.exe
C:\Windows\System\sDrUVJw.exe
C:\Windows\System\GQfPcFO.exe
C:\Windows\System\GQfPcFO.exe
C:\Windows\System\Vubgkse.exe
C:\Windows\System\Vubgkse.exe
C:\Windows\System\oWrxBEQ.exe
C:\Windows\System\oWrxBEQ.exe
C:\Windows\System\tmOxmdL.exe
C:\Windows\System\tmOxmdL.exe
C:\Windows\System\rzxJxkZ.exe
C:\Windows\System\rzxJxkZ.exe
C:\Windows\System\TtkCXHl.exe
C:\Windows\System\TtkCXHl.exe
C:\Windows\System\HsVBAsH.exe
C:\Windows\System\HsVBAsH.exe
C:\Windows\System\mWbNAvq.exe
C:\Windows\System\mWbNAvq.exe
C:\Windows\System\SUgQiZL.exe
C:\Windows\System\SUgQiZL.exe
C:\Windows\System\GeEOLsD.exe
C:\Windows\System\GeEOLsD.exe
C:\Windows\System\ogMxAas.exe
C:\Windows\System\ogMxAas.exe
C:\Windows\System\raKbiva.exe
C:\Windows\System\raKbiva.exe
C:\Windows\System\QZKJtLD.exe
C:\Windows\System\QZKJtLD.exe
C:\Windows\System\vKvNNrE.exe
C:\Windows\System\vKvNNrE.exe
C:\Windows\System\RRkgbbw.exe
C:\Windows\System\RRkgbbw.exe
C:\Windows\System\sGcLAKK.exe
C:\Windows\System\sGcLAKK.exe
C:\Windows\System\ZpVCPkC.exe
C:\Windows\System\ZpVCPkC.exe
C:\Windows\System\JuVoFLQ.exe
C:\Windows\System\JuVoFLQ.exe
C:\Windows\System\ogckRUe.exe
C:\Windows\System\ogckRUe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1224-0-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1224-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\KURFxjF.exe
| MD5 | 34f039b1a652bf6d7a6b38231000fa09 |
| SHA1 | a7dc7b02e97099e52c41a0126860e37e83776ff0 |
| SHA256 | 09b986e10966d84508d05f85565ec10f751cd5bf8c947430a6d910de057dcced |
| SHA512 | 5af03dd03c647c5963efa96ea69c4aef325c95585d39f8a40ea5b800adce1784eb4c5ab41fb6db2ff26496d9bc2f081717d4456995b008b6687d62b1bcfdb0f3 |
memory/1224-8-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2868-9-0x000000013F520000-0x000000013F874000-memory.dmp
\Windows\system\sDrUVJw.exe
| MD5 | 2e33fd9bea3096fefca8b7e00e152f49 |
| SHA1 | 915c0fbacc4be8b03d69e4faa8a6a2a2ad530d63 |
| SHA256 | 0f515ca3db59ffbb874d931093a81587f01638c46ed7cafeb19077240a21e168 |
| SHA512 | ca87408ecb20daf352f245e697629a3fee33dcbed58b48aaf3ad4fa19a44bf3dff5a3f8cb48ababffdb794c083684a2093a9cd0ce67ddc34e05ac4c2f17b1a47 |
\Windows\system\GQfPcFO.exe
| MD5 | c5776828ca9435eb9831b5a420e00ec5 |
| SHA1 | 66dd00f19881b13942c5f614a5b20a9c6988b0ed |
| SHA256 | 8f92f215abacdde94671b560699ae8a39497da4007246af8239940a38145fd5d |
| SHA512 | 4936a321b4780854b8c54e0452f61bd99cd6d08c1c5c6a6eaf20c7fcd6d8381c14c76bfe7530689d2c02b4ab4a44ecda36a59897e87cf0764abcf8e0fbffe577 |
memory/1224-13-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2808-22-0x000000013FFB0000-0x0000000140304000-memory.dmp
\Windows\system\Vubgkse.exe
| MD5 | acaec54b171fb40e25d6bd7ad6921e2b |
| SHA1 | aa34a6616ebfa0c73ed7b9eab68ded52907dec93 |
| SHA256 | b080efd57006867875f4e223bea3ddec0b7ce89683bff26932c5409ea2574c49 |
| SHA512 | 6067585fb70e1717894dd9b9bd99b234849889686e0bcd9c657645256988779075dc83bb439eeb0836c5896480e4873ce39da17e776f5d77789abbc6a357d5df |
memory/1224-27-0x000000013F8C0000-0x000000013FC14000-memory.dmp
C:\Windows\system\oWrxBEQ.exe
| MD5 | 7c612ee6f650c64b56d73a9ffe184fe5 |
| SHA1 | 74cee9b9b69f0dcd9c8c1ddcfb3f4655925adc90 |
| SHA256 | 62352e82ae0595eadc8c4a9743c1361d1a3643a0ca73b0835c38871f45209aa2 |
| SHA512 | bf031777004410c95ec1def93025886e1646e0d20ae4d4431b8e4d84f7969e74245e4926fc63a2ba6016ef94d0aabad89b63239a16ae18814f3b893efed320b4 |
memory/2640-34-0x000000013FE80000-0x00000001401D4000-memory.dmp
C:\Windows\system\tmOxmdL.exe
| MD5 | b664b23d86efd6272ed2998537927dc5 |
| SHA1 | add80aa93fc579e8c7264621e0ab9b4ed28f2aae |
| SHA256 | fc1b926c2a960c44b7adf5b209add069a9c73168f344e8b17597ad477c826fc3 |
| SHA512 | c6818d1e608fb6f90cf60b3da71b7497576a35de6c3e4a113bebe2bcc6b55625928f60c24d29b316eeeb805b3f713450c7ab720160a7dd4173426770867c0d0c |
memory/1224-74-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2808-76-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2672-80-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/1224-85-0x000000013F7D0000-0x000000013FB24000-memory.dmp
C:\Windows\system\QZKJtLD.exe
| MD5 | fa5c6bda150c09e2ab29379a5cb66a80 |
| SHA1 | 9fa34454bf0d2f831bdc5c239405abcd13e361c3 |
| SHA256 | e8b3432da1089982df141b6144b17f371f9ba747e9aa9290b6f8458f1922beac |
| SHA512 | b00a9bbdc8cb2251f1ef4fa5b1a0249520a02017a817b72f18d868c5121c0465f376ceddb37fbd5500dd02886f78ca5ee7d782335d7fcc7e1b41f7d72754d6dc |
\Windows\system\ogckRUe.exe
| MD5 | 178443474f216b2500d774ce1c87465a |
| SHA1 | 6b19f26afe369c2071c69f6bf25cdad0144f344d |
| SHA256 | 2cee1d838ba20df50c3d5adce91b99cb0d3d56462325ad7ca297d44c4b2b6b21 |
| SHA512 | 69625dcd6810c920ea7eb7e3bce86576ef9e9b80fad72333dc9b9ba2058df346463bc126f30dfe6d972d7fcd4b35d105af8a7af33b34ca9234b8f13e75fa4164 |
\Windows\system\JuVoFLQ.exe
| MD5 | f0680563de498ccf5bb4f279bb9d7049 |
| SHA1 | 151b5e0b3e80fc2a54220db6265817941e706ab6 |
| SHA256 | 9930002b24ac63d006301dd83872ba24dcae3a681b7813a4ec4c4a80c834b1e3 |
| SHA512 | 0b7821fb0e6a6d4d05c8574030565ddc68439bc14e3b19bd7390d41298b06549211cb585a26728f1ed92766af0134b332b45f5587f8c4a5eccb0a2164b69957f |
C:\Windows\system\sGcLAKK.exe
| MD5 | 00bfaa7bf2e7e6bf90c2f59cde9c4450 |
| SHA1 | 24f04a75be40333e046d955bbf98249c3f73dbd9 |
| SHA256 | 1b8a1402494b1007da232e2b4ba03fbeedb0061805ff479ecd675937fd8ec1c7 |
| SHA512 | 854e8d217bac46bafdc2ec47062366603378ba43d669a3f4f67b672e192908eaa77a35f73a119c5b66bea7bcba6676c396e0049d0e52103484a43500d710f395 |
C:\Windows\system\ZpVCPkC.exe
| MD5 | 7ae2637a790e339ba131468a404a5a03 |
| SHA1 | 6058d5be987b6a31e6e6747230ddb1dc7f7ce139 |
| SHA256 | 640d5984241cf5eb37ad39209f1e75a95a1a3907e23552066ad621b67d07c378 |
| SHA512 | 37094db57da44095194331e00ff29240d3f2e2935a9638d0d572ff17966712d078b282f2f3e363310cdb71f69f3d95c237652be86548a5464bb56f36edca4174 |
C:\Windows\system\RRkgbbw.exe
| MD5 | e573ce3b9609dc1536569633b7dc1130 |
| SHA1 | c5d350003642a9193eda5497953a933fdcfe30f0 |
| SHA256 | a6f7f4fda3ccee3bd92b06de692a2a1d477043ecadf62eb6a6d3bef2ff590dc4 |
| SHA512 | dea8989a827ca9cecaa4f6debe83bdfd7a9a680e9cd3d89581e43ce38f47e62593c9e32a5417fa6a17f935e3f492806c09d18a9e44ba8d97f44a23c14306c85e |
memory/2984-135-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2656-134-0x000000013FA00000-0x000000013FD54000-memory.dmp
C:\Windows\system\vKvNNrE.exe
| MD5 | 2dd415cfc49e1bb8a58645249fd2e6aa |
| SHA1 | df3a5c1c83d7e6b3d4c6d5d811a113dbe62c5c15 |
| SHA256 | 77b1c9240402662d2b7998836caaa54ba8c416ac52b2351321a99c72213ce797 |
| SHA512 | bee0080c985305b9467ba91614acaffed95bf23d0213f4aa0634b94cc71830a9ae1d20b8aa59c09cab961a4fb97c00017c340a139bebdaaefb551f98d93cdc90 |
memory/1224-104-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2548-86-0x000000013F7D0000-0x000000013FB24000-memory.dmp
C:\Windows\system\raKbiva.exe
| MD5 | ee95c5343529ae3c5c112e712ce02360 |
| SHA1 | cd9c68fca297f5934d10373d5f303eb002998b2e |
| SHA256 | e152223309c6d86d6e52d803d66610dadfc61fe44a0e2415fab6d75d74876072 |
| SHA512 | 984f87a84dff96ffef8cc325257208e626add062e52175db1c3a4f1bfba97aaaa865d242d86494dcca4e64a0bb30b349589f7e3b7182dbe66fc7f96889effad6 |
memory/2688-79-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2636-69-0x000000013F510000-0x000000013F864000-memory.dmp
\Windows\system\GeEOLsD.exe
| MD5 | 1635aa40d1f7f9846fd3a8d9ceea0346 |
| SHA1 | b923d0ccfaea59dae6c9653af19c4f3b78046aa7 |
| SHA256 | e106cdde9902dff59c058597bc5eab5783fbdfbbeeea8935be4cd86179ebcb3d |
| SHA512 | c009d1a7d476e93d54cc49eb0bac483e244826f9a507da5d045d91ab1770ba7c9788762e0626feff9d0adb166d7333971985fd8f1305866ffc3c5fd2da99a1e6 |
C:\Windows\system\HsVBAsH.exe
| MD5 | b04714f9f399c88545529775471bfb6d |
| SHA1 | 9c291c87009e76c0b7c3b3845796d6725988c93c |
| SHA256 | f39831f181ca7f68125a78f5f39e05628ba87f63b446af7304b83210cd58da4d |
| SHA512 | d225d9dca6805f454f3a3d36054b773717318efce1fedfa86ca57d2598526afe1524eef3a5a55ca441bbcd31df9d429af229f56503c8cbaa13ef79cdf0334566 |
memory/1224-57-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2984-55-0x000000013F6C0000-0x000000013FA14000-memory.dmp
\Windows\system\mWbNAvq.exe
| MD5 | a6c69ac4a36ab6f78eed28507f37defa |
| SHA1 | 683bd594024235f71b2d5b9f965f5016d95f8e58 |
| SHA256 | 0880239297aee6b84e401ab0108a3c7bf5579e12d7b94ebd5f1457d376720f87 |
| SHA512 | a44de6931352ba1b25289d0f8af97a554303e1ea1ab78944c4858381d430e9532ee2cc369e723fba6a401e1d001b10a99b378cdb924bb6322857849ace541709 |
memory/2516-75-0x000000013FD10000-0x0000000140064000-memory.dmp
C:\Windows\system\TtkCXHl.exe
| MD5 | bb3c528cab8b31820bfa32b864e77b06 |
| SHA1 | 5eb8c019662f40fcdb32739754a687ae9ac88a43 |
| SHA256 | eecf92109179ad8457ee4c3e55763bbb88c295bfc5d33a3044019fc1d12beb00 |
| SHA512 | 1e5687cd789446b147ae28ed4efa1994f5bc4034a0ac3e96989edae7e24c4aae44af2e45ac933d4386b336c6ddc958e03b983988f6fe377e3822b909fdf2609d |
C:\Windows\system\ogMxAas.exe
| MD5 | c440485b3d6e03ab1d40b241fb3971c9 |
| SHA1 | c7bb145af783a4257284eaa65b35160c9276e00f |
| SHA256 | ea4fcd7583f029df31147670e174d4fa8a190673c5371bedb7f3e5cc0951225e |
| SHA512 | 47dd669e8e8988e084209d55b223818e5a9e6d89a430e8937fd76bd14179d08568afadf5083f6e313905644258c98b69b4d45899e717e7125713fa8f4e8ed38b |
memory/1224-65-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2760-64-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\SUgQiZL.exe
| MD5 | f200c8f91e2b6336dd556c8cc44183e7 |
| SHA1 | 95670b4b5db72d8479a34c5bb568fdc7906ec6bf |
| SHA256 | 3ba9c2fb1125e47278b64dbf3953b433ff2a5a8285099b807c311f5203f051e4 |
| SHA512 | 02e9676eeaf2f5e6a7c041e16ae1bdd1efc3cadbc04743bda969debfb7e821853b250dcaa40b5781719b53bcdf0999f9bec34a5d4b7c990ae2ffbc746a1ea98a |
memory/1224-62-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1224-136-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2656-45-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/1224-44-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\rzxJxkZ.exe
| MD5 | 115873bd4f4863d0b2be919cc8b28a9a |
| SHA1 | 18644d87046b7bb7ac0301ba92eb06dba718be1e |
| SHA256 | 4a3e05f20f8bace0d4221ac574366b8d7fd29569f3339f2346087171e72e602f |
| SHA512 | b4ed1e6fb76cc908324c77e6a8cf9099fdc8bd53f177c7d70bb1733cb9edf9d95ddb1aebe8fa4f4cb4b168b360b3db57f24f059858cab985952dedd8790eead9 |
memory/2720-39-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/1224-33-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2588-28-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/1924-20-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1224-19-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2636-138-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2760-137-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1224-139-0x0000000002320000-0x0000000002674000-memory.dmp
memory/1224-140-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2516-141-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2688-142-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2672-143-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/1224-144-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2548-145-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2868-146-0x000000013F520000-0x000000013F874000-memory.dmp
memory/1924-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2516-153-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2760-152-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2808-151-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2984-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2588-158-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2720-157-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2688-155-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2548-154-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2636-150-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2656-149-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2640-148-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2672-159-0x000000013FD00000-0x0000000140054000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 09:12
Reported
2024-06-08 09:15
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\aeeOVFT.exe | N/A |
| N/A | N/A | C:\Windows\System\jeLkgVB.exe | N/A |
| N/A | N/A | C:\Windows\System\JTkOuNm.exe | N/A |
| N/A | N/A | C:\Windows\System\MBcwlia.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRUQDzx.exe | N/A |
| N/A | N/A | C:\Windows\System\NFLoMpU.exe | N/A |
| N/A | N/A | C:\Windows\System\pMjaJVD.exe | N/A |
| N/A | N/A | C:\Windows\System\ItWqQqF.exe | N/A |
| N/A | N/A | C:\Windows\System\JKnhNuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SQBMlQe.exe | N/A |
| N/A | N/A | C:\Windows\System\issUlkl.exe | N/A |
| N/A | N/A | C:\Windows\System\xxjCfzb.exe | N/A |
| N/A | N/A | C:\Windows\System\MOxMMJq.exe | N/A |
| N/A | N/A | C:\Windows\System\UQtZVnK.exe | N/A |
| N/A | N/A | C:\Windows\System\DOehlYL.exe | N/A |
| N/A | N/A | C:\Windows\System\pwZqNEC.exe | N/A |
| N/A | N/A | C:\Windows\System\wdUPwmx.exe | N/A |
| N/A | N/A | C:\Windows\System\moSapWC.exe | N/A |
| N/A | N/A | C:\Windows\System\TdNOkZr.exe | N/A |
| N/A | N/A | C:\Windows\System\ZkihfBh.exe | N/A |
| N/A | N/A | C:\Windows\System\mAHnnPa.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f5f50a7810a6c6323e6a27e535c84e13_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\aeeOVFT.exe
C:\Windows\System\aeeOVFT.exe
C:\Windows\System\jeLkgVB.exe
C:\Windows\System\jeLkgVB.exe
C:\Windows\System\JTkOuNm.exe
C:\Windows\System\JTkOuNm.exe
C:\Windows\System\MBcwlia.exe
C:\Windows\System\MBcwlia.exe
C:\Windows\System\ZRUQDzx.exe
C:\Windows\System\ZRUQDzx.exe
C:\Windows\System\NFLoMpU.exe
C:\Windows\System\NFLoMpU.exe
C:\Windows\System\pMjaJVD.exe
C:\Windows\System\pMjaJVD.exe
C:\Windows\System\ItWqQqF.exe
C:\Windows\System\ItWqQqF.exe
C:\Windows\System\JKnhNuJ.exe
C:\Windows\System\JKnhNuJ.exe
C:\Windows\System\SQBMlQe.exe
C:\Windows\System\SQBMlQe.exe
C:\Windows\System\issUlkl.exe
C:\Windows\System\issUlkl.exe
C:\Windows\System\xxjCfzb.exe
C:\Windows\System\xxjCfzb.exe
C:\Windows\System\MOxMMJq.exe
C:\Windows\System\MOxMMJq.exe
C:\Windows\System\UQtZVnK.exe
C:\Windows\System\UQtZVnK.exe
C:\Windows\System\DOehlYL.exe
C:\Windows\System\DOehlYL.exe
C:\Windows\System\pwZqNEC.exe
C:\Windows\System\pwZqNEC.exe
C:\Windows\System\wdUPwmx.exe
C:\Windows\System\wdUPwmx.exe
C:\Windows\System\moSapWC.exe
C:\Windows\System\moSapWC.exe
C:\Windows\System\TdNOkZr.exe
C:\Windows\System\TdNOkZr.exe
C:\Windows\System\ZkihfBh.exe
C:\Windows\System\ZkihfBh.exe
C:\Windows\System\mAHnnPa.exe
C:\Windows\System\mAHnnPa.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.179.250.142.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3968-0-0x00007FF6A2C80000-0x00007FF6A2FD4000-memory.dmp
memory/3968-1-0x0000021A774C0000-0x0000021A774D0000-memory.dmp
C:\Windows\System\aeeOVFT.exe
| MD5 | f02617ad505b8dbb6f40fa74c09a7bc4 |
| SHA1 | dca9061dc4b0bad8bd0d7ebd86428bc488bd2ae4 |
| SHA256 | fa1b0171a15734adb150035124009e1ffa7e5a00c3b3a4234e613b15b10a8b95 |
| SHA512 | 5590e04119d5fbd86d51d52533249369a7cd653fe3beb3255b70aba57e16fa6fef096cceea60614cc38129ae34558082032f88d013750087f4924358224a25b7 |
memory/4848-8-0x00007FF7DDA50000-0x00007FF7DDDA4000-memory.dmp
C:\Windows\System\jeLkgVB.exe
| MD5 | 7581294fc2619a873300ec63a7724896 |
| SHA1 | c4c29e9a57556bcd6449c15aecb3da7a99c90c34 |
| SHA256 | 06485c56c84d588f02f10f0c10a5a2ce752f54758597d8b83a96936d598612f5 |
| SHA512 | 8efc723c45ff51d6a10ce5b8bdfdef298435c082e06f7894839d47800b87f47dbf560d95a0f27d66f3d23ed8912b96f7e5af322a64231a26dcff690ed2c91e6e |
memory/4572-14-0x00007FF60E990000-0x00007FF60ECE4000-memory.dmp
C:\Windows\System\JTkOuNm.exe
| MD5 | 656502f759d03824dcbcb43487fdef6f |
| SHA1 | b6f829c7e242cc56a5ac9f2d47725b5286b866a8 |
| SHA256 | 82c91261f6553bcc86afc83a3bdd89c38c44ac93ab47b586892e56271c84a812 |
| SHA512 | b1e41524432ca1052bea213f06218a2bc981dfad32e16466e076027857407de2ddeeebcf2b8878a5252d834bbac247ff3f44edbc00b3e17d41c3eb8de8325385 |
C:\Windows\System\MBcwlia.exe
| MD5 | 0c3aca776eeccc7d49e769638fcd40af |
| SHA1 | dee1365401c1a93e341f19838a543b3137c6a1dc |
| SHA256 | 422b2579a141d943239347c9d4a56350393d134e798789a9c48056626a7546f0 |
| SHA512 | 436899ac2dc4ff97a4120203de7e513a26a414900b445ff03d39e3b09e4c4a0433e0cf519c99ea6b73293d2ea9a114c7fb952da3eb6593b159a95562424ab863 |
memory/1156-25-0x00007FF760EA0000-0x00007FF7611F4000-memory.dmp
C:\Windows\System\ZRUQDzx.exe
| MD5 | 77377dd1f89af3a0b8b62b067ad2932b |
| SHA1 | cadcde8eb0fec26f41ffc4f67019e4dd36353865 |
| SHA256 | b163a675dd26f82eef2ead48c8046e2f2813b1238974a5f742930e4d3af9605c |
| SHA512 | 6a43cf04fa8b9d4955d6daa928fa1381901dd34508e68808df8963d680830042aded2412bb12b2d7adccfbc8850dfac75c8c8e6cfb5029ed20fb60645c8e0236 |
C:\Windows\System\NFLoMpU.exe
| MD5 | a2409e5039438c69c62fd0cf77fa487f |
| SHA1 | bb6747249dfacdc1cfcc366213b644f813a4faf4 |
| SHA256 | 729ddf928562e4c1f7b063163c99e775bad7dd6358029d7f87746374abb15e98 |
| SHA512 | d971d0ddf1c8d5a9b04c04ec5a35dc56f2c85cdd51e00117a3d4be121426f0d042b233f6e339628568a5f6b47fd2fd51af13454c9aceb61f87f08350513a3423 |
C:\Windows\System\pMjaJVD.exe
| MD5 | 0985be249e6f4dceeac7a41bda064338 |
| SHA1 | 67dade9b0bf0d1d721414f03839493a6af18101c |
| SHA256 | 1ad38fda2c3fe3df480250076ee955681968e9d41be0560626a80d55cb288bda |
| SHA512 | bb97af847cbc9fd8fd65601786d07a4bf7a97f16b7276e08bd20220a6ba6e07cb9f0cbcbb7815bf00e60751481021748d7b68e9276e467f21c839a12628a6cf4 |
C:\Windows\System\ItWqQqF.exe
| MD5 | 87fa45d975f69c27a84fa22e6f5ccae8 |
| SHA1 | 649b93af74ff68d7a04e0943d0891c5445928760 |
| SHA256 | 75a57a51b4e4adbe195bb4f77c5e075aabb9eefd7ea143a14cbec0838b33f32f |
| SHA512 | 45576612ab805593fbed2a87474958943a0af08fd081397b31207341be4ae5e0b4f5c581a32d1862745221adce6a4fbfef0b260706440efcd7f9ea41353027c0 |
C:\Windows\System\JKnhNuJ.exe
| MD5 | 8274c325b0f88f78a77656ad8d2fc451 |
| SHA1 | 113bbf2d3611afcd3b9a76765e1ac5b4cb8867fe |
| SHA256 | aeda7ec1279b128ce7388227a97e5d78e0ef4edec50e31ef7f40a1baa439e404 |
| SHA512 | 6be3c14f16f25cb78b5af20e1710571046bd470799751a41d832947a25fd8e1a09fdd8f2a7a290ef9c7111fd13d98aa52e6b4393b65ed09459baf99ecd9ab628 |
C:\Windows\System\SQBMlQe.exe
| MD5 | d09bd9ebf5b9818b3414eeb5839b545b |
| SHA1 | 763e3118bdd72672e9fc8e6cbca211bc77b34d4d |
| SHA256 | 308b960728916bf9ade47a36e3529b4b52a283635df6f7a9b1a6015a8c8c9497 |
| SHA512 | ed7112bb0546ea98c1700cfd0532ec972ba9582eafe205de244be579b8b34ad73624d93fb219a155ab33a9e0f3df7916a6d1a47c3f4f12369b601b52e50e806c |
C:\Windows\System\issUlkl.exe
| MD5 | 1d3c582fed959bf5ff18d8afece6b41a |
| SHA1 | 16f3dd4c53e26728dce54afe185acee0748471d2 |
| SHA256 | f135049825c137b83ffc869efa3206894ed3023c31c8574b2c1077b3553773d9 |
| SHA512 | f3b8049acedd0cc17b93933b51940920321d796a8274b7a65a897a2017e80b14d240b0e94b8d1ee5c230f6194d79f5895f1ffdc647db03fc09109a96964f9007 |
C:\Windows\System\MOxMMJq.exe
| MD5 | 61ec244b9eac06177c8c17af20a29c09 |
| SHA1 | 9526eefe867333e948523ed00a3f8a365ca4b883 |
| SHA256 | 76e1a139cd24d8840085867d204326294da3d51c7096a89b96d264aa50a88c76 |
| SHA512 | 7220d6fe35c6fc565da3ad72fd2851fd67a6f5aead66bb11963b1fd302c7a873f664a1b3fa01aa29d34e790231117af40c3f43c64b53510a9514a97a58ab3022 |
C:\Windows\System\DOehlYL.exe
| MD5 | b16aabcb880ee27ed6baf8cca6356158 |
| SHA1 | 7b16a98c3b8f387ab77b188f6431f9416bd4ed30 |
| SHA256 | 1c30c0e4de964e35da1c0d6abcd0fb1e86965f2f26179ee575e584841a7467f0 |
| SHA512 | cb6dcfd05706cc71e1afb6659147ce7734c472bd2526476447d2803e7fd86ad6313648b5a47718a8d2b448bc685b19955aa837a5c2cc722e954e30bb15bcbcaa |
C:\Windows\System\pwZqNEC.exe
| MD5 | 2dc531d58d2dbd8ed9918abd09ee8331 |
| SHA1 | c4fda0e3eaa7680b76e469cda6bdb49e3153dad2 |
| SHA256 | 525f797c946c9a3cd38956f237c291bfb5bf5040a90219d911b150dc1c37c33e |
| SHA512 | 7f50d63df6cc0a50c9bfdf84d878e8a1e9aacdb7d653425532612413f3e89be745f9b7d9909e946df03f6ee78aa5fda49b25013f62872ffa8511a4eaf5880f87 |
C:\Windows\System\moSapWC.exe
| MD5 | 30abacbbd9de0769789c8fb71469b68f |
| SHA1 | 598960c1227bf763234499c4a03864d519117892 |
| SHA256 | 01009a4519078e78a6cff42d49ed718519cc8f26fe44df4969c07bf6cc3278d8 |
| SHA512 | d56a0a99148edc5659a0ba7f1768a5b77bcad02acb1149234a715a92bc910ba4fd7a922ad11d91a7b142398c694795fedd33d43348a58275ee9d28842ea60e9d |
C:\Windows\System\TdNOkZr.exe
| MD5 | 3a2e2decd803d5d9f75e1e5d45542e59 |
| SHA1 | cc679643380814ad5c95ce4bf4c102f89f0cf9c3 |
| SHA256 | 9d958e4b5b61990f6f2bc68acf714cb5be108f9d73d671a5ad0110602b71df36 |
| SHA512 | 6eece6e817580901d29f37e6109d66229287b0dd2ac5b9ce6f86ce36d5f5a40dce88c08b27254b151ebcdee8df3ebb541a645fbf6ee9a2a4831e3dd3a88ddbdb |
C:\Windows\System\ZkihfBh.exe
| MD5 | 4a6dd7eec1b8e020e36d79f88b99f19e |
| SHA1 | aeb930dbf0f94d03be63e22a3efc9094ce308a0c |
| SHA256 | 819318ef1dee47f305935f751b6d2fda008559e95569ef62368d7d15a720d6b1 |
| SHA512 | f7c9c785fa1c14946e5a7da402f86d3bef34c52af816af2e07874bdbede314958f6c4e9964e9004403cc9a0c996dd0abb8274f903f691ff7a66e09193e4421c0 |
C:\Windows\System\mAHnnPa.exe
| MD5 | 742c942762d9253b27397d1e61a3cc43 |
| SHA1 | 4cae3874fdaf971417b54b08a1dfe771bb093dc5 |
| SHA256 | 04c74bd386d419a5616c84d9d86f2eccc6ef823913f181c60dcf1c8c8f74a526 |
| SHA512 | f613c1906dbb37008c1366db91cb728ef2ac6eed5687e881219fd84b47b76ec0dd7b7bb167db3f5e211df5f1e4e746220b87573334bc04f7384249e83f4d44d1 |
C:\Windows\System\wdUPwmx.exe
| MD5 | 0d9b37ffc38b452a514127027dcdaf8b |
| SHA1 | 86e31987fce7ef11229cc7b52b88c43ced72a437 |
| SHA256 | 50548b439e033780b8c03f9a503cf098cc174582f8765aec9c35aecbc95a8408 |
| SHA512 | 65e071ede6f5d76f7b9f971d2bbb0e49af8f2f815272d58999c3a3631e7aedf31a6cfaeed7e71339961006d22d891f835894f2dd42a2653dbeba27889c8573cd |
C:\Windows\System\UQtZVnK.exe
| MD5 | 33630c88dcd2b73e33a55dc6efaba773 |
| SHA1 | 30f2175da3066df56e3911878ccf3e390373fbee |
| SHA256 | 835a71ad421a2c7a4371492c3873a4a296fc132c13e0d159a8e858b83da91940 |
| SHA512 | 2aff8de9d9a10f3e05263b9d919dc0ddeffd8ab6c12d487269da778555635a826be290d3dc4c3e9bd4c3296fae6ed47623827a89f2000856407bfea954df3f9b |
C:\Windows\System\xxjCfzb.exe
| MD5 | 1e80205a888f27136b531ce0a990d162 |
| SHA1 | 4eb27250ce3196efbb95823a5313808c1cb73dae |
| SHA256 | f0ef5efc3393be59362011fd1407ba7fd7479a3b1b47973d4c7ce43e1c07114f |
| SHA512 | cf854d229b315a70b6d35dc891fb9edfedbcb64acddeaad6511b6b5313c6254f5dea3593b1708f64ad45151895aa50c455939a5ed8f052fd45371553859b2e17 |
memory/2876-110-0x00007FF6CF0D0000-0x00007FF6CF424000-memory.dmp
memory/1052-112-0x00007FF6EC540000-0x00007FF6EC894000-memory.dmp
memory/1176-111-0x00007FF7EED70000-0x00007FF7EF0C4000-memory.dmp
memory/3260-113-0x00007FF663F50000-0x00007FF6642A4000-memory.dmp
memory/4828-115-0x00007FF6EC2A0000-0x00007FF6EC5F4000-memory.dmp
memory/2952-116-0x00007FF710C90000-0x00007FF710FE4000-memory.dmp
memory/456-114-0x00007FF69AA60000-0x00007FF69ADB4000-memory.dmp
memory/4200-118-0x00007FF679AE0000-0x00007FF679E34000-memory.dmp
memory/1944-119-0x00007FF63C7B0000-0x00007FF63CB04000-memory.dmp
memory/4472-117-0x00007FF72DB10000-0x00007FF72DE64000-memory.dmp
memory/3360-121-0x00007FF723740000-0x00007FF723A94000-memory.dmp
memory/3696-122-0x00007FF666570000-0x00007FF6668C4000-memory.dmp
memory/4212-120-0x00007FF600D20000-0x00007FF601074000-memory.dmp
memory/3568-123-0x00007FF6A1690000-0x00007FF6A19E4000-memory.dmp
memory/3516-124-0x00007FF748350000-0x00007FF7486A4000-memory.dmp
memory/2460-125-0x00007FF679660000-0x00007FF6799B4000-memory.dmp
memory/3104-126-0x00007FF6B8760000-0x00007FF6B8AB4000-memory.dmp
memory/4348-127-0x00007FF75A190000-0x00007FF75A4E4000-memory.dmp
memory/3968-128-0x00007FF6A2C80000-0x00007FF6A2FD4000-memory.dmp
memory/4848-129-0x00007FF7DDA50000-0x00007FF7DDDA4000-memory.dmp
memory/4572-130-0x00007FF60E990000-0x00007FF60ECE4000-memory.dmp
memory/4848-131-0x00007FF7DDA50000-0x00007FF7DDDA4000-memory.dmp
memory/4572-132-0x00007FF60E990000-0x00007FF60ECE4000-memory.dmp
memory/1156-133-0x00007FF760EA0000-0x00007FF7611F4000-memory.dmp
memory/2876-134-0x00007FF6CF0D0000-0x00007FF6CF424000-memory.dmp
memory/4348-135-0x00007FF75A190000-0x00007FF75A4E4000-memory.dmp
memory/1176-136-0x00007FF7EED70000-0x00007FF7EF0C4000-memory.dmp
memory/1052-137-0x00007FF6EC540000-0x00007FF6EC894000-memory.dmp
memory/3260-138-0x00007FF663F50000-0x00007FF6642A4000-memory.dmp
memory/456-140-0x00007FF69AA60000-0x00007FF69ADB4000-memory.dmp
memory/4828-139-0x00007FF6EC2A0000-0x00007FF6EC5F4000-memory.dmp
memory/2952-141-0x00007FF710C90000-0x00007FF710FE4000-memory.dmp
memory/4472-142-0x00007FF72DB10000-0x00007FF72DE64000-memory.dmp
memory/4200-143-0x00007FF679AE0000-0x00007FF679E34000-memory.dmp
memory/1944-144-0x00007FF63C7B0000-0x00007FF63CB04000-memory.dmp
memory/3360-147-0x00007FF723740000-0x00007FF723A94000-memory.dmp
memory/4212-146-0x00007FF600D20000-0x00007FF601074000-memory.dmp
memory/3696-145-0x00007FF666570000-0x00007FF6668C4000-memory.dmp
memory/3568-149-0x00007FF6A1690000-0x00007FF6A19E4000-memory.dmp
memory/3516-148-0x00007FF748350000-0x00007FF7486A4000-memory.dmp
memory/3104-150-0x00007FF6B8760000-0x00007FF6B8AB4000-memory.dmp
memory/2460-151-0x00007FF679660000-0x00007FF6799B4000-memory.dmp
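The dropped-file hashes in the Files section and the Network rows are the reusable indicators in this report. The script below is an added example, not part of the sandbox report or the sandbox's own tooling: it parses a report excerpt in the layout used above into file and network IOCs, separates the repeated direct connection to 3.120.209.58:8080 from the sandbox's own DNS lookups and Edge's chromewebstore traffic, and hunts for the remaining indicators in Sysmon-style events. The REPORT_EXCERPT rows are copied from this report; the EVENTS sample, its field names, and the DROPPER_NAME_RE heuristic (derived from the 7-letter names under C:\Windows\System in the process list above) are assumptions made for the example.

```python
"""Turn the Files and Network sections of a sandbox report laid out as above
into IOCs and hunt for them in host telemetry.

Added example, not part of the sandbox report or the sandbox's own tooling.
REPORT_EXCERPT copies a few rows from the report above; EVENTS is a
constructed Sysmon-like sample (assumed field names), not real telemetry.
Network rows are accepted with or without the empty Domain cell, because
report exports often drop it."""
import re

REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| FR | 142.250.179.74:443 | chromewebstore.googleapis.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\aeeOVFT.exe
| MD5 | f02617ad505b8dbb6f40fa74c09a7bc4 |
| SHA256 | fa1b0171a15734adb150035124009e1ffa7e5a00c3b3a4234e613b15b10a8b95 |
C:\Windows\System\jeLkgVB.exe
| MD5 | 7581294fc2619a873300ec63a7724896 |
| SHA256 | 06485c56c84d588f02f10f0c10a5a2ce752f54758597d8b83a96936d598612f5 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\[^|]+\.(?:exe|dll)$", re.I)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|(.*)$")
# Heuristic (assumption drawn from this report's process list): every dropper
# is 7 mixed-case letters under C:\Windows\System, the legacy directory rather
# than System32. Catches re-packed copies whose hashes no longer match.
DROPPER_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_report(text):
    """Return ({path: {algo: hexdigest}}, {(ip, port, proto, domain)})."""
    files, net, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current:
            files[current][m.group(1)] = m.group(2).lower()
            continue
        m = NET_RE.match(line)
        if m:
            country, ip, port, rest = m.groups()
            # Remaining cells are Domain and Proto in either order/collapsed form.
            cells = [c.strip() for c in rest.strip().strip("|").split("|")]
            proto = next((c.lower() for c in cells if c.lower() in ("tcp", "udp")), "?")
            domain = next((c for c in cells if c and c.lower() not in ("tcp", "udp")), "")
            net.add((ip, int(port), proto, domain))
    return files, net


def c2_candidates(net):
    """Direct-to-IP connections with no domain are the beacon candidates.
    Resolver traffic (PTR lookups via 8.8.8.8) and the browser's
    chromewebstore.googleapis.com rows come from the sandbox, not the sample."""
    return {(ip, port) for ip, port, proto, domain in net
            if not domain and port != 53}


def hunt(events, files, net):
    """Match Sysmon-like events (1 = ProcessCreate, 3 = NetworkConnect,
    11 = FileCreate) against the parsed IOCs. Returns [(event index, reason)]."""
    known_sha256 = {h["SHA256"] for h in files.values() if "SHA256" in h}
    beacons = c2_candidates(net)
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] in (1, 11):
            if ev.get("sha256", "").lower() in known_sha256:
                findings.append((i, "hash matches dropped payload in report"))
            elif DROPPER_NAME_RE.match(ev.get("image", "")):
                findings.append((i, "dropper naming pattern, hash differs from report"))
        elif ev["id"] == 3 and (ev.get("dst_ip"), ev.get("dst_port")) in beacons:
            findings.append((i, "connection to sandbox-observed C2 endpoint"))
    return findings


# Constructed Sysmon-like sample (not real telemetry).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System\aeeOVFT.exe",
     "sha256": "FA1B0171A15734ADB150035124009E1FFA7E5A00C3B3A4234E613B15B10A8B95"},
    {"id": 1, "image": r"C:\Windows\System\qwErTyU.exe", "sha256": "11" * 32},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "sha256": "22" * 32},
    {"id": 3, "image": r"C:\Windows\System\aeeOVFT.exe", "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"id": 3, "image": r"C:\Windows\System\aeeOVFT.exe", "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"id": 3, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dst_ip": "142.250.179.74", "dst_port": 443},
]

if __name__ == "__main__":
    parsed_files, parsed_net = parse_report(REPORT_EXCERPT)
    for idx, why in hunt(EVENTS, parsed_files, parsed_net):
        print(f"event {idx}: {why}")
```

Two caveats when using a report like this one for hunting. The hashes only catch byte-identical copies of the droppers, which is why the naming-pattern check exists; it is a weak signal on its own and should be combined with the report's other observations (unsigned PE, parent process in the user's Temp directory, writes into C:\Windows\System). And not every row of the Network table is an indicator: the 8.8.8.8 PTR lookups and the chromewebstore.googleapis.com traffic belong to the sandbox and to Edge, so blocking them would only generate noise; the direct, repeated TCP connection to 3.120.209.58:8080 is the row worth alerting on.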